Risk Analysis: A Comprehensive Guide

Difference Between Risk Assessment and Risk Analysis

Risk assessment is just one component of risk analysis. The other components of risk analysis are risk management and risk communication. Risk management is the proactive control and evaluation of risks while risk communication is the exchange of information involving risks. Unlike risk analysis, risk assessment is primarily focused on safety and hazard identification.

Risk Analysis Framework

Types of Risk Analysis

As risk analysis covers a wide range of topics, there are many approaches to analyzing risks or types of risk analysis. These include, but are not limited to, the following:

• Risk Benefit & Cost Benefit Analysis
  A risk benefit analysis involves weighing the pros and cons (benefits and risks) of an action. Elements are ranked and evaluated against the impact of their potential success or failure. Meanwhile, a cost benefit analysis sums the projected or estimated costs of an action and weighs the total cost against the potential benefits and opportunities.Both types of analysis help leaders carefully weigh their decision in pursuing a plan or action. Choosing to pursue a risk-heavy or cost-heavy action can result in losses.

• Needs Assessment
  A needs assessment is a systematic process of identifying and evaluating organizational needs and gaps. It gives leaders an idea of where the business may be lacking and helps them refocus resources towards achieving goals more efficiently.

• Business Impact Analysis
  A business impact analysis entails planning for operational disruptions caused by natural disasters and other external factors. It is the basis for investment in recovery, prevention, and mitigation strategies.

• Failure Mode and Effect Analysis
  A failure mode and effects analysis is a systematic method of anticipating potential failures in business processes and mitigating their impact on customers. It improves product and service reliability and reduces the cost of failures.

• Root Cause Analysis
  A root cause analysis focuses on identifying and eliminating root causes to solve problems. It helps in the prevention of recurring problems by targeting the ineffective systems behind them. Aside from failure mode and effects analysis, other root cause analysis tools are 5 Whys, 8D, and DMAIC (part of Six Sigma).

Risk Analysis Methods

There are two main risk analysis methods. The easier and more convenient method is qualitative risk analysis. Qualitative risk analysis rates or scores risk based on the perception of the severity and likelihood of its consequences. Quantitative risk analysis, on the other hand, calculates risk based on available data.

Types of risk analysis associated with qualitative risk analysis are all root cause analysis (RCA) tools except for failure mode and effects analysis, needs assessment, and risk matrix. Furthermore, the most common types of the latter are the 3×3 risk matrix, 4×4 risk matrix, and 5×5 risk matrix.

Risk Matrix

Types of risk analysis included in quantitative risk analysis are business impact analysis (BIA), failure mode and effects analysis (FMEA), and risk benefit analysis.

A key difference between qualitative and quantitative risk analysis is the type of risk each method results in. For qualitative risk analysis, this is projected risk, which is an estimation or guess of how the risk will manifest. Meanwhile, quantitative risk analysis deals with statistical risk. Unlike projected risk, statistical risk is specific and verified. For this reason, it’s often used in the calculation of insurance premiums.

Risk Analysis Example

Though risk analysis is used across industries by businesses of all sizes and types, some leaders may find a risk analysis example that’s specific to their industry more helpful than a generic one. Here are risk analysis examples for three major industries: construction, transport & logistics, and manufacturing.

Construction Risk Analysis Example: The owner of a construction company was presented with a project proposal to build a luxury resort. While pursuing this project may lead to good press for the company, the owner is hesitant to accept the project because her company specializes in mid-range residential buildings. Taking on this project would be both a leap and a challenge. Before making a final decision, she performs a risk-benefit analysis together with her team to see if the benefits of pursuing this project outweigh the risks.

Transport & Logistics Risk Analysis Example: The director of a multinational shipping company is anxious about the impact an upcoming storm will have on business operations. She believes the company should set aside some money for recovery after the storm hits. Her colleague, however, thinks differently. He argues that the storm won’t affect them that much. To convince her colleague and fellow directors, she performs a business impact analysis and presents its results in the next board meeting.

Manufacturing Risk Analysis Example: A newly hired manager is in charge of preparing a factory and its workers for a large influx of customer orders due to the summer season. To get an understanding of what he needs to do for this factory to succeed in producing enough units, he performs a quick needs assessment by asking the workers to fill out a survey on the factory’s processes.

How to Perform Risk Analysis

For leaders who have already decided on the type of risk analysis to perform, here are steps and instructions on how to perform risk analysis for each type:

How to Perform Needs Assessment

• Step 1: Identify requirements – What must the business deliver to succeed?
• Step 2: Assess existing resources – What can be used to achieve success?
• Step 3: Identify needs – What does the business lack that is critical to success?
• Step 4: Develop a plan of action – What must be done to fill the gaps and succeed?

Needs Assessment Template

Use this digital template to identify business/department, performance, and learning needs. It has all the tools leaders need to improve the management of their businesses.

