Risk Analysis is a systematic way to fully assess risks, to get transparency into complexity and to address uncertainties or knowledge gaps. It facilitates making Risk Management decisions and communicating about risk. It comprises three components:
Risk Analysis involves the identification and quantification of events that could trigger losses for an organization. These events could be well outside of the normal issues experienced by a business, such as the possibility of a 100-year flood, an earthquake, or the expropriation of a facility in another country. Once these events have been identified, the risk analysis process is used to estimate the probability of occurrence and the amount of loss associated with each event. This step is intended to locate those events that will have the most serious negative impact on the firm. The results of this analysis can then be incorporated into a risk management process, where a range of risk mitigation actions are formulated. For example, certain activities can be avoided or insurance can be purchased to shift the risk to a third party.
When to Use Risk Analysis
When is Risk Analysis Used?
Risk analysis is useful in many situations:
- In planning projects, it helps anticipate and neutralize possible problems.
- In deciding whether or not to move forward with a project.
- In improving safety and managing potential risks in the workplace.
- In preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
- In planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.
Risk Analysis Methods
What Methods are Used in Analyzing Risk?
There are three kinds of methods used for determining the level of risk of our business.
- Qualitative Methods: This is the kind of risk analysis method most often used for decision making in business projects; entrepreneurs base themselves on their judgment, experience and intuition for decision making. These methods can be used when the level of risk is low and does not warrant the time and resources necessary for making a full analysis. These methods are also used when the numerical data available are not adequate for a more quantitative analysis that would serve as the basis for a subsequent and more detailed analysis of the entrepreneur’s global risk. The qualitative methods include:
- Semi-Quantitative Methods:
  - Word classifications are used, such as high, medium or low, or more detailed descriptions of likelihood and consequences.
  - These classifications are shown in relation to an appropriate scale for calculating the level of risk. We need to give careful attention to the scale used in order to avoid misunderstandings or misinterpretations of the results of the calculation.
- Quantitative Methods: Quantitative methods are considered to be those that enable us to assign values of occurrence to the various risks identified, that is, to calculate the level of risk of the project. Quantitative methods include:
  - Analysis of likelihood
  - Analysis of consequences
  - Computer simulation
The development of these measurements can be effected by means of different mechanisms, among which we note particularly the Monte Carlo Method, which is characterized by:
- A broad vision in order to show a range of possible scenarios
- Simplicity in putting it into practice
- Suitability for performing computer simulations
Risk Analysis Process
The Process of Risk Analysis
The process of risk analysis includes identifying and quantifying uncertainties, estimating their impact on outcomes that we care about, building a risk analysis model that expresses these elements in quantitative form, exploring the model through simulation and sensitivity analysis, and making risk management decisions that can help us avoid, mitigate, or otherwise deal with risk.
- Identify and Quantify Uncertainty: In risk analysis, our goal is to identify each important source of uncertainty, and quantify its magnitude as well as we can. For example, we may not know our competitor's exact price, but we can place bounds on it, based on known production and marketing costs. While we can't predict the exact number of people shopping at a store each day, we can examine past data for the frequency of days when (say) 10, 20, 30, ..., 100 people shopped, and use this to estimate a distribution of shoppers on future days. This process of identifying and quantifying uncertainties is a key step in risk analysis.
- Compute the Impact of Uncertainty: Our next step is to accurately estimate the impact of the uncertainties on the outcomes we care about. For example, we may not be able to predict demand for our product exactly; but given a number for demand, since we know our costs and margins, we can often calculate the impact on our Net Profit. We may not know the exact number of shoppers on any future day; but given a number of shoppers, we can calculate how many store salespeople we need to service them, and estimate the sales we're likely to generate. In doing this, we build a model that allows us to compute "outputs" -- outcomes such as Net Profit -- for any given "inputs".
- Complete a Risk Analysis Model: If we can complete these steps, we'll have a risk analysis model (or simply risk model). The model has inputs which are uncertain -- these may be called uncertain variables, random variables, assumptions, or simply inputs. For any given set of input values, the model calculates outputs -- outcomes such as Net Profit. Unlike other kinds of models, a risk analysis model requires us to think in ranges: Because the inputs are uncertain and may take on many different values, the outputs are also uncertain and may take on a range of values. If management asks, "Give me a number for next year's sales", a risk analyst must respond that a single number is not going to be meaningful -- it will defeat the purpose of risk analysis.
- Explore the Model with Simulation: We can use our risk model in several ways -- but one effective way is to explore the possible outcomes using simulation. Simulation performs many (thousands of) experiments or trials -- each one samples possible values for the uncertain inputs, and calculates the corresponding output values for that trial. The first run of a simulation model can often yield results that are surprising to the modelers or to management -- especially when there are several different sources of uncertainty that interact to produce an outcome. Even before an in-depth analysis of the results, simply seeing the range of outcomes -- for example, how low and how high Net Profit can be, given our model and sources of uncertainty -- can encourage a re-thinking of the risks we face, and the actions we can take.
- Analyze the Model Results: Because a simulation yields many possible values for the outcomes we care about -- from Net Profit to environmental impact -- some work is needed to analyze the results. For instance, we can summarize the range of outcomes using various kinds of statistics, such as the mean or median, the standard deviation and variance, or the 5th and 95th percentiles or Value at Risk. It is also very useful to create charts to help us visualize the results -- such as frequency charts and cumulative frequency charts.
- Make Decisions to Better Manage Risk: The payoff comes when we use our risk analysis model and simulation results to make choices or decisions, that may help us avoid or mitigate risk -- or perhaps earn greater returns that help compensate us for taking these risks. We can also compare the risk and return of different projects or investments, and we can seek to diversify our position so that no single risk can do too much harm. By doing this, we can practice risk management. While we can't avoid uncertainty and risk altogether, there are often many steps we can take to better cope with risk. Risk analysis helps us determine the right steps to take.
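The steps above can be carried through in a small simulation. This is an added example, not part of the original article: it uses the article's store scenario, and every figure in it (the shopper history, margin bounds, costs and staffing ratio) is a constructed assumption.

```python
import random
import statistics

# Constructed sample: number of past days on which each shopper count was seen.
SHOPPER_HISTORY = {10: 4, 20: 9, 30: 15, 40: 22, 50: 20,
                   60: 14, 70: 8, 80: 5, 90: 2, 100: 1}
MARGIN_BOUNDS = (18.0, 32.0)   # assumed bounds on margin per shopper
FIXED_COST = 900.0             # assumed fixed cost per day
WAGE = 120.0                   # assumed daily wage per salesperson
SHOPPERS_PER_STAFF = 25        # assumed staffing ratio


def net_profit(shoppers, margin):
    """Deterministic model: the output (Net Profit) for one set of inputs."""
    staff = -(-shoppers // SHOPPERS_PER_STAFF)  # ceiling division
    return shoppers * margin - staff * WAGE - FIXED_COST


def simulate(trials=10_000, seed=1):
    """Each trial samples the uncertain inputs and computes the output."""
    rng = random.Random(seed)  # seeded so a run can be reproduced
    counts, weights = zip(*SHOPPER_HISTORY.items())
    outcomes = []
    for _ in range(trials):
        shoppers = rng.choices(counts, weights=weights)[0]  # empirical distribution
        margin = rng.uniform(*MARGIN_BOUNDS)                 # bounded unknown
        outcomes.append(net_profit(shoppers, margin))
    return outcomes


def summarize(outcomes):
    """Describe the range of outcomes rather than a single number."""
    ordered = sorted(outcomes)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p / 100 * len(ordered)))]

    return {
        "mean": statistics.fmean(ordered),
        "median": statistics.median(ordered),
        "stdev": statistics.stdev(ordered),
        "p5": percentile(5),
        "p95": percentile(95),
        "prob_loss": sum(o < 0 for o in ordered) / len(ordered),
    }


if __name__ == "__main__":
    for name, value in summarize(simulate()).items():
        print(f"{name:>9}: {value:,.2f}")
```

With these assumed inputs the mean Net Profit sits close to break-even while individual trials range from a clear loss to a clear profit, which is why the 5th and 95th percentiles and the probability of a loss say more than any single figure.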
Risk Efficiency Measurement
The efficiency of risk analysis and management is measured by capturing the following metrics during project closure. The analysis results are used to decipher lessons learned, which are updated in the organization's lessons learned database.
- Number of risks that occurred / Number of risks that were identified
- Was the impact of the risks as severe as originally thought?
- How many risks recurred?
- How do the actual problems and issues faced in a project differ from the anticipated risks?
A risk audit is an independent expert analysis of risks, with recommendations to enhance the maturity or effectiveness of risk management in the organization. It evaluates:
- How good are we at identifying risk?
- Exhaustiveness and granularity of risks identified
- Effectiveness of mitigation or contingency plan
- Linkage of project risks to organizational risks
This is not a “process adherence” audit, but an aid to enhance the quality of risk identification and risk analysis. This is also used as a forum to benchmark and identify good practices of risk management among various projects in the organization.
The risk audit is done by a group of independent domain or technical experts through documentation review and interviews. The key deliverables of this risk audit are:
- Customized checklist to evaluate the risks of a project
- Identify areas of importance for risk analysis for a project (risk taxonomy)
- Risk radar – risk-prone areas of the product group
- Potential additional risks identified based on the review
- Top 10 risks in the organization from key projects, which require management attention
Assessment of Risk
Framework for Risk Assessment
Risk Based Testing
Risk IT Framework
Risk Management Framework (RMF)
Risk Maturity Model (RMM)
Corporate Governance of Information Technology (IT Governance)
Key Risk Indicator (KRI)
Business Continuity Planning (BCP)
Disaster Recovery Planning
Enterprise Risk Management (ERM)
Risk-Adjusted Return on Capital (RAROC)
Own Risk and Solvency Assessment (ORSA)