Risk and Uncertainty Analysis and Methods | Commerce & Accountancy Optional Notes for UPSC PDF Download

Risk Analysis: Definition, Types, Limitations, and Examples

The term risk analysis refers to the assessment process that identifies the potential for any adverse events that may negatively affect organizations and the environment. Risk analysis is commonly performed by corporations (banks, construction groups, health care, etc.), governments, and nonprofits. Conducting a risk analysis can help organizations determine whether they should undertake a project or approve a financial application, and what actions they may need to take to protect their interests. This type of analysis facilitates a balance between risks and risk reduction. Risk analysts often work with forecasting professionals to minimize future negative unforeseen effects.

Understanding Risk Analysis

• Risk assessment enables corporations, governments, and investors to assess the probability that an adverse event might negatively impact a business, economy, project, or investment.  Assessing risk is essential for determining how worthwhile a specific project or investment is and the best process(es) to mitigate those risks. Risk analysis provides different approaches that can be used to assess the risk and reward tradeoff of a potential investment opportunity.
• A risk analyst starts by identifying what could potentially go wrong. These negatives must be weighed against a probability metric that measures the likelihood of the event occurring.
• Finally, risk analysis attempts to estimate the extent of the impact that will be made if the event happens. Many risks that are identified, such as market risk, credit risk, currency risk, and so on, can be reduced through hedging or by purchasing insurance.
• Almost all sorts of large businesses require a minimum sort of risk analysis. For example, commercial banks need to properly hedge foreign exchange exposure of overseas loans, while large department stores must factor in the possibility of reduced revenues due to a global recession. It is important to know that risk analysis allows professionals to identify and mitigate risks, but not avoid them completely.

Types of Risk Analysis

Risk-Benefits

Many people are aware of a cost-benefit analysis. In this type of analysis, an analyst compares the benefits a company receives to the financial and non-financial expenses related to the benefits. The potential benefits may cause other, new types of potential expenses to occur. In a similar manner, a risk-benefit analysis compares potential benefits with associated potential risks. Benefits may be ranked and evaluated based on their likelihood of success or the projected impact the benefits may have.

Needs Assessment

A needs risk analysis is an analysis of the current state of a company. Often, a company will undergo a needs assessment to better understand a need or gap that is already known. Alternatively, a needs assessment may be done if management is not aware of gaps or deficiencies. This analysis lets the company know where they need to spending more resources in.

Business Impact Analysis

In many cases, a business may see a potential risk looming and wants to know how the situation may impact the business. For example, consider the probability of a concrete worker strike to a real estate developer. The real estate developer may perform a business impact analysis to understand how each additional day of the delay may impact their operations.

Root Cause Analysis

Opposite of a needs analysis, a root cause analysis is performed because something is happening that shouldn't be. This type of risk analysis strives to identify and eliminate processes that cause issues. Whereas other types of risk analysis often forecast what needs to be done or what could be getting done, a root cause analysis aims to identify the impact of things that have already happened or continue to happen.

How to Perform a Risk Analysis

Though there are different types of risk analysis, many have overlapping steps and objectives. Each company may also choose to add or change the steps below, but these six steps outline the most common process of performing a risk analysis.

Step #1: Identify Risks

• The first step in many types of risk analysis to is to make a list of potential risks you may encounter. These may be internal threats that arise from within a company, though most risks will be external that occur from outside forces. It is important to incorporate many different members of a company for this brainstorming session as different departments may have different perspectives and inputs.
• A company may have already addressed the major risks of the company through a SWOT analysis. Although a SWOT analysis may prove to be a launching point for further discussion, risk analysis often addresses a specific question while SWOT analysis are often broader. Some risks may be listed on both, but a risk analysis should be more specific when trying to address a specific problem.

Step #2: Identify Uncertainty

• The primary concern of risk analysis is to identify troublesome areas for a company. Most often, the riskiest aspects may be the areas that are undefined. Therefore, a critical aspect of risk analysis is to understand how each potential risk has uncertainty and to quantify the range of risk that uncertainty may hold.
• Consider the example of a product recall of defective products after they have been shipped. A company may not know how many units were defective, so it may project different scenarios where either a partial or full product recall is performed. The company may also run various scenarios on how to resolve the issue with customers (i.e. a low, medium, or high engagement solution.

Step #3: Estimate Impact

• Most often, the goal of a risk analysis is to better understand how risk will financially impact a company. This is usually calculated as the risk value, which is the probability of an event happening multiplied by the cost of the event.
• For example, in the example above, the company may assess that there is a 1% chance a product defection occurs. If the event were to occur, it would cost the company $100 million. In this example, the risk value of the defective product would be assigned $1 million.
• The important piece to remember here is management's ability to prioritize avoiding potentially devastating results. For example, if the company above only yielded $40 million of sales each year, a single defect product that could ruin brand image and customer trust may put the company out of business. Even though this example led to a risk value of only $1 million, the company may choose to prioritize addressing this due to the higher stakes nature of the risk.

