Qualitative risk analysis boosts the chances for project success dramatically. If I were to choose one thing to improve in my project management – it would be it.
Why? I honestly believe that this risk analysis in more than enough for small and medium projects.
Qualitative Risk Analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
Confusing a bit, don’t you think?
Skip it for now. The qualitative risk analysis process is quite simple.
It does not require much specific knowledge.
Moreover, it requires an adequate amount of efforts.
On the other hand, benefits are worthy:
- The Project Manager will have a focus on the problems that crucial for project success.
- The team is encouraged to share their concerns and fears rather than hiding them into the buffered estimates.
- The qualitative risk analysis process creates engagement opportunities for stakeholders.
- A project gets more transparency of threats and opportunities.
In this article, you will learn everything you need to know about qualitative risk analysis.
But here’s the catch:
Your risk management efforts are as good as each separate component. That’s why I’m also going to share my Special Resource Guide here:
Project Risk Management Overview
If you are not super proficient with Risk Management in general check this video first.
It will give you an overview of the Risk Management Framework and the place of Qualitative Risk Analysis.
Risk Management Definitions we Need to Know
Before we get into details of risk analysis, we need to clarify several other definitions.
First of all, what is a Risk?
A risk is an event that was identified in advance that may or may not happen.
If this event has an adverse effect on the project – it is a Threat.
When it has a positive effect – it is an Opportunity.
It is important to understand:
A project manager must work with both types of risks. He or she must protect the project from threats. Likewise, one must take advantage of opportunities.
Here is an example of threats and opportunities:
You know that one of the key experts on your project is going to leave the company soon.
It is a threat.
For sure, you need to reduce the negative effects of his leaving.
For example, you can try to get a substitution in advance to ensure knowledge transfer.
On the other hand, you can try to look for opportunities here!
Such an unfortunate even many help you to force your management to find you a better expert.
Therefore, it is a good idea always to be informed of the resources that will be released soon. You may try to secure their acquirement in advance.
Risk Appetites, Risk Tolerance, Risk Threshold
Now, some characteristics describe the attitude of Stakeholders towards risks:
Risk Appetites is a general and subjective description of an acceptable risk level.
Risk Tolerance is a measurable and specific level of risk.
Risk Threshold is a particular point at which risks become unacceptable.
For example, the customer or sponsor may state that the budget is limited.
However, we do not have any strict deadlines.
It means that risk appetites for costs are low, while the schedule may take a higher level of risks.
On the other hand, they may say that we can take up to 10000 dollars of risks. That is their tolerance for risks to budget.
Also if they say that we can not accept risks on more than 10000 dollars. That will be the risk threshold.
It is important to know these levels for sure.
It is wise to find out these values directly from stakeholders.
Why do you need them?
Knowing these characteristics will help you:
- To define a correct Risk Management approach.
- Prioritize and escalate certain risks.
- To develop an effective risk response strategy.
We will discuss this point in a later post.
Impact and Probability
Let me now interpret the PMBOK® Guide’s definition.
Qualitative risk analysis is the process of grading each risk in terms of its probability and impact using a predefined ranking system.
Based on the results of the grading, a project manager can perform analysis to prioritize risks and develop action plans (Risk Response Plans).
The impact is a level of effect that risk will have on the project.
From the definition of a risk, it may be positive or negative.
Probability is a level of likelihood of occurrence of the risk.
The first problem for the analysis is to define the ranking system for impact and probability.
You can represent the system as a simple spreadsheet.
However, it should meet the following criteria:
- Should be aligned with the project management approach.
- Should be brought into line with internal policies and procedures. At least for the purpose of communication and reporting.
- Should be clearly understood by stakeholders in the same way.
You can find examples of impact and probability interpretations on the Internet. Moreover, I will share some below.
However, I strongly recommend you to refer to them as a starting point only.
I suggest you take some time to develop the interpretations that are aligned with your organizational environment.
Here is an example of Impact Interpretation Map:
The Probability Interpretation Map is even more simplistic:
Qualitative Risk Analysis Matrix
There are different names for this chart. Impact/Probability Matrix, Qualitative Risk Analysis Matrix, or just Risk Matrix.
All of these names refer to the following:
Taking into account your Impact and Probability Interpretations and values of Risk Appetites, Tolerance, and Threshold you can mark with:
Red – risks that warrant a response.
Yellow – risks that require further analysis and investigation.
Green – risks that can be ignored.
Qualitative Risk Analysis Process
Now let us put it all together.
The process is quite simple:
- Put all identified risks into the Risk Register. Also, I do suggest that you first perform the risk identification process separately.
- Using impact and probability ranks, evaluate each risk. Write them down into the Risk Register.
- Prioritize the list of risks.
- Analyze the list for the required outputs. See the next point below.
When does this happen?
In general, the analysis can occur at any moment.
You can work with any amount of known risks. Nevertheless, in real-life projects, I would define the next moments.
During project initiation. Usually is an analysis of known risks on a high level to ensure feasibility.
During the planning phase. There should be one or several sessions where the bulk of analysis happens. Here you work with the long list of identified risks, in all details, and this is the part of your project planning efforts.
It may include an analysis of separate deliverables or the project plan in general.
During project execution. After your project kicks off, there will be changes. You need to analyze their impact in regard to risks.
Moreover, you must also periodically reassess known risks.
Who should be involved?
You. Some risks impact project management. Here you are the key expert. However, even so, I would recommend consulting with your peers.
Separate Stakeholders. In some cases, it is efficient to analyze some specific risks one on one.
Expert Groups. Most of the time you will work with a group of dedicated people who possess the best expertise.
Whole Project Team. If the size of the team allows, it may be beneficial to involve the whole team. At least to collect additional points of view.
As you can see in most cases, you need to arrange interviews, meetings, and brainstorming sessions.
Therefore, keep in mind the rules of productive meetings.
The outputs of Risk Analysis
What should you get in the end?
Here are the main qualitative risk analysis outputs:
- A prioritized list of risks. Your Risk Register should clearly communicate which risks should be dealt with.
- List of risks grouped by categories. By grouping risks, you get an opportunity to identify major root causes of problems. Therefore, you may find a universal solution for them. Alternatively, address the cause in the first place.
- List of risks for additional analysis and investigation. In some cases, you will not have all the required expertise at hand. So, you will not be able to assess the risk correctly. Therefore, you will need additional consultation on the risks.
- List of urgent risks. Some serious risks may require immediate action. Otherwise, they may cause a severe impact on the project that has not even started yet.
- Watch List is a list of risks that you need to keep an eye on. They do not require a response now. However, they might cause problems in the future.
As you can see the qualitative risk analysis is simple.
Nevertheless, it gives you focus on the important risks of your project.
On the other hand, it removes uncertainty in planning as you will allocate resources for the evaluated threats and opportunities.
I also recommend to read:
- Featured Article: How to Become an IT Project Manager Without Experience
- Next in the series: How to Perform Qualitative Risk Analysis for the First Time
- Previous in the series: 43 Important Risk Categories for Effective Risk Identification
Test Yourself in Risk Management
Do you think you know enough about Project Risk Management?
Take this short quiz and identify gaps in your knowledge.
In the end, I provide correct answers and explanations.