Risk Analysis

What is Risk Analysis?

Risk analysis is a process of identifying, evaluating, and planning for potential negative events or threats that could impact a business or organization. It assesses the likelihood of each event occurring and the potential severity of its consequences, with the goal of taking proactive measures to mitigate or avoid hazards.1 Essentially, it's about understanding and managing potential risks by analyzing their probability and possible impacts.

risk analysis

The Basic Idea

Consider a teenager and her elderly grandmother heading up to the mountain, debating whether they should take snowboarding lessons for the day. Snowboarding can be dangerous for anyone at any age, but for the teenager, her risks are comparatively low: she has great balance, and she’s equipped with wrist guards and a helmet. The rewards are also high: she’s always wanted to snowboard, and if she can get the hang of it, she’ll be able to join her friends next season. For the teen’s grandmother, though, the risks are much higher: the grandmother’s aging bones are more fragile, she could get frostbite more easily, and she’s in danger of dislocating a hip. She also isn’t too interested in snowboarding and would rather sit in the lodge and enjoy a nice hot cocoa. For the teen and her grandmother, their different risk versus reward calculations may lead to different outcomes, and rightfully so. It might be easy to guess what the grandmother and teen should each do in this situation based on their individual risk factors, but some situations are more nuanced. 

While some risks are obviously much greater than others (like driving in a snowstorm or while under the influence of drugs or alcohol), there is no way to live completely risk-free; that’s the price of being mortal. Some risks are so high and their reward so low (like driving without a seatbelt) that there may be a clear consensus on whether the risk is worth taking. However, other situations may be more complicated, and whether or not a risk should be taken depends on the individual and their circumstances. 

This is where a risk analysis can be incredibly helpful, as it offers a structured way of understanding and evaluating the potential for harm or adverse outcomes in a specific situation, as well as the likelihood of those outcomes occurring. It involves examining human behaviors, environmental factors, and decision-making processes that contribute to risks, as well as the consequences of those threats if they materialize. In practice, risk analysis involves identifying the risk, evaluating the likelihood and potential impacts, and then mitigating the risk by figuring out what can be done to reduce either the likelihood or the impact.1 

“Risk is a function of how poorly a strategy will perform if the 'wrong' scenario occurs.”


— Michael E. Porter, Competitive Advantage: Creating and Sustaining Superior Performance (1985).

Key Terms

Hazard: Any potential source of harm or adverse effects. In risk analysis, identifying hazards is the first step in assessing risks, as it helps determine what could go wrong in a system, environment, or process. Hazards may include physical, chemical, biological, or operational factors.

Cost-Benefit Analysis: A method used to evaluate the pros and cons of a project or decision by comparing its total expected costs and benefits, often expressed in monetary terms. This approach helps decision-makers determine whether the benefits outweigh the costs, ensuring that resources are allocated efficiently. 

Real Options Analysis: An investment evaluation method that values flexibility and strategic decision-making in uncertain environments. Unlike traditional approaches, ROA acknowledges that investments often involve a series of choices over time, allowing businesses to adapt, expand, or abandon projects based on evolving circumstances. This approach provides a more dynamic and comprehensive assessment of an investment's true economic potential, especially in projects with high uncertainty.

Opportunity Cost: The value of the next best alternative foregone when a particular decision is made.

Indirect Costs: These are typically fixed expenses, such as utilities and rent, that contribute to the overhead of conducting business.

Intangible Costs: Any current and future costs that are difficult to measure and quantify, such as decreases in productivity levels while a new business process is rolled out, or reduced customer satisfaction after a change in customer service processes that leads to fewer repeat buys.

