Make Better Decisions Using Qualitative and Quantitative Risk Analysis
What is Risk Analysis?
According to the Society for Risk Analysis, risk analysis is defined as “a distinct science covering risk assessment, perception, communication, management, governance and policy.” Investopedia narrows this somewhat, describing risk analysis as “the process of assessing the likelihood of an adverse event occurring within the corporate, government, or environmental sector. Risk analysis is the study of the underlying uncertainty of a given course of action.” Risk analysis is practiced in science, industry, academia, and in government. It is critical for business, engineering, healthcare, legal, policy, and countless other disciplines.
Enterprise Risk Management
However you look at it, the analysis of risk seeks to identify, understand, and mitigate adverse or hazardous events. We would argue that, as SRA points out, this concept extends beyond just naming specific risks and figuring out how to control them; rather, risk analysis needs to encompass the way risk is thought about, discussed, and communicated within and between organizations. Too often, risk management (of which risk analysis is typically considered a subset) is relegated to distinct silos within an organization, a check-the-box function whose purpose is to meet regulatory and shareholder requirements. However, the data is clear that successful organizations incorporate risk management throughout, making it a consideration with every conversation. This enterprise approach – Enterprise Risk Management – breaks down communication barriers and tackles biases, instituting new ways of thinking based more on objective fact, data, or experience and less on subjective opinion.
The Role of Expert Judgment
This is not to say that personal judgment has no role to play in good risk management. Indeed, there are two primary categories of risk analysis: qualitative (relying on judgment) and quantitative (relying on numbers). Each adds value to the process, and each involves the same fundamental steps:
1) Identify what could go wrong;
2) Assign some probability or likelihood of the risk occurring; and
3) Estimate the impact the event will have if it happens.
Quantitative risk analysis leverages quantitative estimates, Monte Carlo simulation, and, sometimes, data to numerically measure risk. Unlike qualitative risk analysis, quantitative approaches allow for the inclusion of random variables, thus more accurately reflecting real life situations. Furthermore, quantitative models enable you to perform sensitivity and scenario analysis in order to determine which individual factors or combinations of factors (scenarios) drive risk the most. This is powerful diagnostic tool for determining how to mitigate or reduce risks; if you don’t know what is causing risk, you can’t begin to treat it.
There are two types of quantitative risk analysis: deterministic and stochastic.
Deterministic Risk Analysis
- Worst case scenario – All costs are the highest possible value, and revenues are the lowest of possible projections. The outcome is losing money.
- Best case scenario – All costs are the lowest possible value, and revenues are the highest of possible projections. The outcome is making a lot of money.
- Most likely scenario – Values are chosen in the middle for costs and revenue, and the outcome shows making a moderate amount of money.
There are several problems with the deterministic risk analysis approach:
- It considers only a few discrete outcomes, which are often subjectively defined without regard for how realistic they may be, while ignoring thousands of others.
- It gives equal weight to each outcome. That is, no attempt is made to assess the likelihood of each outcome.
- Interdependence between inputs, the impact of different inputs relative to the outcome, and other nuances are ignored, oversimplifying the model and reducing its accuracy.
Stochastic Risk Analysis
Earlier we mentioned that qualitative risk analysis has a role to play in making good decisions involving risk. The definition of unknown input variables for a Monte Carlo simulation is a perfect example of this. Expert opinion is very important in the construction of any risk model, particularly in the absence of data. A further example is the interpretation of the results from a Monte Carlo simulation. It takes context and judgment to follow the insights a simulation can produce, and to leverage those results into effective mitigation and go-forward strategies.
Stochastic risk analysis has a number of advantages:
- The outcomes can be graphed many different ways to visually communicate information such as the probabilities of achieving targets and the variance in the results, such as the histogram shown below.
- It’s possible to understand the spread of possible outcomes and determine the sensitivity of the results to different inputs. The tornado diagram below is an example of this.
- Relationships between unknown variables can be modeled using correlations to accurately reflect interdependencies in the results.
The results of a Monte Carlo simulation as shown in histogram form.
A tornado graph showing most important factors, ranked, from a Monte Carlo simulation.
Qualitative Risk Analysis
Qualitative risk analysis relies on the subjective opinions of analysts and experts in order to construct a theoretical risk model. It does not need to rely on numerical measures or metrics, but rather utilizes written descriptions of risk events and their impacts. Qualitative risk analysis often involves assessing a situation by instinct or “gut feel,” and may be characterized by statements like, “That seems too risky” or “We’ll probably get a good return on this.” Examples of qualitative risk analysis include SWOT analysis, game theory, questionnaires, scoring methods, and risk heat maps.
Risk heat maps are a very common qualitative technique. Heat maps are a visual, matrix-based approach to risk analysis where the likelihood of a risk event occurring is mapped against the impact those events will have. How likely or how severe a risk will be is determined by asking experts to provide an opinion. The results are plotted on a color-coded chart, as shown.
Advantages of such an approach include ease of communicating results to others, and low participation barriers for stakeholders (i.e., there is little effort required to give an opinion). As a result, such matrices are very common. The main problem with them is they fail to provide an accurate view of risk, and decisions made based heavily on such heat maps usually run into unexpected negative outcomes.