In the most basic form of risk analysis you look at risk and severity and use them together to identify the steps you should take to either mitigate the risk or prepare for the occurrence.
Basically it's the following steps.
• Identify Risk: “What could go wrong?”
• Analyse Risk: “What is the likelihood of this happening, and what’s the impact?”
• Plan Risk Response: “What do I need to do about it?” (This is what I can do to prevent the risk from occurring.)
• Monitor and Control Risk: “How is the risk changing?” (is it growing, lessening, or staying the same over time)
• Execute Contingency Plan: “What do we do if the risk happens anyway?” (this is what I do if my plan to prevent the risk didn't work or if it is something I have no ability to control)
It's very useful to list the risks and then give a weighted value by multiplying the the likelihood and the impact to get a risk factor. I like to use a 1 - 3 - 5 scale. Where for likely-hood 1 is not likely to occur, 3 is somewhat likely to occur, 5 is almost certainly going to occur. For severity 1 is not severe at all, 3 - somewhat severe, 5 - severe.
Those items with the highest risk factors should be addressed first. In many cases there is nothing you can do to change the likely-hood of an event, you can only have a contingency plan. For example if I have an office building in the midwest there is nothing I can do to prevent a tornado from hitting it but I should have a plan in place for what I will do if one does hit it.
Statistics come in when I'm looking at establishing what bucket to classify a risk into. Statistics are great for predicting the behavior of groups of a type of event but not individual occurrences. They let me make some very educated guesses about an individual occurrence but the larger the group I am describing the more accurate my prediction can be. For example (and I'm making up the numbers) if analysis shows that out of 1,000,000 armed assaults where the victim was armed they only had to actually shoot the aggressor 20% of the time and that only 1% of those shootings was fatal I cannot tell you which percentage an armed assault you are involved in will fall into. What I could tell you is that if you were involved in an armed assault you are 4x more likely to not have to shoot as to shoot and you are very unlikely to kill the attacker if you do have to shoot.