Assumptions: These are the beliefs or statements taken for granted in the risk analysis process. Clearly defining assumptions is crucial as they form the foundation for developing realistic scenarios or risk factors based on historical data and expert insights.2

External Factors: These factors encompass influences outside the organization that can impact its performance risks and strategic choices. This could include market conditions, the economic environment, technological changes, or social and cultural trends. Understanding external factors is essential for organizations so they can prepare for various possible future scenarios.2

Internal Factors: Elements under the control of an organization that can influence its decision-making, strategic direction, and the potential risks an organization faces. These could include the organization's culture and values, its resources, capabilities, or the organization’s established policies and procedures.2
Risk Mitigation: Strategies developed to minimize the impact of potential negative outcomes. Effective risk mitigation is a key benefit of risk analysis, as it prepares organizations for unforeseen challenges.3

History

According to historians, back in around 3200 B.C., in the southwestern Asian valley of Tigris-Euphrates, there lived a group called the Ashipu. Today, the Ashipu people might be known as the “consultants” of their time, providing an assessment and advice for those pondering a potentially risky decision. When someone was weighing a difficult venture, such as a marriage arrangement or a major building project, they would often turn to the Ashipu people. Just as a modern consultant conducting a risk analysis would do, the Ashipu would begin by identifying the important dimensions of the problem, listing any alternative actions, and collecting data on the most likely outcomes of each alternative, breaking down the consequences into potential profits or losses.4 

Unlike most consultants in any office today, the Ashipu people collected most of their data from the gods. To them, the most reliable information came in the form of divine signs, which they were qualified to interpret because of their special connection with the heavens. Although this type of data collection doesn’t hold up to twenty-first-century standards, the Ashipu process of reporting their findings is strikingly similar to the practices and procedures used in formal risk analysis today. First, these ancient risk analysts would create a ledger, listing each alternative option. If the signs from the gods were favorable, they would enter a plus, and if negative, they would enter a minus. Then, they’d tally up the results of the analysis and recommend the most favorable option through a final report, which, instead of taking the form of a lengthy slide deck, would be inscribed on a clay tablet.4 

Much later, as the Industrial Revolution of the 19th and early 20th centuries took hold, we began to turn to more objective techniques as a society, relying on probability theory to measure things like life expectancies and accident likelihood. These types of predictions had become necessary due to the growth of the insurance industry; in the financial context of insurance payouts, people needed a more formal and scientifically valid way to assess risk. In fact, Benjamin Franklin pioneered this concept in the previous century when he founded the first fire insurance company in America, inspired by the fire fighting clubs in Philadelphia. Franklin’s insurance board drafted a set of parameters that buildings needed to meet to receive insurance, including making the buildings low fire risk and easily accessible for the firefighters to enter and exit, should they need to put out any fires.6

During World War II, German engineer and mathematician Robert Lusser developed a technique to calculate the reliability of missile and aviation systems. This was an important advancement because it helped quantify the level of risk involved in different military operations, whereas most risk calculations up until that point were qualitative estimates. His quantitative, objective approach was later expanded on by M. Granger Morgan, a professor and pioneer of risk assessment in public policy. After the war, the development of Failure Modes and Effects Analysis (FMEA), a systematic approach to identifying potential failures in systems, marked a significant advancement in objective risk analysis measures.5

As environmental awareness increased throughout the 1970s, organizations like the U.S. Environmental Protection Agency (EPA) began to establish formal risk assessment processes to evaluate the impact of pollutants on human health, which proved to be severe. Influential psychologists like Paul Slovic have extensively researched risk perception and strive to educate people on the role of psychological factors in the risk analysis process, which is especially important to consider in a health setting.7 Today, risk analysis is integral to various sectors, including finance, healthcare, engineering, and public policy, aiding in informed decision-making and strategic planning.4

People

Benjamin Franklin

One of America's Founding Fathers, Franklin is considered an early risk manager. He founded the first fire insurance company in America, exemplifying proactive risk management by addressing fire hazards in Philadelphia. Franklin's emphasis on prevention and preparedness laid the groundwork for modern risk management practices.6

Paul Slovic

A psychologist renowned for his research on risk perception and decision-making. Slovic's work has illuminated how people evaluate risks, emphasizing the role of psychological factors in risk assessment. He co-founded Decision Research, an institute dedicated to studying human judgment, decision-making, and risk.7

M. Granger Morgan

An engineer and policy analyst who developed advanced methods for characterizing and incorporating uncertainty in quantitative policy analysis. His interdisciplinary approach has greatly influenced risk analysis, particularly in environmental and technological contexts. Morgan has authored numerous publications on risk analysis and has served as a professor at Carnegie Mellon University, contributing to the education of future experts in the field.8

Robert Lusser

A German engineer who contributed to the quantification of reliability during World War II. Lusser's work laid foundational principles for modern reliability engineering, a key component of risk analysis. He developed Lusser's Law, which addresses the reliability of complex systems, influencing how engineers approach system design and failure analysis.5

behavior change 101

Start your behavior change journey at the right place

Impacts

The crucial steps in a risk analysis involve identifying major risks, how likely they are to occur, and what their potential impacts would be, and then determining how to reduce any negative consequences that could come from the risk. These risk analysis steps can be applied to anything from the world of business to understanding how to mitigate important health risks for individuals. 

