Study smarter with Fiveable
Get study guides, practice questions, and cheatsheets for all your subjects. Join 500,000+ students with a 96% pass rate.
Risk assessment is about making smarter decisions under uncertainty. In business decision-making, the real skill is choosing the right tool for the right situation: when to use qualitative judgment versus quantitative modeling, how to prioritize limited resources, and how to communicate risk to stakeholders who need to act on it. These techniques connect directly to capital budgeting, strategic planning, financial management, and operational efficiency.
Every technique here represents a different philosophy of risk. Some focus on expert judgment, others on statistical probability, and still others on systematic process analysis. Don't just memorize definitions. Understand what type of uncertainty each method handles best and when you'd recommend one over another.
These techniques rely on structured judgment rather than statistical calculations. They're ideal when historical data is limited or when you need to capture organizational knowledge quickly.
SWOT maps internal factors (Strengths, Weaknesses) against external factors (Opportunities, Threats) to give you a snapshot of strategic positioning. It's a competitive analysis foundation that reveals where an organization is vulnerable or advantaged relative to rivals.
Because it's low-cost and fast to deploy, SWOT works best for initial strategic planning sessions and brainstorming. The tradeoff is that it doesn't quantify anything or rank risks by severity.
The Delphi Technique is an expert consensus method that uses multiple anonymous rounds of questioning to reduce groupthink bias. After each round, participants see the aggregated group responses and can revise their opinions. This iterative refinement continues until the group converges on a consensus.
It's best suited for novel risks where historical data doesn't exist and specialized judgment is essential. Think emerging technologies, unprecedented regulatory changes, or new market entry decisions where no one has reliable numbers yet.
A Risk Breakdown Structure is a hierarchical categorization that organizes risks into manageable, logical groupings: technical, external, organizational, and project management risks, among others. Its main value is comprehensiveness. By working through the hierarchy, you ensure no risk category gets overlooked.
It also serves as a communication framework, standardizing how risks are reported across departments and projects.
Compare: SWOT Analysis vs. Delphi Technique: both rely on human judgment, but SWOT captures internal team perspectives quickly while Delphi seeks external expert consensus over time. Use SWOT for strategic planning kickoffs; use Delphi when you need specialized forecasting for unprecedented situations.
These methods help you rank risks by combining likelihood with consequences. The underlying principle: not all risks deserve equal attention. Focus resources where exposure is greatest.
This is a two-dimensional risk ranking that plots likelihood on one axis against severity on the other, creating priority zones. Risks landing in the "red zone" (high probability, high impact) demand immediate attention, while those in the "green zone" can often be accepted without further action.
The matrix serves as a resource allocation guide, giving you a defensible basis for where to invest in mitigation versus where to simply monitor.
Risk mapping takes the prioritization concept further by creating a heat map visualization that communicates risk exposure to non-technical stakeholders at a glance. Unlike the probability and impact matrix, which often focuses on individual project risks, risk mapping provides a portfolio-level view of aggregate organizational risk.
These maps support dynamic updating, allowing real-time tracking as risks evolve throughout a project lifecycle.
VaR is a statistical loss measure that quantifies the maximum expected loss over a specific time period at a given confidence level. For example, a 1-day VaR of at 95% confidence means there's only a 5% chance the portfolio will lose more than in a single day.
The basic formula is:
where is the expected return, is the z-score corresponding to your confidence level (1.65 for 95%, 2.33 for 99%), and is the standard deviation of returns.
VaR is a regulatory requirement for financial institutions managing market risk and capital reserves. Its main limitation is that it tells you the threshold of loss but nothing about how bad losses could get beyond that threshold (that's where Conditional VaR, or CVaR, comes in).
Compare: Probability and Impact Matrix vs. VaR: both prioritize risks, but the matrix uses qualitative rankings while VaR produces a precise dollar figure. For financial portfolio risk, VaR is your quantitative answer; for project risk prioritization, reach for the matrix.
These techniques model uncertainty mathematically, generating probability distributions rather than single-point estimates. They're essential when you need to understand the range of possible outcomes, not just the most likely one.
Monte Carlo simulation is a random sampling engine that runs thousands (or millions) of iterations, drawing values from probability distributions assigned to each uncertain variable. The output isn't a single number. It's a distribution of outcomes showing, for example, that there's a 70% chance a project's NPV exceeds and a 10% chance it falls below zero.
Common applications in business include:
Sensitivity analysis is "what-if" testing that changes one input variable at a time while holding everything else constant, then measures the effect on the output. The goal is to identify key drivers: variables with the largest impact deserve the most accurate estimates and the closest monitoring.
Results are often displayed in tornado diagrams, which visually rank variables by their influence on the outcome. The variable with the widest bar has the most impact on your result.
Unlike Monte Carlo's continuous distributions, scenario analysis models discrete future states: typically a best case, worst case, and most likely case. You define each scenario with a specific set of assumptions, then evaluate whether your strategy remains viable under each one.
