The perform qualitative risk analysis process is shown as a picture below:
Input to Qualitative Risk Analysis
The Risk Register is a default input to this process. Apart from the risk register, the other inputs to this process are:
Project scope statement - When you are performing qualitative risk analysis, you want to know what kinds of risks you are dealing with. For example, are you already familiar with these risks? If your project is similar to previous projects, it might have well-understood risks. If it is a new and complex project, it might involve risks that are not well understood in your organization. So, how do you know what kind of project you are dealing with? Simply put, you have to take a look at the project scope statement and search for uncertainties.
Risk management plan - To generate the output of qualitative risk analysis, you will need the following elements of the risk management plan:
• Roles and responsibilities for performing risk management
• Definitions of probabilities and impacts
• The probability and impact matrices
• Risk categories
• Risk timing and scheduling
• Stakeholders’ risk tolerances
If any of these input items was not developed during risk management planning, it can be developed during qualitative analysis.
Risk register - The risk register contains the list of identified risks that will be the key input to the qualitative risk analysis. Updated risk categories and causes of risks can also be useful elements of the risk register, which can be used in the qualitative risk analysis.
Organizational process assets - While analyzing risks, you will make use of the risk-related components of the knowledge base from previous projects, such as data about risks and lessons learned. You can also look into risk databases that may be available from industry organizations and proprietary sources.
Tools and Techniques for Qualitative Risk Analysis
Prioritizing risks based on their probability of occurrence and their impact if they do occur is the central goal of qualitative risk analysis. Accordingly, most of the tools and techniques used involve estimating probability and impact.
Risk probability and impact assessment - Risk probability refers to the likelihood that a risk will occur, and impact refers to the effect the risk will have on a project objective if it occurs. The probability for each risk and the impact of each risk on project objectives, such as cost, quality, scope, and time, must be assessed. Note that probability and impact are assessed for each identified risk.
Methods used in making the probability and impact assessment include holding meetings, interviewing, considering expert judgment, and using an information base from previous projects.
A risk with a high probability might have a very low impact, and a risk with a low probability might have a very high impact. To prioritize the risks, you need to look at both probability and impact.
Assessment of the risk data quality - Qualitative risk analysis is performed to analyze the risk data to prioritize risks. However, before you do it, you must examine the risk data for its quality, which is crucial because the credibility of the results of qualitative risk analysis depend upon the quality of the risk data. If the quality of the risk data is found to be unacceptable, you might decide to gather better quality data. The technique to assess the risk data quality involves examining the accuracy, reliability, and integrity of the data and also examining how good that data is relevant to the specific risk and project for which it is being used.
Risk urgency assessment - This is a risk prioritization technique based on time urgency. For example, a risk that is going to occur now is more urgent to address than a risk that might occur a few months from now.
Probability and impact matrix - Risks need to be prioritized for quantitative analysis, response planning, or both. The prioritization can be performed by using a probability and impact matrix; a lookup table that can be used to rate a risk based on where it falls both on the probability scale and on the impact scale.
Look at the table below: RXY, where X and Y are integers that represent risks in the two-dimensional (probability and impact) space.
How to calculate the numerical scales for the probability and impact matrix and what they mean depends upon the project and the organization. However, remember the relative meaning: Higher value of a risk on the probability scale means greater likelihood of risk occurrence, and higher value on the impact scale means greater effect on the project objectives.
Each risk is rated (prioritized) according to the probability and the impact value assigned to it separately for each objective. Generally, you can divide the matrix in the table above into three areas; high-priority risks represented by higher numbers, such as R49, medium-priority risks represented by moderate numbers, such as R25, and low-priority risks represented by lower numbers, such as R12. However, each organization has to design its own risk score and risk threshold to guide the risk response plan.
Note that impact can be a threat (a negative effect) or an opportunity (a positive effect). You will have separate matrices for threats and opportunities. Threats in the high-priority area might require priority actions and aggressive responses. Also, you will want to capitalize on those opportunities in the high-priority area, which you can do with relatively little effort. Risks posing threats in the low-priority area might not need any response, but they must be kept on the watch list to ensure that you don't get any unwanted or unexpected surprises towards the end of the project.
Risk categorization - You defined the risk categories during the risk management planning and risk identification processes. Now you can assign the identified risks to those categories. You can also revisit the categorization scheme, such as RBS, that you developed for your project, because now you have more information about risks for the project. Categorizing risks by their causes often helps you develop effective risk responses.
Expert judgment - You may need expert judgment to assess the probability and impact of each risk. To find an expert, look for people who’ve had experience with similar projects in the not too distant past. While weighing the expert judgment, look for possible biases. Often experts are biased toward their area or idea.
Output of the Qualitative Risk Analysis: Updated Risk Register
The risk register was initiated during the Identify Risks process and is updated with the results from the qualitative risk analysis. The updates will be:
• Risks categorizations - This means arranging risks in different categories. This helps you identify the common root causes of the risks and the areas of the project that might require special attention. Furthermore, categorizing risks can bring order to a chaotic situation and makes the management of these risks easier and more effective.
• Prioritized list of risks - The risk register has lists of risks prioritized according to the probability and impact matrix discussed earlier in this article. A separate list can be created for each project objective, such as cost, quality, scope, and time. These lists help you prioritize efforts for preparing and executing risk responses. The risks may be ranked as high, medium, or low.
• Lists of risks - Using some criteria, you can make different lists of risks for effective management. Following are some examples:
o List of risks with time urgency - This list includes urgent risks that require attention now or in the near future.• Trends in the analysis results - By examining the results from the qualitative risk analysis, you might recognize a trend for specific risks. That trend might suggest further analysis or a specific risk response.
o Watch list of low-priority risks - This list contains risks that are deemed unimportant by the qualitative risk analysis but that need to be monitored continually.
o List of risks for additional analysis and response - This list includes risks that need further analysis, such as quantitative analysis or a response action.
The main output of qualitative risk analysis is the prioritization of risks based on a probability and impact matrix for each objective. So each objective can have its own prioritized list of risks.
Qualitative risk analysis is a relatively quick and cost-effective way to prioritize risks for risk planning. It also lays the groundwork for the quantitative risk analysis if one is required for some of the identified risks.
Prev: Analyzing Risks
Next: Performing Quantitative Analysis