The problem with any risk assessment approach whether qualitative or quantitive, lies in estimating the scope (how widespread the outcome the outcome might be) and scale (how significant it may be).
Often, looking outside of "traditional" approaches to organisational risk management cab be helpful. For instance, the area of earthquake prediction provides some helpful insights - areas that are most prone to earthquakes display common traits in the underlying geology and structural fault lines. This allows the identification of locations that are most EXPOSED to earthquakes because of factors such as geological profile and proximity to things like volcanos. However, even with the benefit of highly sophisticated sensor and data gathering technology, a wealth of reliable data gathered over decades and millions invested each year, scientists are still not in a position predict WHEN an earthquake will occur and how strong it will be EVEN WHEN TREMORS ARE INITIALLY DETECTED. the fact is, predicting earthquakes is very, very difficult both in terms of when and how bad they can be
What does this mean for corporate operational managers? We need to stop trying to "divine" risk predictions and move towards an approach where we can understand our intrinsic exposure to threats, based on focusing on understanding the conditions that allow threats to manifest themselves. For instance, government agencies in certain countries will be aware that different regions of their country, based on geological profile, are more EXPOSED to earthquakes than others. The exposure to such threats is mitigated by things such as building regulations, warning systems and specialised emergency response capabilities. Like wise, in terms of operational risk, we need to know what threats our data, people, premises & supply chain are EXPOSED to and what an exposed position actually looks like.
So as a particular type of terrain might be more exposed to earthquake than another based on its' geological profile, so we need to understand when our operational processes are potentially developing the kind of fault lines that could develop into significant failure. This approach leads towards identifying EXPOSURE rather than trying to guess