By the
Mind Tools
Editorial Team

Risk Analysis and Risk Management

Evaluating and Managing Risks

Learn how to conduct effective Risk Analysis to identify and manage risk in your organization.

Whatever your role, it's likely that you'll need to make a decision that involves an element of risk at some point.

Risk is made up of two parts: the probability of something going wrong, and the negative consequences if it does.

Risk can be hard to spot, however, let alone prepare for and manage. And, if you're hit by a consequence that you hadn't planned for, costs, time, and reputations could be on the line.

This makes Risk Analysis an essential tool when your work involves risk. It can help you identify and understand the risks that you could face in your role. In turn, this helps you manage these risks, and minimize their impact on your plans.

In this article, we'll look at how you can use Risk Analysis to identify and manage risk effectively.

What is Risk Analysis?

Risk Analysis is a process that helps you identify and manage potential problems that could undermine key business initiatives or projects.

To carry out a Risk Analysis, you must first identify the possible threats that you face, and then estimate the likelihood that these threats will materialize.

Risk Analysis can be complex, as you'll need to draw on detailed information such as project plans, financial data, security protocols, marketing forecasts, and other relevant information. However, it's an essential planning tool, and one that could save time, money, and reputations.

When to Use Risk Analysis

Risk analysis is useful in many situations:

  • When you're planning projects, to help you anticipate and neutralize possible problems.
  • When you're deciding whether or not to move forward with a project.
  • When you're improving safety and managing potential risks in the workplace.
  • When you're preparing for events such as equipment or technology failure, theft, staff sickness, or natural disasters.
  • When you're planning for changes in your environment, such as new competitors coming into the market, or changes to government policy.

How to Use Risk Analysis

To carry out a risk analysis, follow these steps:

1. Identify Threats

The first step in Risk Analysis is to identify the existing and possible threats that you might face. These can come from many different sources. For instance, they could be:

  • Human – Illness, death, injury, or other loss of a key individual.
  • Operational – Disruption to supplies and operations, loss of access to essential assets, or failures in distribution.
  • Reputational – Loss of customer or employee confidence, or damage to market reputation.
  • Procedural – Failures of accountability, internal systems, or controls, or from fraud.
  • Project – Going over budget, taking too long on key tasks, or experiencing issues with product or service quality.
  • Financial – Business failure, stock market fluctuations, interest rate changes, or non-availability of funding.
  • Technical – Advances in technology, or from technical failure.
  • Natural – Weather, natural disasters, or disease.
  • Political – Changes in tax, public opinion, government policy, or foreign influence.
  • Structural – Dangerous chemicals, poor lighting, falling boxes, or any situation where staff, products, or technology can be harmed.

You can use a number of different approaches to carry out a thorough analysis:

  • Run through a list such as the one above to see if any of these threats are relevant.
  • Think about the systems, processes, or structures that you use, and analyze risks to any part of these. What vulnerabilities can you spot within them?
  • Ask others who might have different perspectives. If you're leading a team, ask for input from your people, and consult others in your organization, or those who have run similar projects.

Tools such as SWOT Analysis and Failure Mode and Effects Analysis can also help you uncover threats, while Scenario Analysis helps you explore possible future threats.

2. Estimate Risk

Once you've identified the threats you're facing, you need to calculate out both the likelihood of these threats being realized, and their possible impact.

One way of doing this is to make your best estimate of the probability of the event occurring, and then to multiply this by the amount it will cost you to set things right if it happens. This gives you a value for the risk:

Risk Value = Probability of Event x Cost of Event

As a simple example, imagine that you've identified a risk that your rent may increase substantially.

You think that there's an 80 percent chance of this happening within the next year, because your landlord has recently increased rents for other businesses. If this happens, it will cost your business an extra $500,000 over the next year.

So the risk value of the rent increase is:

0.80 (Probability of Event) x $500,000 (Cost of Event) = $400,000 (Risk Value)

You can also use a Risk Impact/Probability Chart to assess risk. This will help you to identify which risks you need to focus on.

