This technique is about identifying, analyzing, and evaluating risks that exist within the scope of an initiative. This includes defining and agreeing on controls for risks that do not yet have any controls in place.

The steps in risk analysis and management include identifying the risks and recording them in a risk register. Once a risk is identified, it is analyzed in terms of its impact level on a variety of aspects, such as (but not limited to) the scope, quality, cost, effort, duration, reputation, and social responsibility. 

Risks are prioritized based on their level of impact and can be expressed in terms of a function of probability and its impact. 

Risks are then evaluated by comparing the risk analysis results with the potential value of the solution implemented. Then, the team has to decide how to treat the risk. Here are some common solution options to consider: 

• Avoid the risk: Change plans to avoid the risk completely or remove the source of the risk.
• Transfer the risk: The liability of the risk is either shared or moved to a third party.
• Mitigate the risk: Actions can be taken to reduce the probability of the risk occurring.
• Accept the risk: This is a decision to accept the risk as it stands. If it occurs, the project will find a solution.
• Increase the risk: A decision is made to increase the risk in order to increase an opportunity.

Every organization has its own variation of these treatment options and the business analyst should bear this in mind in order to work effectively.