Identifying the Risks

The first thing to figure out in a risk analysis is what exactly could go wrong. Insurance companies, like Benjamin Franklin’s original fire insurance organization, accomplish this by listing out as many potential barriers as possible that are related to the situation at hand. From a public health perspective, a risk analysis could involve analyzing the hazards associated with a new smoking device. When a new smoking or vaping product is being developed, it’s important to assess whether the use of this product might increase health risks. Someone researching the impacts of the device might discover some obvious impacts from smoking: increased rates of lung cancer, a higher chance of developing bronchitis or other infections, and an increased rate of stroke with those using the product.9 However, there may be other, less obvious risks associated with the new device: the chemicals could also cause symptoms like reproductive issues and vision loss (both of which are actual side effects of cigarette use).9 Although these risks may not be intuitive consequences of the behavior, they illustrate the importance of thorough data collection when conducting a risk analysis. Though every risk may not be immediately apparent or even documented, determining the most obvious potential risks sets the parameters for further analysis. 

Evaluating Likelihood and Impact

With the risks identified, the next thing to determine is how likely they are to occur and what the potential consequences would be. The process of quantifying probabilities and possible consequences is exactly what both Morgan and Lusser worked on, although they applied the risk analysis to different industries. In the case of smoking-related diseases, those conducting a risk analysis can collect data or use any readily available data to generate models and estimate the probability of each risk. For example, while a heavy smoker’s chance of developing a chronic cough may be incredibly high, their chances of developing oral cancer, even as a smoker, are quite low. However, the consequences of developing a mouth cancer (or any cancer for that matter) are fierce. The risk of developing cancer as a result of long-term smoking has potentially fatal consequences, so, compared to the risk of a chronic cough, the consequences of a cancer diagnosis should be weighed more heavily. There will also probably be differences in the likelihood of various risks with similar consequences; while smoking can increase your odds of developing lung cancer by 15-30 times, smoking only increases your odds of developing pancreatic cancer by a factor of about two9 (however, anything that doubles your chances of developing pancreatic cancer is still an incredibly risky endeavor).

Mitigating the Risk

The last step in a thorough risk analysis is asking what can be done to reduce either the likelihood or the impact of this risk. This could mean promoting public health campaigns to reduce smoking initiation rates or implementing more intensive regulations in the industry. A new smoking or vaping product, for example, might need to meet additional safety standards or include warning labels if a high likelihood of addiction or harm is established. On an individual level, people may face lower risks if they can engage in other healthy lifestyle choices, like improving their diet, sleep schedules, and exercise routines. More frequent screenings and doctor visits for those who know they’re at risk for diseases related to smoking might go a long way in identifying the diseases earlier and limiting their impact. The risks that come with smoking appear to go up exponentially as the frequency and years of smoking increase,9 so it is prudent to promote that people try to lower their use of smoking and vaping products over time (or, for the most powerful risk reduction, eventually eliminate the behavior completely). 

Controversies

You may think that a risk analysis is itself risk-free. However, several potential pitfalls can arise. Even if the data collection and calculations are all accurate, an emphasis on risk can make people overly cautious, and a feeling of assured education regarding one’s risks can make people overconfident.

False Sense of Security

It may be easy to assume that, once a thorough risk analysis has been conducted, any possible dangers have been accounted for and eliminated, so long as you make the correct decisions. Unfortunately, this isn’t the case. While a risk analysis can provide insight into what potential hazards you or your organization should be on the lookout for, no risk analysis can ever provide perfect clarity about the future. The information we gather during a risk analysis could be imperfect, our analyses might be flawed, and any predictions about the future will always be based on probability and speculation, not fact. 

