This article provides a practical explanation of the concept of Risk Analysis. After reading it, you will understand the necessity and the benefits of Risk Analysis.
What is Risk Analysis?
Organisations are often exposed to countless threats accompanied by risks. A risk consists of the chance that the threat becomes a reality, and the consequences of this threat. Often, the threats are noticed on time and are adequately anticipated, but occasionally, organisations suffer significant losses due to poor risk management, which includes risk analysis. Risk analysis helps organisations to map the threats, following which possible suitable measures are taken.
A method to identify threats is the SWOT Analysis. With this analysis, strengths, weaknesses, opportunities and threats are determined. Subsequently, it must be established how great the risk is that the threat will become reality and what consequences this would have for the organisational processes. Afterwards, it must be assessed whether the costs of the measures outweigh the costs of the incident or consequence.
Forms of Risk Analysis
Generally speaking, two types of risk analyses are distinguished:
In a quantitative risk analysis, the financial risks of a threat are calculated, based on theoretical models. In a quantitative risk analysis, the risks are always expressed in measurable criteria. Often, it is the computer that simulates the risks in such a way. Quantitative risk analysis is used by investors who aim to justify an investment by demonstrating the ratio between the risk and the return.
In qualitative risk analyses, estimates are made of the risks incurred. Qualitative risk analyses often assume possible scenarios, from which a ‘worst case’ and a ‘best case’ scenario often follow. They provide better insight into the behaviour and culture of the people in an organisation. Qualitative risk analyses occur more often in small enterprises. The threats are often estimated by the use of rules of thumb or by means of gut feelings.
It is important that there is a proper balance between quantitative and qualitative risk management. Statistical data help to estimate the (financial) risks, but the human factor is also very important. This may provide insight into why people did or did not carry out certain actions in the past, how they approached the risks or how the organisational culture was changed.
A number of risks are the same for many organisations. These could be the risk of loss of customers, but also the risk of failing business processes or making wrong decisions. Other risks are related to a specific sector or enterprise.
Many factors lead to the fact that an organisation is exposed to risks. Here, internal and external factors are distinguished.
- Demographic factors
- Sociological developments
- Political situations
- Economic factors
- Natural causes
- Technological developments
- Organisational culture
- Personnel risk
- Internal organisation
Measures after Risk Analysis
Whether actual measures are taken after a risk has been identified depends on a number of factors. After the risks are identified, they can be entered into a risk assessment matrix. An example of such a matrix is given below. Filling in the matrix provides a good overview of which threats and risks are prioritised. The likelihood that the risk becomes reality is represented on the Y-axis. The X-axis provides clarity on the impact the expected threat will have on the business process or the organisation as a whole. The various threats can be assigned a colour based on urgency.
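The matrix described above, as an added example in Python (not the article's own figure or code). It assumes 5-point likelihood and impact scales, colour thresholds of 6 and 15, and a rule that a maximum-impact risk is never rated below amber; the sample scores are constructed.

```python
from dataclasses import dataclass

LEVELS = 5  # assumed 5-point scales; the article fixes neither scale nor thresholds

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # Y-axis: 1 (rare) .. 5 (almost certain)
    impact: int      # X-axis: 1 (negligible) .. 5 (severe)

def band(likelihood, impact):
    """Urgency colour for one matrix cell (assumed thresholds)."""
    for value in (likelihood, impact):
        if not 1 <= value <= LEVELS:
            raise ValueError(f"score {value} outside 1..{LEVELS}")
    score = likelihood * impact
    if score >= 15:
        return "red"
    # Assumed rule: a maximum-impact risk never drops to green, so a rare
    # but severe event is not hidden by its low likelihood.
    if score >= 6 or impact == LEVELS:
        return "amber"
    return "green"

def prioritise(risks):
    """Highest likelihood x impact first; impact breaks ties."""
    return sorted(risks, key=lambda r: (r.likelihood * r.impact, r.impact),
                  reverse=True)

def render(risks):
    """Text matrix: each cell shows risk count and colour initial."""
    count = {}
    for r in risks:
        band(r.likelihood, r.impact)  # validate before plotting
        key = (r.likelihood, r.impact)
        count[key] = count.get(key, 0) + 1
    rows = []
    for l in range(LEVELS, 0, -1):  # highest likelihood on the top row
        cells = [f"{count.get((l, i), 0)}{band(l, i)[0].upper()}"
                 for i in range(1, LEVELS + 1)]
        rows.append(f"L{l} | " + " ".join(cells))
    rows.append("     " + " ".join(f"I{i}" for i in range(1, LEVELS + 1)))
    return "\n".join(rows)

# Constructed sample register; names come from the article, scores are invented.
SAMPLE = [
    Risk("Loss of customers", 3, 4),
    Risk("Failing business process", 4, 4),
    Risk("Natural causes", 1, 5),
    Risk("Personnel risk", 2, 2),
]

if __name__ == "__main__":
    print(render(SAMPLE))
    for r in prioritise(SAMPLE):
        print(f"{band(r.likelihood, r.impact):5}  {r.name}")
```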
After all risks have been mapped, measures can be taken. Different kinds of measures that can be taken include:
Avoiding risks is something that happens often. When a policy or business process within an organisation carries too many risks, the decision can be made to terminate the policy or process, to adjust it or to outsource it. These measures are preventive.
Reducing risks can occur in several ways. A frequently occurring measure is taking out insurance. Addressing the cause of the threat also belongs to risk reduction. These measures are repressive: the damage is limited.
When the organisation is risk averse, the choice can also be made to outsource the entire policy. The party involved also bears the financial risks.
If the risk is too small, or does not outweigh the positive outcomes, additional measures will not be taken immediately. In that case, the possible consequences are accepted. Even when the risk cannot be avoided, reduced or outsourced, a financial manager can decide to accept the risk. Accepting a risk does not mean that the risk cannot be influenced. It can also be opted to address the risk at a later time.
Evaluation and integration
Risk management is a continuous process, because the environment of organisations is constantly changing. Therefore, working effectively requires interim monitoring. It is possible that, in due course, the measure does not offer sufficient protection against the threat. In that case, the effect the measure has on the risk profile is minimal, and the measure must be updated.
The risk information that becomes available after the analyses can be used for decisions that will be made in the future. In each new, large project or a different sizable process or decision, the risks must be considered so that, if necessary, the negative effect can be minimised.
As has become clear, not all threats are the same for each organisation, but certain threats do reoccur more often than others. Risk analysis is criticised for being subjective, inconsistent, time-consuming and monotonous. Therefore, the security baseline approach is gaining ground. This means that a system of general security measures is defined for the average organisation or for the average business process. By implementing these security baselines, organisations can defend themselves against a number of frequently occurring risks. The security baseline offers a minimal level of protection for an organisation or process under normal circumstances. For example, the security baseline is applied in information technology to provide a network with security, but a set of ready-for-use security measures is also implemented in other sectors increasingly often.
In order to maintain a favourable competitive position, but also to maintain cashflows, image or profitability, it is of vital importance for organisations that the risks are made comprehensible. When all risks are identified, it is important that these risks are prioritised. This could be done by means of a risk matrix. When it turns out that the risk demands anticipation, measures can be taken. Which measure best suits the specific threat is shown in analyses that are conducted into the possible effect of the threat and the likelihood that the threat becomes a reality. By monitoring measures and risks, information is gained that can be used for future decisions.
How to cite this article:
Janse, B. (2018). Risk Analysis. Retrieved [insert date] from toolshero: https://www.toolshero.com/decision-making/risk-analysis/