This makes it a powerful stress testing tool. It reveals breaking points where a decision becomes unacceptable, helping you build contingency plans before problems arise.
Compare: Monte Carlo vs. Sensitivity Analysis: Monte Carlo varies all inputs simultaneously using probability distributions, while sensitivity analysis isolates one variable at a time. A good workflow is to use sensitivity analysis first to identify which variables matter most, then run Monte Carlo to model their combined uncertainty.
These engineering-derived methods systematically trace how failures occur and propagate. They're built on the principle that understanding failure pathways enables targeted prevention.
FMEA ranks failure modes using a Risk Priority Number (RPN), calculated as:
Each factor is scored on a scale (typically 1-10), so RPN ranges from 1 to 1,000. A high RPN means the failure is severe, likely to occur, and hard to detect before it causes harm. That combination demands immediate corrective action.
FMEA is a proactive prevention tool. It identifies vulnerabilities before failures occur. Applications span manufacturing, healthcare, and service delivery design.
Fault tree analysis uses top-down deductive logic. You start with an undesired event (the "top event") and trace backward to identify all possible root causes. The tree uses Boolean gate structures: AND gates (all sub-events must occur) and OR gates (any single sub-event triggers the failure).
You can calculate system failure probability by multiplying individual failure probabilities through AND gates and adding them through OR gates. This makes fault tree analysis a rigorous tool for quantifying system reliability.
Event tree analysis works in the opposite direction: bottom-up inductive logic. You start with an initiating event and trace forward through branching probability paths, evaluating how safety barriers and controls affect the final consequences at each branch.
This makes it a strong contingency planning tool. It shows whether existing safeguards adequately reduce risk and where additional controls would have the greatest effect.
HAZOP uses a guide-word methodology to systematically examine process deviations. Guide words like no, more, less, reverse, and other than are applied to process parameters (flow, pressure, temperature) to generate a comprehensive list of possible deviations.
A multidisciplinary team is required, bringing together engineering, operations, and safety expertise. HAZOP is a chemical and process industry standard, typically conducted before new equipment is installed or when processes are modified.
Compare: Fault Tree vs. Event Tree Analysis: fault trees work backward from failure to causes (deductive), while event trees work forward from an initiating event to consequences (inductive). Use fault trees to understand why something fails; use event trees to understand what happens next after a trigger event.
These methods organize complex decisions into logical frameworks that clarify trade-offs and quantify outcomes. They transform messy real-world choices into analyzable structures.
A decision tree is a sequential decision map that diagrams choices (square nodes), chance events (circle nodes), and outcomes in chronological order. At each chance node, you calculate the expected value:
Then you use rollback analysis, working from the end outcomes backward to determine which initial decision yields the highest expected value. This technique is especially useful when decisions unfold in stages and later choices depend on earlier outcomes.
Bow-tie analysis is an integrated visualization that combines a fault tree on the left side (causes) and an event tree on the right side (consequences), connected by a central risk event. Preventive barriers appear on the left; mitigating barriers appear on the right.
Its greatest strength is communication. A single bow-tie diagram can explain a complex risk scenario to executives and regulators, showing both how to prevent the event and how to limit damage if it occurs.
Compare: Decision Tree vs. Bow-Tie Analysis: decision trees focus on your choices and their outcomes, while bow-tie analysis focuses on risk events and their causes/consequences. Decision trees answer "what should we do?"; bow-tie answers "how do we prevent and respond to this risk?"
| Concept | Best Examples |
|---|---|
| Qualitative judgment methods | SWOT Analysis, Delphi Technique, Risk Breakdown Structure |
| Probability-based prioritization | Probability and Impact Matrix, Risk Mapping, VaR |
| Statistical simulation | Monte Carlo Simulation, Sensitivity Analysis, Scenario Analysis |
| Failure pathway analysis | FMEA, Fault Tree Analysis, Event Tree Analysis, HAZOP |
| Decision structuring | Decision Tree Analysis, Bow-Tie Analysis |
| Financial risk quantification | VaR, Monte Carlo Simulation, Sensitivity Analysis |
| Expert-dependent methods | Delphi Technique, HAZOP, SWOT Analysis |
| Visual communication tools | Bow-Tie Analysis, Risk Mapping, Decision Tree Analysis |
Which two techniques both use tree structures but apply opposite reasoning directions (deductive vs. inductive)? What situation would call for each?
A pharmaceutical company needs to assess risks for a new drug with no historical data. Which technique relies on expert consensus through iterative rounds, and why might it outperform a statistical approach here?
Compare Monte Carlo Simulation and Sensitivity Analysis: how does each handle multiple uncertain variables, and in what order would you typically apply them?
If you're asked to calculate the Risk Priority Number in FMEA, what three factors do you multiply together, and what does a high RPN indicate?
Your CFO wants a single dollar figure representing the maximum likely portfolio loss over the next quarter at 95% confidence. Which technique provides this, and what are its limitations compared to scenario analysis?