Security Plan Guidance:
Appendix I: Risk Assessment Methods

There are several methods for determining risk. Any recordable method will do, as long as the entity determines risk as the intersection between threat, likelihood, and consequence. The National Academies of Science describes different methods of risk analysis as being on a spectrum, like those in the following table. More qualitative methods are on the left while quantitative, data-reliant methods are toward the right.

[Diagram: spectrum of risk analysis methods]

For example, the square risk map is a qualitative analysis method that relies on a common-sense understanding of how threat and vulnerability combine with the consequence of such an incident occurring.

Figure 2. Square Risk Maps assess risk by comparing the threat and vulnerability of a situation to the consequence. The risk is assessed as Low, Medium, High, or Extreme.

Similarly, the relative risk score method numerically scores threats and vulnerabilities compared to the consequence of a given scenario and plots the risk according to a set range of risk levels.

Figure 3. Example “Relative Risk Score”: This method assesses risk by numerically scoring threats and vulnerabilities compared to the consequence of a given scenario.

Page last reviewed: August 26, 2020, 03:00 PM