Although understanding the risks we face is important and enables us to prepare for potential pitfalls, there is no perfect protection against all dangers. Sometimes, an attempt to prevent harm can even backfire to the point where people take on more risk than they would’ve previously, known as the Peltzman Effect. For example, most people know the importance of wearing a helmet. If you are unfortunate to be in a crash while cycling, skiing, skateboarding, or doing any other activity with the potential for a major crash, it is an essential step to reduce your risk of brain damage or even death.10 

One caveat to this advice, though, is that a study on helmet use has shown that the act of wearing a helmet (in an attempt to reduce the risk of major injury) can actually increase people’s propensity to engage in risky behaviors. They might subconsciously think that because their head is protected, they can take a bigger jump, ski a bit faster, or try just one more flip that they might not have otherwise taken.10 It’s thus important that helmet-wearing, like any other risk-avoidance strategy, does not provide a false sense of security. Even if a risk analysis provides a clear plan for how to defend oneself, other reasonable precautions shouldn’t be thrown out the window completely. Too often, overconfidence can get in the way of both proper risk assessment and necessary risk mitigation.11

bar chart risk analysis

Slippery Slope into Overcaution

No matter how well we try to plan, and no matter how much we desperately try to avoid danger or unnecessary risk, we can never be 100% safe. Many people are aware of the risks associated with getting behind the wheel of a vehicle. Regardless of how responsibly you drive, there will always be other reckless drivers out on the road. Even if you could somehow drive only on empty streets, you could encounter ice, animals, or faulty brakes. If you were to give up driving on your commute altogether, deciding it wasn’t worth the risk, you could still be hit by a car as you walked into work. You could stay inside, but there’s always the possibility of tripping and falling, electrocution, carbon monoxide poisoning... 

None of this is meant to come across as a gruesome threat but instead to serve as a reminder that we always face some level of risk, just by existing. While the fear of an accident might be enough to make you want to stay inside forever, this would certainly leave you isolated, antsy, and in need of some fresh air! In the same way that we don’t want people to have a false sense of security, it’s also important that an attempt to avoid risk doesn’t lead to an overly cautious approach. 

Although some risks are obviously much greater than others (like driving without a seatbelt), there is no way to live completely risk-free. Everyone’s risk tolerance is personal, so logical choices look different for each person. One particularly tricky component of personal risk analysis is assessing the right course of action in gray areas; somewhere between the extremes of driving blindfolded and refusing to drive altogether, there lies an appropriate level of not-too-risky and not-too-cautious. It may be frustrating to think that we can never eliminate the possibility of accidents, but this should also be a bit freeing. Framed another way, we are just as safe doing nothing as we are (safely) doing something, so you might as well keep living your life!

Hindsight Bias

Hindsight bias describes our tendency to think that unpredictable events are predictable only after they occur. Because risk analyses can identify risks that may not have otherwise been spotted, if and when the hazards do actually occur, people may be better prepared for the outcomes but consequently less appreciative of the key role of the risk analysis process in preparing for them. Although a proper risk analysis can help organizations identify weaknesses and figure out the situations for which they should plan, if the risk that an organization has been planning for actually does occur, the analysis process may seem less valuable in the aftermath, as leaders might assume that they would’ve prepared for the situation regardless. This impact of hindsight bias can detract from the value experts place on proper risk analysis.

Case Studies

Rapid Response to Public Health Emergencies

Remember the COVID-19 pandemic? You might prefer not to, but the World Health Organization (WHO) spends quite a bit of time reflecting on and preparing for all sorts of public health emergencies like the recent pandemic. In fact, the WHO has a manual entitled "Rapid Risk Assessment of Acute Public Health Events," which aims to guide national departments in conducting rapid risk analyses for various public health hazards.12 These dangers could be anything from biological, chemical, or radionuclide hazards, to natural disasters and deliberate acts like terrorism threats. 

In the event of a public health emergency, an efficient risk analysis and assessment procedure is crucial for directing decision-making. It is key to have a system in place before the emergency actually happens so that people know what their roles are and what to expect. The WHO’s manual breaks down the steps of risk assessment and risk management into distinct phases. 

