Risk management is generally an activity aimed at using resources efficiently, focusing on the most significant risks, and determining the correct strategy. Let’s assume that readers are familiar with the risk assessment process, which consists of risk identification, risk analysis, and risk evaluation. These processes are sequential, with the output of one becoming the input for the next. In the risk analysis process, the impacts and likelihoods of the desired or undesired event are estimated. The magnitudes obtained, whether by estimation or by another method, must be consistent, valid, and comparable. Therefore, it is important to conduct preliminary analysis, uncertainty analysis, and sensitivity analysis at the end of the risk analysis process. This article addresses these often overlooked analyses.

Depending on how simple or complex the process under risk analysis is, whether it is technology-oriented, and whether it involves automated systems, decisions to improve risks can be made without further evaluation. The risk identification team may set aside process risks that are deemed insignificant. Risks that require more detailed analysis can be separated out and analyzed in greater depth. This may call for more detailed expert opinions or different likelihood estimation techniques.

This study aims to highlight the significant uncertainties encountered during risk analysis and to ensure that this information is included in the risk assessment report. Uncertainty refers to the range around an average value within which measured or estimated values lie with a certain probability. During the risk analysis process, it is important to remember that the magnitude of the risk is derived from the combination of the likelihood of the event, the current controls related to the event, and the consequences of the event. The values for the likelihood of the event, the effectiveness of current controls, and the impact of the event’s consequences may have been obtained from expert opinions, historical data, or other methods. These values are not precise and are centered around a certain average. The uncertainties arising from expert opinions, historical data, or the methods used must be considered. The deviation they can cause in the overall magnitude should be accounted for and included in the risk assessment report submitted to management.

This study examines the effect of changes in input parameters on the magnitude of risk during the risk analysis process. This analysis identifies sensitive and less sensitive values. For example, how much does the risk magnitude change if the likelihood of the event is decreased or increased by one level? The same consideration can be applied to the impact parameter. If a small change can bring the value below or above the acceptability threshold, it indicates high sensitivity, which should be taken into account.
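The one-level check described above can be run over a whole risk register. The following is an added example, not part of the original article; it assumes a 1-5 scale for likelihood and impact, a magnitude computed as their product, an acceptability threshold of 10, and constructed register entries, and it leaves control effectiveness out to keep the case narrow.

```python
from dataclasses import dataclass

# Assumed scheme (not from the article): 1-5 levels, magnitude = likelihood * impact.
LEVELS = range(1, 6)
ACCEPT_THRESHOLD = 10  # constructed value: magnitude <= 10 counts as acceptable

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int

def magnitude(likelihood: int, impact: int) -> int:
    return likelihood * impact

def acceptable(likelihood: int, impact: int) -> bool:
    return magnitude(likelihood, impact) <= ACCEPT_THRESHOLD

def sensitivity(risk: Risk) -> dict:
    """Shift each input by one level, one at a time, and record the effect."""
    base = magnitude(risk.likelihood, risk.impact)
    base_ok = acceptable(risk.likelihood, risk.impact)
    shifts = {}
    for param in ("likelihood", "impact"):
        for delta in (-1, +1):
            lik = risk.likelihood + (delta if param == "likelihood" else 0)
            imp = risk.impact + (delta if param == "impact" else 0)
            if lik not in LEVELS or imp not in LEVELS:
                continue  # already at the edge of the scale, no shift possible
            shifts[f"{param}{delta:+d}"] = {
                "magnitude": magnitude(lik, imp),
                "change": magnitude(lik, imp) - base,
                # True when the shifted value lands on the other side of the threshold
                "flips": acceptable(lik, imp) != base_ok,
            }
    return {"base": base, "acceptable": base_ok, "shifts": shifts,
            "sensitive": any(s["flips"] for s in shifts.values())}

# Constructed sample register entries.
REGISTER = [
    Risk("Unpatched VPN gateway", likelihood=3, impact=4),
    Risk("Lost backup tape", likelihood=1, impact=2),
    Risk("Phishing of finance staff", likelihood=5, impact=5),
]

if __name__ == "__main__":
    for r in REGISTER:
        res = sensitivity(r)
        label = "sensitive" if res["sensitive"] else "stable"
        print(f"{r.name}: magnitude {res['base']}, {label}")
```

Risks reported as sensitive are the ones whose estimates deserve a second look before the report goes to management, since a one-level estimation error changes the acceptability decision.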

In conclusion, the risk analysis should express uncertainty, sensitivity, completeness, and accuracy. If possible, the analysis results should be validated and verified. Verifications can be made possible with appropriate controls.