Risk Management: Terms, Tools, and Industry-Specific Risk Analysis Examples


When you drive your car, chances are you wear your seatbelt even though the likelihood of getting in an accident on any given day is low. The reason is that the potential consequences of an accident are severe, a risk mitigated by controls like seatbelts and anti-lock braking systems.
It’s just one example of how we use risk analysis in everyday decision-making, a process also used by manufacturers to guide them to the right course of action.
In this article, we drill down into how risk analysis works, looking at steps in the risk analysis process, common tools, and industry-specific risk analysis examples.
Defining Risk
In the context of risk analysis, risk is defined as the probability or likelihood of an event multiplied by its severity or impact. ISO 31000 for Risk Management defines risk as “the effect of uncertainty on objectives,” highlighting that risk can have positive and negative consequences depending on how it impacts your objectives.
Risk Analysis vs. Risk Assessment: What’s the Difference?
People often use the terms risk analysis and risk assessment interchangeably, but there is an important difference between the two.
According to ISO 31000, risk assessment refers to a broader process, of which risk analysis is one part. The risk assessment process includes:
- Risk identification: Identifying and documenting hazards
- Risk analysis: Determining likelihood and potential impact of individual risks
- Risk evaluation: Comparing the risk against internal criteria for acceptable versus unacceptable risk levels
Risk assessment itself is part of the larger risk management process, which consists of the following steps:
- Risk assessment: Identify, analyze and evaluate risks as described above.
- Risk treatment: Decide whether you will accept the risk or implement controls to mitigate the risk, including how you will communicate the risk to affected parties.
- Ongoing monitoring and review: Conduct regular monitoring and review of residual risks to ensure effectiveness of your controls.
- Documentation of risk: Document your risk management efforts to inform future activities and maintain a record of how you address risk in your organization.
Risk Analysis Methods and Tools
A multitude of tools exist to help organizations better understand the identified risks impacting their people and their operations as a whole. Below, we look at a few of the most prominent tools and how they work.
Risk Matrix
A risk matrix uses a chart to plot the likelihood of an event against its potential impact. The resulting score then determines the next action. For example, a risk that scores unacceptably high requires new controls to mitigate it.

Each organization must determine what is acceptable risk versus unacceptable risk, a process that typically involves reviewing historical data and criteria such as:
- Health and safety impacts
- Cost
- Regulatory compliance implications
They must also determine how they will handle risks that fall in the intermediate section of the risk matrix—perhaps assigning them for further review and investigation, for example.
Failure Mode and Effects Analysis (FMEA)
Failure mode and effects analysis (FMEA) is a systematic approach to identifying potential points of failure in a product or process and prioritizing how to mitigate their impact. FMEA can be used for root cause analysis as well as for risk analysis.
An FMEA is often used during product design or process design, and rates each failure mode or way a process or product could fail according to its severity, occurrence (likelihood), and detectability.
Multiplying severity, occurrence, and detection then provides a risk priority number (RPN). Those failure modes with a high RPN should be prioritized for additional controls, such as those that would prevent the potential cause, reduce its impact, or make it easier to detect.
Fishbone (Ishikawa) Diagrams
Fishbone or Ishikawa diagrams are useful for mapping out potential root causes of risks, helping identify underlying issues to prevent recurrence. A Fishbone diagram breaks down risk into different contributing factors, aligned with the 6Ms of process control:
- Man
- Machine
- Method
- Mother nature (environment)
- Material
- Measurement
Fault Tree Analysis (FTA)
Fault tree analysis uses a tree-shaped diagram to analyze potential failure causes and their interrelationships. With fault tree analysis, you start with a failure and work backwards to underlying root causes.

Fault tree analysis can be used to analyze causes of a failure after the fact, or to pinpoint potential failures during design. This method is especially helpful for investigating complex incidents and preventing recurrence.
Monte Carlo Simulation
A Monte Carlo simulation is a statistical modeling method widely used in manufacturing to predict potential outcomes in processes, projects, or systems. Monte Carlo modeling simulates a range of possible scenarios using thousands of iterations of variables, and is most commonly applied in areas like:
- Production forecasting
- Supply chain risk management
- Inventory management
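As an added illustration of the production forecasting case (not code from the original article), the sketch below runs 20,000 simulated weeks for one line and reports the spread of output and the chance of missing a weekly target. Every number in it (shift hours, line rate, scrap distribution, downtime probability) and the function names `simulate_week` and `forecast` are constructed assumptions.

```python
import random

def simulate_week(rng, downtime_prob, days=5):
    """Return good units produced in one simulated week (all inputs constructed)."""
    total = 0.0
    for _ in range(days):
        hours = 16.0                          # two 8-hour shifts
        if rng.random() < downtime_prob:      # unplanned stoppage today
            hours -= rng.uniform(1.0, 6.0)    # hours lost to the stoppage
        rate = rng.triangular(90, 110, 100)   # units/hour: low, high, most likely
        scrap = rng.betavariate(2, 60)        # scrap fraction, mean about 3%
        total += hours * rate * (1.0 - scrap)
    return total

def forecast(target, downtime_prob, iterations=20000, seed=1):
    """Run many simulated weeks and summarize the resulting distribution."""
    rng = random.Random(seed)                 # fixed seed keeps runs repeatable
    weeks = sorted(simulate_week(rng, downtime_prob) for _ in range(iterations))

    def pct(p):
        return weeks[int(p * (iterations - 1))]

    return {
        "p05": pct(0.05),                     # pessimistic week
        "p50": pct(0.50),                     # typical week
        "p95": pct(0.95),                     # optimistic week
        "miss_probability": sum(w < target for w in weeks) / iterations,
    }

if __name__ == "__main__":
    # Compare the line as it runs today with a lower-downtime scenario
    # (for example, after a maintenance control is added).
    for label, p in (("current", 0.15), ("with control", 0.05)):
        r = forecast(target=7400, downtime_prob=p)
        print(f"{label:>12}: P5={r['p05']:.0f} P50={r['p50']:.0f} "
              f"P95={r['p95']:.0f} miss={r['miss_probability']:.1%}")
```

Comparing `miss_probability` between the two runs shows how much a control that reduces downtime changes the risk of missing the target, which a single-point forecast cannot show.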
Bowtie Method
Used in high-risk industries like aviation and energy, this tool visualizes risk in a simple format that is easy to understand at a glance.
At the center of the bowtie is the event driven by a hazard above it. On the left you have threats, plus the preventive barriers in place to keep the event from happening. On the right you have the consequences, plus the recovery barriers to prevent those consequences from occurring.

Industry-Specific Risk Analysis Examples
So, how do different industries use risk analysis to mitigate risks to their business and employees? Let’s jump in and look at how some of these tools are applied in various types of operations.
Manufacturing
An automotive manufacturer wanting to reduce risks in their assembly line for airbag inflators decides to conduct a process FMEA, or PFMEA, to identify failure modes like:
- Incorrect module insertion due to misalignment
- Loose housing caused by improper torque during handling
- Missing quality checks for pressure testing
Each failure mode is evaluated based on severity, occurrence, and detection, with misalignment of modules scoring the highest RPN due to potentially catastrophic airbag deployment failures. As a result, the manufacturer adds new controls that include:
- Using alignment jigs to ensure proper module placement
- Introducing torque monitoring tools to validate housing assembly
- Adding plant floor checks to ensure compliance with pressure testing standards
After implementing the controls, the team updates the FMEA to confirm that the severity, occurrence, and detection ratings have improved.
Energy
An oil and gas company with offshore drilling operations decides to use a bowtie analysis to mitigate the risk of an oil spill from a subsea pipeline rupture. The company identifies several threats that could cause such a rupture, including:
- Pipeline corrosion
- Damage from ship anchors
- Pressure fluctuations during operations
From there, the company implements preventive barriers for each threat, including:
- Deploying pipeline coatings and regular corrosion monitoring
- Establishing no-anchoring zones monitored by marine traffic control to prevent anchor strikes
- Installing real-time pressure monitoring systems for early detection of any anomalous pressure fluctuations in the pipeline
Looking at potential consequences such as environmental impacts and health and safety risks, the company then adds mitigative barriers to reduce the severity of those consequences, including:
- Subsea shutoff valves to quickly isolate the affected section of pipeline
- Emergency response plans with pre-staged containment booms and dispersants
- Conducting regular oil spill response drills to ensure rapid deployment of mitigation tools
Construction
A construction company plans to use a tower crane to lift heavy steel beams on a high-rise project. The team uses a risk matrix to identify and evaluate possible risks during crane operation, like:
- Overloading the frame
- High winds
- Falling materials
Assessing each risk based on likelihood and impact, the company determines that overloading is both likely and severe, placing it in the unacceptable risk zone. To mitigate the risk, the company installs load sensors to monitor weight and trains operators on maximum limits.
To address the intermediate risk presented by high winds and falling materials, they implement additional measures like:
- Monitoring weather forecasts
- Suspending operations when winds exceed predetermined thresholds
- Adding safety nets around the lifting zone
- Adding new checks to ensure loads are properly secured
Managing and Communicating Risk
All of the scenarios above underscore the importance of communication in risk management, which is also the focus of Clause 6.2 of ISO 31000. Goals here include:
- Developing robust training so that employees understand the hazards inherent in their daily work
- Communicating with key stakeholders about the risk management strategy and soliciting their feedback
- Tailoring communications to the specific needs of different stakeholder groups
- Providing risk information in a timely, accurate, and easily digestible format to promote informed decision-making
- Creating a culture of openness where people are encouraged to report hazards
Monitoring Risk on the Plant Floor
Communication is essential to fostering a risk-aware culture, but the above steps alone are not enough. Ongoing monitoring is also critical, not just for identifying instances of non-compliance but also for communicating that management takes risk seriously.
As the saying goes, people respect what you inspect. Adding plant floor checks such as layered process audits (LPAs) is a key example, providing multiple opportunities daily to emphasize key risks and engage operators in the risk management process.
And while control activities like these are powerful, they’re not immune to their own sets of risk. Without the right tools, activities that mitigate risk get skipped, issues get overlooked, and management gets bogged down in paperwork, slowing the organization’s ability to effectively respond.
Plant floor audit software like EASE makes the process simpler. It facilitates frequent checks of known risks, ongoing LPA checklist updates, and closed-loop issues management to mitigate risk and drive accountability.
Risk analysis is a core component of risk management, but it’s important to remember it’s still just one part of the overall process. Identifying hazards, verifying corrective actions on the plant floor, and workforce engagement are also critical to ensuring you close the loop on risk and foster a risk-aware culture.