In his book Eat That Frog, Brian Tracy said, “The more thought you invest in planning and setting priorities before you begin, the more important things you will do and the faster you will get them done once you get started.” So, how can you set project priorities, not only at the beginning but as you progress through your projects? After identifying risks, project managers can use the qualitative risk analysis process to evaluate risks and determine where to invest their time.
What is Qualitative Risk Analysis?
"The consideration of a range of characteristics such as probability of occurrence, degree of impact on the objectives, manageability, timing of possible impacts, relationships with other risks, and common causes or effects." —PMI Standard for Risk Management in Portfolios, Programs, and Projects
What is Risk?
The concept of risk is confusing to many people. So, let’s review its definition. The Project Management Body of Knowledge (PMBOK) defines an individual risk as “an uncertain event or condition, that if it occurs, has a positive or negative effect on one or more project objectives.”
Let’s break this down a bit more.
Notice that risks are uncertain events or conditions. That is to say, a key attribute of risk is uncertainty. Think in terms of things that may or may not happen in the future.
Next, consider that the uncertainty may have a positive or negative effect. In every project, there are opportunities that we can exploit, enhance, and share. There are also threats that we can avoid, mitigate, and transfer.
Lastly, risks can affect one or more project objectives such as schedule, budget, scope, and quality. Effective risk management always focuses on achieving the project objectives–the result to be obtained.
Now that we understand risk, let’s turn our attention to evaluating risks.
Want to know how to identify risks? Read my post: How to Actually Identify Project Risks.
Take the
Qualitative Risk Analysis Course (FREE)
This FREE course has been developed to help individuals who are preparing for the PMI-RMP exam, individuals who are preparing for the project risk management portion of the PMP exam, and those who wish to apply qualitative risk analysis to prioritize project risks quickly and improve project success.
Why Perform Qualitative Risk Analysis?
Project managers and teams must deal with competing demands. There is often more work to be done than there is time. Therefore, we must prioritize our work.
Here’s the bottom line:
The goal of evaluating risks is to discriminate between one risk and another. Then we can determine the time and budget to invest in responding to our risks.
With many risks, we will choose to do nothing. The probability and impact are not great enough to merit a response (more on this later). Thus, we simply accept the risk.
A common question at this point is whether we should perform qualitative or quantitative risk analysis.
Qualitative Versus Quantitative Risk Analysis
Project managers should always perform qualitative risk analysis which is quicker than the quantitative risk analysis. Quantitative risk analysis is optional but merited in some cases.
When should you perform quantitative risk analysis? When you need to quantify the risks and understand the risks at a deeper level. Think of a physical health exam. The doctor may ask you simple questions (qualitative analysis), but he or she may also choose to do blood work (quantitative analysis) to get a deeper understanding of what’s going on.
When we quantify a risk, we might say something like:
There is a 10% probability of a design defect causing $12,000 of rework.
This numeric analysis is different than just saying the risk is medium or the risk has a risk score of 10. See the difference?
Another good reason to quantify risks is to develop a contingency reserve for known/unknown risks (the risk is known but the impact is unknown).
Difference Between Qualitative and Quantitative Risk Analysis
Qualitative
Quantitative
Qualitative Risk Analysis Process
There are several ways to perform a qualitative risk analysis. These techniques require varying degrees of discipline and time.
Simple Qualitative Risk Assessment
For small projects, project managers can use what I call the KISS (Keep It Super Simple) Method. This one-dimensional technique involves rating risks as:
- Very Low
- Low
- Medium
- High
- Very High
Probability and Impact Assessment
Rather, a more common method is the probability/impact assessment. This two-dimensional technique is used to rate probability and impact. Probability is the likelihood that a risk will occur.
The impact is the consequence or effect of the risk, normally associated with the project objectives such as schedule, cost, scope, and quality.
Rate probability and impact on a scale such as 1 to 5 where 5 is the highest probability and impact. Then we multiply probability times the impact to calculate our risk score. For example, we could rate a risk as a probability of 4 and an impact of 3. The risk score would be 4 x 3 = 12.
The scale may be applied to both threats and opportunities. Higher risk scores for threats indicate negative impacts such as adverse impacts on the schedule or budget. And higher risk scores for opportunities indicate positive impacts such as a reduction in the schedule or budget.
You might be wondering: What do I do with the results?
Using Risk Scores to Set Priorities
Here’s where the prioritization comes into play. Consider the following risks:
Risk | Probability | Impact | Risk Score |
A | 2 | 4 | 8 |
B | 5 | 5 | 25 |
C | 4 | 5 | 20 |
D | 3 | 4 | 12 |
E | 4 | 4 | 16 |
F | 3 | 3 | 9 |
Which risks are greatest? Let’s sort the table in descending order on the risk score.
Risk | Probability | Impact | Risk Score |
B | 5 | 5 | 25 |
C | 4 | 5 | 20 |
E | 4 | 4 | 16 |
D | 3 | 4 | 12 |
F | 3 | 3 | 9 |
A | 2 | 4 | 8 |
Remember what we said earlier? We often choose to accept many of our risks. It’s important to understand that a response should not be made to every risk, only those that are most significant.
In this example, we could set the risk threshold at 16. Thus, we would create response plans including contingency plans, where needed, for the risk with a score of 16 or greater (urgent risks).
What about the other risks? We will watch these risks. It’s possible that the probability and impact could increase at a future time, raising the risk score to 16 or higher and requiring a response.
Now: Let’s talk about who evaluates risks.
Who Are Your Risk Owners?
Project managers own the process for analyzing risks, not the risks themselves. Hear me clearly–risk owners should evaluate risks. Who are risk owners?
A risk owner is an individual–typically a subject matter expert– who is responsible for evaluating the risk, developing response plans, monitoring the risk, and executing risk responses when necessary. The risk owner may engage others in the evaluation process.
When Should You Perform Qualitative Risk Analysis?
Project managers should facilitate the risk evaluation processes early in their projects. Throughout the project, risk reviews should be conducted. Current risks are reviewed again and new risks are identified and analyzed.
Risk Analysis in an Agile World
For all projects including agile projects, the overall risks–the effect of uncertainty on the project as a whole–should be identified early. Individual risks should also be identified.
Before each iteration of an agile project, the project manager and team should review the completed sprints and identify and evaluate risks for the next sprint. If the project was a software development project, we would identify risks related to things such as requirements/user stories, development/configuration, and testing. Hence, we would be able to continually prioritize our risks.