=====Data quality risk analysis=====

===Definition===
A data quality risk analysis is a [[[general_term/risk_analysis|risk analysis]] with regards to [[data_quality_general:data quality|data quality]].

===Note===
Objective of a DQMS is that the [[data_quality_management_system/data_quality_requirement|data quality requirements]] are met. A risk analysis shows which situations or events could lead to these objectives not being met and which measures should be taken to reduce the risk to an acceptable level.

===Purpose===
Purpose of a risk analysis is to determine actions that prevent [[data_quality_management_system:data_quality_issue|data issues]].

===Life cycle===
^ Phase  ^ Activity                                             ^
| Plan   | * Plan risk analysis                                 |
| Do     | * Compose a risk analysis\\ * Use the risk analysis  |
| Check  | * Review/Evaluate risk analysis\\ * Audit risk analysis       |
| Act    | * Update risk analysis                               |

===Characteristics===
^ Characteristic  ^ Requirement                                                           ^
| Completeness    | The risk analysis contains the most important situations and events.  |
| Effectiveness   | The risk analysis leads to preventive actions that produce results.   |


===Relations===
| Data quality risk analysis  | is an element of a   | [[data_quality_general/data_quality_management_system|data quality management system]]  |
| Data quality risk analysis  | is aimed at meeting  | [[data_quality_management_system/data_quality_requirement|data quality requirements]]   |
| Data quality risk analysis  | prevents             | [[data_quality_management_system:data_quality_issue|data issues]]                       |
| Data quality risk analysis  | is assessed in a     | [[data_quality_management_system/internal audit|internal audit]]                        |
| Data quality risk analysis  | is discussed in the  | [[data_quality_management_system/management review|management review]]                  |
| Data quality risk analysis  | leads to             | [[data_quality_general/preventive_action|preventive action]]                            |

===Method===

A risk analysis consists of the next elements:
  - Asset that has effect on the objectives, e.g., supplier, input file, producer, applications, infra structure, communication, procedures, metadata, etc.
  - Situation with regard to the asset that can cause an event
  - Event that can take place that has a negative effect on the objectives
  - [[general_term/measure|Measures]] already taken to prevent or correct the situation or event
  - Exposure: frequency that the situation can occur
  - Probability: chance that the event will take place
  - Severity: gravety of the effect on the objectives
  - Risk-index: Exposure x Likelyhood x Severity
  - Additional [[general_term/measure|measures]] needed to decrease the risk-index if the risk index is too high (preventive actions).
The Fine and Kinney method shows which values should be assigned to exposure, probability and severity.

==Exposure (E)==
The factor exposure indicates the duration that a risk can occur. The scale varies from 0.5 to 10.\\ 
  * 0,5 Very rarely (less than once a year)
  * 1 Rarely (yearly)
  * 2 Sometimes (monthly)
  * 3 Occasionally (weekly)
  * 6 Frequently (daily)
  * 10 Constantly (multiple times a day)

==Probability (P)==
The probability or (mathematical) chance an incident will occur. The expectation is represented by ascribing a value from 0.1 to 10.
  * 0,1 Next to impossible / unthinkable
  * 0,2 Almost unimaginable
  * 0,5 Highly unlikely, but conceivable
  * 1 Unlikely, but possible in the long term
  * 3 Unusual (but possible)
  * 6 Possible
  * 10 To be expected

==Severity (S)==
The factor severity indicates the possible damage, effects and consequences linked to a hazard. The scale reaches from 1 to 40.
  * 1 Slight effect
  * 3 Important effect
  * 7 Severe effect
  * 15 Very severe effect
  * 40 Disaster

==Risk-index (R)==
The result of multiplying the parameters defines the risk-index: R = S x E x P.

==Classification Risk-index==
  * R < 21 Slight risk; acceptable
  * 21 < R = 71 Little risk; attention required
  * 71 < R = 201 Moderate risk; apply simple measures
  * 20 < R = 401 High risk; apply large measures immediately
  * R > 401 Risk is too high; stop activities / operations

===Example===
Objective: Timely reporting to an external party.

^ Asset          ^ Situation   ^ Event               ^ Measures taken      ^ Exposure  ^ Probability  ^ Severity  ^ Risk-index   ^ Additional measures    ^
| Data supplier  | Unreliable  | Delayed delivery    | SLA                 |  3        |  6           |  7        |  126 (high)  | Meet supplier monthly  |
| Application    | Unavailble  | Delayed processing  | Incident procedure  |  3        |  0,5         |  1        | 1,5   (slight)       | None                   |


===Reference===
Euronorm. [[https://www.euronorm.net/content/ce-marking/category/risk-analysis/fine-and-kinney-method.php|Fine and Kinney Method]].

{{tag>All DQMS}}