| Area | Qualitative risk assessment | Quantitative risk assessment | How to use both |
|---|---|---|---|
| Scope and covered activity | Qualitative risk assessment applies when the organization lacks the data to assign monetary values, when speed or simplicity is prioritized, or when the audience needs a narrative rather than a financial output. It covers all assets and threats in the assessment scope using descriptive likelihood and impact scales. | Quantitative risk assessment applies when the organization can source reliable loss-event data, actuarial figures, or asset valuations and needs to produce Annualized Loss Expectancy (ALE) figures for budget justification or insurance purposes. It covers the same assets but requires validated input data for each probability and impact estimate. | Write the scope memo so teams can see when the qualitative method provides the implementation structure, when the quantitative method governs the obligation or assurance question, and where evidence can be reused without changing the source test. |
| Who must act | Qualitative ownership should sit with the team that can operate the relevant management system, control process, risk method, supplier relationship, incident process, privacy process, or AI governance scope. | Quantitative ownership should follow that source's role model, such as regulator-facing accountable body, service organization, framework owner, provider, customer, processor, deployer, supplier, or risk owner. | Do not copy owners from one side to the other; map accountable owners, reviewers, and approvers separately. |
| Trigger or threshold | Qualitative work is triggered by scope definition, implementation, certification readiness, customer assurance, control gaps, incidents, supplier changes, or management review. | Quantitative work is triggered by its own legal, assurance, framework, contract, customer, or risk-management event. | Route intake using this trigger for standards implementation, regulatory response, assurance reports, framework mapping, customer requests, or operational remediation. |
| Core obligations | Qualitative assessment requires practical governance: scope, roles, risk or impact decisions, evidence, operating cadence, monitoring, review, and improvement. | Quantitative assessment expects its own required or recommended outcomes, which may include legal duties, assurance criteria, control objectives, profiles, or risk methodology. | Translate both sides into a single task register only after labeling which requirement or guidance source each task satisfies. |
| Evidence and records | Qualitative evidence should show the process operating: owners, decisions, registers, control records, test results, review minutes, audit samples, or corrective actions. | Quantitative evidence should match its own proof model, such as regulatory records, attestation evidence, framework profiles, risk analysis, or contractual assurance. | Build an evidence matrix with one row per claim and columns for source, owner, artifact, date, review trigger, and reuse permission. |
| Timing and cadence | Qualitative timing follows implementation, audit, certification, review, supplier, incident, or change cycles rather than a single universal deadline. | Quantitative timing follows the legal effective date, assurance period, framework version, contract milestone, or publication lifecycle that applies to that side. | Track dates separately so an ISO review cycle is not mistaken for a statutory deadline or an assurance reporting period. |
| Enforcement or assurance route | Qualitative assessment is usually tested through certification audits, internal audits, customer assurance, management review, or governance review, depending on how the organization adopts it. | Quantitative assessment may be enforced, audited, attested, assessed, or used voluntarily depending on whether it is law, assurance criteria, a framework, or guidance. | Separate audit readiness from legal compliance and from voluntary framework maturity so executives see the actual consequence of gaps. |
| Overlap and reuse | Qualitative assessment can supply reusable management-system evidence, control operation records, risk decisions, and review outputs. | Quantitative assessment can reuse some of that evidence when the control, process, risk, or duty is genuinely the same. | Reuse evidence only after checking scope, actor, date, data type, service, supplier, and acceptance criteria; otherwise keep separate records. |
| Practical decision rule | Use the qualitative method when the main work is building, operating, reviewing, or proving a management-system or standards-based control process. | Use the quantitative method when the main work is satisfying that side's law, assurance route, framework outcome, risk method, or external reporting expectation. | If both apply, keep the primary obligation visible and use the other side as supporting structure, not as a substitute source. |
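An added example, not part of the original table, showing the two paths side by side for one constructed risk: an ordinal likelihood-by-impact rating for the qualitative path, and the SLE = AV x EF, ALE = SLE x ARO calculation with a safeguard-value figure for the quantitative path. The 5x5 scales, rating bands, and the refusal to compute on unvalidated inputs are assumptions chosen for the illustration; the ALE formula is the standard one.

```python
from dataclasses import dataclass

# Constructed 5x5 ordinal scales: descriptive labels, no currency involved.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Rating = likelihood x impact on ordinal scales; the bands are an assumed policy choice."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class QuantInputs:
    asset_value: float      # AV: validated asset valuation, in currency units
    exposure_factor: float  # EF: fraction of AV lost per loss event, 0.0 to 1.0
    aro: float              # ARO: annualized rate of occurrence from loss-event data
    validated: bool         # True only when each input has passed data validation


def annualized_loss_expectancy(q: QuantInputs) -> float:
    """ALE = SLE x ARO with SLE = AV x EF; rejects unvalidated or out-of-range inputs."""
    if not q.validated:
        raise ValueError("quantitative path requires validated input data")
    if not 0.0 <= q.exposure_factor <= 1.0 or q.aro < 0 or q.asset_value < 0:
        raise ValueError("input out of range")
    sle = q.asset_value * q.exposure_factor
    return sle * q.aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual value of a safeguard: ALE reduction minus its annual cost (the budget-justification figure)."""
    return (ale_before - ale_after) - annual_control_cost


if __name__ == "__main__":
    # Constructed scenario: a customer database exposed to ransomware, before and after a control.
    print(qualitative_rating("possible", "major"))  # medium (3 x 4 = 12)
    before = QuantInputs(asset_value=2_000_000, exposure_factor=0.4, aro=0.5, validated=True)
    after = QuantInputs(asset_value=2_000_000, exposure_factor=0.4, aro=0.1, validated=True)
    ale_b = annualized_loss_expectancy(before)  # 400000.0
    ale_a = annualized_loss_expectancy(after)   # 80000.0
    print(ale_b, ale_a, control_value(ale_b, ale_a, 150_000))  # 170000.0
```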