How to Perform Business Impact Analysis 

• Step 1: Gather information on business processes, finances, and management.
• Step 2: Identify Recovery Time Objective (RTO) or how long it takes to restore business processes after disruption. RTO helps determine how long the business can function without normal business processes.
• Step 3: Identify Recovery Point Objective (RPO) or the acceptable loss to customers when a disruption occurs. RPO helps determine the estimated financial impact on the business.
• Step 4: Develop workaround procedures of the business in the event of disruption.
• Step 5: Decide business needs based on the information gathered in previous steps.

Business Impact Analysis Template

Use this digital template to assess the impact of possible disruptive events across key business functions. This template includes an assessment of losses in terms of operational activities and revenue. Leaders can use it to prioritize functions for recovery during crises.

How to Perform Failure Mode and Effects Analysis

• Step 1: Identify mechanism of failure

The mechanism of failure (potential failure modes, effects, and causes) can be identified properly when leaders in charge of FMEAs account for past failures, agree upon certain assumptions, and establish ground rules.

• Step 2: Determine RPN

The risk priority number is used to prioritize the potential failures that require additional planning. It’s a product of three factors: severity, occurrence, and detection.

FMEA RPN Risk Analysis

Leaders should focus their improvement efforts on potential failures at the top 20% of the highest RPNs. These high-risk failure modes must be addressed through effective action plans.

• Step 3: Follow-up on actions

After establishing and executing effective action plans, leaders should remember to continuously review these plans and the high-risk failure modes they address.

Failure Mode and Effects Analysis Template

Use this digital template to identify problems in processes or products. Describe the potential failure effect, the potential cause, and current controls. Add the severity, occurrence, and detection ratings. Finally, record the RPN and sign-off.

How to Perform Root Cause Analysis

• Step 1: Define the problem – In the context of risk analysis, a problem is an observable consequence of an unidentified risk or root cause.
• Step 2: Select a tool – 5 Whys, 8D, or DMAIC

5 Whys involves asking the question “why” five times. Though 5 Whys is the easiest to use, it can also oversimplify problems. 8D stands for the eight disciplines of problem-solving. While 8D provides long-term solutions, performing it correctly requires extensive training. 

DMAIC, on the other hand, is more comprehensive than 5 Whys, but also relatively easier to perform than 8D, especially if the third step (Analyze) is simplified.

• Step 3: Implement actions – Address root cause/s identified using the tool selected in the previous step by creating and implementing actions. These actions should be specific and directed to the person/s most capable of executing them. 

Root Cause Analysis Template

Use this digital template to analyze a recurring problem and its effect on productivity. List reasons why the problem occurs and rate how likely they are to be root causes. Once a root cause has been identified, choose its category and provide a prevention strategy.

For leaders who haven’t decided on a specific type or want a general outline of how to perform risk analysis, refer to the steps below:

1. Set the goal for risk analysis 
2. Collect data to identify risks
3. Add values to risks 
4. Identify highest-priority risks
5. Develop a plan to mitigate these risks
6. Follow through with the plan
7. Review the effectiveness of the plan

How to Manage and Communicate Risks

One way to manage risks effectively is to use the ISO 31000 standard. ISO 31000 is an internationally recognized benchmark for risk management. It can be summarized into three guiding rules for leaders to follow:

• Risk management must be structured, innovative, inclusive, dynamic, continuously improving, and customized to fit business objectives.
• Leaders must proactively integrate risk management on all levels of the business.
• Risk management policies and practices should support open risk communication.

Another key aspect of using ISO 31000 is to ensure that all employees are familiar with the standard and/or have received related training on how to apply the standard in their work. While leaders should take responsibility for the overall risk management, they should be careful to not alienate employees from this process. Without the support and input of employees, implementing ISO 31000 will be much harder than it needs to be.

ISO 31000:2018 Risk Management Template

Use this digital template to establish a solid risk management framework based on ISO 31000. Show leadership by making a commitment to risk management. Share the responsibility of managing risks with other stakeholders in the business, including employees.

Though adhering to the ISO 31000 standard is recommended, this can seem intimidating or overly complicated for smaller businesses or those with less resources to spend on risk management. A temporary alternative is to use a risk management plan, which should have the following parts:

• Descriptions of all identified risks, their consequences, and possible causes
• A model for estimating the likelihood and severity of consequences (risk analysis)
• Corrective actions to target possible causes or to lessen the severity of consequences

When using a risk management plan, it can be helpful to have a risk management plan template that’s easy to distribute to employees and update when needed. Without a template, it can be difficult to use or create a risk management plan for the entire business. 

Risk Management Plan Template

Use this digital template to assess the likelihood and severity of consequences. Specify planned mitigation strategies and the employee/s responsible for executing them. Give the estimated cost and timeline of mitigation actions.

Manage Risks with SafetyCulture (formerly iAuditor)

SafetyCulture is a digital inspection platform businesses can use to identify, analyze, communicate, and manage risks effectively. Together with Mitti, a technology-first insurance company, SafetyCulture rewards businesses that are proactive in managing their risks.