Nearly all projects, new systems, product developments and company changes face risks. Managers and specialists do their best to minimize risks and avoid losses. Risk analysis is a process that helps to identify the types of risks that can occur and which of them can have the most significant impact on losses. We will show you how to carry out such a risk analysis.

Risks always exist, no matter whether you start up a new company - where such risks might be a “leakage” of confidential information to competitors, a breakdown of technology, central bank currency rate interventions etc. - or whether you decide to change your manufacturing technology. In the latter case you can face risks such as a failure of overvoltage protection, an unexpected chemical reaction, a supplier's failure to meet the terms and conditions of a concluded contract etc. Whatever you do, you always work in an environment with a higher or lower degree of risk. Each individual risk can have a different impact on your plans. Risk analysis will help you to identify and assess such risks.

Identification of risk significance

The result of risk analysis is the identification of the significance of the defined risks. Each risk, in the light of the assignment, has various impacts to consider. The impacts of risks - in other words, their consequences - can be evaluated using a five-point scale matrix, e.g.:

| Points | Impact of risk | Description of impact |
|---|---|---|
| 5 | CRISIS | Situation limits or terminates the operation of the company significantly (e.g., bankruptcy, casualties etc.). |
| 4 | MAJOR | Situation influences both internal and external operation of the company very dangerously (e.g., high financial losses - 100% budget overrun, time losses, litigation, injuries etc.). |
| 3 | MEDIUM | Situation influences both internal and external operation of the company dangerously (e.g., some losses, but the company is still able to work, financial losses up to 30% of the budget etc.). |
| 2 | MINOR | Situation influences internal operation of the company (e.g., time delays not longer than 30 days). |
| 1 | INSIGNIFICANT | Although the situation influences the operation of the company negatively, no losses over 5% are suffered. |

In addition to having consequences, an individual risk may or may not occur; therefore, the probability of risk occurrence is also identified. Again, we can evaluate this probability using a five-point scale matrix, e.g.:

| Points | Probability of risk occurrence | Description of occurrence |
|---|---|---|
| 5 | VERY LIKELY | Risk occurs nearly always, or with probability 90-100%. |
| 4 | LIKELY | Risk probably occurs. |
| 3 | UNLIKELY | Risk might sometimes occur (e.g., under specific conditions). |
| 2 | VERY UNLIKELY | Risk might sometimes occur, but it is very unlikely. |
| 1 | IMPOSSIBLE | Risk might occur only in exceptional cases and under specific conditions. |

The level of risk significance “V” is calculated as the product of impact and probability:

Significance = impact * probability

The level of significance classifies risks into 3 main zones (see Figure):

  • low < 12 - impacts of the activity on the company are not significant
  • medium 12 < 16 - impacts are significant, but not critical
  • high > 16 - critical impacts and consequences for the activity of the company

It is absolutely clear that high risks, as well as medium risks, must be dealt with as a priority. Nevertheless, take into account that you can only work to eliminate risks; absolute prevention of their occurrence is not always possible. In many cases you will find that you have to live permanently with your risks. An example of such a risk might be serious human error. You can eliminate such errors by inspections, training, tests etc. However, you can never be sure that all people will follow the defined procedure.

How to Write a Risk Analysis

The purpose of the risk analysis is to identify hazards or undesirable conditions that can occur within the subject matter of interest. The method itself is not enough; the correct procedure must be followed.

  1. Assignment and description of the environment - firstly, we must clearly define our working environment: whether we are involved in mechanical engineering production, produce computer chips, or provide analytical services. We must clarify which components are included in the analyzed system and which components stand outside it. As soon as we have clearly defined our system and environment, the assignment must be described - why we are making the analysis and under which conditions.
  2. Team establishment - the analysis should be made by experienced staff who know the system well and have experience of the various situations that can occur. An analysis carried out by a single person is definitely not recommended.
  3. Risk definition - the specialists working in the team analyze the assigned system in order to define its risks. They can use different approaches, such as simulation, brainstorming or brainwriting. The main questions asked are as follows (the list is not exhaustive):
       • What hazards can be encountered?
       • Can a bankruptcy be declared?
       • Can a staff casualty occur?
       • What are the conditions under which the production can be interrupted?
       • etc.
  4. Classification of risks into sections - each risk is registered in a template prepared in advance. For further assessment and identification of risk areas, risks can be classified into defined areas, sections or even processes.
  5. Calculation of level of risk significance - the team assesses each defined risk by the probability of its occurrence (1-5) and its impact (1-5). After the assessment, the significance level is calculated by multiplication and the identified risks are classified into the individual zones.
  6. Selection of risks and sections to be solved - risks which can be solved, and whose occurrence and impacts can be eliminated, are selected from the analysis. Alternatively, sections with the highest number of risks can be selected, or sections with the most risks classified into the category “high”.
  7. Definition of measures to eliminate risks - the analysis is completed, at the latest, with the definition of appropriate measures to eliminate the identified risks, prepared by the team.
  8. Repetition of risk analysis - risks can change in the course of time. Furthermore, you need to know whether your adopted measures have been effective. This is the reason why the risk assessment should be repeated after a certain period of time (half a year, a year) and compared with the original analysis.
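
The scoring, selection and repetition steps above, as an added example that is not part of the original article: it scores a constructed risk register, ranks sections by the number of high-zone risks, and compares a repeated analysis with the first one. The register entries and section names are made up, and treating a score of exactly 12 as medium and exactly 16 as high is an assumption, because the zone list leaves those two values open.

```python
from collections import Counter

def zone(v):
    # Page thresholds: low < 12, medium 12 < 16, high > 16.
    # Assumption: exactly 12 counts as medium and exactly 16 as high.
    return "low" if v < 12 else "medium" if v < 16 else "high"

def assess(register):
    """Significance = impact * probability, then zone; highest score first."""
    scored = []
    for section, risk, impact, probability in register:
        if not (1 <= impact <= 5 and 1 <= probability <= 5):
            raise ValueError(f"{risk}: impact and probability must be 1-5")
        v = impact * probability
        scored.append({"section": section, "risk": risk,
                       "significance": v, "zone": zone(v)})
    return sorted(scored, key=lambda r: -r["significance"])

def sections_by_high_risks(scored):
    """Rank sections by how many of their risks fall in the high zone."""
    counts = Counter({r["section"]: 0 for r in scored})
    counts.update(r["section"] for r in scored if r["zone"] == "high")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def compare(previous, current):
    """Change in significance per risk; risks not seen before are 'new'."""
    before = {r["risk"]: r["significance"] for r in previous}
    return {r["risk"]: (r["significance"] - before[r["risk"]]
                        if r["risk"] in before else "new") for r in current}

# Constructed register: (section, risk, impact 1-5, probability 1-5)
FIRST = [
    ("IT", "Leak of confidential information", 4, 4),
    ("IT", "Technology breakdown", 4, 3),
    ("Production", "Overvoltage protection failure", 5, 2),
    ("Supply", "Supplier breaches contract terms", 3, 3),
]
# Constructed repeat analysis: leak probability lowered, one new risk found
REPEAT = [("IT", "Leak of confidential information", 4, 2)] + FIRST[1:] + [
    ("Production", "Staff skip defined procedure", 4, 4),
]

if __name__ == "__main__":
    first, repeat = assess(FIRST), assess(REPEAT)
    for r in first:
        print(f'{r["significance"]:>2} {r["zone"]:<6} {r["section"]}: {r["risk"]}')
    print(sections_by_high_risks(first))
    print(compare(first, repeat))
```
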

The analysis should be used continuously. Usually the team keeps uncovering further risks during project implementation that were not known or anticipated at the beginning. Thus, the analysis should be regularly supplemented. Furthermore, even ISO 9001 focuses on risk management.
