A risk is any uncertain event (fire, flood, rain) or condition (unavailability of resources) that might affect your business analysis effort through its impact on the outcome. Businesses are often faced with a multitude of risks that need to be analysed and managed. Risk Management is not only about what can go wrong - it's also about what can go right. You start by identifying all the events that can affect you, your organization and the solution, and then determine how to deal with them, should they occur.
The purpose of the risk analysis technique is to identify all the uncertainties that may have an impact on your initiative. Risks can come up whether or not you decide to take action in a specific direction. For instance, there could be risks associated with doing nothing.
Here are 3 steps to performing effective risk analysis:
Step One: Consider Your Organization's Attitude Towards Risks
Organizations accept different levels of risk depending on their risk attitude. The risk tolerance, appetite and threshold of the organization and its stakeholders must be fully understood, defined and communicated. An organization may be risk-averse, risk-neutral or risk-seeking. A risk-averse organization seeks to reduce risk as much as possible and gravitates towards attaining a high level of certainty on its projects. For risk-neutral organizations, the benefits of the risk response must be equal to or outweigh the costs. Risk-seekers, on the other hand, accept low chances of success as long as the benefits of success are considerably high.
Step Two: Assess Risks
Once risks have been identified by the team, risk assessment should be carried out in a collaborative setting where team members can gather to determine the probability (what is the likelihood that the risk will happen?) and the impact (what level of damage, costs or benefits will be incurred, should the risk happen?) of the risks. This offers a way of prioritizing risks to determine which should be addressed and in what order.
Step Three: Identify a Risk Response Strategy
The entire exercise of risk analysis culminates in the identification of a strategy that will enable the organization to respond to risks accordingly, instead of being caught by surprise.
For negative risks, there are 4 ways in which an organization may choose to respond:
- Transfer: The responsibilities of bearing the risk are transferred to another entity, usually in the form of insurance.
- Avoidance: The organization does all it can to ensure that the risk does not occur.
- Mitigation: The organization reduces the chances of the risk occurring and also identifies alternatives for reducing the consequences.
- Acceptance: When there’s no way to avoid, transfer or mitigate a risk, the organization accepts that there is nothing that can be done and makes no effort to deal with it.
For positive risks (opportunities), there are 4 different ways in which an organization can respond:
- Acceptance: The organization chooses to accept the opportunity once it lands.
- Exploit: The organization actively takes steps to ensure that the opportunity materialises.
- Enhance: This is the exact opposite of mitigate. The organization takes steps to increase the probability of an opportunity occurring and its associated benefits, should it occur.
- Share: Involves working with another entity to increase the probability of the opportunity occurring and sharing the benefits.