
How do risk rating methods work?

Rating a risk is inherently subjective, because each user decides which level to assign to it.

Now, with Pirani you will be able to rate your risks under the direct method or by variables, to help you reduce the subjectivity in risk rating.

→ You can access this update in the Enterprise plan.

Learn key terms here before using the parameterization module.

How to parameterize risk ratings?

1. Within the “Parameterization” module, click on the “Risk Rating” section.

2. Here you must choose the type of calculation that the rating will use: “By Average” or “By Highest Rating.”

  • By Average: a weighted average is calculated among the variables that have been assigned a value.
  • By Highest Rating: the variable with the highest value is selected, considering both its rating and its weight.

Remember: Each type of rating is independent.

3. You can define the rating type for “Impact” (direct or by variables) and “Frequency” (direct, by variables, or by causes).

Available ratings for “Impact”

Available ratings for “Frequency”

4. Define the “Impact” and “Frequency” variables according to your organization’s requirements.

We offer the following models:

Direct qualification

Qualitative direct risk rating
Maintains the traditional approach used by most risk management models and uses the levels from your heat map. Applies to both Impact and Frequency variables.


Remember: No additional configurations are required for this type of rating.

Quantitative direct risk rating by Impact
The evaluation window is set to 12 months by default. You can adjust the evaluation window to 6, 12, 24, or 36 months, depending on how the system will use the risk history to suggest the rating during the assessment.

Additionally, the “Levels” and “Weight” come from the heat map. Keep in mind that you cannot modify them directly; if you want to make adjustments, you will need to go to the heat map parameterization and return.

For this type of rating, you will need to define the monetary impact ranges for each variable in order to save and execute the configuration.

Remember: The ranges must be incremental and must not overlap to ensure correct data interpretation. Use the following image as a reference.

Quantitative direct risk rating by Frequency

Adjust the respective values according to the number of materialized events, and remember that the values must always be incremental.

Qualification by variables

Qualitative variable-based rating for Impact and Frequency
Maintains the traditional approach used by most risk management models that utilize variables in their analysis. For each variable, you must assign a percentage weight and configure the different heat map levels using the pencil/edit option.

To correctly configure a variable, follow these steps:

Step 1: Click on “Create Variable.”

Step 2: Provide a name, a weight for the variable, and a description.

Step 3: Review the linked heat map levels and create a description to provide a more objective guide when rating your risks.

Step 4: Click “Create.”

Remember: The sum of the weights of all variables must equal 100% in order to save the configuration.

Quantitative variable-based rating by Impact
If a quantitative variable-based rating with a suggested loss distribution is selected, the loss can be redistributed so that the sum of the relative shares equals 100%.

A warning icon will appear next to the pencil, indicating that you need to define ranges for each heat map level.

Step 1: Proceed to edit each variable using the pencil icon.

Step 2: You will see a new column called “Impact” (average COP over the number of months you defined as the evaluation window). Here, you must define the ranges for each heat map level.

For correct range distribution, remember that the values must be incremental and distinct from one another.

Step 3: Once the changes are configured and saved, you will be able to view the variable with its established ranges.

Remember that the sum of both the loss distribution and the weight must equal 100% in order to save the configuration.

Step 4: The evaluation will appear as follows: when applying the variables quantitatively, the system will suggest a “New Rating” along with a justification. If your risk does not have associated losses, it will suggest the same rating.
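The checks and the two calculation types described above, sketched in Python as an added example (not Pirani's own code). The variable names, weights and monetary ranges are constructed. Treating ranges as half-open, skipping unrated variables, rounding the average half up, and reading “By Highest Rating” as the largest level × weight are all assumptions made for illustration.

```python
# Added illustration, not Pirani code. Levels, weights and amounts are constructed.

def validate_ranges(ranges):
    """ranges: [(level, low, high)] ordered by heat map level, treated as [low, high)."""
    errors, prev_high = [], None
    for level, low, high in ranges:
        if low >= high:
            errors.append(f"level {level}: range is not incremental ({low} >= {high})")
        if prev_high is not None and low < prev_high:
            errors.append(f"level {level}: starts at {low}, overlaps range ending at {prev_high}")
        prev_high = high
    return errors

def validate_weights(weights):
    """The configuration can only be saved when the weights total 100%."""
    total = sum(weights)
    return [] if total == 100 else [f"weights sum to {total}%, expected 100%"]

def level_for(amount, ranges):
    """Map an average loss over the evaluation window to one heat map level."""
    for level, low, high in ranges:
        if low <= amount < high:
            return level
    return None  # amount falls outside every configured range

def rate_by_average(ratings):
    """ratings: [(level or None, weight)]. Unrated variables are skipped (assumption)."""
    rated = [(lvl, w) for lvl, w in ratings if lvl is not None]
    avg = sum(lvl * w for lvl, w in rated) / sum(w for _, w in rated)
    return int(avg + 0.5)  # round half up to a whole level (assumption)

def rate_by_highest(ratings):
    """Pick the variable with the largest level * weight, return its level (assumption)."""
    rated = [(lvl, w) for lvl, w in ratings if lvl is not None]
    return max(rated, key=lambda r: r[0] * r[1])[0]

# Constructed sample: monetary ranges for one variable, five heat map levels.
FINANCIAL = [(1, 0, 1_000_000), (2, 1_000_000, 5_000_000), (3, 5_000_000, 20_000_000),
             (4, 20_000_000, 50_000_000), (5, 50_000_000, float("inf"))]
# (level, weight %) for the constructed variables Financial, Reputational, Legal
RATINGS = [(level_for(3_000_000, FINANCIAL), 50), (4, 30), (5, 20)]

if __name__ == "__main__":
    print(validate_ranges(FINANCIAL), validate_weights([w for _, w in RATINGS]))
    print("by average:", rate_by_average(RATINGS))
    print("by highest:", rate_by_highest(RATINGS))
```

With this sample the two calculation types disagree: the weighted average lands on level 3, while the highest level × weight product belongs to the 30% variable rated 4, not to the 20% variable rated 5.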

Mixed-variable risk rating by Impact

In this rating, you can select only the variables you want to evaluate and assign a loss distribution. Additionally, in the “Actions” column under the pencil icon, you must adjust the rating ranges for the selected variable. This will be reflected in the evaluation, showing the suggested new quantitative rating previously selected, along with its justification.

Step 1: To make a variable quantitative, click the check box in the “Quantify” column.


Step 2: When you select a variable to quantify, the “Loss Distribution” column will become editable, where you must assign a weight between 0 and 100%.
Keep in mind that the sum of all quantifiable variables must equal 100%.

Step 3: Fill in the quantifiable ranges for the selected variable in the edit form. You can do this using the pencil icon in the “Actions” column.

Step 4: Once all the ranges are configured, click “Save Changes” or “Create” if you are creating a new variable.

Mixed-variable risk rating by Frequency

In this rating, you can select only one variable to assign the entire loss percentage. Additionally, unlike the mixed-variable rating by Impact, the ranges are defined by materialized events for each level of the heat map.

Adjust the frequency ranges for each rating variable and save the changes to apply the configuration.

Cause-based rating for Frequency

The “By Causes” rating method allows you to rate only the frequency of the risk, based on its causes.
Important: This configuration only affects the frequency of new risks or risks that are being edited. Risks created previously will retain their existing rating.




Step 1: After selecting the rating type, click “Save.”
In this section, you can create the probability levels of occurrence for the causes.

Step 2: Click the “Create Range” button and create the levels you consider appropriate by choosing a percentage between 0–100.

Important: You can edit the created ranges; however, if you are going to delete an existing level or range that has been used, you must replace it with another existing level within the variable, because the frequency cannot remain unrated.

For the cause-based rating, you must also choose the type of calculation: by Average or by Highest Rating. Finally, to apply the parameterization, click the green “Save” button.

How to set the rating method when creating a risk

When creating a risk, the pop-up window will display the “Impact” and “Frequency” fields, which can be defined individually as direct or by variables.

If By Variables is selected: a list of all the variables configured in the tool will be displayed, allowing for both qualitative and quantitative ratings, along with a description that helps provide an objective evaluation.

If Direct is selected: the list will display all the variables from the heat map determined by the organization, without providing further details for each of them.

If By Causes is selected: when choosing the frequency during the creation or editing of a risk, you will find the cause-based rating option.

Here, you can associate the causes previously created with your risk.

After associating the corresponding causes, you must assign a rating to each of the associated causes. The rating options are those previously created in your organization’s parameterization section.

After rating each of the causes, click Save, and you will now be able to see your risk on the heat map.

Key Terms to Know After Using the Module

What are the risk ratings?

Impact and Frequency Variables:

Direct: This is the global way of rating risk, using the current list composed of impact and frequency variables. This method does not provide insight into which perspective or elements are being evaluated, making the rating subjective.

Qualitative Direct: Maintains the traditional approach used by most risk management models. In this method, each risk is rated based on two dimensions: Impact and Frequency (probability of occurrence). A heat map with predefined categories is used (e.g., insignificant / minor / moderate / major / catastrophic, according to the organization’s scale). The combination of the categories assigned to impact and frequency determines an overall risk level. This approach relies on expert judgment, qualitative criteria, or past experience, making it ideal for organizations that require an agile, interpretable, and easy-to-implement method when reliable numerical data is not available.

Quantitative Direct: A risk assessment method in which numerical values, especially estimates of expected (or potential) losses, are assigned for each identified risk, and the frequency of occurrence is quantified. Using this data, an objective risk value is calculated (e.g., expected loss, estimated cost, economic exposure), allowing for a more precise and objective determination of risk level. This approach prioritizes risks based on their estimated real impact, facilitates data-driven decision-making, and reduces the subjectivity inherent in qualitative methods. It is especially useful for organizations with mature risk management practices and resources to collect historical data, model scenarios, and assign estimated loss amounts.

By Variables: The risk rating is performed based on parameterized variables, analyzing the risk from different dimensions.

Quantitative Variable: In a quantitative risk assessment approach, this refers to each impact variable—such as financial, operational, reputational, legal, or environmental—for which a numerical value is available (or can be estimated). In other words, a quantitative variable expresses the risk impact in measurable units (e.g., monetary loss, number of resources affected, percentage variation, downtime hours, physical units, etc.).
This method is particularly useful when the organization has historical data or can estimate concrete impacts, aiming for an objective risk evaluation.

Qualitative Variable: Evaluates each risk by breaking it down into its different impact dimensions or variables (e.g., financial, reputational, operational, legal, etc.), assigning a qualitative rating to each variable (e.g., insignificant / minor / moderate / major / catastrophic; or low / medium / high), as well as a qualitative rating of frequency when applicable. This methodology allows for a more detailed analysis of the multiple consequences of a risk, describing how it affects each dimension separately. Category selection is based on expert judgment, predefined criteria, or institutional experience, making it agile, transparent, flexible, and suitable when reliable quantitative data is unavailable. The outcome provides a more granular view of the risk, identifying the most critical dimensions, though without providing a precise numerical loss estimate.

Mixed Variable: In a variable-based risk assessment approach, this method allows some variables (both impact and frequency) to be measured quantitatively, with numerical values, historical data, or measurable estimates, while other variables are rated qualitatively, using categories, descriptors, or expert judgment. This way, when not all risk dimensions can be reliably quantified, measurable and subjective elements are combined, ensuring flexibility, realism, and completeness in the evaluation. This hybrid approach (qualitative + quantitative) balances objectivity and practicality, allowing the assessment to be rigorous while incorporating qualitative criteria when information is limited.

By Causes: The risk rating is performed based on parameterized descriptors, analyzing the risk according to its related causes. This method allows rating only the frequency of the risk through its causes.