Risk Management Process - Part 3b: Risk Analysis - Zerto
Blog keyboard_arrow_down keyboard_arrow_up

Risk Management Process – Part 3b: Risk Analysis

August 2, 2023
Business & IT Resilience
Est. Reading Time: 6 minutes

The second stage of risk assessment is risk analysis, a process that delves deeper into the identified risks (see part 3-a) to gauge their likelihood and potential impact. This step provides a risk-scoring system that enables organizations to prioritize risks according to their specific risk appetite and tolerance.

The Importance of Risk Analysis

Risk analysis plays a critical role in the risk assessment process by enabling organizations to fully comprehend the likelihood and possible impact of each identified risk.

Understanding the potential harm that each risk may cause allows decision-makers to make informed choices about where to allocate resources and which risks require immediate attention. Organizations can identify the most pressing risks, minimize potential losses, and take proactive steps to protect their operations and assets.

Assessing a Risk: Qualitative and Quantitative Analyses

To effectively assess the potential risks identified in the risk assessment process, it’s crucial to evaluate both their likelihood and impact. This step is essential to developing a thorough understanding of the risks and formulating an appropriate response. The systematic approach to understanding risks is called risk analysis.

There are two primary methods of risk analysis: qualitative and quantitative. Qualitative analysis uses descriptive measures to evaluate the likelihood and impact of risks. In contrast, quantitative analysis employs numerical or statistical methods to evaluate risks with greater precision. Both methods can be useful in different contexts and provide valuable information to decision-makers.

  • Likelihood of a Risk—The likelihood of a risk refers to the probability that a particular event will occur. It can be assessed through qualitative or quantitative methods.

Qualitative analysis involves assigning a subjective score based on the perceived likelihood of the risk. Quantitative analysis, on the other hand, uses statistical methods to calculate the probability of the risk occurring.

  • Impact of a Risk—The impact of a risk denotes the potential consequences that could result if the risk were to materialize. Evaluating impact is a crucial aspect of risk assessment and can be analyzed through either qualitative or quantitative means.

Qualitative analysis assigns a score to the potential impact of the risk based on a subjective assessment of the severity of its consequences. Alternatively, quantitative analysis uses statistical methods to estimate the potential financial, reputational, or other impacts that could stem from the risk event.

  • Velocity in Risk Analysis—Velocity measures the speed at which an organization can respond to a risk event. It’s not always used in risk analysis, but it can be integrated into the analysis to provide a more comprehensive understanding of the risk.

Velocity takes into account factors such as the speed of detection, speed of response, and recovery time. By incorporating velocity into the risk analysis, organizations can develop more effective mitigation strategies that consider the response speed required to minimize risk impact.

Risk map showing risks related to some events, including the risk velocity of these events

Risk Analysis Versus Business Impact Analysis

Business impact analysis (BIA) and risk analysis are two important components of the overall risk management process. However, they serve different purposes and use different methodologies.

BIA is primarily concerned with the impact of disruptions to critical business processes or functions. It identifies and prioritizes critical processes, their dependencies, and the potential impacts of disruption. BIA provides information about the financial, legal, reputational, and other impacts that could arise from a disruption. It makes no attempt to consider the likelihood of any risk events.

Risk analysis, on the other hand, is focused on assessing both the likelihood and potential impact of identified risks. It attempts to score risks and prioritize them based on an organization’s risk appetite and tolerance.

BIA can be performed without any risk assessment and, therefore, without risk analysis. However, risk analysis requires at least some sort of BIA to be completed. This is because a BIA provides necessary information on critical business processes, dependencies, and potential impacts that is required for effective risk analysis.

Business Impact Analysis’s Output and Risk Analysis

The output of a BIA can be helpful in estimating the potential impact of identified risks. BIA provides financial impacts, but it also highlights other types of impacts, such as legal and reputational impacts and dependencies. However, if a BIA isn’t available, an impact estimation will need to take place before the risk analysis step.

The impact estimate is usually measured in terms of cost per minute, hour, or day and the maximum tolerable downtime (MTD). MTD is typically determined or strongly influenced by the maximum financial hit that the organization can endure.

It’s important to highlight that impacts beyond financial ones should be considered. For example, in the case of a hospital, the cost per hour or day for a particular disruption may be significant. Still, if an impact involves potential loss of life, it would take precedence over any financial consideration. In this example, the organization has a duty of care with legal and moral obligations that cannot be ignored.

This last point illustrates the need to combine both qualitative and quantitative analyses, as not everything is based on financial considerations alone. In some cases, nonfinancial factors play a more critical role in determining the impact of a particular risk. Therefore, organizations need to have a holistic view of the risks they face, considering both financial and nonfinancial factors, to develop effective risk management strategies.

Examples of Risk Analysis

Below are examples of qualitative and quantitative risk analysis and their applications:

Qualitative Example

One example of qualitative risk analysis is a risk map that uses qualitative scores. A risk map is a visual representation that helps organizations understand and prioritize their identified risks. Each risk is assigned a qualitative score based on the perceived likelihood and potential impact.

These scores are then plotted on a risk map, providing an intuitive and straightforward view of the organization’s risk profile. This approach is especially useful for organizations that lack the data or resources to perform more detailed risk analyses.

Quantitative Example

Quantitative risk analysis involves assigning numerical values to the likelihood and potential impact of each risk. The probability of risk occurrence, or rate of occurrence (on a scale of 0 to 1), is multiplied by the estimated cost value to determine the risk score.

The score is then plotted on a risk map, providing a detailed and precise view of the organization’s risk landscape. This method is ideal for organizations that have the data and resources to perform more in-depth risk analyses.

Risk map shown as a 5x5 matrix with semi-quantitative risk scores for each cell

Stay tuned for the next part of this risk management blog series where we will continue discussing the risk assessment process by diving into the third step: risk control.