Using Qualitative Risk Analysis

Qualitative risk “qualifies” the risks that have been identified in the project. Specifically, qualitative risk analysis examines and prioritizes the risks based on their probability of occurring and the impact on the project if the risks did occur. Qualitative risk analysis is a broad approach to ranking risks by priority, which then guides the risk reaction process.

The end result of qualitative risk analysis (once risks have been identified and prioritized) can lead to more in-depth quantitative risk analysis, or move directly into risk response planning.

Exam Watch

When you think of “qualitative,” think of qualifying. You are qualifying, or justifying, the seriousness of the risk for further analysis. Some PMP candidates like to remember that qualitative is a list. The “L” in qualitative and list ties the two together.

Preparing for Qualitative Risk Analysis

The risk management plan is the first input to qualitative risk analysis. The plan will dictate the process, the methodologies to be used, and the scoring model for identified risks. In addition to the risk management plan, the identified risks, obviously, will be needed to perform an analysis. These are the risks that will be scored and ranked based on their probability and impact. Figure 11-3 demonstrates all of the inputs to qualitative risk analysis.

Figure 11-3: Many factors contribute to qualitative risk analysis.

The status of the project will also affect the process of qualitative risk analysis. Early in the project, there may be several risks that have not yet surfaced. Later in the project, new risks may become evident and need to pass through qualitative analysis. The status of the project is linked to the available time needed to analyze and study the risks. There may be more time early in the project, while a looming deadline near the project’s end may create a sense of urgency to find a solution for the newly identified risks.

The project type also has some bearing in the process. A project that has never been done before, such as the installation of a new technology has more uncertainty than projects that have been done over and over within an organization. Recurring projects have historical information to rely on, while first-time projects have limited resources to build a risk hypothesis upon.

All risks are based upon some belief, proof, and data. The accuracy and source of the data must be evaluated to determine the level of confidence in the identified risks. A hunch that an element is a risk is not as reliable as measured statistics, historical information, or expert knowledge that an element is a risk. The data precision is in proportion to the reality of the risk.

Prior to the risk analysis, a pre-determined scale of probability and impact must be in place. There are multiple scales a project manager can elect to use, but generally these should be in alignment with the risk management plan. If the performing organization has a risk management model, the scale identified by the performing organization should be used. (We’ll discuss the scale values in the next section.)

Finally, the assumptions used in the project must be revisited. During the risk identification process, the project team identified and documented the assumptions used within the project. These assumptions will be evaluated as risks to the project success.