What Is Risk Analysis?
The term risk analysis refers to the assessment process that identifies the potential for any adverse events that may negatively affect organizations and the environment. Risk analysis is commonly performed by corporations (banks, construction groups, health care, etc.), governments, and nonprofits. Conducting a risk analysis can help organizations determine whether they should undertake a project or approve a financial application, and what actions they may need to take to protect their interests. This type of analysis facilitates a balance between risks and risk reduction. Risk analysts often work in with forecasting professionals to minimize future negative unforeseen effects.
- Risk analysis seeks to identify, measure, and mitigate various risk exposures or hazards facing a business, investment, or project.
- Quantitative risk analysis uses mathematical models and simulations to assign numerical values to risk.
- Qualitative risk analysis relies on a person’s subjective judgment to build a theoretical model of risk for a given scenario.
- Risk analysis can include risk benefit, needs assessment, or root cause analysis.
- Risk analysis entails identifying risk, defining uncertainty, completing analysis models, and implementing solutions.
Understanding Risk Analysis
Risk assessment enables corporations, governments, and investors to assess the probability that an adverse event might negatively impact a business, economy, project, or investment. Assessing risk is essential for determining how worthwhile a specific project or investment is and the best process(es) to mitigate those risks. Risk analysis provides different approaches that can be used to assess the risk and reward tradeoff of a potential investment opportunity.
A risk analyst starts by identifying what could potentially go wrong. These negatives must be weighed against a probability metric that measures the likelihood of the event occurring.
Finally, risk analysis attempts to estimate the extent of the impact that will be made if the event happens. Many risks that are identified, such as market risk, credit risk, currency risk, and so on, can be reduced through hedging or by purchasing insurance.
Almost all sorts of large businesses require a minimum sort of risk analysis. For example, commercial banks need to properly hedge foreign exchange exposure of overseas loans, while large department stores must factor in the possibility of reduced revenues due to a global recession. It is important to know that risk analysis allows professionals to identify and mitigate risks, but not avoid them completely.
Types of Risk Analysis
Many people are aware of a cost-benefit analysis. In this type of analysis, an analyst compares the benefits a company receives to the financial and non-financial expenses related to the benefits. The potential benefits may cause other, new types of potential expenses to occur. In a similar manner, a risk-benefit analysis compares potential benefits with associated potential risks. Benefits may be ranked and evaluated based on their likelihood of success or the projected impact the benefits may have.
A needs risk analysis is an analysis of the current state of a company. Often, a company will undergo a needs assessment to better understand a need or gap that is already known. Alternatively, a needs assessment may be done if management is not aware of gaps or deficiencies. This analysis lets the company know where they need to spending more resources in.
Business Impact Analysis
In many cases, a business may see a potential risk looming and wants to know how the situation may impact the business. For example, consider the probability of a concrete worker strike to a real estate developer. The real estate developer may perform a business impact analysis to understand how each additional day of the delay may impact their operations.
Root Cause Analysis
Opposite of a needs analysis, a root cause analysis is performed because something is happening that shouldn’t be. This type of risk analysis strives to identify and eliminate processes that cause issues. Whereas other types of risk analysis often forecast what needs to be done or what could be getting done, a root cause analysis aims to identify the impact of things that have already happened or continue to happen.
How to Perform a Risk Analysis
Though there are different types of risk analysis, many have overlapping steps and objectives. Each company may also choose to add or change the steps below, but these six steps outline the most common process of performing a risk analysis.
Step #1: Identify Risks
The first step in many types of risk analysis to is to make a list of potential risks you may encounter. These may be internal threats that arise from within a company, though most risks will be external that occur from outside forces. It is important to incorporate many different members of a company for this brainstorming session as different departments may have different perspectives and inputs.
A company may have already addressed the major risks of the company through a SWOT analysis. Although a SWOT analysis may prove to be a launching point for further discussion, risk analysis often addresses a specific question while SWOT analysis are often broader. Some risks may be listed on both, but a risk analysis should be more specific when trying to address a specific problem.
Step #2: Identify Uncertainty
The primary concern of risk analysis is to identify troublesome areas for a company. Most often, the riskiest aspects may be the areas that are undefined. Therefore, a critical aspect of risk analysis is to understand how each potential risk has uncertainty and to quantify the range of risk that uncertainty may hold.
