
Quantitative risk assessment (FAIR)

Use the FAIR model to quantify AI risks in financial terms with ALE calculations, industry benchmarks, and ROI analysis.

Overview

Qualitative labels like "high" or "low" tell you something about a risk, but they do not tell you what it could actually cost. Quantitative risk assessment fills that gap. It uses the FAIR methodology (Factor Analysis of Information Risk) to put a dollar figure on each risk in your register: how much you stand to lose per year and whether your controls justify their cost.

Once enabled, every risk gains a Quantitative tab. You enter event frequency, loss estimates across four categories, control effectiveness, and mitigation cost. VerifyWise runs the math in real time and shows your Annualized Loss Expectancy, residual exposure, and ROI right at the top of the form.

Enabling quantitative assessment does not replace qualitative scoring. Severity and likelihood ratings stay in place. You get both views on every risk.

Turning it on

This is an organization-wide setting. An admin needs to flip the switch before anyone can use it.

  1. Go to Settings in the sidebar
  2. Open the Features tab
  3. Toggle "Quantitative risk assessment" on
  4. A Quantitative tab now appears whenever you create or edit a risk

Only admins can change this setting. Other roles can see the toggle but cannot switch it.

How the FAIR math works

FAIR is a widely adopted framework for expressing risk in monetary terms. VerifyWise uses a simplified version built around four calculations:

  • PERT estimate: Takes your min, most likely, and max values and produces a weighted average: (min + 4 x likely + max) / 6. The formula gives more weight to the most likely outcome while still accounting for the extremes.
  • Annualized Loss Expectancy (ALE): Your expected yearly loss. Multiply the PERT of your event frequency by the total PERT loss across all four categories.
  • Residual ALE: What remains after your controls take effect. If you rate your controls at 70% effective, residual ALE drops to 30% of the original.
  • Return on Investment (ROI): Tells you whether mitigation spending pays for itself. The formula is ((ALE minus Residual ALE) minus mitigation cost) / mitigation cost x 100. Positive means your spend is justified; negative means you are paying more for controls than the risk reduction you get back.

Walking through the form

Open any risk and click the Quantitative tab. The form has five sections. The Risk Exposure Summary sits at the top and recalculates as you type.

Risk Exposure Summary

A live dashboard at the top of the form. It shows Total Loss (PERT), ALE, Residual ALE, and ROI. Until you enter numbers, it displays a placeholder. Once you start filling in values, the metrics update with every keystroke.

Starting from a benchmark

You do not have to estimate from zero. Pick an industry benchmark from the dropdown and VerifyWise fills in all fifteen frequency and loss fields for you. There are 19 benchmarks across six industries, drawn from published regulatory penalty data and incident reports.

  • Cross-Industry: EU AI Act prohibited practices, high-risk system non-compliance, governance failures, data quality issues, deepfake and synthetic media
  • Technology: Hiring bias, training data privacy breaches, adversarial attacks, supply chain compromise, IP infringement
  • Financial Services: Lending bias, data breaches, model failure in critical decisions, transparency failures
  • Healthcare: Diagnostic bias, patient data breaches, model failure in clinical diagnosis
  • Automotive & Transport: Autonomous system failure
  • Government: Transparency failures in public-facing AI services

Benchmarks give you a calibrated starting point, not a finished assessment. Adjust the numbers after applying one to reflect your organization, risk appetite, and scale.

Event frequency

How often do you expect this risk event to happen each year? Enter three values:

  • Min: Best case. The lowest realistic frequency.
  • Most likely: Your best single estimate of actual frequency.
  • Max: Worst case. The highest realistic frequency.

A frequency of min 0.1, most likely 0.3, max 0.8 means you expect the event roughly once every three years on average, with a range from once in ten years to about once every fifteen months.

Loss magnitude

For each occurrence, estimate the cost across four categories. Each one takes a min, most likely, and max value.

  • Regulatory fines: What regulators could charge you. GDPR penalties run up to 4% of global turnover; EU AI Act fines can reach 7% or EUR 35M.
  • Operational costs: What it takes to respond and recover internally: staff hours, system fixes, downtime.
  • Litigation costs: Legal fees, settlements, and court judgments.
  • Reputational damage: Lost customers, eroded brand value, and foregone revenue from negative coverage.

Mitigation and ROI

With your exposure estimated, gauge the value of your defenses:

  • Control effectiveness: Drag the slider from 0% (no controls at all) to 100% (risk fully contained). This directly shrinks your Residual ALE.
  • Annual mitigation cost: Enter what you spend each year on the controls. VerifyWise uses this to calculate whether the investment pays for itself.

Green ROI means your controls save more than they cost. Red ROI means the spend exceeds the risk reduction. Neither is automatically wrong, but red deserves a second look.
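The four calculations from "How the FAIR math works" applied to the form fields described above, as an added Python illustration that is not VerifyWise's own code. The frequency values are the guide's own example (0.1 / 0.3 / 0.8); the loss figures, the 70% control effectiveness, the 50,000 mitigation cost and all function names are constructed for this example.

```python
from dataclasses import dataclass

LOSS_CATEGORIES = ("regulatory", "operational", "litigation", "reputational")


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (min, most likely, max) as entered in each form field."""
    low: float
    likely: float
    high: float

    def pert(self) -> float:
        # Weighted average favouring the most likely value: (min + 4 x likely + max) / 6
        if not 0 <= self.low <= self.likely <= self.high:
            raise ValueError("estimate must satisfy 0 <= min <= most likely <= max")
        return (self.low + 4 * self.likely + self.high) / 6


def total_loss_pert(losses: dict[str, Estimate]) -> float:
    """Per-occurrence loss: the sum of the PERT values of the four loss categories."""
    return sum(losses[category].pert() for category in LOSS_CATEGORIES)


def assess(frequency: Estimate, losses: dict[str, Estimate],
           control_effectiveness: float, mitigation_cost: float) -> dict:
    """Reproduce the Risk Exposure Summary: Total Loss (PERT), ALE, Residual ALE, ROI."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness is a fraction between 0 and 1")
    total_loss = total_loss_pert(losses)
    ale = frequency.pert() * total_loss          # events per year x loss per event
    # Controls rated 70% effective leave 30% of the ALE as residual exposure.
    residual = ale * (1.0 - control_effectiveness)
    # ROI = ((ALE - Residual ALE) - cost) / cost x 100; undefined when nothing is spent.
    roi = None if mitigation_cost <= 0 else ((ale - residual) - mitigation_cost) / mitigation_cost * 100
    return {"total_loss": total_loss, "ale": ale, "residual_ale": residual, "roi_percent": roi}


# Constructed sample: frequency from the guide's example; loss figures invented for illustration.
SAMPLE_FREQUENCY = Estimate(0.1, 0.3, 0.8)
SAMPLE_LOSSES = {
    "regulatory": Estimate(60_000, 150_000, 540_000),
    "operational": Estimate(30_000, 75_000, 270_000),
    "litigation": Estimate(0, 30_000, 120_000),
    "reputational": Estimate(20_000, 60_000, 100_000),
}

if __name__ == "__main__":
    print(assess(SAMPLE_FREQUENCY, SAMPLE_LOSSES, control_effectiveness=0.70, mitigation_cost=50_000))
```

With these inputs the summary reads Total Loss 400,000, ALE 140,000, Residual ALE 42,000 and ROI 96%; setting the mitigation cost to zero yields no ROI rather than a division error.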

Portfolio view on the dashboard

Once you have at least one quantified risk, three new cards appear on the main dashboard:

  • AI portfolio exposure: Total ALE across every quantified risk, residual exposure, how much your controls have reduced the total, what you spend on mitigation, and your aggregate ROI.
  • Exposure trend (90 days): Two lines tracking total ALE and residual ALE over the past three months so you can see whether things are improving.
  • Loss category breakdown: Shows which of the four loss types (regulatory, operational, litigation, reputational) accounts for the largest share of your exposure.

Where this fits in compliance

Putting numbers to risk is not just good practice. Several frameworks require or strongly encourage it:

  • EU AI Act: Articles 9, 14, 15, and 99 call for documented risk management, human oversight, robustness testing, and proportionate penalties. Financial quantification strengthens every one of those requirements for high-risk systems.
  • ISO 42001: Clause 8.2 asks organizations to assess the likelihood and consequences of AI risks. FAIR-based estimates give you a structured, defensible way to meet that.
  • NIST AI RMF: The Map and Measure functions expect you to characterize risks and track their impacts over time. ALE and residual ALE give you the numbers to do that.
  • GDPR: Data protection impact assessments are sharper when you can attach a financial estimate to a potential breach, especially for risks involving training data.

Getting the most out of it

  1. Start from a benchmark, then adjust. The pre-loaded numbers come from published penalty data and real incidents, so they are a solid baseline. Tailor them to your size and context.
  2. Do not pretend you know more than you do. Wide min-max ranges are honest; artificially narrow ranges create a false sense of precision.
  3. Revisit every quarter. Regulations shift, models get updated, and new threat patterns emerge. Stale numbers are worse than no numbers.
  4. Use ALE to prioritize. When two risks compete for budget, the one with a higher ALE usually deserves attention first.
  5. Watch the trend chart. If your total ALE keeps climbing despite mitigation spending, something is not working.
Quantitative risk assessment (FAIR) - Risk management - VerifyWise User Guide