Risk Analysis

Make Better Decisions Using Qualitative and Quantitative Risk Analysis

orange triangle
woman leading meeting

What is Risk Analysis?

According to the Society for Risk Analysis, risk analysis is defined as “a distinct science covering risk assessment, perception, communication, management, governance and policy.”  Investopedia narrows this somewhat, describing risk analysis as “the process of assessing the likelihood of an adverse event occurring within the corporate, government, or environmental sector. Risk analysis is the study of the underlying uncertainty of a given course of action.”  Risk analysis is practiced in science, industry, academia, and in government.  It is critical for business, engineering, healthcare, legal, policy, and countless other disciplines.

Enterprise Risk Management

However you look at it, the analysis of risk seeks to identify, understand, and mitigate adverse or hazardous events. We would argue that, as SRA points out, this concept extends beyond just naming specific risks and figuring out how to control them; rather, risk analysis needs to encompass the way risk is thought about, discussed, and communicated within and between organizations. Too often, risk management (of which risk analysis is typically considered a subset) is relegated to distinct silos within an organization, a check-the-box function whose purpose is to meet regulatory and shareholder requirements. However, the data is clear that successful organizations incorporate risk management throughout, making it a consideration with every conversation. This enterprise approach – Enterprise Risk Management – breaks down communication barriers and tackles biases, instituting new ways of thinking based more on objective fact, data, or experience and less on subjective opinion.

hands pointing at charts
two business people pointing at a computer

The Role of Expert Judgment

This is not to say that personal judgment has no role to play in good risk management. Indeed, there are two primary categories of risk analysis: qualitative (relying on judgment) and quantitative (relying on numbers). Each adds value to the process, and each involves the same fundamental steps:

1) Identify what could go wrong;
2) Assign some probability or likelihood of the risk occurring; and
3) Estimate the impact the event will have if it happens.

Quantitative risk analysis leverages quantitative estimates, Monte Carlo simulation, and, sometimes, data to numerically measure risk. Unlike qualitative risk analysis, quantitative approaches allow for the inclusion of random variables, thus more accurately reflecting real life situations. Furthermore, quantitative models enable you to perform sensitivity and scenario analysis in order to determine which individual factors or combinations of factors (scenarios) drive risk the most. This is powerful diagnostic tool for determining how to mitigate or reduce risks; if you don’t know what is causing risk, you can’t begin to treat it.

There are two types of quantitative risk analysis: deterministic and stochastic.

Deterministic Risk Analysis

Deterministic risk analysis relies on single-point estimates for unknown or uncertain variables, and does not allow for any variability or randomness. Using this method, an analyst may assign values to discrete scenarios to see what outcome may result from each. It is very common to examine three arbitrary potential outcomes: worst case, best case, and most likely case, typically defined something like this:

  • Worst case scenario – All costs are the highest possible value, and revenues are the lowest of possible projections. The outcome is losing money.
  • Best case scenario – All costs are the lowest possible value, and revenues are the highest of possible projections. The outcome is making a lot of money.
  • Most likely scenario – Values are chosen in the middle for costs and revenue, and the outcome shows making a moderate amount of money.

There are several problems with the deterministic risk analysis approach:

  • It considers only a few discrete outcomes, which are often subjectively defined without regard for how realistic they may be, while ignoring thousands of others.
  • It gives equal weight to each outcome. That is, no attempt is made to assess the likelihood of each outcome.
  • Interdependence between inputs, the impact of different inputs relative to the outcome, and other nuances are ignored, oversimplifying the model and reducing its accuracy.

Stochastic Risk Analysis

Stochastic risk analysis, by contrast, accounts for uncertain and randomness in risk models. It is performed using Monte Carlo simulation, an approach that represents unknown input variables with ranges of values, or statistical distribution functions. This allows you automatically calculate your risk model thousands of times, using a different set of input values each time. The result is a much more realistic picture of the many possible outcomes that exist, plus significant time savings for the user.

Earlier we mentioned that qualitative risk analysis has a role to play in making good decisions involving risk. The definition of unknown input variables for a Monte Carlo simulation is a perfect example of this. Expert opinion is very important in the construction of any risk model, particularly in the absence of data. A further example is the interpretation of the results from a Monte Carlo simulation. It takes context and judgment to follow the insights a simulation can produce, and to leverage those results into effective mitigation and go-forward strategies.

Stochastic risk analysis has a number of advantages:

  • The outcomes can be graphed many different ways to visually communicate information such as the probabilities of achieving targets and the variance in the results, such as the histogram shown below.
  • It’s possible to understand the spread of possible outcomes and determine the sensitivity of the results to different inputs. The tornado diagram below is an example of this.
  • Relationships between unknown variables can be modeled using correlations to accurately reflect interdependencies in the results.
The results of a Monte Carlo simulation as shown in histogram form.

The results of a Monte Carlo simulation as shown in histogram form.

A tornado graph showing most important factors, ranked, from a Monte Carlo simulation.

A tornado graph showing most important factors, ranked, from a Monte Carlo simulation.

Despite the intensity of its calculations, Monte Carlo simulation is a highly accessible and intuitive technique that is available at the desktop level within Microsoft Excel.

Qualitative Risk Analysis

Qualitative risk analysis relies on the subjective opinions of analysts and experts in order to construct a theoretical risk model. It does not need to rely on numerical measures or metrics, but rather utilizes written descriptions of risk events and their impacts. Qualitative risk analysis often involves assessing a situation by instinct or “gut feel,” and may be characterized by statements like, “That seems too risky” or “We’ll probably get a good return on this.” Examples of qualitative risk analysis include SWOT analysis, game theory, questionnaires, scoring methods, and risk heat maps.

Risk heat maps are a very common qualitative technique. Heat maps are a visual, matrix-based approach to risk analysis where the likelihood of a risk event occurring is mapped against the impact those events will have. How likely or how severe a risk will be is determined by asking experts to provide an opinion. The results are plotted on a color-coded chart, as shown.

Advantages of such an approach include ease of communicating results to others, and low participation barriers for stakeholders (i.e., there is little effort required to give an opinion).  As a result, such matrices are very common.  The main problem with them is they fail to provide an accurate view of risk, and decisions made based heavily on such heat maps usually run into unexpected negative outcomes.

Risk Analysis with Palisade

@RISK is the leading Monte Carlo simulation add-in for Excel. First introduced for Lotus 1-2-3 for DOS in 1987, @RISK has a long-established reputation for computational accuracy, modeling flexibility, and ease of use.

Join decision-makers around the world who