Consider the example of a product recall of defective products after they have been shipped. A company may not know how many units were defective, so it may project different scenarios where either a partial or full product recall is performed. The company may also run various scenarios on how to resolve the issue with customers (i.e. a low, medium, or high engagement solution.
Step #3: Estimate Impact
Most often, the goal of a risk analysis is to better understand how risk will financially impact a company. This is usually calculated as the risk value, which is the probability of an event happening multiplied by the cost of the event.
For example, in the example above, the company may assess that there is a 1% chance a product defection occurs. If the event were to occur, it would cost the company $100 million. In this example, the risk value of the defective product would be assigned $1 million.
The important piece to remember here is management’s ability to prioritize avoiding potentially devastating results. For example, if the company above only yielded $40 million of sales each year, a single defect product that could ruin brand image and customer trust may put the company out of business. Even though this example led to a risk value of only $1 million, the company may choose to prioritize addressing this due to the higher stakes nature of the risk.
Step #4: Build Analysis Model(s)
The inputs from above are often fed into an analysis model. The analysis model will take all available pieces of data and information, and the model will attempt to yield different outcomes, probabilities, and financial projections of what may occur. In more advanced situations, scenario analysis or simulations can determine an average outcome value that can be used to quantify the average instance of an event occurring.
Step #5: Analyze Results
With the model run and the data available to be reviewed, it’s time to analyze the results. Management often takes the information and determines the best course of action by comparing the likelihood of risk, projected financial impact, and model simulations. Management may also request to see different scenarios run for different risks based on different variables or inputs.
Step #6: Implement Solutions
After management has digested the information, it is time to put a plan in action. Sometimes, the plan is to do nothing; in risk acceptance strategies, a company has decided it will not change course as it makes most financial sense to simply live with the risk of something happening and dealing with it after it occurs. In other cases, management may want to reduce or eliminate the risk.
Implementing solutions does not necessarily mean risk avoidance. A company can decide to simply live with the current risks it faces. Other potential solutions may include buying insurance, divesting from a product, restricting trade in certain geographical regions, or sharing operational risk with a partner company.
Qualitative vs. Quantitative Risk Analysis
Quantitative Risk Analysis
Under quantitative risk analysis, a risk model is built using simulation or deterministic statistics to assign numerical values to risk. Inputs that are mostly assumptions and random variables are fed into a risk model.
For any given range of input, the model generates a range of output or outcome. The model’s output is analyzed using graphs, scenario analysis, and/or sensitivity analysis by risk managers to make decisions to mitigate and deal with the risks.
A Monte Carlo simulation can be used to generate a range of possible outcomes of a decision made or action taken. The simulation is a quantitative technique that calculates results for the random input variables repeatedly, using a different set of input values each time. The resulting outcome from each input is recorded, and the final result of the model is a probability distribution of all possible outcomes.
The outcomes can be summarized on a distribution graph showing some measures of central tendency such as the mean and median, and assessing the variability of the data through standard deviation and variance. The outcomes can also be assessed using risk management tools such as scenario analysis and sensitivity tables. A scenario analysis shows the best, middle, and worst outcome of any event. Separating the different outcomes from best to worst provides a reasonable spread of insight for a risk manager.
For example, an American company that operates on a global scale might want to know how its bottom line would fare if the exchange rate of select countries strengthens. A sensitivity table shows how outcomes vary when one or more random variables or assumptions are changed.
Elsewhere, a portfolio manager might use a sensitivity table to assess how changes to the different values of each security in a portfolio will impact the variance of the portfolio. Other types of risk management tools include decision trees and break-even analysis.
Qualitative Risk Analysis
Qualitative risk analysis is an analytical method that does not identify and evaluate risks with numerical and quantitative ratings. Qualitative analysis involves a written definition of the uncertainties, an evaluation of the extent of the impact (if the risk ensues), and countermeasure plans in the case of a negative event occurring.
Examples of qualitative risk tools include SWOT analysis, cause and effect diagrams, decision matrix, game theory, etc. A firm that wants to measure the impact of a security breach on its servers may use a qualitative risk technique to help prepare it for any lost income that may occur from a data breach.
While most investors are concerned about downside risk, mathematically, the risk is the variance both to the downside and the upside.
Example of Risk Analysis: Value at Risk (VaR)
Value at risk (VaR) is a statistic that measures and quantifies the level of financial risk within a firm, portfolio, or position over a specific time frame. This metric is most commonly used by investment and commercial banks to determine the extent and occurrence ratio of potential losses in their institutional portfolios. Risk managers use VaR to measure and control the level of risk exposure. One can apply VaR calculations to specific positions or whole portfolios or to measure firm-wide risk exposure.
