The purpose of risk analysis is to help a manager better understand the risks (and opportunities) s/he faces and to evaluate the options available for their control. In general, risk management options can be divided into several groups:
Acceptance: nothing is done to control the risk or one's exposure to it. This is appropriate for risks where the cost of control is out of proportion to the risk, usually low-probability, low-impact risks and opportunities, of which one normally has a vast list. Be aware, though, that you may be missing some high-value risk mitigation or avoidance options, especially ones that control several risks at once. If the chosen response is acceptance, considerable thought should be given to risk contingency planning.
Reducing the level of protection: you may find that you are already spending considerable resources to manage a risk, at a cost that is excessive compared with the level of protection it affords you. In such cases, it is logical to reduce the level of protection and allocate the resources to managing other risks, thereby achieving a superior overall risk efficiency. Examples are:
Remove a costly safety regulation for nuclear power plants that affects a risk that would otherwise still be minuscule;
Cease the requirement to test all slaughtered cows for BSE and use the saved money for hospital upgrades.
It may be logical, but nonetheless politically unacceptable. There are not too many politicians or CEOs who want to explain to the public that they have just authorized less caution in handling a risk.
Acquiring more information: a risk analysis can describe the level of uncertainty there is about the decision problem (here we use uncertainty as distinct from inherent randomness). Uncertainty can often be reduced by acquiring more information, whereas randomness cannot. Thus, a decision-maker can determine that there is too much uncertainty to make a robust decision and request that more information be collected. Using a risk analysis model, the risk analyst can advise on the least-cost method of collecting the extra data needed to achieve the required level of precision. Value-of-information arguments can be used to assess how much, if any, extra information should be collected.
Avoidance involves changing a method of operation, a project plan, an investment strategy, etc. so that the identified risk is no longer relevant. It is usually employed for high-probability, high-impact risks. Examples are:
Use a tried and tested technology instead of the new one that was originally envisaged;
Change country location of a factory to avoid political instability;
Scrap the project altogether;
Note that there is a very real chance of introducing new (and perhaps much more important) risks by changing your plans.
Reduction involves a range of techniques, which may be used together, to reduce the probability of the risk, its impact, or both. Examples are:
Build in redundancy (standby equipment, back-up computer at different location);
Perform more quality tests or inspections;
Provide better training to personnel;
Spread risk over several areas (portfolio effect);
Reduction strategies are used for any level of risk where the remaining risk is not of very high severity (very high probability and impact) and where the benefits (the amount by which the risk is reduced) outweigh the costs of the reduction.
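The two quantitative criteria above (collect more information only when value-of-information arguments justify it, and reduce a risk only when the benefit outweighs the reduction cost) can be worked through together. The following added example is not from the original text; it uses the standard expected value of perfect information (EVPI) calculation and constructed figures (a 1,000,000 loss if the event occurs, a reduction measure costing 30,000 that leaves 20% of the original probability, and three expert scenarios for the annual event probability) that are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed example, not from the original text: a manager weighs accepting a
# risk against paying for a reduction measure while the event probability is
# itself uncertain. The value of perfect information (EVPI) bounds what it is
# worth spending on further data collection. All names and figures are assumptions.

@dataclass(frozen=True)
class Option:
    name: str
    fixed_cost: float       # cost of applying the option (0 for acceptance)
    residual_factor: float  # multiplier on the event probability after the option (1.0 = unchanged)

def expected_cost(option: Option, p_event: float, impact: float) -> float:
    """Fixed cost plus expected loss: cost + (residual probability * impact)."""
    return option.fixed_cost + option.residual_factor * p_event * impact

def best_option(options, p_event, impact):
    """Risk-efficient choice: the option with the lowest total expected cost."""
    return min(options, key=lambda o: expected_cost(o, p_event, impact))

def value_of_perfect_information(options, scenarios, impact):
    """scenarios: list of (belief_weight, event_probability) pairs; weights sum to 1.

    Returns (cost_now, cost_with_perfect_info, evpi):
      cost_now: expected cost of the best option chosen under current beliefs
      cost_with_perfect_info: expected cost if the true probability were known before choosing
      evpi: the most it is worth paying for information that resolves the uncertainty
    """
    total_weight = sum(w for w, _ in scenarios)
    if abs(total_weight - 1.0) > 1e-9:
        raise ValueError("scenario belief weights must sum to 1")
    p_mean = sum(w * p for w, p in scenarios)
    chosen_now = best_option(options, p_mean, impact)
    cost_now = expected_cost(chosen_now, p_mean, impact)
    # With perfect information the best option is picked separately in each scenario.
    cost_with_info = sum(
        w * expected_cost(best_option(options, p, impact), p, impact) for w, p in scenarios
    )
    return cost_now, cost_with_info, cost_now - cost_with_info

# Constructed inputs (assumptions): loss if the event occurs, the two candidate
# responses, and three expert scenarios for the annual event probability.
IMPACT = 1_000_000.0
OPTIONS = [
    Option("accept", fixed_cost=0.0, residual_factor=1.0),
    Option("reduce", fixed_cost=30_000.0, residual_factor=0.2),
]
SCENARIOS = [(0.5, 0.01), (0.3, 0.05), (0.2, 0.20)]  # (belief weight, P(event per year))

def decide_on_more_information(study_cost: float) -> bool:
    """True if a study costing study_cost that resolves the uncertainty is worth commissioning."""
    _, _, evpi = value_of_perfect_information(OPTIONS, SCENARIOS, IMPACT)
    return study_cost < evpi

if __name__ == "__main__":
    now, with_info, evpi = value_of_perfect_information(OPTIONS, SCENARIOS, IMPACT)
    p_mean = sum(w * p for w, p in SCENARIOS)
    print(f"best option under current beliefs: {best_option(OPTIONS, p_mean, IMPACT).name}, "
          f"expected cost {now:,.0f}")
    print(f"expected cost with perfect information: {with_info:,.0f}")
    print(f"EVPI (ceiling on what a study is worth): {evpi:,.0f}")
```

With these figures, reduction is the risk-efficient choice under current beliefs (expected cost 42,000 against 60,000 for acceptance), and the EVPI is 11,000: a study that resolves which scenario holds is worth commissioning only if it costs less than that, because in the low-probability scenario the manager would switch to acceptance and save the 30,000 measure. Real studies rarely give perfect information, so the EVPI is an upper bound on what any data collection is worth.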
Contingency plans are plans devised to optimize the response to risks should they occur. They can be used in conjunction with acceptance and reduction strategies. A contingency plan should identify the individuals who take responsibility for monitoring the occurrence of the risk, and/or the identified risk drivers, for changes in the risk's probability or possible impact. The plan should identify what to do, who should do it and in which order, the window of opportunity, etc. Examples are:
Have a trained firefighting team on-site;
Have a pre-prepared press release;
Have a phone list visible (or email distribution list) of whom to contact if the risk occurs;
Reduce police and emergency service leave during a strike;
Fit lifeboats on ships.
Holding a reserve: management's response to an identified risk is to add some reserve (buffer) to cover the risk should it occur. This is appropriate for small- to medium-impact risks. Examples are:
Allocate extra funds to a project;
Allocate extra time to complete a project;
Have cash reserves;
Have extra stock in shop for a holiday weekend;
Stockpile medical and food supplies.
Insurance is essentially a risk reduction strategy, but it is so common that it is worth mentioning separately. If an insurance company has done its numbers correctly, in a competitive market you will pay a little above the expected cost of the risk (i.e. probability * expected impact should the risk occur). In general, we therefore insure against risks whose impact is outside our comfort zone (i.e. where we value the risk higher than its expected value). Alternatively, you may feel that your exposure is lower than that of the average policy purchaser, in which case the premium may be below your expected cost and insurance is therefore extremely attractive.
Transfer involves manipulating the problem so that the risk is transferred from one party to another. A common method of transferring risk is through contracts, where some form of penalty is attached to a contractor's performance. The idea is appealing and often used, but can be very inefficient. Examples are:
Penalty clause for running over agreed schedule;
Performance guarantee of product;
Lease a maintained building from the builder instead of purchasing;
Purchase an advertising campaign from some media body or advertising agency with payment contingent on some agreed measure of success;
You can also consider transferring risks to yourself, where there is some advantage in relieving another party of a risk. For example, if you can guarantee a second party against some small risk resulting from an activity you wish to undertake, and that activity provides you with a benefit much greater than the other party's risk, the second party may withdraw its objection to your proposed activity.
In order for a risk analysis to help the manager determine which options are to be preferred, the manager must provide a clear question stated in terms of a quantitative estimate. For example:
"What is the risk of AIDS?"
is insufficient. The manager would need to specify:
The risk to whom?
The population in general, or a sub-group?
In what units?
The measure of impact: is the analyst to evaluate a person living with AIDS the same as a person suffering symptoms, the same as a person who dies from the virus? Perhaps all three values are needed.
Over what period?
There has to be a unit of exposure: for example, per random person per year, or per lifetime.
Perhaps the exposure is required per sexual contact with an AIDS sufferer, per new sexual partner, or birth (for transfer to children), etc.
How is the answer to be enumerated?
The choice of numerical representation can be very important. For example, the risk from some exposure or activity X in a country of 50 million population could be expressed as follows:
1 in a million chance of death per person per year
1 in a million chance of death per statistical person per year
An expected 50 deaths per year
10^-6 risk of death per person per year
0.000 001 risk of death per person per year
0.000 1% risk of death per person per year
Same risk as dying from Y (Y is some recreational activity)
If these explanations of risk are presented to the population, they may engender quite different reactions. For example:
'Yes, but I'll be the "1". It's too risky'
'Not so risky'
'Completely unacceptable to condemn 50 people to death each year'
'What does 10^-6 mean? They're trying to blind us with science'
'That's a lot of zeros. Not a problem'
'Doesn't look that small to me'
'How dare you impose a risk on me that I didn't ask for'
It is common and, in our view, very practical for analysts and managers to spend some time debating the question that can be answered, and the process is iterative: the collection of available data will often lead to a change or refinement to the question, and the asking of additional questions.