
Risk assessment vs risk analysis

In the technical review manual for CRISC, Risk analysis is included under Risk assessment. Therefore, one could easily view risk analysis as a subset activity in risk assessment. However, in the QAE database or the Questions & Answers book, several answers point to completely separate the two. For example:

Which of the following objectives is the PRIMARY reason that risk professionals conduct risk assessments?

A. The maintenance of the risk register is part of the ongoing risk assessment process.

B. Management chooses the right risk response strategy based on risk analysis. A risk assessment itself is not sufficient to make educated risk response decisions.

C. Assurance on risk management is not the main reason risk assessment is performed by the risk professional.

D. A risk assessment is the process used to identify risk and develop risk scenarios to determine how specific threats may adversely affect the business.


Option B does exactly that...completely separating both activities. Isn't there some disparity between the text and the QAE database / Questions & Answers book?


Comments

RE: Risk assessment vs risk analysis

The key thing to remember is that there are aspects of risk analysis during both risk assessment and risk response. If you have not reviewed the risk response section yet, have a quick look at the first few pages.
If you reconsider what the question is asking and the available answers with this in mind, does it lead you to a different conclusion?

I'll provide a more thorough answer later if you want/need, but from a learning perspective the above might be enough of a nudge in the right direction...

As an aside, this is a good question for demonstrating the need to consider the detail of what the question is asking.
AlexGEnergizer at 4/13/2017 2:53:27 AM
(1 ratings)

RE: Risk assessment vs risk analysis

Hi Alex, could you kindly elaborate further, as I find myself in the same predicament?
Henry355Lively at 4/13/2017 4:02:24 AM

RE: Risk assessment vs risk analysis

Risk assessment includes risk analysis in order to determine level of risk.
Risk response includes analysis to determine the most appropriate treatment.
The analysis has a different focus depending on the stage at which it is being conducted and the outcome it is informing.

For this example (the explanation for why B is not the correct answer) it may have been clearer to have simply stated 'based on analysis' instead of 'based on risk analysis', that way there would have been greater consistency with the use of the term 'risk analysis' in the Review Manual, but I do not think it is an error or disparity.
In my opinion, most analysis conducted as part of the risk management life cycle could legitimately be termed risk analysis.

The most important part of the explanation is the second sentence; it could go on to say something like 'because further analysis is required to determine cost and compatibility (etc) of possible controls'.

Is that any clearer?
AlexGEnergizer at 4/13/2017 11:01:22 AM

RE: Risk assessment vs risk analysis

Hi Alex,

Indeed I have read well into the Risk Response phase and I agree with you that there is some form of what can be seen as risk analysis in that phase as well.

However, for the sake of standardization, terminology is very important. Certain important terminologies should be restricted within specific domains/phases to avoid confusion.

For example, we can as well say there is some form of risk assessment during risk identification and even during the risk response phases. But it will cause a whole lot of confusion if we start using this terminology (risk assessment) in discussions that solely refer to other phases/domains.

I trust you get my drift.

Therefore, if I were to treat risk analysis as an activity within the risk assessment phase, there will be a confusion between options B and D in the above question, because both are critical and primary purposes in the risk assessment phase. In fact, I could argue that B is a more comprehensive and encompassing answer.

What do you think?

For the benefit of all, the given answer options for the question above are:

A. To maintain the enterprise's risk register
B. To enable management choose the right risk response
C. To provide assurance on the risk management process
D. To identify risk with the highest business impact


Also, concerning the explanation in option B, you wrote "For this example (the explanation for why B is not the correct answer) it may have been clearer to have simply stated 'based on analysis' instead of 'based on risk analysis', that way there would have been greater consistency with the use of the term 'risk analysis' in the Review Manual,"

Actually, the idea that "Management chooses the right risk response strategy based on RISK ANALYSIS" is a very prevalent principle that runs through the whole QAE book/database. So if it needs to be changed here, then it needs to be changed in the whole set. But I think for the sake of consistency, this idea should be maintained - here and all through the QAE.

Your thoughts please....Thanks
Iheanyi713Lively at 4/14/2017 2:02:17 PM