First, assessing the risk involves defining the hazard, who will potentially be exposed to it, and the context in which it’s occurring. When assessing the risk level, organizations need to systematically gather and assess the relevant data and meticulously document information. Although proper documentation might seem overly tedious in the midst of a time-sensitive emergency, it is actually incredibly important; having all the relevant information easily accessible is useful during a risk analysis and critical for identifying areas for improvement. Any good risk analysis should involve creating an evidence base for future assessments so that when the next major event occurs, there’s more data to draw on, and the response might go that much smoother. 

Most public health events are detected through either routine data collection (of predetermined categories of interest) or the rapid collection of ad hoc information (in response to a major event). For example, hospitals might routinely report all flu cases, but if there was a sudden and unexpected spike in cases, officials might investigate further to assess why so many people are getting sick and whether it indicates an emerging public health risk. There could also be a sudden event, like a leak from a biochemical lab, that leaves officials concerned. They might send out surveys to people who live near the facility, asking them about potential symptoms. These forms of data collection may or may not show an increase in people presenting with relevant symptoms, but determining a real public health risk requires further analysis. 

Before jumping to any conclusions, health officials would go through a number of steps to assess the possible risk, including hazard assessment. This involves identifying the hazard (or number of potential hazards) causing the event and the associated adverse health effects. If there are multiple possibilities, the hazards might be ranked based on things like history, speed of the event, location, and affected population. Officials will also analyze the exposure risks, including how people are exposed, how transmission occurs, and any specific population vulnerabilities. The WHO also takes into account factors like the social, economic, environmental, ethical, and political context in which the event is occurring, using these to understand how risks might vary across populations.12  

The WHO uses a risk matrix in their risk analysis, combining the findings from the hazard, exposure, and context assessments to assign a level of overall risk using categories for likelihood (ranging from “almost certain" to “very unlikely”) and consequences (from “minimal” to  “severe”). While quantitative methods are used in these risk matrices, qualitative assessments are often necessary, particularly in the early stages of a possible emergency when there’s limited data. With the risk matrix in place, public health organizations can begin to communicate with the public, translating all technical information into actionable warnings and recommendations.12

risk analysis matrix

Air Emissions Risk Analysis

National-level organizations like the U.S. Environmental Protection Agency, alongside local environmental organizations like the Minnesota Pollution Control Agency, spend a significant amount of time tracking air pollution levels and assessing the corresponding risks to human health.13 An air emissions risk analysis (AERA), as you may have guessed from the name, is a form of risk analysis specifically designed to study air pollution. The process uses spreadsheets, computer models, and health benchmarks to estimate the potential human health risks from air pollution emitted by different entities. 
When facilities like steel mills emit excess air pollutants, the neighborhoods closest to the factory are disproportionately affected. An AERA describes the potential risks posed to those communities, and the data collected in these analyses are often used by community rights organizations to protect those who are most vulnerable. An AERA can also help determine whether a permit or pollutant monitoring should be required. In Minnesota, the potential health effects from hazardous air pollutants are reviewed using this AERA process, as well as additional risk screening tools. If the AERA risk estimates are below the government and the facility’s risk guidelines, projects can proceed as planned. However, if the analysis finds that the risks are higher than what is considered safe, then adjustments need to be made to protect everyone’s health and safety.13

Related TDL Content

Real Options Analysis

Risk analyses focus on identifying major risks and mitigating their effects. Similarly, in a real options analysis (ROA), leaders can identify the best course of action in uncertain or precarious environments. Read here to understand how this investment evaluation method is used.

COVID-19 and the Science of Risk Perception

Any risk analysis project is subject to the influence of human biases. How we understand and perceive risk can have a huge impact not only on how we conduct a formal risk analysis but also on how we perceive risk on an individual level. This article unpacks the science of risk perception and its role in the COVID-19 pandemic. 

