Quantitative risk-based thinking – does it exist?

I recently wrote about the benefits of quantitative risk-based thinking and why organisations should avoid qualitative methods when developing their ISO 9001:2015 processes. (link)

But is there such a thing as a practical quantitative risk-based thinking solution? Or, as one reader suggested, “It’s the Holy Grail of risk analysis, and thus it doesn’t fully exist”?

Like some naïve, modern-day crusader, my quest for risk’s holy grail started about ten years ago. As a quality and risk consultant, I realised just how beneficial a tool like this could be for organisations worldwide.

After years of research, trial and error, I almost came within touching distance of the grail. But alas, I had to concede – there is no such thing.

Don’t get disheartened, all is not lost.

The reason pure quantitative risk assessment doesn’t exist is that accurately measuring the likelihood and consequence of a future risk event requires accounting for a large number of variables, some of which will likely remain unknown. Even large companies and institutions struggle to come close.

Just because there is no such thing as a practical quantitative risk assessment solution doesn’t mean your organisation has to settle for something much less.

There are plenty of semi-quantitative solutions available, but the one proven methodology I like transforms an organisation’s existing auditing and inspection processes into a highly rigorous, yet efficient, risk monitoring, control and improvement system.

Here is a high-level overview of how it works.

  • Potential product and service nonconformances are categorised according to their likely quantitative impact (consequence) on organisation goals and objectives, i.e. Critical, High, Medium and Low; not unlike Failure Mode and Effects Analysis (FMEA).
  • Maximum nonconformance frequency limits are assigned to each consequence category. These limits represent an organisation’s risk appetite, and are used to assess and benchmark the risk performance of each process.
  • Proven ISO statistical sampling methods (ISO 2859-1:1999, Sampling procedures for inspection by attributes) are then used to calculate the sample size for each audit and inspection, and to estimate the frequency of nonconformance for each consequence category.
  • Risk assessment accuracy can be adjusted to strike a desired balance between an organisation’s monitoring budget and its nonconformance risks.
  • If a process is deemed to have exceeded one or more of the organisation’s risk limits, action is taken to control (mitigate) product and service nonconformances (Figure 1). If no risk limits are exceeded, products and services are approved for use (Figure 2).
  • The same sampling methods are used to assign each process an objective performance rating based on its capacity to achieve, or better, the organisation’s risk appetite over consecutive audits and inspections, i.e. Excellent, Good, Poor.
  • Process performance information is best displayed in a simple performance dial (Figure 3).
  • Continuous improvement is achieved through the specification of realistic nonconformance targets, incentives and penalties.
  • Risk control is optimised by focusing an organisation’s limited monitoring and improvement resources on its processes with the worst performance rating.
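To make the steps above concrete, here is an added worked example in Python. It is not code from the original post or from the consultant’s own toolkit. It assumes constructed risk limits for the four consequence categories, a zero-acceptance attribute sampling plan as a simplification of the ISO 2859-1 tables, a Clopper-Pearson upper bound as the frequency estimate, and an assumed rule for the Excellent/Good/Poor rating; the `confidence` parameter is the accuracy knob that trades sample size (monitoring budget) against the chance of passing a process that is actually over its limit.

```python
import math
from typing import Dict, List

# Consequence categories from the post, each with the organisation's maximum
# nonconformance frequency (its risk appetite). The limit values are
# constructed for this example.
RISK_LIMITS: Dict[str, float] = {
    "Critical": 0.005,
    "High": 0.02,
    "Medium": 0.05,
    "Low": 0.10,
}


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed term by term."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(limit: float, confidence: float = 0.95) -> int:
    """Sample size of a zero-acceptance attribute plan (an assumed
    simplification of the ISO 2859-1 tables): the smallest n for which a
    process running exactly at `limit` passes a zero-nonconformance sample
    with probability at most 1 - confidence. Raising `confidence` tightens
    the assessment at the cost of a larger sample, i.e. a larger budget."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - limit))


def upper_bound(k: int, n: int, confidence: float = 0.95) -> float:
    """One-sided Clopper-Pearson upper bound on the nonconformance frequency
    after k nonconformances in a sample of n, found by bisection on p."""
    if k >= n:
        return 1.0
    lo, hi = k / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > 1 - confidence:
            lo = mid  # k or fewer is still likely at mid; the bound lies higher
        else:
            hi = mid
    return hi


def assess_audit(observed: Dict[str, int], n: int, confidence: float = 0.95) -> dict:
    """Estimate each category's nonconformance frequency from one audit of n
    items, compare it with the risk limit and decide: approve the output or
    take action to control the process."""
    estimates = {cat: upper_bound(observed.get(cat, 0), n, confidence)
                 for cat in RISK_LIMITS}
    exceeded = [cat for cat, ub in estimates.items() if ub > RISK_LIMITS[cat]]
    return {"estimates": estimates, "exceeded": exceeded,
            "decision": "control" if exceeded else "approve"}


def rate_process(decisions: List[str]) -> str:
    """Performance rating over consecutive audits. The rule is an assumption
    for this example: Excellent if every audit stayed within the risk
    appetite, Good if the latest did but an earlier one did not, Poor if
    the latest audit required control action."""
    if all(d == "approve" for d in decisions):
        return "Excellent"
    return "Good" if decisions[-1] == "approve" else "Poor"


def example_history() -> List[str]:
    """Three constructed audits of one process, 600 items sampled each time
    (600 covers the Critical category's sample size at 95% confidence)."""
    audits = [
        {"Critical": 0, "High": 1, "Medium": 5, "Low": 20},
        {"Critical": 2, "High": 3, "Medium": 6, "Low": 25},  # Critical limit breached
        {"Critical": 0, "High": 2, "Medium": 4, "Low": 18},
    ]
    return [assess_audit(a, 600)["decision"] for a in audits]


if __name__ == "__main__":
    for cat, limit in RISK_LIMITS.items():
        print(f"{cat:<9} limit {limit:.3f}  sample size {sample_size(limit)}")
    history = example_history()
    print("decisions:", history, "-> rating:", rate_process(history))
```

Running it shows the budget trade-off directly: the Critical category, with the tightest limit, drives the sample size (598 items at 95% confidence), while Low needs only 29. A single Critical nonconformance in a 600-item sample already pushes the estimated frequency above the 0.5% limit, which is exactly the kind of result that should trigger control action rather than approval.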


If you’d like to learn more about how your organisation can take advantage of these proven ISO semi-quantitative, risk-based thinking methods, be sure to check out my guide and video at (link) – or send me a personal message.
