Risk analysis is the systematic process of identifying potential threats, evaluating the likelihood and impact of each threat, and determining appropriate responses to protect organisational objectives. It forms the analytical core of the broader risk management process and is used across every industry, from construction and healthcare to financial services and IT.
According to the ISO 31000:2018 standard, risk analysis sits within the risk assessment phase and involves understanding the nature of risk, its sources, and the level of risk exposure. Organisations that conduct structured risk analysis are better positioned to allocate resources, make informed decisions, and build long-term operational resilience.
This guide covers the full scope of risk analysis: what it is, how it works, the different methods available, and how to apply it within a risk management framework.
Summary
- Risk analysis is the process of evaluating the likelihood and consequences of identified risks to support decision-making.
- It encompasses both qualitative methods (expert judgement, risk matrices) and quantitative methods (Monte Carlo simulation, expected monetary value).
- Risk analysis is a component of risk assessment, which itself sits within the broader risk management lifecycle.
- Organisations that embed risk analysis into planning reduce unexpected losses by up to 30%, according to PwC's Global Risk Survey 2023.
- Effective risk analysis supports compliance with frameworks including ISO 31000, COSO ERM, and NIST RMF.
Figure: Risk Analysis at a Glance. The Essential Framework for Informed Decision-Making (infographic summarising reduced losses per PwC 2023, the frameworks for risk management, and the qualitative, quantitative and semi-quantitative methods)
What Is Risk Analysis? Definition and Overview
Risk analysis is the structured evaluation of identified risks to determine their likelihood of occurring and the severity of their potential impact on organisational objectives.
It answers three fundamental questions:
- What could go wrong? Identifying threats, vulnerabilities, and adverse events
- How likely is it? Estimating the probability of each risk materialising
- What would the consequences be? Assessing the potential impact on operations, finances, reputation, and compliance
Risk analysis does not operate in isolation. It is the second stage within the risk assessment process, preceded by risk identification and followed by risk evaluation. Together, these stages feed into risk treatment decisions within a complete risk management framework.
Figure: The Three Fundamental Questions of Risk Analysis
Why Risk Analysis Matters: Key Benefits
1. Better-Informed Decision-Making
Risk analysis provides decision-makers with structured data about potential outcomes. Rather than relying on intuition, leaders can evaluate options based on assessed probabilities and impacts. See: strategic planning.
2. Proactive Threat Mitigation
By identifying risks before they materialise, organisations can develop mitigation strategies that reduce both the likelihood and impact of adverse events. See: mitigation strategies.
3. Optimised Resource Allocation
Not all risks warrant the same level of attention. Risk analysis enables prioritisation so that limited resources are directed toward the highest-priority threats. See: risk register.
4. Regulatory Compliance
Frameworks including ISO 31000, COSO ERM, Basel III, and Solvency II all require documented risk analysis as part of compliance. See: ISO 31000.
5. Enhanced Organisational Resilience
Organisations that routinely analyse risks develop stronger business continuity capabilities and can recover faster from disruptions. See: business continuity capabilities.
Figure: 5 Key Benefits of Risk Analysis
Types of Risk Analysis: Qualitative vs Quantitative
There are two primary approaches to risk analysis, each serving different purposes and decision contexts. Most organisations use both in combination.
| Criteria | Qualitative | Quantitative |
| --- | --- | --- |
| Approach | Descriptive scales | Numerical models |
| Data Needed | Expert judgement | Historical / statistical data |
| Output | Risk ratings (High/Med/Low) | Financial values / probabilities |
| Common Tools | Risk matrix, RCSA, Delphi | Monte Carlo, EMV, VaR |
| Speed | Fast (days to weeks) | Slower (weeks to months) |
| Cost | Low to moderate | Moderate to high |
| Best For | Initial screening, broad risk prioritisation | High-stakes decisions, financial risk modelling |
| Limitation | Subjective, less precise | Data-dependent, complex |
Figure: Qualitative vs Quantitative Risk Analysis
Qualitative Risk Analysis
Qualitative risk analysis evaluates risks using descriptive categories rather than numerical values. Analysts assess each risk's likelihood and impact on defined scales, typically rated from 1 (very low) to 5 (very high), and plot the results on a risk matrix.
How it works:
- Assemble a cross-functional team with knowledge of the risk domain
- Rate each identified risk on likelihood and impact scales
- Calculate a risk score (Likelihood × Impact) to establish priority
- Plot risks on a heat map to visualise the overall risk profile
- Document findings in a risk register
Quantitative Risk Analysis
Quantitative risk analysis uses numerical data, statistical models, and mathematical techniques to calculate the probability and financial impact of risks. It assigns specific monetary values to potential adverse events and provides data-driven inputs for decision-making.
| Technique | What It Does | Best Application |
| --- | --- | --- |
| Monte Carlo Simulation | Runs thousands of scenarios to model outcome distributions | Project schedules, cost estimates, construction risk |
| Expected Monetary Value | Calculates (Probability × Impact) for each risk | Decision tree analysis, project budgeting |
| Value at Risk (VaR) | Estimates maximum likely loss within a confidence interval | Financial risk management, portfolio risk |
| Sensitivity Analysis | Tests how changes in variables affect outcomes | Identifying key risk drivers |
| Fault Tree Analysis | Maps causal chains leading to system failures | Engineering, cybersecurity |
Semi-Quantitative Risk Analysis
A third approach, semi-quantitative analysis, bridges both methods by assigning numerical scores to qualitative categories. For example, a "High" likelihood might be scored as 4 out of 5, and a "Major" impact as $500,000 to $1 million.
This produces more consistent results than pure qualitative analysis without the full data requirements of quantitative methods.
The Risk Analysis Process: A Step-by-Step Guide
Figure: The 4-Step Risk Analysis Process
Step 1: Identify Risks
- Workshops and brainstorming with cross-functional teams
- Historical data from past incidents and near-misses
- Industry benchmarking using key risk indicators (KRIs)
- Framework checklists from ISO 31000, COSO, or sector-specific standards
- SWOT and PESTLE analysis for strategic and environmental risks
Step 2: Analyse the Impact
- Qualitative methods rate risks on defined scales (e.g., 1 to 5 for likelihood and impact)
- Quantitative methods calculate financial exposure using statistical models
- Combined approaches using semi-quantitative methods provide a middle ground
- Always assess both inherent risk (before controls) and residual risk (after existing controls)
Step 3: Prioritise the Risks
- Risk heat maps that visually plot likelihood against impact
- Risk appetite thresholds defined by leadership
- Velocity and proximity: how quickly could the risk materialise?
- Interconnectedness: could one risk trigger others?
Step 4: Develop a Treatment Plan
- Select strategy: Avoid, Reduce, Transfer, or Accept
- Assign risk owners and due dates
- Conduct cost-benefit analysis
- Business impact analysis (BIA) for critical functions
- Root cause analysis for systemic risks
Risk Treatment Strategies:
| Strategy | When to Use | Example |
| --- | --- | --- |
| Avoid | Eliminate the activity causing the risk | Cancel a project in an unstable market |
| Reduce | Lower probability or impact through controls | Implement cybersecurity controls |
| Transfer | Shift risk to a third party | Purchase insurance, outsource to specialists |
| Accept | Tolerate when treatment costs exceed benefits | Accept minor operational disruptions |
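The qualitative "How it works" steps and the four-step process above, worked through in code as an added example (not the article's own): a small risk register scores each entry as Likelihood × Impact both inherently and after existing controls, places the residual scores on a 5×5 heat map, prioritises against a leadership risk-appetite threshold, and proposes one of the four treatment strategies from the table. The register entries, the 1-5 scales, the heat-map bands (High at 15 or more, Medium at 8 or more), the appetite threshold of 9 and the treatment decision rule are all illustrative assumptions.

```python
"""Qualitative risk analysis on a constructed risk register: score, heat map, prioritise, treat.

Added example, not code from the original article. The register entries, the 1-5
scales, the heat-map bands, the appetite threshold and the treatment decision
rule are all illustrative assumptions.
"""
from dataclasses import dataclass

RISK_APPETITE = 9  # assumed: residual scores above this require treatment


@dataclass
class Risk:
    name: str
    likelihood: int  # inherent likelihood, 1 (very low) to 5 (very high)
    impact: int  # inherent impact on the same 1-5 scale
    control_likelihood: int = 0  # points taken off likelihood by existing controls
    control_impact: int = 0  # points taken off impact by existing controls
    owner: str = "unassigned"

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")

    @property
    def inherent_score(self):  # Likelihood x Impact before controls
        return self.likelihood * self.impact

    @property
    def residual_likelihood(self):
        return max(1, self.likelihood - self.control_likelihood)

    @property
    def residual_impact(self):
        return max(1, self.impact - self.control_impact)

    @property
    def residual_score(self):  # Likelihood x Impact after existing controls
        return self.residual_likelihood * self.residual_impact


def rating(score):
    """Assumed heat-map bands for a 1-25 score."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def recommend_treatment(risk):
    """Assumed decision rule: where the residual risk sits decides the strategy."""
    if risk.residual_score <= RISK_APPETITE:
        return "Accept"
    if risk.residual_likelihood >= 4 and risk.residual_impact >= 4:
        return "Avoid"
    if risk.residual_likelihood <= 2 and risk.residual_impact >= 4:
        return "Transfer"  # severe but infrequent: insurance or outsourcing
    return "Reduce"


def prioritise(register):
    """Highest residual score first; ties broken by impact, then name for a stable order."""
    return sorted(register, key=lambda r: (-r.residual_score, -r.residual_impact, r.name))


def heat_map_cells(register, residual=True):
    """Group risk names by (likelihood, impact) cell of the 5x5 matrix."""
    cells = {}
    for r in register:
        key = (r.residual_likelihood, r.residual_impact) if residual else (r.likelihood, r.impact)
        cells.setdefault(key, []).append(r.name)
    return cells


def render_heat_map(register, residual=True):
    """Text heat map: rows are likelihood 5..1, columns impact 1..5, cells hold risk counts."""
    cells = heat_map_cells(register, residual)
    lines = ["L\\I  1  2  3  4  5"]
    for lik in range(5, 0, -1):
        counts = "  ".join(str(len(cells.get((lik, imp), []))) for imp in range(1, 6))
        lines.append(f"{lik}    {counts}")
    return "\n".join(lines)


def build_register():
    """Constructed sample entries, not real assessment data."""
    return [
        Risk("Ransomware on file servers", 4, 5, 2, 1, "Head of IT"),
        Risk("Phishing leads to credential theft", 5, 3, 1, 0, "CISO"),
        Risk("Regulatory fine for late reporting", 3, 4, owner="CFO"),
        Risk("Key supplier insolvency", 2, 4, owner="COO"),
        Risk("Data centre fire", 2, 5, owner="Head of IT"),
        Risk("Launch in sanctioned market", 4, 5, owner="CEO"),
        Risk("Office flooding", 1, 4, 0, 2, "Facilities"),
    ]


def treatment_plan(register):
    """Register rows in priority order: (name, inherent, residual, rating, strategy, owner)."""
    return [(r.name, r.inherent_score, r.residual_score, rating(r.residual_score),
             recommend_treatment(r), r.owner) for r in prioritise(register)]


if __name__ == "__main__":
    reg = build_register()
    print(render_heat_map(reg))
    for row in treatment_plan(reg):
        print(row)
```

Comparing the inherent and residual heat maps is the useful part: the ransomware entry sits in the top-right cell inherently but drops below the appetite line once backups and endpoint controls are credited, which is exactly the inherent-versus-residual distinction Step 2 asks for.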
Figure: Risk Treatment Decision Matrix
Risk Assessment vs Risk Analysis: What Is the Difference?
Risk assessment is the umbrella term for the complete process of identifying, analysing, and evaluating risks. Risk analysis is one component within that process: specifically, the stage where you measure each risk's likelihood and impact.
| Aspect | Risk Assessment | Risk Analysis |
| --- | --- | --- |
| Scope | Full process: identify → analyse → evaluate | Focused: measure likelihood and impact |
| Purpose | Determine which risks need treatment | Understand the nature and level of each risk |
| Output | Prioritised risk register with treatment recommendations | Risk scores, probability distributions, financial estimates |
| Standards | Defined in ISO 31000 Clause 6.4 | Defined in ISO 31000 Clause 6.4.3 |
Figure: Risk Assessment vs Risk Analysis (side-by-side comparison of scope, outputs and ISO 31000 clauses)
How Risk Analysis Fits into Risk Management
- Informs Risk Treatment Decisions: without analysis, treatment decisions are based on assumption rather than evidence. Analysis provides the data to select between avoidance, reduction, transfer, and acceptance.
- Reduces the Impact of Uncertainty: by modelling potential outcomes before they occur, organisations can prepare contingency plans and allocate reserves.
- Enables Logical, Repeatable Risk Governance: a structured analysis process ensures consistency across departments and reporting periods.
ISO 31000:2018 Risk Management Framework
The ISO 31000:2018 standard provides the most widely adopted framework for integrating risk analysis into organisational risk management. It consists of three components:
- Principles: risk management should create value, be part of decision-making, and be systematic
- Framework: leadership, integration, design, implementation, evaluation, and improvement
- Process: communication, scope definition, risk assessment, risk treatment, monitoring, and review
Figure: ISO 31000:2018 Risk Management Framework, its three integrated components (principles, framework, process)
Risk Analysis Templates and Tools
| Template | Purpose | Key Components |
| --- | --- | --- |
| Risk Register | Central repository for all identified and assessed risks | Description, likelihood, impact, score, owner, controls |
| Risk Matrix (Heat Map) | Visual prioritisation of risks | 5×5 grid plotting likelihood vs impact |
| Business Impact Analysis | Assesses operational consequences of disruptions | Critical functions, recovery time objectives |
| RCSA Template | Self-assessment of risks and control effectiveness | Process mapping, control descriptions, residual risk |
Figure: 5×5 Risk Matrix Heat Map
Best Practices for Conducting Risk Analysis
- Start with clear objectives: define what you are protecting and what success looks like
- Use the right method for the context: qualitative for screening, quantitative for high-stakes decisions
- Involve diverse perspectives: cross-functional teams identify more risks than siloed groups
- Document everything: maintain a living risk register with version control
- Review regularly: risk profiles change; schedule quarterly reassessments at minimum
- Link to key risk indicators: establish metrics that provide early warning of emerging risks
- Communicate findings: use KRI dashboards and risk reports to keep stakeholders informed
Challenges and Limitations of Risk Analysis
| Challenge | Description | Mitigation |
| --- | --- | --- |
| Data limitations | Quantitative methods require historical data that may not exist | Supplement with expert judgement and scenario analysis |
| Cognitive biases | Anchoring, confirmation bias, and groupthink distort assessments | Use structured facilitation and independent review |
| Interconnected risks | Cascading effects are difficult to model | Employ systems thinking and bow-tie analysis |
| False precision | Quantitative outputs can create an illusion of certainty | Communicate confidence intervals and assumptions |
| Resource intensity | Thorough analysis requires significant time and expertise | Tier your approach: qualitative first, then quantitative |
| Dynamic landscape | Risk profiles change faster than assessment cycles | Implement continuous monitoring via KRI dashboards |
Figure: Common Challenges and How to Overcome Them
Frequently Asked Questions
What is the main difference between risk analysis and risk management?
Risk analysis is the process of evaluating identified risks to determine their likelihood and potential impact.
Risk management is the broader discipline that encompasses all activities related to identifying, assessing, treating, and monitoring risks across an organisation. Risk analysis provides the analytical foundation that informs risk treatment decisions.
What does a risk analyst do?
A risk analyst evaluates specific risks using qualitative and quantitative methods to provide data-driven insights for decision-making.
Their responsibilities typically include maintaining risk registers, conducting risk assessments, building risk models, monitoring key risk indicators, and presenting risk reports to management.
What are the three types of risk analysis?
The three types are: (1) qualitative risk analysis, which uses descriptive scales and expert judgement; (2) quantitative risk analysis, which uses statistical models and financial data; (3) semi-quantitative risk analysis, which bridges both approaches by assigning numerical scores to qualitative categories.
What is the difference between risk assessment and risk analysis?
Risk assessment is the complete process that includes risk identification, risk analysis, and risk evaluation.
Risk analysis is one stage within risk assessment: specifically, the stage where each identified risk is measured for probability and impact. The distinction is defined in ISO 31000:2018, Clause 6.4.
What tools are used for risk analysis?
Common tools include risk matrices (heat maps), risk registers, Monte Carlo simulation software, decision trees, bow-tie diagrams, and enterprise risk management platforms. The choice depends on the organisation's size, industry, and complexity of risks.
How often should risk analysis be conducted?
At minimum, organisations should conduct a formal risk analysis annually, with quarterly reviews of the risk register and continuous monitoring of key risk indicators. Major organisational changes, regulatory updates, or significant incidents should trigger ad-hoc risk analysis.
Related Resources on Risk Publishing
- What Is Risk Management?
- Risk Management Process Flow Chart
- Risk Register Template and Guide
- ISO 31000 Guide
- Operational Resilience Framework Guide
- Enterprise Risk Management Cyber Security
- Best ERM Software Platforms Compared
- AI Risk Management Framework
External References
- ISO 31000:2018, Risk Management Guidelines
- COSO Enterprise Risk Management Framework
- PMI PMBOK Guide
- NIST Risk Management Framework
- Basel III Framework

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master's (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.