Risk Quantification
Translating technical findings into financial impact
Risk quantification transforms technical findings into financial terms that deal teams can use for valuation adjustments and negotiation. It's the bridge between "here's what we found" and "here's what it means for the deal."
Why Quantification Matters
Technical jargon doesn't influence deal terms:
| What Technologists Say | What Deal Teams Hear | What Changes Deals |
|---|---|---|
| "High cyclomatic complexity" | "Technical stuff" | "$750K to remediate, 6 months" |
| "Legacy architecture" | "Old but working" | "$2M platform migration needed" |
| "Key person dependency" | "Need retention bonus" | "$500K knowledge risk if CTO leaves" |
| "Security vulnerabilities" | "Fixable issues" | "15% breach probability = $300K expected loss" |
Quantification Methodologies
1. Remediation Cost Estimation
The most straightforward approach—what will it cost to fix?
Formula:
Total Cost = (Engineering Hours × Loaded Rate) + Tools + External Resources + Contingency
| Component | Calculation | Example |
|---|---|---|
| Engineering Effort | Hours × $150-200/hour loaded | 2,000 hrs × $175 = $350,000 |
| External Consultants | Specialist time × rates | 400 hrs × $300 = $120,000 |
| Tools & Licenses | One-time + annual costs | $50,000 |
| Contingency (30-50%) | Base estimate × factor | $520K × 40% = $208,000 |
| Total | $728,000 |
2. Expected Value (Risk-Adjusted)
For uncertain outcomes, weight by probability:
Formula:
Expected Value = Probability × Impact
| Risk | Probability | Impact | Expected Value |
|---|---|---|---|
| Data breach | 15% | $4.5M | $675,000 |
| CTO departure | 30% | $500K | $150,000 |
| Compliance fine | 10% | $1M | $100,000 |
| Platform failure | 5% | $2M | $100,000 |
| Total Expected Loss | $1,025,000 |
3. Range Estimation (Three-Point)
For uncertainty, provide ranges:
Formula:
Expected = (Optimistic + 4×Most Likely + Pessimistic) / 6
| Scenario | Platform Migration Cost |
|---|---|
| Optimistic | $800,000 |
| Most Likely | $1,500,000 |
| Pessimistic | $3,000,000 |
| Expected | $1,633,000 |
Detailed Quantification Examples
Technical Debt Remediation
| Finding | Calculation | Cost |
|---|---|---|
| Test coverage 25% → 70% | 1,200 hrs × $175 | $210,000 |
| Refactor payment module | 800 hrs × $175 | $140,000 |
| Upgrade dependencies | 400 hrs × $175 | $70,000 |
| Documentation debt | 300 hrs × $175 | $52,500 |
| Contingency (40%) | $188,000 | |
| Total Technical Debt | $660,500 |
Security Remediation
| Finding | Approach | Cost |
|---|---|---|
| 15 critical CVEs | Emergency patching (2 weeks) | $35,000 |
| No SAST/DAST | Tool implementation + training | $75,000 |
| Missing SOC 2 | Certification process (6 months) | $150,000 |
| Penetration testing | Initial + annual | $40,000 |
| Security team hire | 1 FTE security engineer | $180,000/year |
| Year 1 Security Investment | $480,000 |
Key Person Risk
| Person | Departure Probability | Impact if Leaves | Expected Value |
|---|---|---|---|
| CTO (founder) | 20% | $600K (replacement + transition) | $120,000 |
| Lead Architect | 35% | $400K | $140,000 |
| Sr Engineer (DB expert) | 40% | $250K | $100,000 |
| Total Key Person Risk | $360,000 |
Mitigation: Retention packages totaling $200K can reduce expected value by 50%.
Platform Migration
| Component | Cost |
|---|---|
| Migration engineering (8 FTE × 12 months) | $1,680,000 |
| New infrastructure (first year) | $240,000 |
| Parallel running period (3 months) | $120,000 |
| Training and documentation | $80,000 |
| Business disruption buffer | $200,000 |
| Contingency (35%) | $812,000 |
| Total Migration Cost | $3,132,000 |
Presenting Financial Impact
Time-Phased Summary
| Timeframe | Category | Investment Required |
|---|---|---|
| Immediate (0-6 months) | Critical security fixes | $125,000 |
| Key person retention | $200,000 | |
| Compliance gaps | $150,000 | |
| Short-term (6-18 months) | Technical debt remediation | $660,000 |
| Security program build-out | $280,000 | |
| Long-term (18+ months) | Platform modernization | $2,500,000 |
| Total Technology Investment | $3,915,000 |
Deal Impact Summary
Structure recommendations for deal team:
- Purchase Price Adjustment: $X based on certain remediation costs
- Escrow/Holdback: $Y for uncertain risks with defined triggers
- R&W Insurance: Consider for $Z of residual risk
- Earnout Adjustment: If technology milestones at risk
Confidence Levels and Caveats
Always communicate uncertainty:
| Confidence | When to Use | Range Width |
|---|---|---|
| High (±15%) | Well-understood, similar prior work | $850K - $1.15M |
| Medium (±30%) | Reasonable estimates, some unknowns | $700K - $1.3M |
| Low (±50%) | Many unknowns, limited access | $500K - $1.5M |
Key Takeaway: Quantification requires judgment and assumptions—be transparent about methodology and confidence levels. Always provide ranges rather than false precision. A good estimate with caveats is more valuable than a precise-looking number with hidden assumptions.