Risk analysis is the second step
in risk assessment, in which an understanding of the risk is developed. Analysis
includes understanding the causes of the risks, the possible positive and negative
consequences should the risk turn into an event, and the likelihood of the risk
actually transitioning into an event with positive or negative impacts [36].
Reference [79] describes
risk analysis as “the combination of knowledge about risk-related phenomena,
processes, events, etc. and the application of concepts, theories, frameworks,
approaches, principles, methods, and models to understand, assess,
characterize, communicate, and manage risk”.

On a global scale, risk analysis
gathers data and synthesizes information to develop an understanding of each
identified risk and the activities associated with it. It involves making
decisions about how to assess each risk, how to rank risks and how to promote
consensus among the different organizational actors
[80]. Reference [62] defines risk analysis as being
“about developing an understanding of the risk”. It provides an input to risk
assessment and to decisions about whether risks need to be treated and about the
most appropriate treatment strategies and methods.

Risk analysis consists of
determining the consequences and their probabilities for identified risk
events, taking into account the presence (or not) and the effectiveness of any existing
controls. The consequences and their probabilities are then combined to
determine a level of risk.

Risk analysis involves
consideration of the causes and sources of risk, their consequences and the
probability that those consequences can occur. Factors that affect consequences
and probability should be identified. An event can have multiple consequences
and can affect multiple objectives.
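
The combination described above can be sketched as follows. This is an added example, not taken from any cited source: the event, probabilities, impacts, control effectiveness values and rating thresholds are constructed, and treating controls as independent multiplicative reductions is an assumption of the example.

```python
from dataclasses import dataclass, field

@dataclass
class Consequence:
    objective: str        # objective affected by this consequence
    impact: float         # loss if it occurs (constructed unit: kEUR)
    probability: float    # P(consequence | event occurs)

@dataclass
class Control:
    name: str
    target: str           # "likelihood", or the objective whose impact it limits
    effectiveness: float  # 0.0 = absent or ineffective, 1.0 = fully effective

@dataclass
class RiskEvent:
    name: str
    likelihood: float     # annual probability of the event with no controls
    consequences: list
    controls: list = field(default_factory=list)

def remaining(controls, target):
    """Fraction of likelihood or impact left after all controls on `target`."""
    left = 1.0
    for c in controls:
        if c.target == target:
            left *= 1.0 - c.effectiveness  # assumption: controls act independently
    return left

def level_of_risk(event, with_controls=True):
    """Expected annual loss per objective, before or after existing controls."""
    controls = event.controls if with_controls else []
    likelihood = event.likelihood * remaining(controls, "likelihood")
    levels = {}
    for c in event.consequences:
        loss = likelihood * c.probability * c.impact * remaining(controls, c.objective)
        levels[c.objective] = levels.get(c.objective, 0.0) + loss
    return levels

def band(level, high=100.0, medium=10.0):
    """Semi-quantitative rating; the thresholds are constructed for this example."""
    return "high" if level >= high else "medium" if level >= medium else "low"

# Constructed sample: one event, two consequences, two existing controls.
EVENT = RiskEvent("ransomware outbreak", 0.2,
    [Consequence("availability", 1000.0, 0.9), Consequence("confidentiality", 3000.0, 0.5)],
    [Control("mail filtering", "likelihood", 0.5), Control("offline backups", "availability", 0.8)])

if __name__ == "__main__":
    for label, flag in (("inherent", False), ("residual", True)):
        for objective, level in level_of_risk(EVENT, flag).items():
            print(f"{label:9} {objective:16} {level:7.1f} kEUR/yr  {band(level)}")
```

The backup control lowers only the availability level, so the confidentiality consequence of the same event stays in the highest band even after controls are taken into account.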

Risk analysis normally includes
an estimation of the range of potential consequences that might arise from an
event, situation or circumstance, and their associated probabilities, in order
to measure the level of risk. However, in some instances, such as where the consequences
are likely to be insignificant, or the probability is expected to be extremely
low, a single parameter estimate may be sufficient for a decision to be made. In
some circumstances, a consequence can occur as a result of a range of different
events or conditions, or where the specific event is not identified. In this
case, the focus of risk assessment is on analyzing the importance and vulnerability
of components of the system with a view to defining treatments which relate to
levels of protection or recovery strategies. Methods used in analyzing risks
can be qualitative, semi-quantitative or quantitative. The degree of detail
required will depend upon the particular application, the availability of
reliable data and the decision-making needs of the organization. Some methods
and the degree of detail of the analysis may be prescribed by legislation.

Risk analysis and risk evaluation can be qualitative,
quantitative or a combination of both, depending on the enterprise's approach to
risk management [80].

