LR-301g · Module 1

From Qualitative to Quantitative


In LR-201c we covered qualitative risk assessment — impact times probability equals expected loss. That framework produces useful ordinal rankings: Risk A is higher than Risk B. At the 301 level, we move to quantitative modeling that produces cardinal values: Risk A has an expected annual loss of $340K with a 90% confidence interval of $150K to $720K. Cardinal values enable financial decisions that ordinal rankings cannot support — insurance coverage amounts, reserve allocations, and investment justification for risk mitigation.

  1. Loss Distribution Modeling: Instead of a single impact estimate, model the impact as a probability distribution. The impact of a data breach is not "$500K." It is a distribution: 10% chance of $100K (minor incident, fast containment), 60% chance of $300K-$700K (standard breach with notification), 30% chance of $1M+ (regulatory action, litigation). The distribution captures the range of outcomes more accurately than a point estimate.
  2. Frequency Estimation: Instead of a single probability, estimate the frequency — how many times per year this event might occur. A probability of 20% suggests the event occurs once every five years. Frequency estimation uses historical data, industry benchmarks, and expert judgment to produce annualized occurrence rates. The frequency times the loss distribution produces the annual loss expectancy distribution.
  3. Confidence Intervals: Every quantitative estimate includes a confidence interval — the range within which the actual loss is likely to fall. "Expected annual loss of $340K with a 90% confidence interval of $150K to $720K" communicates both the central estimate and the uncertainty. Confidence intervals prevent false precision — a single number suggests certainty that does not exist. [RECOMMEND]: Always report confidence intervals alongside point estimates.
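
The three steps above combined in one Monte Carlo run, as an added example that is not part of the original module: it draws a yearly event count, sums one loss per event from the data-breach buckets in item 1, and reports the mean with a 90% interval. Assumptions: Poisson arrivals at the 0.2 per year rate implied by item 2's 20% illustration, uniform losses inside each bucket, and a $3M cap on the open-ended $1M+ bucket.

```python
import math
import random

# Severity buckets from the data-breach illustration in item 1: (probability, low, high).
# The $1M+ bucket has no upper bound on the page; the $3M cap is an assumption.
SEVERITY = [(0.10, 100_000, 100_000),
            (0.60, 300_000, 700_000),
            (0.30, 1_000_000, 3_000_000)]
FREQUENCY = 0.2  # events per year: the "once every five years" rate from item 2


def draw_loss(rng):
    """Draw one incident's loss: pick a bucket, then a uniform value inside it."""
    u, cum = rng.random(), 0.0
    for p, low, high in SEVERITY:
        cum += p
        if u < cum:
            return rng.uniform(low, high)
    return rng.uniform(*SEVERITY[-1][1:])  # guard against float rounding


def draw_event_count(rng, rate):
    """Poisson-distributed number of events in a year (Knuth's method, assumed model)."""
    limit, k, prod = math.exp(-rate), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def simulate_annual_losses(years=100_000, seed=1):
    """Return the sorted total loss of each simulated year."""
    rng = random.Random(seed)
    return sorted(sum(draw_loss(rng) for _ in range(draw_event_count(rng, FREQUENCY)))
                  for _ in range(years))


def summarize(losses):
    """Mean annual loss plus the 5th and 95th percentiles (a 90% interval)."""
    n = len(losses)
    return {"mean": sum(losses) / n,
            "p05": losses[int(0.05 * n)],
            "p95": losses[int(0.95 * n)],
            "p_no_loss": sum(1 for x in losses if x == 0) / n}


if __name__ == "__main__":
    for key, value in summarize(simulate_annual_losses()).items():
        print(f"{key:>10}: {value:,.2f}")
```

With most simulated years containing no event, the 5th percentile is $0, so the width of the interval comes almost entirely from the upper tail.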