Analyzing a risk means dealing with a possible incident in advance. This incident should be evaluated as realistically as possible. What could happen in the worst case? What would it mean for us or for our company? In this article I am going to explain how to approach and conduct a risk analysis properly.

You should use the risk argument in everyday business. When asked, “Where do you specifically see a risk at this point?”, many people who were just worked up suddenly become quieter or even fall silent, because evaluating a risk in a structured way requires a bit more than venting a gut feeling.

But let’s not beat around the bush. Let’s get specific. Let’s identify and assess risks. We will also walk through a risk analysis example.

Risk is defined as follows, not only in ISO 31000, the ISO standard for risk management (Risk management – Principles and guidelines), but also in ISO/IEC 27001, the management system standard for information security:

risk = damage x probability of occurrence

In short, risk is the product of the potential damage and the associated probability of occurrence. We can’t do without mathematics at this point. But don’t panic! It shouldn’t be that difficult to multiply these two values.

The bigger challenge lies in the preliminary work. In order to multiply damage and probability of occurrence, we must “convert” or classify those factors into values.

Definition of Risk Criteria

Risk analysis must follow a systematic structure. The results must be reproducible. That is, if another person with the same expertise were to assess the same risk, they should come to the same conclusion based on the objective criteria.

Therefore, it is extremely important to define these objective criteria in advance. They vary from company to company. Even within a single company, the risk criteria may differ.

Definition of Damage Classes

Instead of working with damage classes, you can of course also work directly with financial values. That is, you quantify each potential damage with a sum x in euros. This makes it easy for our mathematical formula. In practice, however, this turns out to be difficult. After all, who can judge what (relatively exact) financial damage, for example, a reputational loss due to defectively delivered products will result in?

So unless you are forced by internal or external requirements to actually value the damage in euros, I recommend that you create damage classes. Four classes are useful to start with from my experience:

  • low, medium, high, very high
  • very low, low, medium, high

Both variants ultimately lead to the same result. The difference is purely in the wording and the message you are conveying.

That’s it? What is so difficult about that?

We have now formed our damage classes, but we cannot yet meet the requirement that our assessments should be reproducible. We have to ensure that project manager Müller evaluates the project risks according to the same criteria as his deputy Mr. Schmitt. This will only work if we provide them with additional guidance on what is meant by the damage classes.

The following table shows one possible interpretation of the damage classes.

| Damage Class | Financial Loss | Failure of Core Processes | Reputational Damage | Impact on Natural Persons |
|---|---|---|---|---|
| low | < 5,000 € | minimal delays in subsequent processes (up to 2 hours) | incident is known only to internal employees, no media impact | disadvantages (economic, social) on a small scale for the person |
| medium | between 5,000 € and 20,000 € | leads to a delay of approx. one day in the subsequent internal processes | regional media impact | financial damage (not threatening the existence of the company) |
| high | between 20,000 € and 50,000 € | leads to a delay of more than one day in subsequent internal processes | incident has national media impact, negative image even in job postings | identity theft, discrimination |
| very high | > 50,000 € | leads to a delay in planned delivery times; customer deadlines cannot be met | incident has international media impact, loss of customers | life-threatening, existential |

My primary concern here is to show by means of an example how damage classes can be defined. The content of the definition, as well as the number of criteria you define, must of course be tailored to your own company.

Definition of Probability of Occurrence

The same applies to the probability of occurrence. Whether you name the classes low, medium, high, very high, or otherwise is up to you.

| Probability of Occurrence | Future Estimate | Look Into the Past |
|---|---|---|
| low | incident occurs at the earliest in 6 years or later | incident never occurred before or occurred more than 6 years ago |
| medium | incident occurs in the next 4-6 years | incident occurred in the last 4-6 years |
| high | incident occurs in the next 1-3 years | incident occurred in the last 1-3 years |
| very high | incident occurs in the next year | incident occurred in the last year |

As with the damage classes, the content of the table must be based on your company, not on my example!

Risk Matrix

We now know our damage classes and probabilities of occurrence, which we make available for the assessment. From these, we get the potential risk. Since we have classified the greatest damage as “very high” and the greatest probability of occurrence as “very high”, our maximum risk is:

maximum risk = very high damage x very high probability of occurrence

In the same way, all other potential risks that are possible in our matrix are determined.

[Figure: Risk Matrix With Four Damage Classes and Four Classes for the Probability of Occurrence]

Since we also want to determine the risk mathematically, we have to assign values to the classes. Depending on the number of classes and the resulting values, it may make sense to assign the values not as 1, 2, 3, … but perhaps as 10, 20, 30, ….

In any case, we now know that in our example the maximum risk corresponds to a value of 16 and the minimum risk to a value of 1. I find it easier to use these values to set the risk acceptance level.

Definition of the Risk Acceptance Level

What a nice term … “risk acceptance level” 🙂 And that means …?

We have now constructed our risk matrix. However, it does not yet reveal what is an acceptable risk for the company. That, too, must be determined before the risk analysis is performed.

Using the risk matrix shown above, the company can now determine, for example, that all risks with an outcome value of < 4 are automatically accepted. Thus, the risk acceptance level for the company would be as follows:

[Figure: Risk Acceptance Level: Acceptance of all Risks < 4]

For the subsequent risk analysis, this would mean that all risks with a score < 4 require no further action.

Risk Classes

Of course, you can again choose the number of risk result categories yourself. There should be at least two: accepted risks and unaccepted risks.

It makes sense to have at least three risk classes. You are welcome to divide these again into low risks, medium risks, and high risks.

Low risks (in our example, those with a value < 4) you accept automatically. Medium risks (with values between 4 and 8 in the example) are accepted individually. You must also define who has the right to accept these risks. Is it the responsible department or project manager, or does something like this always have to go through management? High risks (with values greater than 8 in the example) always require risk handling and can only be accepted with justification by the management. You decide what this should look like in your case.

So much for the preliminary work. Now we get to the actual execution of the risk analysis.

Process Risk Analysis

A meaningful risk analysis is usually integrated into a risk management system. I dedicate a separate post in the blog to the risk management system, so I do not want to discuss it further at this point. Instead, we want to focus on how to perform a risk analysis, i.e. on the actual risk management process.

Strictly speaking, the actual risk analysis is only one part of the complete risk management process, as the process flow according to ISO 31000 shows.

[Figure: Risk analysis process]

Risk Identification

The first step is to determine what could happen in the first place. And who could do this better than the person(s) in the company who are directly confronted with the risk: the risk owner(s). The risk owner should know the risks for his area. This can be the department manager, but also the project manager. Depending on the size of the department or the project team, members of the team can also participate in recording the risks. However, as always in the job, the risk owner (= responsible person) is the one who “wears the hat”, i.e. the department or project manager.

In the context of risk analysis, risk identification is about naming potential incidents. Nothing is assessed yet. Just ask yourself the question, “What could happen?”

And keep it real! In some risk workshops, I get the impression that the goal is to fill the risk list with lines. This really shouldn’t be the primary goal. Only include those incidents which actually exist for you in the Excel template or in your risk analysis program.

Let’s re-enact the whole process with a risk analysis example. You are the commercial manager of a small to medium-sized company and are therefore also responsible for personnel management.

Scenario: The employee responsible for payroll is absent for several weeks (up to 6 weeks).

That is now our scenario. But is it actually a risk as well? No! This is a crucial point which I often encounter in practice during risk workshops. Even some books define a risk scenario that way. But we have merely described an incident here. In my opinion, it only becomes a risk if it results in a consequence that causes damage to the company. This is not apparent from the scenario above. Therefore, I have added a separate field “…leads to” in the Excel sample template in the appendix. It will remind you not to forget this important information.

Description of the damage (“…leads to”): Payroll accounting for the entire company can no longer be carried out. Wages can no longer be paid.

Only now, the incident takes shape and is linked to a potential damage scenario. We have not yet considered the “why”. So what is the cause of the employee’s absence leading to the payroll failure? Because this is also important information, you will find a separate field for it in my Risk Analysis Excel template.

Cause / reason for the occurrence of the scenario (= vulnerability): Because the responsible employee is a single source (that is, only one person has the appropriate know-how), the loss occurs when this employee is absent for several weeks. In practice, an incident with a particular loss can have several causes. If this is the case, I recommend that you copy this scenario in the Excel template accordingly, i.e. as many times as there are causes. The reason is that each cause can have a different probability of occurrence later in the assessment. Even if the damage is the same, different causes in a risk scenario can result in different risk values.

[Figure: Example risk identification for the Loss of an Employee]

Risk Analysis

Only now do we get to the actual risk analysis. We analyze how big the damage is to the company and what the probability of occurrence for this risk scenario is.

Before we went into the execution of the risk process, we did our homework and defined which damage classes and probabilities of occurrence we wanted to provide.

Damage class: If we now refer to our damage class definition, we can assume reputational damage. This incident is likely to make it into the regional press. In addition, it would have a financial impact on the individuals involved. With these criteria, we end up in the “medium” damage class.

Probability of occurrence: According to the company’s estimate, an absence of several weeks can possibly occur in the current constellation in the next one to three years. This puts the probability of occurrence at “high.”

[Figure: Evaluation of damage class and probability of occurrence for a scenario]

Risk Assessment

With the classifications made for damage and probability of occurrence, we now have a risk value. Since we did our homework beforehand and defined the risk classes, this step is now automatic (see image above).

A medium loss multiplied by a high probability of occurrence results in a medium risk with a risk value of 8. Thus, we have a risk which requires a further decision: as a medium risk, it is not automatically accepted.

The commercial manager does not want to bear this risk. That is, by definition, it is not accepted. The risk owner also does not choose to accept the risk. Thus, the risk must be mitigated in some way.

Risk Treatment

This step is only necessary if the risk is not accepted. Risk treatment may vary.

  • Minimize the risk by implementing measures which reduce either the harm or the probability of occurrence.
  • Eliminate the risk by completely avoiding the occurrence of the incident.
  • Transfer the risk to a third party, for example, an insurance company.
  • Accept and regularly monitor the risk.

In the attached Excel template you will find a field “planned additional measure”. Here you can specify which measure you want to use to minimize the probability of occurrence or damage.

Other actions such as transferring or eliminating the risk should also be documented here. Note that the risk owner himself can only approve actions to a limited extent. Depending on the time, resources, and costs involved, management may need to be consulted for an action.

Planned additional measure in our example: The commercial manager proposes to familiarize another person with payroll accounting as a measure. After implementation of the measure, this reduces the loss, which now falls into the “low” class. The loss of an employee thus does not lead to an interruption in payroll accounting. However, the probability of an employee being absent for several weeks remains the same. Thus, we have an accepted risk with low damage and high probability.
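The risk matrix, acceptance level and risk classes defined above, applied to the payroll scenario before and after the planned measure, as an added example that is not part of the original article or its Excel template. It assumes the classes are scored 1 to 4 (which gives the 1 to 16 range mentioned above), so medium × high scores 6 here rather than the 8 read off the article’s matrix image; it still lands in the medium class.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Assumption: classes scored 1..4, reproducing the article's 1..16 range.
DAMAGE = {"low": 1, "medium": 2, "high": 3, "very high": 4}
PROBABILITY = {"low": 1, "medium": 2, "high": 3, "very high": 4}

# Risk acceptance level and risk classes as defined in the article.
ACCEPTANCE_LEVEL = 4   # value < 4: accepted automatically ("low" risk)
HIGH_THRESHOLD = 8     # 4..8: accepted individually ("medium"); > 8: "high"


@dataclass(frozen=True)
class Risk:
    """One row of the risk list: one scenario, one damage, one cause."""
    scenario: str      # the incident itself
    leads_to: str      # the damage that makes the incident a risk
    cause: str         # the vulnerability; one Risk object per cause
    damage: str        # damage class
    probability: str   # probability-of-occurrence class

    def value(self) -> int:
        """risk = damage x probability of occurrence"""
        return DAMAGE[self.damage] * PROBABILITY[self.probability]

    def risk_class(self) -> str:
        v = self.value()
        if v < ACCEPTANCE_LEVEL:
            return "low"
        if v <= HIGH_THRESHOLD:
            return "medium"
        return "high"


def risk_matrix() -> dict[tuple[str, str], int]:
    """All (damage, probability) cells with their risk value."""
    return {(d, p): DAMAGE[d] * PROBABILITY[p] for d in DAMAGE for p in PROBABILITY}


def cells_by_class() -> dict[str, int]:
    """How many matrix cells fall into each risk class."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for d, p in risk_matrix():
        counts[Risk("", "", "", d, p).risk_class()] += 1
    return counts


# Constructed from the article's worked example.
PAYROLL = Risk(
    scenario="Employee responsible for payroll is absent for up to 6 weeks",
    leads_to="Payroll for the whole company cannot be run; wages are not paid",
    cause="Single source: only one person has the payroll know-how",
    damage="medium",
    probability="high",
)


def after_measure(risk: Risk) -> Risk:
    """Planned measure: a second person is familiarized with payroll.
    The damage drops to 'low'; the probability of absence is unchanged."""
    return replace(risk, damage="low")


def report(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """The risk report: (scenario, value, class), highest value first."""
    rows = [(r.scenario, r.value(), r.risk_class()) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Calling `report([PAYROLL, after_measure(PAYROLL)])` lists the scenario once as a medium risk requiring a decision and once, after the measure, as an automatically accepted low risk.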

Regarding the planned additional measure: If you want, you can also record the status of the measure, its costs, responsibilities, and implementation times right away in the risk treatment.

[Figure: Documentation of Additional Measures for a Specific Cause in a Risk Scenario]

Risk Report / Risk Presentation of a Risk Analysis

Often one reads about a “risk report”. However, there is no mandatory form or presentation for it. If you use the Excel template from this post, you will have a risk report of your risk analysis right away. You have a clear presentation of all identified risks, you can filter by the different risk classes and display the measures. So it’s all there.

Nevertheless, in order for the risk report to be valid, it is important to present it to senior management.

Presenting the Risks to Senior Management

We are now back in the risk management system, but I would still like to briefly discuss this aspect at this point. Even if the small risks are automatically accepted by definition, the higher-level managers should be aware of them. It is clear that the “small risks” should not eat up management’s time. Nevertheless, you should give management an update on the risk status, either at the quarterly meeting or when a current risk arises.

For “red” risks, i.e., high risks, you usually need a statement from senior management anyway. This is very important. And don’t forget to then document this management decision on high risks, either directly in the risk analysis or in a separate protocol.

Graphical Overview of Risks

I personally like it when the high risks in particular are represented graphically in the risk matrix. That way, the high and medium risks each get a point in the risk matrix according to their classification in damage and probability of occurrence.

This requires a little bit of extra effort, but it is great for a management meeting.

Template Risk Analysis

As promised, here is a free template in Excel that complies with the requirements of ISO 31000.


Privacy Risk Analysis: Rights and Freedoms of Natural Persons

Since our blog also revolves around the main topic of data protection, I would like to discuss this aspect separately. The GDPR talks about risks to the rights and freedoms of natural persons. This includes the protection of fundamental rights and freedoms. Article 2 of the constitutional law implies the fundamental right to informational self-determination. This means that every natural person has the right to determine his or her own data. The legal basis is: Charter of Fundamental Rights and Freedoms of the EU (GrCh), Human Rights Convention (MRK), national laws (e.g. Grundgesetz (GG) der Bundesrepublik Deutschland).

What Does Risk Mean According to the GDPR?

The term “risk” is not explicitly defined in the GDPR. However, recital 75 of the GDPR can be used here.

A risk within the meaning of the GDPR is the existence of the possibility of the occurrence of an event which itself causes harm (including unjustified interference with the rights and freedoms of natural persons) or may lead to further harm to one or more natural persons. It has two dimensions: first, the seriousness of the harm, and second, the likelihood that the event and consequential harm will occur.

Recital 75 GDPR

It does not matter whether risks affect natural persons or companies. The approach to identifying, assessing, analyzing, and addressing them remains the same. The DSK short paper number 18 provides an overview of data protection risk analysis. There are also some examples in the document: DSK Kurzpapier Nr. 18 – Risikoanalyse.

Your Experience with Risk Analysis

I’m curious what your experience has been so far with conducting a risk analysis. Where do you see the stumbling stones? What comes easily to you in the risk process? Let us know about your experience in a comment.

Risk Management Support

Of course, we are happy to support you with on-site workshops or online meetings when it comes to creating a risk management process or implementing a risk analysis. Whether ISO 31000, ISO 9001 or ISO 27001 … just contact us: [email protected]


FAQs on Risk Analysis

What is Risk Analysis?

Risk analysis is a structured approach to identifying potential events which may cause harm. Apart from identification, the assessment and treatment of risks are fundamental components of risk analysis.

Are There Normative Requirements for Performing a Risk Analysis?

Risk management is defined in the international ISO standard 31000 (Risk management – Principles and guidelines). ISO/IEC 27001 also provides guidelines for conducting risk analysis.

How is Risk Defined?

A risk is composed of the potential harm and the probability of occurrence:

risk = damage x probability of occurrence

To multiply damage and probability of occurrence, one calculates with classes of damage and classes of probability of occurrence.

How Do You Define Classes of Damage and Probability of Occurrence?

Often, one encounters the following categorization for damage classes: high / medium / low. However, it is even more crucial to define what lies behind these classes. It has to be clearly defined when a damage is seen as high, medium or low. The same applies to the classes of probability of occurrence. You can find tables for this in the corresponding section.

What is a Risk Matrix?

The risk matrix graphically shows which risks are possible. The previously defined damage classes and classes for the probability of occurrence result in the possible values for the risk. The matrix usually shows one quadrant of a coordinate system: on the x-axis the potential damage, on the y-axis the probability of occurrence. According to the familiar formula risk = damage x probability of occurrence, the possible risk values can then be read off the matrix. Most of the time, the risk values in the matrix are also color-coded: the values which are considered very high are shown in red, and yellow and green are commonly used for the lower levels. However, there are no color specifications for this.

What is the Risk Acceptance Level?

On the basis of the risk matrix, it is possible to show in a visually clear way which maximum risk values are theoretically possible. As a rule, the maximum values will not be accepted; that means the company will take care of treating those risks. The risk acceptance level characterizes exactly where the threshold lies: which risks are considered accepted and from which point risk treatment must be carried out. The risk acceptance level draws a diagonal boundary through the quadrant in the risk matrix (see graphic in the article).

What Steps Must be Taken in a Risk Analysis?

The process of a risk analysis should always be structured. The following four points should be worked through:

  • Risk identification (What events can occur?)
  • Risk analysis (What damage can the event trigger, and what is the underlying probability of occurrence?)
  • Risk assessment (Is the risk accepted or must it be treated?)
  • Risk treatment (If the risk is not acceptable, it must be minimized, eliminated or transferred. In special cases, it may also be accepted and monitored regularly.)

What are Risks to the Rights and Freedom of Natural Persons?

Data protection considers in the risk analysis only those risks which have an impact on natural persons. In data protection, a risk is likewise defined as damage x probability of occurrence. That is, for privacy risks, the harm relates to the individual. Thus, the harm could be, for example:

  • Financial damage
  • Economic disadvantages
  • Social disadvantages
  • Identity theft
  • Danger to life
  • Existential threat
  • …

Is a Privacy Risk Analysis the Same as a Privacy Impact Assessment?

A privacy impact assessment is based on the risk analysis. However, it goes a bit further or deeper. Before getting into a data protection impact assessment, a general risk analysis must already have been performed. Indeed, a privacy impact assessment only needs to be performed if there is a risk. And this question can only be answered if a rough assessment of the risk has already been made beforehand.