According to the Society for Risk Analysis, risk analysis is defined as “a distinct science covering risk assessment, perception, communication, management, governance and policy.” Investopedia narrows this somewhat, describing risk analysis as “the process of assessing the likelihood of an adverse event occurring within the corporate, government, or environmental sector. Risk analysis is the study of the underlying uncertainty of a given course of action.” Risk analysis is practiced in science, industry, academia, and in government. It is critical for business, engineering, healthcare, legal, policy, and countless other disciplines.
This is not to say that personal judgment has no role to play in good risk management. Indeed, there are two primary categories of risk analysis: qualitative (relying on judgment) and quantitative (relying on numbers). Each adds value to the process, and each involves the same fundamental steps:
Quantitative risk analysis leverages quantitative estimates, Monte Carlo simulation, and, sometimes, data to numerically measure risk. Unlike qualitative risk analysis, quantitative approaches allow for the inclusion of random variables, thus more accurately reflecting real life situations. Furthermore, quantitative models enable you to perform sensitivity and scenario analysis in order to determine which individual factors or combinations of factors (scenarios) drive risk the most. This is a powerful diagnostic tool for determining how to mitigate or reduce risks; if you don’t know what is causing risk, you can’t begin to treat it.
Deterministic risk analysis relies on single-point estimates for unknown or uncertain variables and does not allow for any variability or randomness. Using this method, an analyst may assign values to discrete scenarios to see what outcome may result from each. It is very common to examine three arbitrary potential outcomes: worst case, best case, and most likely case, typically defined something like this:
There are several problems with the deterministic risk analysis approach:
Stochastic risk analysis, by contrast, accounts for uncertainty and randomness in risk models. It is performed using Monte Carlo simulation, an approach that represents unknown input variables with ranges of values, or statistical distribution functions. This allows you automatically calculate your risk model thousands of times, using a different set of input values each time. The result is a much more realistic picture of the many possible outcomes that exist, plus significant time savings for the user.
Earlier we mentioned that qualitative risk analysis has a role to play in making good decisions involving risk. The definition of unknown input variables for a Monte Carlo simulation is a perfect example of this. Expert opinion is very important in the construction of any risk model, particularly in the absence of data. A further example is the interpretation of the results from a Monte Carlo simulation. It takes context and judgment to follow the insights a simulation can produce, and to leverage those results into effective mitigation and go-forward strategies.
The results of a Monte Carlo simulation as shown in histogram form.
A tornado graph showing the most important factors, ranked, from a Monte Carlo simulation.