Sources

  1. Lele D. V. (2012). Risk assessment: A neglected tool for health, safety, and environment management. Indian journal of occupational and environmental medicine, 16(2), 57–58. https://doi.org/10.4103/0019-5278.107064 
  2. Cordova-Pozo, K., & Rouwette, E. A. J. A. (2023). Types of scenario planning and their effectiveness: A review of reviews. Futures, 149, 103153. https://doi.org/10.1016/j.futures.2023.103153 
  3. Bullis, J. (2024, May 22). Scenario planning: Strategies, techniques, & examples. Cube Software. https://www.cubesoftware.com/blog/scenario-planning 
  4. Covello, V. T., & Mumpower, J. (1986). Risk analysis and risk management. In V. T. Covello, J. Menkes, & J. Mumpower (Eds.), Risk evaluation and management (Vol. 1, pp. 3–11). Springer. https://doi-org.gate3.library.lse.ac.uk/10.1007/978-1-4613-2103-3_22
  5. Rausand, M., & Haugen, S. (2020). Risk assessment: Theory, methods, and applications (2nd ed.). Wiley. 
  6. O'Rourke, M. (2012, April 18). Benjamin Franklin: America’s original risk manager. Risk Management Monitor
  7. Slovic, P., & Weber, E. U. (2002, April 12-13). Perception of risk posed by extreme events. Paper presented at the conference "Risk Management Strategies in an Uncertain World," Palisades, NY. 
  8. Morgan, M. G. (1985). Scientific and technological uncertainty in quantitative assessment and policy analysis. In V. T. Covello, J. L. Mumpower, P. J. M. Stallen, & V. R. R. Uppuluri (Eds.), Environmental impact assessment, technology assessment, and risk analysis (pp. 671–688). Springer. https://doi.org/10.1007/978-3-642-70634-9_24 
  9. Varghese, J., & Muntode Gharde, P. (2023). A Comprehensive Review on the Impacts of Smoking on the Health of an Individual. Cureus, 15(10), e46532. https://doi.org/10.7759/cureus.46532 
  10. Kang, L., Vij, A., Hubbard, A., & Shaw, D. (2021). The unintended impact of helmet use on bicyclists' risk-taking behaviors. Journal of safety research, 79, 135–147. https://doi.org/10.1016/j.jsr.2021.08.014 
  11. Fabricius, G., Büttgen, M. Project managers’ overconfidence: how is risk reflected in anticipated project success?. Bus Res 8, 239–263 (2015). https://doi.org/10.1007/s40685-015-0022-3 
  12. World Health Organization. (2012). Rapid risk assessment of acute public health events. World Health Organization. https://iris.who.int/handle/10665/70810 
  13. Minnesota Pollution Control Agency. (n.d.). Air emissions risk analysis (AERA). Retrieved December 19, 2024, fromhttps://www.pca.state.mn.us/business-with-us/air-emissions-risk-analysis-aera

About the Author

A smiling woman with long blonde hair is standing, wearing a dark button-up shirt, set against a backdrop of green foliage and a brick wall.

Annika Steele

Annika completed her Masters at the London School of Economics in an interdisciplinary program combining behavioral science, behavioral economics, social psychology, and sustainability. Professionally, she’s applied data-driven insights in project management, consulting, data analytics, and policy proposal. Passionate about the power of psychology to influence an array of social systems, her research has looked at reproductive health, animal welfare, and perfectionism in female distance runners.

About us

We are the leading applied research & innovation consultancy

Our insights are leveraged by the most ambitious organizations

Image

I was blown away with their application and translation of behavioral science into practice. They took a very complex ecosystem and created a series of interventions using an innovative mix of the latest research and creative client co-creation. I was so impressed at the final product they created, which was hugely comprehensive despite the large scope of the client being of the world's most far-reaching and best known consumer brands. I'm excited to see what we can create together in the future.

Heather McKee

BEHAVIORAL SCIENTIST

GLOBAL COFFEEHOUSE CHAIN PROJECT

OUR CLIENT SUCCESS

$0M

Annual Revenue Increase

By launching a behavioral science practice at the core of the organization, we helped one of the largest insurers in North America realize $30M increase in annual revenue.

0%

Increase in Monthly Users

By redesigning North America's first national digital platform for mental health, we achieved a 52% lift in monthly users and an 83% improvement on clinical assessment.

0%

Reduction In Design Time

By designing a new process and getting buy-in from the C-Suite team, we helped one of the largest smartphone manufacturers in the world reduce software design time by 75%.

0%

Reduction in Client Drop-Off

By implementing targeted nudges based on proactive interventions, we reduced drop-off rates for 450,000 clients belonging to USA's oldest debt consolidation organizations by 46%

Read Next

Notes illustration

Eager to learn about how behavioral science can help your organization?