Introduction to risk analysis | Vose Software

# Introduction to risk analysis

Risk analysis is the process of systematically identifying and assessing the potential risks and uncertainties that occur when trying to achieve a certain goal (like reaching a target income or finishing a project), and then finding a feasible strategy for most efficiently controlling those risks.

## Why do a risk analysis?

In business and government one faces having to make decisions with uncertain outcome all the time. Understanding the uncertainty can help us make a much better decision.

Imagine that you are a national health care provider considering which of two vaccines to purchase. The two vaccines have the same reported level of efficacy (60%), but further study reveals that there is a difference in confidence attached to these two performance measure: one is twice as uncertain as the other.

All else being equal, the health care provider would purchase the vaccine with the smallest uncertainty about its performance: vaccine A.

Replace vaccine by investment and efficacy by profit and we have a problem in business, for which the answer is the same: pick the investment with the smallest uncertainty, all else being equal (investment A). The principal problem is determining that uncertainty which is the central focus of risk analysis.

We can think of two forms of uncertainty that we have to deal with in risk analysis.

The first is a general sense that the quantity we are trying to estimate has some uncertainty attached to it. This is usually described by a distribution like the one in the figure.

Then we have risk events, which are random events that may or may not occur and for which there is some impact of interest to us.

We can distinguish between two types of events.

A risk is an event that may possibly occur, and if it did occur would have a negative impact on the goals of the organization. Thus a risk is composed of three elements:

• The scenario.

• Its probability of occurrence.

• The size of its impact if it did occur (either a fixed value or a distribution).

An opportunity is an event that may possibly occur, and if it did occur would have a positive impact on the goals of the organization. Thus an opportunity is composed of the same three elements as a risk.

A risk and an opportunity can be considered the opposite sides of the same coin. It is usually easiest to consider a potential event to be a risk if it would have a negative impact and its probability is less than 50%, and if the risk had a probability in excess of 50%, to include it in a base plan and then consider the opportunity of it not occurring.

## Moving on from what-if scenarios

Single point or deterministic modelling involves using a single 'best guess' estimate of each variable within a model to determine the model's outcome(s). Sensitivities are then performed on the model to determine how much that outcome might in reality vary from the model outcome. This is achieved by selecting various combinations for each input variable.

These various combinations of possible values around the 'best guess' are commonly known as 'what if' scenarios. The model is often also 'stressed' by putting in values that represent worst case scenarios.

Consider a simple problem that is just the sum of five cost items.

We can use the three points, minimum, best guess and maximum, as values to use in a 'what if' analysis. Since there are five cost items and three values per item, there are 35 = 243 possible 'what if' combinations we could produce! Clearly, this is too large a set of scenarios to have any practical use.

This process suffers from two other important drawbacks:

• only three values are being used for each variable, where they could, in fact, take any number of values.

• no recognition is being given to the fact that the best guess value is much more likely to occur than the minimum and maximum values.

We can stress the model by adding up the minimum costs to find the best case scenario, and add up the maximum costs to get the worst case scenario, but in doing so the range is usually unrealistically large and offers no real insight. The exception is when the worst case scenario is still acceptable.

Quantitative risk analysis (QRA) using Monte Carlo simulation is similar to 'what if' scenarios in that it generates a number of possible scenarios.

However, it goes one step further by effectively accounting for every possible value that each variable could take and weighting each possible scenario by the probability of its occurrence.

QRA achieves this by modelling each variable within a model by a probability distribution. The structure of a QRA model is usually (there are some important exceptions!) very similar to a deterministic model, with all the multiplications, additions, etc. that link the variables together, except that each variable is represented by a probability distribution function instead of a single value.

The objective of a quantitative risk analysis is to calculate the combined impact of the uncertainty in the model's parameters in order to determine an uncertainty distribution of the possible model outcomes.

### Identifying Risks

Risk identification is the first step in a complete risk analysis, given that the objectives of the decision maker have been well defined. There are a number of techniques used to help formalise the identification of risks. This part of a formal risk analysis will often prove to be the most informative and constructive element of the whole process, improving company culture by encouraging greater team effort and reducing blame and should be executed with care.

The organizations participating in a formal risk analysis should take pains to create an open and blameless environment in which expressions of concern and doubt can be openly given.

### Brainstorming

Brainstorming is a general technique that can be used for identifying a project's risks, pooling the available information on each risk, and identifying possible risk management options. It involves gathering together a group of project stakeholders under the direction of a neutral and reasonably strong-willed chairperson.

It is prudent to have instructed brainstorm session participants well before the meeting about what one is hoping to achieve, together perhaps with some explanation of the meaning of a 'risk' and an 'opportunity'. They may also have been given prompt lists to think about, or any other means for helping them focus on the task.

