Risk Quantification

In many industries, Business Continuity Planning (BCP) and Disaster Recovery (DR) are requirements; however, the programs are often minimalistic in nature.

One of the biggest challenges is getting stakeholders on the same page. The general idea is: “Nothing has ever happened here, so why should I be concerned about it?”

Hearing this should make any risk person shiver. To get buy-in from Executive Management, or even Department/Business Management, you want to be able to tell your story and have data to back it up.

An article from Christophe Forêt, President and co-founder of C-Risk

August 23, 2023

Quantification Supports Better Continuity Planning

Quantifying risk using Factor Analysis of Information Risk (FAIR) allows organizations to provide relevant information to key stakeholders. One of the biggest benefits of the standard FAIR risk model is the use of a “common language” to identify and communicate about risks.

Even from organization to organization, the terms "Business Continuity Planning", "Business Resiliency", "Disaster Recovery" and the like are used to talk about anything from the recovery of the business to just the recovery of the technology. Any BCP person knows there is a difference between BCP and DR planning. That is why having the right information and knowing what to communicate is truly important.

Identify And Measure Key Risk Components

In general, the process starts with identifying what “assets” you are concerned with and determining “how much risk is associated with each of them”. From there, completing a Business Impact Analysis (BIA) should be much easier. This is especially helpful when attempting to build a program from the ground up. But even more advanced programs can benefit from Risk Quantification.

BCP/DR alone is only a portion of a comprehensive Risk Management program. Risk Quantification, on the other hand, fits into many, if not all, facets of a quality Risk Management program.


What Quantification Looks Like

Below is an example of how your BIA can benefit from Risk Quantification. In this example, a manufacturer had a key system that was essential to its manufacturing process go down for 4 hours. The manufacturer was not able to make its product during this time. Quantifying this information lets your organization see what it means, in business terms, for a key system or business function to become unavailable. This is a crucial step in any BIA.
