Risk analysis is a process or set of techniques used to investigate and quantify the new problems that might arise in implementing a solution to your original problem.
The potential risks could be related to a number of areas, including:
- Data protection
- End user impact
- Loss of key staff
- Market environment
- Legislation and regulatory compliance
- Disaster recovery and business continuity
Risk assessment is inherently uncertain, because you have to weigh up the possible impact of something that has not yet happened, and which may never happen. Yet some risks are more predictable than others, and when you conduct a risk assessment, your aim is to prevent predictable risks from becoming real problems.
Risk assessment is a complete business process in itself, used in many industries to monitor potential hazards and safety risks. This kind of process really focuses on physical safety, and for our problem solving approach, we need to think about risk in a wider context.
In regulated markets, risk assessments are mandatory for many projects. Confidential information about customers must be protected, and you must demonstrate that you have given adequate consideration to this.
Risk assessment can be broken down into four stages as illustrated by the following diagram:
- Stage 1: Assess the risk: What can go wrong?
- Stage 2: Evaluate the risk: How likely is it to occur?
- Stage 3: Analyse the risk: What would be the consequences?
- Stage 4: Manage the risk: What preventative steps can be taken?
Documenting your risk assessments is key to your future tenure with your current company and your employability in the marketplace. If something should ever go catastrophically wrong with an implemented solution, some seriously concerned people will be pointing some seriously fat, accusatory fingers at the project team. To cover your butt, you need to be able to demonstrate that you considered and evaluated the associated risks.
Most project managers use a format known as the ‘risk register’ or ‘risk log’ for recording the identified risks in a project. Typically, a risk register contains:
- Risk name: A description of the risk
- Impact: The impact of the risk
- Probability: The chance of the risk event actually happening
- Risk Score: (Probability x Impact)
- Contingency: Your planned response to the risk if it happens
- Mitigation: Your plan to minimise or prevent the risk
- Action: A named person who owns the risk, the mitigation action and the contingency action
Qualitative risks are usually scored in terms of high, medium and low impact.
Quantitative risks are usually scored in terms of their numeric impact, such as $10,000 or 20 days.
On the risk register, the risks are often ranked by Risk Score so that risk priorities can be easily communicated to everyone involved.
For more advanced analysts, there are many sophisticated risk assessment models that provide better insight and greater evaluative accuracy. Here are a few examples that you can use:
- Failure Mode and Effects Analysis
- Force field analysis
- Impact Analysis
- Ladder of Inference
- Probability Risk Analysis
- Value at Risk