Risk Analysis
The term risk analysis refers to the assessment process that identifies the potential for any adverse events that may negatively affect organizations and the environment. Risk analysis is commonly performed by corporations (banks, construction groups, health care, etc.), governments, and nonprofits. Conducting a risk analysis can help organizations determine whether they should undertake a project or approve a financial application, and what actions they may need to take to protect their interests. This type of analysis facilitates?a balance between risks and risk reduction. Risk analysts often work in with forecasting professionals to minimize future negative unforeseen effects.
Key Takeaways
Understanding Risk Analysis
Risk assessment enables corporations, governments, and investors to assess the probability that an adverse event might negatively impact a business, economy, project, or investment. It is essential for determining the worth of a specific project or investment and the best process(es) to mitigate those risks.?Risk analysis?provides different approaches that can be used to assess the risk and reward tradeoff of a potential investment opportunity.
A risk analyst starts by identifying what could potentially go wrong. These negatives must be weighed against a probability metric that measures the likelihood of the event occurring.
Finally, risk analysis attempts to estimate the extent of the impact that will be made if the event happens. Many identified risks, such as market risk, credit risk, currency risk, and so on, can be reduced through hedging or by purchasing insurance.
Almost all large businesses require a minimum level of risk analysis. For example, commercial banks need to properly hedge the foreign exchange exposure of overseas loans, while large department stores must factor in the possibility of reduced revenues due to a global recession. Risk analysis allows professionals to identify and mitigate risks but not completely avoid them.
Types of Risk Analysis
Risk-Benefits
Many people are aware of a cost-benefit analysis. In this type of analysis, an analyst compares the benefits a company receives to the financial and non-financial expenses related to the benefits. The potential benefits may cause other, new types of potential expenses to occur. In a similar manner, a risk-benefit analysis compares potential benefits with associated potential risks. Benefits may be ranked and evaluated based on their likelihood of success or the projected impact the benefits may have.
Needs Assessment
A needs risk analysis is an analysis of the current state of a company. Often, a company will undergo a needs assessment to better understand a need or gap that is already known. Alternatively, a needs assessment may be done if management is not aware of gaps or deficiencies. This analysis lets the company know where they need to spending more resources in.
Business Impact Analysis
In many cases, a business may see a potential risk looming and wants to know how the situation may impact the business. For example, consider the probability of a concrete worker strike to a real estate developer. The real estate developer may perform a business impact analysis to understand how each additional day of the delay may impact their operations.
Root Cause Analysis
Opposite of a needs analysis, a root cause analysis is performed because something is happening that shouldn't be. This type of risk analysis strives to identify and eliminate processes that cause issues. Whereas other types of risk analysis often forecast what needs to be done or what could be getting done, a root cause analysis aims to identify the impact of things that have already happened or continue to happen.
How to Perform a Risk Analysis
Though there are different types of risk analysis, many have overlapping steps and objectives. Each company may also choose to add or change the steps below, but these six steps outline the most common process of performing a risk analysis.
Step #1: Identify Risks
The first step in many types of risk analysis to is to make a list of potential risks you may encounter. These may be internal threats that arise from within a company, though most risks will be external that occur from outside forces. It is important to incorporate many different members of a company for this brainstorming session as different departments may have different perspectives and inputs.
A company may have already addressed the major risks of the company through a SWOT analysis. Although a SWOT analysis may prove to be a launching point for further discussion, risk analysis often addresses a specific question while SWOT analysis are often broader. Some risks may be listed on both, but a risk analysis should be more specific when trying to address a specific problem.
Step #2: Identify Uncertainty
The primary concern of risk analysis is to identify troublesome areas for a company. Most often, the riskiest aspects may be the areas that are undefined. Therefore, a critical aspect of risk analysis is to understand how each potential risk has uncertainty and to quantify the range of risk that uncertainty may hold.