Step #4: Build Analysis Model(s)

The inputs from above are often fed into an analysis model. The analysis model will take all available pieces of data and information, and the model will attempt to yield different outcomes, probabilities, and financial projections of what may occur. In more advanced situations, scenario analysis or simulations can determine an average outcome value that can be used to quantify the average instance of an event occurring.

Step #5: Analyze Results

With the model run and the data available to be reviewed, it's time to analyze the results. Management often takes the information and determines the best course of action by comparing the likelihood of risk, projected financial impact, and model simulations. Management may also request to see different scenarios run for different risks based on different variables or inputs.

Step #6: Implement Solutions

After management has digested the information, it is time to put a plan in action. Sometimes, the plan is to do nothing; in risk acceptance strategies, a company has decided it will not change course as it makes most financial sense to simply live with the risk of something happening and dealing with it after it occurs. In other cases, management may want to reduce or eliminate the risk.

Qualitative vs. Quantitative Risk Analysis

Quantitative Risk Analysis

• Under quantitative risk analysis, a risk model is built using simulation or deterministic statistics to assign numerical values to risk. Inputs that are mostly assumptions and random variables are fed into a risk model.
• For any given range of input, the model generates a range of output or outcome. The model's output is analyzed using graphs, scenario analysis, and/or sensitivity analysis by risk managers to make decisions to mitigate and deal with the risks.
• A Monte Carlo simulation can be used to generate a range of possible outcomes of a decision made or action taken. The simulation is a quantitative technique that calculates results for the random input variables repeatedly, using a different set of input values each time. The resulting outcome from each input is recorded, and the final result of the model is a probability distribution of all possible outcomes.
• The outcomes can be summarized on a distribution graph showing some measures of central tendency such as the mean and median, and assessing the variability of the data through standard deviation and variance. The outcomes can also be assessed using risk management tools such as scenario analysis and sensitivity tables. A scenario analysis shows the best, middle, and worst outcome of any event. Separating the different outcomes from best to worst provides a reasonable spread of insight for a risk manager.
• For example, an American company that operates on a global scale might want to know how its bottom line would fare if the exchange rate of select countries strengthens. A sensitivity table shows how outcomes vary when one or more random variables or assumptions are changed.
• Elsewhere, a portfolio manager might use a sensitivity table to assess how changes to the different values of each security in a portfolio will impact the variance of the portfolio. Other types of risk management tools include decision trees and break-even analysis.

Qualitative Risk Analysis

• Qualitative risk analysis is an analytical method that does not identify and evaluate risks with numerical and quantitative ratings. Qualitative analysis involves a written definition of the uncertainties, an evaluation of the extent of the impact (if the risk ensues), and countermeasure plans in the case of a negative event occurring.
• Examples of qualitative risk tools include SWOT analysis, cause and effect diagrams, decision matrix, game theory, etc. A firm that wants to measure the impact of a security breach on its servers may use a qualitative risk technique to help prepare it for any lost income that may occur from a data breach.

Advantages and Disadvantages of Risk Analysis

Pros of Risk Analysis

• Risk analysis allows companies to make informed decisions and plan for contingencies before bad things happen. Not all risks may materialize, but it is important for a company to understand what may occur so it can at least choose to make plans ahead of time to avoid potential losses.
• Risk analysis also helps quantify risk, as management may not know the financial impact of something happening. In some cases, the information may help companies avoid unprofitable projects. In other cases, the information may help put plans in motion that reduce the likelihood of something happen that would have caused financial stress on a company.
• Risk analysis may detect early warning signs of potentially catastrophic events. For example, risk analysis may identify that customer information is not being adequately secured. In this example, risk analysis can lead to better processes, stronger documentation, more robust internal controls, and risk mitigation.

Cons of Risk Analysis

• Risk is a probabilistic measure and so can never tell you for sure what your precise risk exposure is at a given time, only what the distribution of possible losses is likely to be if and when they occur. There are also no standard methods for calculating and analyzing risk, and even VaR can have several different ways of approaching the task. Risk is often assumed to occur using normal distribution probabilities, which in reality rarely occur and cannot account for extreme or "black swan" events.
• The financial crisis of 2008, for example, exposed these problems as relatively benign VaR calculations that greatly understated the potential occurrence of risk events posed by portfolios of subprime mortgages.
• Risk magnitude was also underestimated, which resulted in extreme leverage ratios within subprime portfolios. As a result, the underestimations of occurrence and risk magnitude left institutions unable to cover billions of dollars in losses as subprime mortgage values collapsed.

Risk Analysis

Pros

• May aid in minimizing losses due to management preemptively forming a risk plan
• May allow management to quantify risks and assign dollars to future events
• May protect company resources, produce better processes, and mitigate overall risk

Cons

• Relies heavily on estimates, so it may be difficult to perform for certain risks
• Can not predict unpredictable, black swan events
• May underestimate risk magnitude or occurence, leading to overconfident operations

What Is Meant by Risk Analysis?

Risk analysis is the process of identifying and analyzing potential future events that may adversely impact a company. A company performs risk analysis to better understand what may occur, the financial implications of that event occurring, and what steps it can take to mitigate or eliminate that risk.