Risk Analysis explained plus example

Risk Analysis - toolshero

Risk Analysis: this article provides a practical explanation of the concept of Risk Analysis. The article begins with the definition of Risk Analysis, followed by a description of the difference between quantitative risk analysis and qualitative risk analysis. You will also find an example of the Risk Analysis Matrix, which is a populair tool to map risks, and you will read about various mitigation strategies. Enjoy reading!

What is Risk Analysis?

Organisations are often exposed to countless threats accompanied by potential risks. A risk consists of the chance that the threat becomes a reality, and the consequences of this threat.

Often, the threats are noticed on time and are adequately anticipated, but occasionally, organisations suffer significant losses due to poor risk management, which includes risk analysis.

Free Toolshero ebook

Risk analysis is the process that helps organisations to map the threats, evaluate risks and determine which suitable measures have to be taken.

A method to identify threats is the SWOT Analysis. With this analysis, strengths, weaknesses, opportunities and threats are determined. Subsequently, it must be established how great the risk is that the threat will become reality and what consequences this would have for the organisational processes. Afterwards, it must be assessed whether the costs of the measures outweigh the costs of the incident or consequence.

Risk Analysis: difference between quantitative risk analysis and qualitative risk analysis

Generally speaking, two types of risk analyses are distinguished: qualitative and quantitative risk analyis.
In a quantitative risk analysis, the financial risks of a threat are calculated, based on theoretical models. In a quantitative risk analysis, the risks are always expressed in measurable criteria.

Often, it is the computer that simulates the risks in such a way. Quantitative risk analysis is used by investors who aim to justify an investment by demonstrating the ratio between the level of risk and the return.

In qualitative risk analyses, estimations are made of the run risks. Qualitative risk analyses often assume possible scenarios from which a ‘worst case’ and ‘best case’ scenario often follow. It provides better insight into the behaviour and culture of the people in an organisation. Qualitative risk analyses occur more often in small enterprises. The threats are often estimated by the use of rules of thumb or by means of gut feelings.

It is important that there is a proper balance between quantitative and qualitative risk management. Statistical data help to estimate the (financial) risks, but the human factor is also very important. This may provide insight into why people did or did not carry out certain actions in the past, how they approached the risks or how the organisational culture was changed.

Risk Analysis and risk factors

A number of risks and risk factors are the same for many organisations. These could be the risk of loss of customers, but also the risk of failing business processes or making wrong decisions. Other risks are related to a specific sector or enterprise.

Many factors lead to the fact that an organisation is exposed to risks. Here, internal and external factors are distinguished.

External risk factors

  • Demographic factors
  • Sociological developments
  • Political situations
  • Economic factors
  • Natural causes
  • Technological developments

Internal risk factors

  • Organisational culture
  • Personnel risk
  • Internal organisation
  • Technology

Measures after Risk Analysis

Whether actual measures are taken after a risk has been identified depends on a number of factors. After the risks are identified and analyzing the risk, they can be entered into a risk assessment matrix.

An example of such a matrix is given below. Filling in the matrix provides a good overview of which threats and risks are prioritised. The likelihood that the risk becomes reality is represented on the Y-axis.

The X-axis provides clarity on the impact the expected threat will have on the business process or the organisation as a whole. The various threats can be assigned a colour based on urgency.

Risk Analysis example - toolshero

Figure 1 – Risk Analysis Matrix example

After all risks have been mapped, measures can be taken. Different kinds of measures that can be taken include:


Avoiding risks is something that happens often. When a policy or business process within an organisation carries too much risks, the decision can be made to terminate the policy or process, to adjust it or outsource it. These measures are preventive.


Reducing risks can occur in several ways. A frequently occurring measure that is taken is taking out insurance. Addressing the cause of the threat also belongs to risk reduction. The measures are repressive, the damage is limited.


When the organisation is risk averse, the choice can also be made to outsource the entire policy. The party involved also bears the financial risks.


If the risk is too small, or does not outweigh the positive outcomes, additional measures will not be taken immediately. In that case, the possible consequences are accepted. Even when the risk cannot be avoided, reduced or outsourced, a financial manager can decide to accept the risk. Accepting a risk does not mean that the risk cannot be influenced. It can also be opted to address the risk at a later time.

Evaluation and integration

Risk management is a continuous process, because the environment of organisations is constantly changing. Therefore, working effectively requires interim monitoring. It is possible that, after due course, the measure does not offer sufficient protection against the threat. The effect the measure has on the risk profile is minimal in that case and must be updated.

The risk information that becomes available after the analyses can be used for decisions that will be made in the future. In each new, large project or a different sizable process or decision, the risks to minimise the negative effect, if necessary, must be considered.

Basic security

As has become clear, not all threats are the same for each organisation, but certain threats do reoccur more often than others. Risk analysis is critised for being subjective, inconsistent, time-consuming and monotonous. Therefore, the security baseline approach is gaining ground.

This means that a system of general security measures is defined for the average organisation or for the average business process. By implementing these security baselines, organisations can defend themselves against a number of frequently occurring risks.

The security baseline offers a minimal level of protection for an organisation or process under normal circumstances. For example, the security baseline is applied in information technology to provide a network with security, but a set of ready-for-use security measures is also implemented in other sectors increasingly often.

Risk Analysis summary

In order to maintain a favourable competitive position, but also to maintain cashflows, image or profitability, it is of vital importance for organisations that the risks are made comprehensible. When all risks are identified, it is important that these risks are prioritised.

This could be done by means of a risk matrix. When it turns out that the risk demands anticipation, measures can be taken. Which measure best suits the specific threat is shown in analyses that are conducted into the possible effect of the threat and the likelihood that the threat becomes a reality.

By monitoring measures and risks, information is gained that can be used for future decisions.

Join the Toolshero community

It’s Your Turn

What do you think? Are you familiar with Risk Analysis and the process of identifying risks? Do you recognize different types of risks and how do you handle these?

Share your experience and knowledge in the comments box below.

More information

  1. Vose, D. (2008). Risk analysis: a quantitative guide. John Wiley & Sons.
  2. Schott, J. R. (2016). Matrix analysis for statistics. John Wiley & Sons.
  3. Wang, J. J., Jing, Y. Y., Zhang, C. F., & Zhao, J. H. (2009). Review on multi-criteria decision analysis aid in sustainable energy decision-making. Renewable and Sustainable Energy Reviews, 13(9), 2263-2278.

How to cite this article:
Janse, B. (2018). Risk Analysis. Retrieved [insert date] from Toolshero: https://www.toolshero.com/decision-making/risk-analysis/

Original publication date: 08/12/2018 | Last update: 06/05/2023

Add a link to this page on your website:
<a href=” https://www.toolshero.com/decision-making/risk-analysis/”> Toolshero: Risk Analysis</a>

Did you find this article interesting?

Your rating is more than welcome or share this article via Social media!

Average rating 4 / 5. Vote count: 12

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Ben Janse
Article by:

Ben Janse

Ben Janse is a young professional working at ToolsHero as Content Manager. He is also an International Business student at Rotterdam Business School where he focusses on analyzing and developing management models. Thanks to his theoretical and practical knowledge, he knows how to distinguish main- and side issues and to make the essence of each article clearly visible.


Leave a Reply