amandeepsingh85

Quantitative Risk Framework – A Brief Discussion on Benefits

Updated: Nov 7, 2023

The responsibilities of first and second line Operational and IT Risk professionals can often be characterised by:

  • chasing others to finish tasks on time (finish risk events, update Actions, complete KRIs, complete RCSAs)

  • collating spreadsheets and other data

  • updating data where gaps, errors and omissions have occurred

  • seeking clarifications

  • chasing evidence

  • producing large, onerous packs and dashboards incorporating lists of Risks Events, Issues, KRIs and cyclical RCSAs.

Even with the adoption of a GRC system with some automation, many of these problems persist, leading to increased costs for organisations trying to keep up and a bored, burnt-out Risk workforce, left disillusioned and questioning why they got into the discipline at all.

Automation is the go-to labour-saving solution, with a raft of possibilities, particularly within the Microsoft suite, alongside ever-improving eGRC solutions. Many firms cannot afford to automate, but even if they could, any automation must by its nature contend with the subjectivity built into the process.

Automated Scoring Reduces Time and Effort

Using a scoring system can enable automation for organisations that are in a position to automate, but also speed up a human-based process for those that aren’t, by taking the decision-based thinking and agonising (subjectivity) out of following a GRC process. This frees up capacity and enables risk professionals to focus more time on forward-looking, preventative and interesting tasks to protect the organisation.

A scoring system takes time to develop, and a period of testing is required to make sure it works for your particular organisation, but once implemented the pay back financially and in terms of increased levels of risk management over time is significant.

The following pages look at how to create a more objective scoring system and the benefits of doing so (numbers are purely for explanatory purposes).

Future role of Risk and Cyber Professionals – Current Role Overview and potential enhancements

Potential aspects of the Operational/Cyber Risk Role

  • Collation and sanitisation of information

  • Oversight and challenge

  • Completion of cyclical vs ongoing assessment

  • Subjective vs Objective – Quantitative vs Qualitative assessment

  • Analysis and thematics

  • Forward looking and predictive

  • Low or high volume of assessment / framework inputs and outputs

This post looks at the ability to quantify the framework inputs and outputs in order to design a more objective, quantitative framework. Potential enhancements to the role include:

  • Developing the role of the second line to provide analytical, thematic and predictive oversight and challenge

  • Accelerating risk processes, providing fresher data and thus a fresher view of risk today

  • Reducing the effort from the business for inputs

  • Forward looking

  • Ongoing as opposed to cyclical

Scoring and Appetite

  • Using colours and words as measures is counter-intuitive and vague as to what is important, what needs to be acted on, and where priorities lie

  • In the Qualitative approach, impact matrix definitions tend to be non-specific and left open to interpretation, leading to inaccurate results

  • Using scoring removes subjectivity, ‘crafting’ and manipulating situations to achieve a specific pre-ordained outcome

  • Removing much of the thinking and pausing involved in a Qualitative process for inputs accelerates the process

  • Define a Heatmap scoring method

  • Define impact levels that map directly to the Heatmap

  • Define Risk Appetite, Tolerance and Capacity in numbers, using the Organisation Heatmap and impact level scoring

Official ISO 31000 definitions:

  • Risk capacity: the amount and type of risk an organisation is able to support in pursuit of its business objectives

  • Risk appetite: the amount and type of risk an organisation is willing to accept in pursuit of its business objectives

  • Risk tolerance: the organisation's or stakeholders' readiness to bear the risk after risk "treatment" in order to achieve its objectives

Designing a Scoring Method

Assigning points to the Heatmap is a balancing act. The point of the exercise is to be less subjective, so it is important to take the effort to make the numbers meaningful.

Probability/likelihood – distribute scoring evenly

  • probability theory (the normal distribution bell curve) tells us that below 13.4% we are approaching a situation in which an outcome is extremely unlikely to occur

  • 34% is when an outcome is becoming possible; 66% is when it is starting to become likely, and 86.4% is when it is becoming highly likely

  • Choose a sensible rounding point

Impact – try to distribute scoring evenly; however, you may choose a weighting as the scale increases

  • Assign points in the impact matrix (diag 3) and transpose them to the Heatmap

  • Decide whether points are linear or exponential (i.e., weighted)

Risk Assessment

Obtain an inherent risk score to determine whether the risk is within appetite. Risks within appetite do not mandate that resources be spent on controls.

  • A score of 9 is outside of appetite and lands in the Risk Capacity zone, challenging the successful implementation of objectives

  • Mandatory Action – a decision is taken to implement a preventative control framework. The score is reduced by 6, to 3.

  • The residual score is in the risk appetite zone.
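As an added illustration that is not part of the original post, the scoring method and the risk assessment above coded up in Python. The likelihood bands use the post's percentage cut-offs; the 5x5 linear heatmap (score = likelihood points x impact points), the appetite/tolerance/capacity ceilings of 4, 8 and 16, the optional exponential impact weighting and the function names are assumptions made for the example.

```python
# Likelihood bands taken from the post's normal-distribution cut-offs
# (upper bound in %, heatmap points, label). Point values are linear 1..5.
LIKELIHOOD_BANDS = [
    (13.4, 1, "extremely unlikely"),
    (34.0, 2, "unlikely"),
    (66.0, 3, "possible"),
    (86.4, 4, "likely"),
    (100.0, 5, "highly likely"),
]

# Assumed appetite/tolerance/capacity ceilings on a 5x5 linear heatmap;
# a score above the capacity ceiling is beyond what the organisation can support.
ZONE_CEILINGS = [("appetite", 4), ("tolerance", 8), ("capacity", 16)]


def likelihood_points(probability_pct: float) -> int:
    """Map a probability in percent to 1-5 heatmap points using the post's bands."""
    if not 0.0 <= probability_pct <= 100.0:
        raise ValueError("probability must be between 0 and 100 percent")
    for upper, points, _label in LIKELIHOOD_BANDS:
        if probability_pct < upper:
            return points
    return 5  # exactly 100 %


def impact_points(level: int, weighted: bool = False) -> int:
    """Impact level 1-5 -> points: linear (1..5) or exponential (1,2,4,8,16)."""
    if level not in range(1, 6):
        raise ValueError("impact level must be an integer 1-5")
    return 2 ** (level - 1) if weighted else level


def zone(score: int) -> str:
    """Place a heatmap score in the appetite, tolerance or capacity zone."""
    for name, ceiling in ZONE_CEILINGS:
        if score <= ceiling:
            return name
    return "beyond capacity"


def assess(probability_pct, impact_level, residual_probability_pct=None, weighted=False):
    """Inherent score and zone, whether action is mandatory, and the residual after a control."""
    impact = impact_points(impact_level, weighted)
    inherent = likelihood_points(probability_pct) * impact
    # A preventative control lowers likelihood only; impact is left unchanged here.
    residual_pct = probability_pct if residual_probability_pct is None else residual_probability_pct
    residual = likelihood_points(residual_pct) * impact
    return {"inherent": inherent, "inherent_zone": zone(inherent),
            "action_required": zone(inherent) != "appetite",
            "residual": residual, "residual_zone": zone(residual),
            "reduction": inherent - residual}
```

With a 50% likelihood and impact level 3 the inherent score is 9 (capacity zone); a preventative control that brings likelihood down to 10% yields a residual of 3 (appetite zone), reproducing the post's worked numbers.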

Framework Elements Scoring

Framework elements such as Risk Events and KRIs often identify weaknesses and gaps we did not know were there, and prompt us to go back and reassess the process after performing root cause analysis. Using a scoring mechanism, we can therefore prioritise where to focus limited resources: the highest score takes precedence. Assign scores to weaknesses and gaps appropriately, then assign scores to the types of Action that resolve them, managing them through the Issues and Actions process and thus taking points away.

Impact on Roles

To find out more, please use the 'Get in Touch' button at the top of the page to get in contact with Integrated Control Framework Consulting.
