Risk Analysis is a process that helps identify and assess potential threats that could affect the success of a business or project. It allows to examine the risks and includes means to measure, mitigate and control them effectively. It is part of the larger process of risk management although risk management can also refer to the process of controlling and monitoring risks.
Risk analysis is an essential tool when the work involves threats and risks. Many industries have recognized the increasing importance of risk analysis such as medical, food, automotive, transportation, military, aerospace and nuclear. Many companies have established risk management functions and procedures to perform risk analysis on a continual basis. These companies may need to assess their financial stability, assess the financial feasibility of an investment, or assess the impact of new government policies or new competitors coming into the market.
Risk analysis is also used to assess the potential health effects resulting from human exposures to hazardous agents or situations. It is also widely used in manufacturing environments to improve safety and manage potential risks in production lines. It can also be used in all types of engineering of sophisticated systems to ensure safety and reliability of systems, processes and products.
Risk analysis is a key process area in project management. It helps deciding whether to proceed with a project and ensures that only those projects with the highest chance of success are selected. It is used in project planning and during project implementation to evaluate how a project can be brought to a successful completion. If risks are not considered and controlled, you will not be able to minimize their impact on the schedule, scope, cost or quality of your project. It is possible for a project to be stopped for example if the availability of resources become an issue.
Risk analysis is an essential tool that could save time and money, reduce the level of uncertainty, decrease the impact of negative events, improve project controls, and improve organizational learning. There are four stages to risk analysis: risk identification, risk assessment, response planning and implementation, and risk monitoring and control.
The first step is to identify the existing and possible threats that may affect your objectives. Risk Identification is the process of determining and documenting the potential risk that could occur. It is an iterative process as new risks may evolve or become known as the project progresses. You may interview experts or consult people who have gone through similar projects to find their perspectives. Tools such as SWOT analysis, scenario analysis and brainstorming can provide information about what the risks are or might be. Identified risks and their characteristics are then recorded in a log which is commonly referred to as a risk register.
Risk Register
A Risk Register is a document that is used to record and track all information about the identified risks. It contains information about the risks and the results from the risk analysis process as it is conducted. It should be updated as new information becomes available and is used to support future risk analysis processes. High priority risks are often addressed in more details while low priority risks are often included in what is called a Watch List for future monitoring.
Risk Assessment
Risk Assessment helps to evaluate the significance of each risk and highlight those that present the greatest threat on the overall objectives. Once risks have been identified, they should be prioritized according to their potential impact and probability of occurring. Risk Impact is the effect the risk will cause if it occurs. Risk probability is a measure of the likelihood of the risk occurring. Numeric values may be used to indicate the rating. However, an ordinal scale is sometimes applied to rate the probability and impact of the risks (such as a 1-5 scale).
With your risks identified, assessed and prioritized, it is now time to apply strategies to deal with them effectively. In the Risk Response Planning and Implementation, you need to respond to the assessed risks by developing options and actions to reduce the probability or impact of risks. This process should be realistic, cost effective, agreed upon by key stakeholders and owned by a responsible person. This may include options such as: avoiding the risk, transferring it, mitigating it, or accepting it altogether.
- Avoidance – It usually involves changing in the project plan such as extending the schedule, reducing the scope, or spending money or hiring resources to eliminate the risk. An example is when you hire a more skilled resource who is likely to get the tasks done in less time.
- Transference – In some cases, you may want to share the risk with someone else. It is simply handling off the risk to another team, organization or a third party. Examples are: outsourcing a service and buying an insurance.
- Mitigation – It involves carrying out work now to reduce the probability and/or impact of a risk to be within the acceptable threshold limits. It may include preventive, detective or testing possible ways to reduce the risk. Examples are: backing up the data to an offsite location and choosing a more stable supplier.
- Acceptance – You may choose to just accept the risk than using any of the costly risk response options. An acceptable risk is the one that is tolerated because there is nothing you can do to prevent or mitigate it, or because of its cost or difficulty of implementation. One of the common acceptance strategies is to come up with a contingency plan to cope with its consequences.
Controlling risks improves the efficiency of the risk analysis process. It involves monitoring and re-assessing risks overtime, identifying new risks, and evaluating the effectiveness of the risk response strategies. Performance information should be reviewed regularly (including the schedule progress and costs incurred). Risks and risk response plans should be reviewed in regular meetings to ensure plans are being implemented. In these meetings, key risks should be given more attention and new risks should be raised and discussed.
P-I Matrix
A Probability-Impact Matrix is a method that helps to identify which risks need your attention most. The combined probability and impact scores of individual risks are simply plotted into the two dimensional matrix. Thresholds for low, moderate or high risks can be shown on the matrix which help in rating the risks. Risks can be moved around the matrix as a result of implementing the risk response plans.
Example
The following risk register and P-I matrix are part of the results of a risk analysis study that has been performed by an external consultant to facilitate a change initiative within an organization.