Consider the example of a product recall of defective products after they have been shipped. A company may not know how many units were defective, so it may project different scenarios where either a partial or full product recall is performed. The company may also run various scenarios on how to resolve the issue with customers (i.e. a low, medium, or high engagement solution.
Step #3: Estimate Impact
Most often, the goal of a risk analysis is to better understand how risk will financially impact a company. This is usually calculated as the risk value, which is the probability of an event happening multiplied by the cost of the event.
For example, in the example above, the company may assess that there is a 1% chance a product defection occurs. If the event were to occur, it would cost the company $100 million. In this example, the risk value of the defective product would be assigned $1 million.
The important piece to remember here is management's ability to prioritize avoiding potentially devastating results. For example, if the company above only yielded $40 million of sales each year, a single defect product that could ruin brand image and customer trust may put the company out of business. Even though this example led to a risk value of only $1 million, the company may choose to prioritize addressing this due to the higher stakes nature of the risk.
Step #4: Build Analysis Model(s)
The inputs from above are often fed into an analysis model. The analysis model will take all available pieces of data and information, and the model will attempt to yield different outcomes, probabilities, and financial projections of what may occur. In more advanced situations, scenario analysis or simulations can determine an average outcome value that can be used to quantify the average instance of an event occurring.
Step #5: Analyze Results
With the model run and the data available to be reviewed, it's time to analyze the results. Management often takes the information and determines the best course of action by comparing the likelihood of risk, projected financial impact, and model simulations. Management may also request to see different scenarios run for different risks based on different variables or inputs.
Step #6: Implement Solutions
After management has digested the information, it is time to put a plan in action. Sometimes, the plan is to do nothing; in risk acceptance strategies, a company has decided it will not change course as it makes most financial sense to simply live with the risk of something happening and dealing with it after it occurs. In other cases, management may want to reduce or eliminate the risk.
Implementing solutions does not necessarily mean risk avoidance. A company can decide to simply live with the current risks it faces. Other potential solutions may include buying insurance, divesting from a product, restricting trade in certain geographical regions, or sharing operational risk with a partner company.
Qualitative vs. Quantitative Risk Analysis
Quantitative Risk Analysis
Under quantitative risk analysis, a risk model is built using simulation or deterministic statistics to assign numerical values to risk. The inputs are mostly assumptions and?random variables.
For any given range of input, the model generates a range of output or outcomes. Risk managers analyze the model's output using graphs,?scenario analysis, and/or?sensitivity analysis?to make decisions about mitigating and dealing with the risks.
A Monte Carlo simulation can generate a range of possible outcomes of a decision or action. The simulation is a quantitative technique that repeatedly calculates results for the random input variables using a different set of input values. The resulting outcome from each input is recorded, and the final result of the model is a probability distribution of all possible outcomes.
The outcomes can be summarized on a distribution graph showing some measures of central tendency such as the mean and median, and assessing the variability of the data through standard deviation and variance. The outcomes can also be assessed using risk management tools such as scenario analysis and sensitivity tables. A scenario analysis shows the best, middle, and worst outcome of any event. Separating the different outcomes from best to worst provides a reasonable spread of insight for a risk manager.
For example, an American company that operates globally might want to know how its bottom line would fare if the exchange rate of select countries strengthened. A sensitivity table shows how outcomes vary when one or more random variables or assumptions are changed.
Elsewhere, a portfolio manager might use a sensitivity table to assess how changes to the different values of each security in a portfolio will impact the portfolio's variance. Other types of risk management tools include decision trees and break-even analysis.
Qualitative Risk Analysis
Qualitative risk analysis is an analytical method that does not identify and evaluate risks with numerical and quantitative ratings. It involves a written definition of the uncertainties, an evaluation of the extent of the impact (if the risk ensues), and countermeasure plans in the case of a negative event.
Examples of qualitative risk tools include SWOT analysis, cause-and-effect diagrams, decision matrixes, and?game theory. A firm that wants to measure the impact of a security breach on its servers may use a qualitative risk technique to help prepare it for any lost income that may occur from a data breach.