Page 92 - CISSO_Prep_ Guide
anonymously and confidentially, preferably without discussing their answer with any other participant. The responses are then collected and redistributed to everyone so that all participants can see all of the responses. The participants are then asked to rank the top priorities amongst all the responses. Everyone gets to contribute and work together towards a consensus and plan of action. This may overcome the disadvantage of a facilitated workshop, where only select people may be invited and where one influential person can push their opinion onto the entire group.
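As an added illustration (not from the guide), the following Python aggregates the anonymous rankings collected in a round like the one described above: each participant's ordering is scored so that no single voice dominates, the combined order gives the priority list, and a spread measure flags the risks on which the group still disagrees and which should go back out for another round. The risk labels, participant responses and the disagreement threshold are constructed assumptions.

```python
"""Aggregate anonymous priority rankings into a consensus order."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample input: four anonymous participants, each ranking five
# hypothetical risks from most serious (index 0) to least serious.
RESPONSES = [
    ["ransomware", "phishing", "insider", "ddos", "vendor-breach"],
    ["phishing", "ransomware", "vendor-breach", "insider", "ddos"],
    ["ransomware", "vendor-breach", "phishing", "ddos", "insider"],
    ["vendor-breach", "ransomware", "phishing", "insider", "ddos"],
]


def borda_scores(responses):
    """Return {risk: total}; a risk ranked first of n earns n-1 points, last earns 0."""
    scores = defaultdict(int)
    for ranking in responses:
        n = len(ranking)
        if len(set(ranking)) != n:
            raise ValueError("each ranking must list every risk exactly once")
        for position, risk in enumerate(ranking):
            scores[risk] += n - 1 - position
    return dict(scores)


def consensus_ranking(responses):
    """Risks ordered from highest to lowest aggregate priority (ties alphabetical)."""
    scores = borda_scores(responses)
    return sorted(scores, key=lambda r: (-scores[r], r))


def disagreement(responses, risk):
    """Population std. dev. of the positions given to one risk; 0.0 = full agreement."""
    positions = [ranking.index(risk) for ranking in responses]
    return pstdev(positions)


def needs_another_round(responses, threshold=1.0):
    """Risks whose position spread exceeds the threshold, to be redistributed."""
    return [r for r in consensus_ranking(responses)
            if disagreement(responses, r) > threshold]


if __name__ == "__main__":
    for risk in consensus_ranking(RESPONSES):
        print(f"{risk:15s} score={borda_scores(RESPONSES)[risk]:2d} "
              f"spread={disagreement(RESPONSES, risk):.2f}")
    print("revisit next round:", needs_another_round(RESPONSES))
```

With the sample data the group clearly agrees that ransomware leads, while vendor-breach was ranked anywhere from first to last and is the one item flagged for a further round.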
The result of a qualitative risk assessment is a ranking of the most serious risks to the organization. It indicates the priorities: the risks that must be addressed immediately, as compared to the risks that can be addressed over a longer period as resources and opportunities become available, and the risks that may simply be acknowledged and accepted.
Problems with Qualitative Risk Assessment
The problem with qualitative risk assessment is that it does not indicate the monetary cost of risk, and yet the selection of controls must consider the cost of a control versus its benefit in reducing the monetary value of the risk. This makes it hard to convince senior management to spend the money necessary to deal with the risk without being able to show any financial data or concrete results. As with all risk assessments, it is partially guesswork. An event may not happen for years and then may happen several times in one month. It is nearly impossible to predict the true cost of an incident, especially in a world of social media and unpredictable levels of media attention. As is often said, if you have an incident, hope