Skip to main content

Risk analysis

Risk analysis covers a range of techniques and analysis tools used to assess the likelihood of failure or undesirable outcomes from decisions or policies. As one researcher put it, risk assessment "is the application of…knowledge of past mistakes in an attempt to prevent new mistakes in a new situation" (Wilson and Crouch, 1987). The methods rely primarily on mathematical modeling, statistics, uncertainty, and decision analysis.

What is it?

A way to identify threats that can derail success. As applied to business case development and decision making in IT projects, the most important elements of risk analysis are identifying the threats to success and assessing the probabilities and potential costs of the threats materializing.

A method for learning from past mistakes. A variety of modeling, statistical, and analysis tools can be used to examine past projects, determine where mistakes were made, and devise methods to avoid repeating them.

What is it good for?

Identifying threats, possibility of damage. Careful risk analysis is needed to provide two kinds of information. One is a clear and detailed identification of threats or possible mistakes that can damage an initiative. The other is an estimate of the likelihood of each kind of damage actually occurring.

Outlining potential process problems. A number of important risks are associated with innovations in business processes. These include internal resistance to change or even subversion of objectives by unhappy participants. The costs and complexities of needed changes may be underestimated, leading to insufficient resource commitment. An inadequate or inaccurate model of the business process may be used, or inaccurate data about that process may lead to mistakes. Differences in the cultures of the organizations involved may produce conflicts that undermine success. Competition or lack of trust can inhibit communication and collaboration. And it may be impossible to generate the support from top leadership to sustain large-scale changes.

Identifying potential political opposition. Political opposition can lead to problems and barriers. Risk analysis should involve the positioning analysis described above, with special attention to estimating the strength of likely opposition from influential players. Risks can include failure to manage expectations about success or immediate results, as well as missing the possible influences of other large initiatives on the political agendas of supporters and champions.

Defining IT risks. A number of risks are associated with the use of information technology, including rapid obsolescence and emergence of alternative technologies after investments have been made. Avoid the tendency to over-promise the benefits of technology or underestimate the effort of implementation -- both lead to disillusionment and loss of support.

Describing environmental and organizational risks. Planning and risk analysis should take into account the kinds of policy shifts, as well as the sources of support and opposition to such policy changes, that constitute the greatest threat to your initiative. Demands and costs of human resources can also shift, due to labor market forces, and put a project in jeopardy. Careful environmental scanning can help mitigate or anticipate these possible threats.

Some limitations and considerations

Technical problems. The technical problems of statistical risk analysis can be substantial, since they depend on models of threats and probabilities. For complex projects, such models may be unavailable or even impossible to construct. In addition, statistical risk analysis often depends on historical information that may be unavailable for new projects, technologies, or collaborations. This problem may be mitigated in some circumstances by tools, such as system dynamics models or other simulations that allow for exploration of various scenarios or alternatives.

Long-term perspectives, short-term adaptability. This basic dilemma in mitigating and managing risk is especially acute in technology projects. IT plans and system designs based on current knowledge and technologies are unavoidably at risk. Systems built with smaller components or modules can provide for more flexible response to rapid changes, but their success depends in large part on accurate anticipation of technology trends, which is demanding and error-prone at best.

For more information

Chapman, C. and S. Ward (1996). Project Risk Management: Processes, Techniques and Insights. Chichester: John Wiley & Sons.

Bedford, T. and R. Cooke (2001) Probabilistic Risk Analysis: Foundations and Methods. Cambridge: Cabridge University Press.

Kammen, D. and D. Hassenzahl (1999) Should We Risk It? Exploring Environmental, Health, and Technological Problem Solving. Princeton, N.J.: Princeton University Press.

Kemshall, H. and J. Pritchard (1996) Good Practice in Risk Assessment and Risk Management. Bristol, PA: Jessica Kingsley.

Kemshall, H. and J. Pritchard (1997) Good Practice in Risk Assessment and Risk Management 2: Protection, Rights and Responsibility. Bristol, PA: Jessica Kingsley.

Stern, P., H. Fineberg, and the National Research Council (1999) Understanding Risk: Informing Decisions in a Democratic Society. Washington, D.C.: National Academy Press.

Wilson R., and E.A. Crouch (1987) “Risk Assessment and Comparisons: An Introduction.” Science, 236-267.