Quantitative risk analysis assigns monetary values to risk components, calculating metrics such as Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE). Qualitative risk analysis uses descriptive scales such as high, medium, and low to categorize risk likelihood and impact. Most mature organizations use both approaches: qualitative for initial screening and prioritization, quantitative for high-impact risks that require precise financial justification for control investments.
Qualitative analysis typically uses a matrix approach where risks are scored on ordinal scales for likelihood and impact. Analysts categorize risks through expert judgment, workshops, and historical incident data. Quantitative analysis requires gathering data on asset values, exposure factors, and loss frequencies to calculate financial metrics. The FAIR (Factor Analysis of Information Risk) model provides a structured quantitative framework. Organizations often begin with qualitative assessment across all risks, then apply quantitative methods to the top tier where precise cost-benefit analysis justifies the additional effort.
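The two-tier approach described above, worked through in Python as an added example (not code from the original page or from any framework it names): a 3x3 qualitative likelihood-by-impact screen, then SLE = AV x EF and ALE = SLE x ARO only for the risks that clear the screen, plus the standard net-value-of-safeguard check used for cost-benefit justification. The risk register, the screening threshold and every monetary figure are constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scales for the qualitative likelihood x impact matrix.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    likelihood: str               # qualitative rating: low / medium / high
    impact: str                   # qualitative rating: low / medium / high
    asset_value: float = 0.0      # AV: value of the affected asset (constructed)
    exposure_factor: float = 0.0  # EF: fraction of AV lost in one event (0..1)
    aro: float = 0.0              # ARO: expected number of events per year


def qualitative_score(risk):
    """Likelihood x impact on a 3x3 ordinal matrix: 1 (low/low) to 9 (high/high)."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def sle(risk):
    """Single Loss Expectancy: SLE = AV x EF."""
    return risk.asset_value * risk.exposure_factor


def ale(risk):
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    return sle(risk) * risk.aro


def safeguard_value(risk, new_ef, new_aro, annual_cost):
    """Net annual value of a control: ALE(before) - ALE(after) - annual control cost.
    A positive result means the control is financially justified."""
    after = Risk(risk.name, risk.likelihood, risk.impact, risk.asset_value, new_ef, new_aro)
    return ale(risk) - ale(after) - annual_cost


def triage(risks, threshold=6):
    """Two-tier assessment: qualitative screen first, ALE only for the top tier.
    The threshold (assumed here: matrix score >= 6) decides which risks get quantified."""
    top = [r for r in risks if qualitative_score(r) >= threshold]
    return {r.name: ale(r) for r in sorted(top, key=ale, reverse=True)}


# Constructed risk register with made-up asset values, exposure factors and rates.
REGISTER = [
    Risk("ransomware on file server", "high", "high", 500_000, 0.40, 0.5),
    Risk("lost unencrypted laptop", "high", "low", 3_000, 1.0, 4.0),
    Risk("customer database breach", "medium", "high", 2_000_000, 0.25, 0.1),
]
```

Running `triage(REGISTER)` quantifies only the two risks that score 6 or higher on the matrix; the laptop risk, despite its high likelihood, is screened out at the qualitative stage and never reaches the more expensive quantitative step.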
Qualitative analysis enables rapid risk triage but can introduce subjective bias and inconsistency. Quantitative analysis produces defensible financial figures for executive decision-making but requires significant data and expertise. Understanding when to apply each method prevents analysis paralysis on low-priority risks while ensuring critical risks receive rigorous financial scrutiny. Regulatory expectations vary, but quantitative capability increasingly differentiates mature programs.
CDA teaches both methodologies through the RGA domain, starting with qualitative fundamentals in C-RECON and progressing to quantitative modeling in C-HARDEN. The FAIR framework is integrated into advanced theater missions, enabling operators to present risk in the financial language that boards and executives understand.