What is risk analysis? Definition and meaning
The definition and meaning of risk analysis is the process of analyzing, determining and defining the risk of danger to government agencies, businesses, individual, towns and cities, and whole national economies posed by potential natural and anthropogenic (human-caused) events. In the world of information technology, a risk analysis report is commonly used to align technology-related goals with a commercial enterprise’s aims and objectives. Risk analysis is both quantitative or qualitative.
According to Frontline Solvers, risk analysis is:
“The systematic study of uncertainties and risks we encounter in business, engineering, public policy, and many other areas.”
You don’t need to be an expert to determine that the risk of injury or death for a racing driver is considerably higher than for a librarian. However, calculating how much their monthly/annual insurance premiums should be is not so easy. Insurance underwriters carry out comprehensive risk analyses and determine whether to provide cover, and if so, at what rate.
Risk consists of two parts:
– The chances of something unpleasant happening.
– The consequences – negative ones – if it does.
Risk analysis involves studying the underlying probability of a given course of action actually taking place. In finance, it refers to the uncertainty of predicted future cash flows streams, statistical analysis to determine the likelihood of a project’s success or failure, variance of stock or portfolio returns, and potential future economic circumstances.
All large commercial enterprises in every field of business need a minimum sort of risk analysis. For example, large retailers need to factor in the possibility of declining revenues due to rising unemployment or a global recession, while financial institutions must adequately hedge against the foreign exchange exposure of overseas loans.
In most countries, regulators require that their banks identify and quantify their risks. They must make sure they have enough capital to withstand the shocks in worst or near-worst case scenarios.
Risk management follows risk analysis.
In order to prepare yourself for a possible adverse event, you first need to determine what the likelihood of it happening is.
The aim of risk analysis is not so much about avoiding adverse events completely, but rather being able to cope and survive if they occur – being ready for them if they happen.
It is a process that helps us identify and manage potential adverse events that could undermine key projects or business initiatives. When carrying out a risk analysis, we need to first identify what the possible threats are, estimate their chances of happening, and determine how much it would cost to get back on track.
When do we use risk analysis?
– When we are planning a project (or more than one). It helps us anticipate and neutralize possible adverse events.
– When we are planning for changes in our environment, such as government legislation or the emergence of new competitors.
– When we are preparing for adverse events, such as theft, fire, employee sickness, technology failure, or natural disasters.
– When we are deciding whether to approve or abandon a project.
Risk analysis: Identify threats & estimate possibility
When we carry out a risk analysis, we must follow two steps: Identify Threats and Estimate Risk.
Identify Threats: we first have to identify the existing and possible future threats that we might face, such as:
– Financial: examples include steep fluctuations in stock market prices, a sudden change in interest rates, or an unexpected withdrawal of funding.
– Human: these may come in the form of injury, death, illness, or the loss of key personnel.
– Natural: earthquake, volcanic eruption, hurricane, flood, or a disease (pandemic or epidemic).
– Operational: such as loss of access to a vital raw material needed to make a product, or distribution problems. If a shipping route is suddenly closed, it could mean the kiss of death for some companies.
– Reputational: the company’s brand name may be damaged due to an unfortunate incident. There may be loss of employee or customer confidence.
– Structural: any situation where staff, customers or visitors may be injured due to dangerous chemicals, inadequate lighting, falling boxes, etc.
– Technical: a virus or malware damages the company’s IT system, advances in technology, or a global crisis, such as a widespread and sustained shutdown of the Internet. For company’s like Amazon.com, no Internet would mean absolutely no business at all.
Estimate Risk: as soon as you have identified which threats you might face, the next step is to estimate how likely they are, and what their possible impact might be.
After estimating what the likelihood of a particular adverse event is, you then have to multiply that by how much you think it would cost to set things right if it did occur. You would then have a value for the risk:
Risk Value = Probability of Adverse Event x Cost of Event
For example, imagine your business is in the UK and an imported raw material represents half the cost of your finished product. You know there is a risk that your currency may decline significantly – this would make the import more expensive for you.
You believe there is an 80% probability that your currency will devalue sharply within the next 12 months, because there has been a referendum and the electorate voted to leave the European Union – they voted for Brexit. If this happens, your import costs will rise by £2 million over the next year.
Therefore, the risk value of the increased cost of raw material is:
0.80 (likelihood of Event) x £2,000,000 (Cost of Event) = £1,600,000 (Risk Value).
Computer simulations for risk analysis
We could create real-life situations to determine what the risk of an adverse event is, and what its impact might be. However, this is too dangerous, so we resort to computer simulations – also called risk models.
With some sophisticated computer models, the business is put through near real life simulations to determine how it would cope, just like engineers do with model airplanes in wind tunnels. These experiments pose no risk for the company, but give us vital data on what might unfold if something unpleasant happened.
With state-of-the-art computers and software, we can get fairly accurate risk analyses (plural of analysis is analyses). Several trials may be performed over a short time at very low cost.
Insurance companies use simulation software all the time to help determine how much they should charge their customers.
Risk analysis vs. risk management
Risk analysis looks at the probability of something happening and what the impact might be, while risk management is all about addressing that risk.
In order to know how to manage a risk, first we need to analyze or assess it.
Airsafe.com explains the difference between risk analysis (assessment) and management in the following way:
“Risk management is the process of combining a risk assessment with decisions on how to address that risk, and doing so in ways that consider the technical and social aspects of the risk assessment.”
“Risk management is part of a larger decision process that considers the technical and social aspects of the risk situation. Risk assessments are performed primarily for the purpose of providing information and insight to those who make decisions about how that risk should be managed.”
Put simply, risk analysis defines the risk while risk management determines what to do about it.
Qualitative Vs Quantitative Risk Analysis and What They Mean?
Qualitative risk analysis prioritises the project risks using a pre-defined rating scale. Risks will be scored on their probability of happening. Whereas Quantitative risk analysis is a further level of risk analysis of the highest priority threats and is usually assigned a numerical value e.g. cost of risk to the business and / or project tasks.
Video – What is risk analysis?
This Mind Tools video explains in simple and easy-to-understand language and examples what risk analysis is.