Suggesting that one should also consider opportunities adds a certain optimism that balances the rather pessimistic search for risks, although admittedly the ratio to risks to opportunities may well end up in the region of 10:1.

The chairperson's role is to structure the meeting so that all relevant aspects of the project are considered. A prompt list is often useful in this regard. The participants are encouraged to identify risks that they feel could impact on the project. The chairperson tries to ensure that a blameless and honest environment is maintained and that each person is allowed to express his or her opinion regardless of status or personality.

The chairperson may also have to question the group when he or she feels that certain areas are being ignored (this is sometimes not very popular). The group is encouraged to discuss each risk as it is identified and what may be done to reduce its probability and impacts. This aspect of a brainstorming session can be particularly valuable as newly identified risks can often be reduced, eliminated or discounted by agreed actions or extra information supplied from the parties sitting around the table.

Brainstorming sessions are sometimes difficult to organize since they require key (usually very busy) people involved in a project to be in the one place at the same time. They are also expensive in terms of personnel. Minutes from a brainstorming session should be circulated to the participants, so the chairperson needs to keep the group focused. The chairperson (risk analyst) then arranges meetings with each of the individuals to discuss the relevant risks and to collect their estimates of each risk's probability and impacts.

A rather more frank list of risks often appears as a result of these one-to-one meetings, especially if as chairperson one collates the identified risks without recording the originator. Eliciting individual estimates of risks is also a very good check on whether there is a consensus.

### Prompt Lists

Prompt lists provide a set of categories of risk that are pertinent to the type of project under consideration, or the type of risk being considered by an organization. The lists are used to help people think about and identify risks.

Sometimes different types of lists are used together to further improve the chance of identifying all of the important risks that may occur. For example, in analyzing the risks to some project, one prompt list might look at various aspects of the project (e.g. legal, commercial, technical, etc.) or types of tasks involved in the project (design, construction, testing). A project plan and a work breakdown structure, with all of the major tasks defined, are natural prompt lists. In analyzing the reliability of some manufacturing plant, a list of different types of failure (mechanical, electrical, electronic, human, etc.) or a list of the machines or processes involved could be used.

One could also cross-check with a plan of the site or a flow diagram of the manufacturing process. Check lists can be used at the same time: these are a series of questions one asks as a result of experience of previous problems or opportune events.

A prompt list will never be exhaustive but acts as a focus of attention in the identification of risks. Whether a risk falls into one category or another is not important, only that the risk is identified. The following list provides an example of a fairly general project prompt list. There will often be a number of sub-sections for each category:

• Project acceptance
• Commercial
• Communication
• Environmental
• Financial
• Knowledge and information
• Legal
• Management
• Partner
• Political
• Quality
• Resources
• Strategic
• Subcontractor
• Technical

The identified risks can then be stored and analyzed in the Pelican risk management software.

### 10 golden rules

Risk modeling should not be prescriptive, because that inhibits creative thinking, which is essential for solving problems - the fundamental purpose of risk analysis.  However, there are a few basic principles that are worth adhering to. Morgan and Henrion (1990) offer excellent "ten golden rules" in relation to quantitative risk and policy analysis. You might want to print these out as a big poster to put on your office's wall.

 10 golden rules for risk analysis Do your homework with literature, experts and users. Let the problem drive the analysis. Make the analysis as simple as possible, but no simpler. Identify all significant assumptions. Be explicit about decision criteria and policy strategies. Be explicit about uncertainties. Perform systematic sensitivity and uncertainty analysis. Iteratively refine the problem statement and the analysis. Document clearly and completely. Expose to peer review.

### The possible responses to risks

The response to correctly identified and evaluated risks generally falls into one of these categories:

• Increase! (the project plan may be overly cautious).

• Do nothing (because it would cost too much or there is nothing that can be done).

• Collect more data (to better understand the risk).

• Add a contingency (extra amount to budget, deadline, etc. to allow for possibility of risk).

• Reduce (e.g. build in redundancy, take a less risky approach, find ways to reduce the probability or impact).

• Share (e.g. with partner or contractor providing they can reasonably handle the impact).

• Transfer (e.g. insure, back-to-back contract).

• Eliminate (e.g. do it another way).

• Cancel project.

This list can be helpful in thinking of possible responses to identified risks. It should be borne in mind that these risks responses might in their turn carry secondary risks.

Fallback plans should be developed to deal with risks that are identified and not eliminated. If done well in advance, they can help the organization react efficiently, calmly and in unison in a situation where blame and havoc might normally reign.