Don't rush this step. Gather as much information as you can so that you can accurately estimate the probability of an event occurring, and the associated costs. Use past data as a guide if you don't have an accurate means of forecasting.

How to Manage Risk

Once you've identified the value of the risks you face, you can start to look at ways of managing them.

Look for cost-effective approaches – it's rarely sensible to spend more on eliminating a risk than the cost of the event if it occurs. It may be better to accept the risk than it is to use excessive resources to eliminate it.

Be sensible in how you apply this, though, especially if ethics or personal safety are in question.

Avoid the Risk

In some cases, you may want to avoid the risk altogether. This could mean not getting involved in a business venture, passing on a project, or skipping a high-risk activity. This is a good option when taking the risk involves no advantage to your organization, or when the cost of addressing the effects is not worthwhile.

Remember that when you avoid a potential risk entirely, you might miss out on an opportunity. Conduct a "What If?" Analysis to explore your options when making your decision.

Share the Risk

You could also opt to share the risk – and the potential gain – with other people, teams, organizations, or third parties.

For instance, you share risk when you insure your office building and your inventory with a third-party insurance company, or when you partner with another organization in a joint product development initiative.

Accept the Risk

Your last option is to accept the risk. This option is usually best when there's nothing you can do to prevent or mitigate a risk, when the potential loss is less than the cost of insuring against the risk, or when the potential gain is worth accepting the risk.

For example, you might accept the risk of a project launching late if the potential sales will still cover your costs.

Before you decide to accept a risk, conduct an Impact Analysis to see the full consequences of the risk. You may not be able to do anything about the risk itself, but you can likely come up with a contingency plan to cope with its consequences.

Controlling Risk

If you choose to accept the risk, there are a number of ways in which you can reduce its impact.

Business Experiments are an effective way to reduce risk. They involve rolling out the high-risk activity but on a small scale, and in a controlled way. You can use experiments to observe where problems occur, and to find ways to introduce preventative and detective actions before you introduce the activity on a larger scale.

  • Preventative action involves aiming to prevent a high-risk situation from happening. It includes health and safety training, firewall protection on corporate servers, and cross-training your team.
  • Detective action involves identifying the points in a process where something could go wrong, and then putting steps in place to fix the problems promptly if they occur. Detective actions include double-checking finance reports, conducting safety testing before a product is released, or installing sensors to detect product defects.

Plan-Do-Check-Act is a similar method of controlling the impact of a risky situation. Like a Business Experiment, it involves testing possible ways to reduce a risk. The tool's four phases guide you though an analysis of the situation, creating and testing a solution, checking how well this worked, and implementing the solution.

Key Points

Risk Analysis is a proven way of identifying and assessing factors that could negatively affect the success of a business or project. It allows you to examine the risks that you or your organization face, and helps you decide whether or not to move forward with a decision.

You do a Risk Analysis by identify threats, and estimating the likelihood of those threats being realized.

Once you've worked out the value of the risks you face, you can start looking at ways to manage them effectively. This may include choosing to avoid the risk, sharing it, or accepting it while reducing its impact.

It's essential that you're thorough when you're working through your Risk Analysis, and that you're aware of all of the possible impacts of the risks revealed. This includes being mindful of costs, ethics, and people's safety.

This site teaches you the skills you need for a happy and successful career; and this is just one of many tools and resources that you'll find here at Mind Tools. Subscribe to our free newsletter, or join the Mind Tools Club and really supercharge your career!

Add this article to My Learning Plan
Mark article as Complete
Comments (14)
  • Over a month ago Midgie wrote
    Hi imikh,
    Thanks for that feedback!

    Mind Tools Team
  • Over a month ago Midgie wrote
    Hi cpflores,
    Thank for asking the question about how the changes on the new version for ISO 9001:2015 will be documented. I do not know the answer myself and wonder if any other reader here has an answer and willing to share. Anyone ... thoughts or ideas on how the change will be documented?

    Mind Tools Team
  • Over a month ago imikh wrote
    well organized ;)
View All Comments