VaR is calculated by shifting historical returns from worst to best with the assumption that returns will be repeated, especially where it concerns risk. As a historical example, let’s look at the Nasdaq 100 ETF, which trades under the symbol QQQ (sometimes called the “cubes”) and which started trading in March of 1999.
In January 2000, the ETF returned 12.4%. But there are points at which the ETF resulted in losses as well. At its worst, the ETF ran daily losses of 4% to 8%. This period is referred to as the ETF’s worst 5%. Based on these historic returns, we can assume with 95% certainty that the ETF’s largest losses won’t go beyond 4%. So if we invest $100, we can say with 95% certainty that our losses won’t go beyond $4.
One important thing to keep in mind is that VaR doesn’t provide analysts with absolute certainty. Instead, it’s an estimate based on probabilities. The probability gets higher if you consider the higher returns, and only consider the worst 1% of the returns. The Nasdaq 100 ETF’s losses of 7% to 8% represent the worst 1% of its performance. We can thus assume with 99% certainty that our worst return won’t lose us $7 on our investment. We can also say with 99% certainty that a $100 investment will only lose us a maximum of $7.
Advantages and Disadvantages of Risk Analysis
Pros of Risk Analysis
Risk analysis allows companies to make informed decisions and plan for contingencies before bad things happen. Not all risks may materialize, but it is important for a company to understand what may occur so it can at least choose to make plans ahead of time to avoid potential losses.
Risk analysis also helps quantify risk, as management may not know the financial impact of something happening. In some cases, the information may help companies avoid unprofitable projects. In other cases, the information may help put plans in motion that reduce the likelihood of something happen that would have caused financial stress on a company.
Risk analysis may detect early warning signs of potentially catastrophic events. For example, risk analysis may identify that customer information is not being adequately secured. In this example, risk analysis can lead to better processes, stronger documentation, more robust internal controls, and risk mitigation.
Cons of Risk Analysis
Risk is a probabilistic measure and so can never tell you for sure what your precise risk exposure is at a given time, only what the distribution of possible losses are likely to be if and when they occur. There are also no standard methods for calculating and analyzing risk, and even VaR can have several different ways of approaching the task. Risk is often assumed to occur using normal distribution probabilities, which in reality rarely occur and cannot account for extreme or “black swan” events.
The financial crisis of 2008, for example, exposed these problems as relatively benign VaR calculations greatly understated the potential occurrence of risk events posed by portfolios of subprime mortgages.
Risk magnitude was also underestimated, which resulted in extreme leverage ratios within subprime portfolios. As a result, the underestimations of occurrence and risk magnitude left institutions unable to cover billions of dollars in losses as subprime mortgage values collapsed.
May aid in minimizing losses due to management preemptively forming a risk plan
May allow management to quantify risks and assign dollars to future events
May protect company resources, produce better processes, and mitigate overall risk
Relies heavily on estimates, so it may be difficult to perform for certain risks
Can not predict unpredictable, black swan events
May underestimate risk magnitude or occurence, leading to overconfident operations
What Is Meant by Risk Analysis?
Risk analysis is the process of identifying and analyzing potential future events that may adversely impact a company. A company performs risk analysis to better understand what may occur, the financial implications of that event occurring, and what steps it can take to mitigate or eliminate that risk.
What Are the Main Components of a Risk Analysis?
Risk analysis is sometimes broken into three components. First, risk assessment is the process of identifying what risks are present. Second, risk management is the procedures in place to minimize the damage done by risk. Third, risk communication is the company-wide approach to acknowledging and addressing risk. These three main components work in tandem to identify, mitigate, and communicate risk.
Why Is Risk Analysis Important?
Sometimes, risk analysis is important because it guides company decision-making. Consider the example of a company considering whether to move forward with a project. The decision may be as simple as identifying, quantifying, and analyzing the risk of the project.
Risk analysis is also important because it can help safeguard company assets. Whether it be proprietary data, physical goods, or the well-being of employees, risk is present everywhere. Companies must be mindful of where it most likely to occur as well as where it is most likely to have strong, negative implications.
The Bottom Line
Risk analysis is the process of identifying risk, understanding uncertainty, quantifying the uncertainty, running models, analyzing results, and devising a plan. Risk analysis may be qualitative or quantitative, and there are different types of risk analysis for various situations.