The risk analysis process involves developing a clear understanding of the level and nature of each risk identified. Risk analysis informs decisions on whether additional treatment is required and what strategies will be most appropriate and cost-effective to implement. Risk analysis incorporates consideration of the sources of risk, the potential consequences should the risk be realised and likelihood those consequences will occur. The level of each risk is defined by combining the consequences and likelihood to establish a risk rating.

Risk analysis may be undertaken using qualitative risk analysis, quantitative risk analysis or semi-quantitative risk analysis. Detailed information on each method of risk analysis and their associated processes can be found within the Risk Management Guidelines - Companion to AS/NZS 4360:2004.

Consequences and likelihood

Similar to the risk identification process, the use of reliable information is used to inform the risk analysis of consequence and likelihood. The magnitude and severity of consequences, should a risk be realised and the likelihood of the event occurring and its associated consequences, are analysed in the context of the effectiveness of existing risk controls.

A rating is assigned to the consequences and likelihood of each risk to establish a risk rating. The overall level of risk supports establishment of risk treatment priorities and informs development of risk treatment options.

Uncertainty of risk

Uncertainty is inherent in risk. Even when robust risk management is in place, uncertainty around some risks can prevail. Such uncertainty can be characterised by the fact that:

"We don't know what we don't know".

There are ways to deal with uncertainty and variability, including sourcing additional information where uncertainty prevails.  However, in some circumstances it will not be possible to resolve such uncertainty.