by David Vose

Every authoritative guideline on risk management advocates the quantitative (that is, probabilistic) evaluation of risk using Monte Carlo simulation – from ISO , COSO , NASA , RAND Corporation , AACE International and APM , to Solvency II and Basel II/III . There is some variation in terminology, but a general agreement on the basic process of risk management is shown in the following diagram. Key weak spots in the process are typically: risks are evaluated poorly (either qualitatively or quantitatively); and the low quality of the data collection process that helps identify and evaluate risks and their mitigation. In addition, the key failures in applying this process are: establishing the context; actually implementing the risk mitigation strategies that have been agreed; and checking the mitigations stay in place (highlighted).

Quantitative risk analysis (QRA) forms only a part of the whole risk management process…