How to Actually Perform a Qualitative Risk Analysis

Learn to do the right things faster by setting your project priorities

In his book Eat That Frog, Brian Tracy said, “The more thought you invest in planning and setting priorities before you begin, the more important things you will do and the faster you will get them done once you get started.” So, how can you set project priorities, not only at the beginning but as you progress through your projects? Project managers can use the qualitative risk analysis process to evaluate risks and determine where to invest their time.

Let’s start with a clear definition of risk.

What is Risk?

The concept of risk is confusing to many people. So, let’s review its definition. The Project Management Body of Knowledge (PMBOK) defines an individual risk as “an uncertain event or condition, that if it occurs, has a positive or negative effect on one or more project objectives.”

Let’s break this down a bit more.

Notice that risks are uncertain events or conditions. That is to say, a key attribute of risk is uncertainty. Think in terms of things that may or may not happen in the future.

Next, consider that the uncertainty may have a positive or negative effect. In every project, there are opportunities that we can exploit, enhance, and share. There are also threats that we can avoid, mitigate, and transfer.

Lastly, risks can affect one or more project objectives such as schedule, budget, scope, and quality. Effective risk management always focuses on achieving the project objectives–the result to be obtained.

Now that we understand risk, let’s turn our attention to evaluating risks.

Want to know how to identify risks? Read my post: How to Actually Identify Project Risks.

Why Evaluate Risks?

Project managers and teams must deal with competing demands. There is often more work to be done than there is time. Therefore, we must prioritize our work.

Here’s the bottom line:

The goal of evaluating risks is to discriminate between one risk and another. Then we can determine the time and budget to invest in responding to our risks.

With many risks, we will choose to do nothing. The probability and impact are not great enough to merit a response (more on this later). Thus, we simply accept the risk.

A common question at this point is whether we should perform qualitative or quantitative risk analysis.

The Difference Between Qualitative and Quantitative Risk Analysis

Project managers should always perform qualitative risk analysis, which is quicker than quantitative risk analysis. Quantitative risk analysis is optional but merited in some cases.

When should you perform quantitative risk analysis? When you need to quantify the risks and understand the risks at a deeper level. Think of a physical health exam. The doctor may ask you questions (qualitative analysis), but he or she may also choose to do blood work (quantitative analysis) to get a deeper understanding of what’s going on.

When we quantify a risk, we might say something like:

There is a 10% probability of a design defect causing $12,000 of rework.

This numeric analysis is different than just saying the risk is medium or the risk has a risk score of 10. See the difference?

Another good reason to quantify risks is to develop a contingency reserve for known/unknown risks (the risk is known but the impact is unknown).

Here’s a simple chart showing the differences:

| Qualitative Risk Analysis | Quantitative Risk Analysis |
|---|---|
| Should always be performed | Optional |
| Subjective | Objective/Numeric |
| Quick | Takes more time |
| | Provides more in-depth information about the probability of completing the project on schedule and within budget |
| | Need to develop a contingency reserve |

How to Perform a Qualitative Risk Analysis

There are several ways to perform qualitative risk analysis. These techniques require varying degrees of discipline and time.

For small projects, project managers can use what I call the KISS (Keep It Super Simple) Method. This one-dimensional technique involves rating risks as:

  • Very Low
  • Low
  • Medium
  • High
  • Very High

A more common method is the probability/impact matrix. This two-dimensional technique is used to rate probability and impact. Probability is the likelihood that a risk will occur.

The impact is the consequence or effect of the risk, normally associated with the project objectives such as schedule, cost, scope, and quality.

Rate probability and impact on a scale such as 1 to 5 where 5 is the highest probability and impact. Then we multiply probability times the impact to calculate our risk score. For example, we could rate a risk as a probability of 4 and an impact of 3. The risk score would be: 4 x 3 = 12.

The scale may be applied to both threats and opportunities. Higher risk scores for threats indicate negative impacts such as adverse impacts on the schedule or budget. And higher risk scores for opportunities indicate positive impacts such as a reduction in the schedule or budget.

You might be wondering: What do I do with the results?

Using Risk Scores to Set Priorities

Here’s where the prioritization comes into play. Consider the following risks:

| Risk | Probability | Impact | Risk Score |
|---|---|---|---|
| A | 2 | 4 | 8 |
| B | 5 | 5 | 25 |
| C | 4 | 5 | 20 |
| D | 3 | 4 | 12 |
| E | 4 | 4 | 16 |
| F | 3 | 3 | 9 |

Which risks are greatest? Let’s sort the table in descending order on the risk score.

| Risk | Probability | Impact | Risk Score |
|---|---|---|---|
| B | 5 | 5 | 25 |
| C | 4 | 5 | 20 |
| E | 4 | 4 | 16 |
| D | 3 | 4 | 12 |
| F | 3 | 3 | 9 |
| A | 2 | 4 | 8 |

Remember what we said earlier? We often choose to accept many of our risks. It’s important to understand that a response should not be made to every risk, only those that are most significant.

In this example, we could set the risk threshold at 16. Thus, we would create response plans, including contingency plans where needed, for the risks with a score of 16 or greater (urgent risks).

What about the other risks? We will watch these risks. It’s possible that the probability and impact could increase at a future time, raising the risk score to 16 or higher and requiring a response.

Now: Let’s talk about who evaluates risks.

Who Are Your Risk Owners?

Project managers own the process for analyzing risks, not the risks themselves. Hear me clearly–risk owners should evaluate risks. Who are risk owners?

A risk owner is an individual, typically a subject matter expert, who is responsible for evaluating the risk, developing response plans, monitoring the risk, and executing risk responses when necessary. The risk owner may engage others in the evaluation process.

When Should You Perform Qualitative Risk Analysis?

Project managers should facilitate the risk evaluation processes early in their projects. Throughout the project, risk reviews should be conducted. Current risks are reviewed again and new risks are identified and analyzed.

Read my article: Five Ways to Reduce Risk Exposure Early

Risk Analysis in an Agile World

For all projects including agile projects, the overall risks–the effect of uncertainty on the project as a whole–should be identified early. Individual risks should also be identified.

Before each iteration of an agile project, the project manager and team should review the completed sprints and identify and evaluate risks for the next sprint. If the project were a software development project, we would identify risks related to things such as requirements/user stories, development/configuration, and testing. Hence, we would be able to continually prioritize our risks.
