Risk Analysis – Process

Step # 1 – Risk Identification:

The first step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself. This can be done in two ways;

  1. Source analysis – Risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
  2. Problem analysis – Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.

Step # 2 – Risk Measurement and Evaluation:

  1. Once risks have been identified, they must then be assessed as to their potential severity of impact (generally a negative impact, such as damage or loss) and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring.
  2. Therefore, in the assessment process it is critical to make the best educated decisions in order to properly prioritize the implementation of the risk management plan.
  3. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:
    Rate (or probability) of occurrence X Impact of the event = Risk magnitude

Step # 3 – Risk Prioritization:

In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process can be very difficult, and balancing between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.

Step # 4 – Risk Management:

The fourth and final step involved is to chalk out a strategy to manage the risk. Four strategies are used to manage the risk;

  1. Avoidance (eliminate, withdraw from or not become involved)
  2. Reduction / Control (optimize – mitigate) c. Sharing (transfer – outsource or insure) d. Retention (accept and budget)
  3. Sharing (transfer – outsource or insure)
  4. Retention (accept and budget)