Qualitative risk analysis

As the project manager you cannot deal with all the risks that are identified, or every minute of the day would be spent assessing and planning for risks. The first step is to apply a sift process to label the more important risks to be addressed. This is best achieved by completing some form of subjective analysis for each identified risk. The task therefore involves assessing each risk against an agreed scale of probability and impact, such as low, medium or high. Figure 11.3 shows the inputs, tools and techniques and the sole output (in fact a revision to one of the inputs, the risk register) of the qualitative risk analysis process. Once the qualitative risk analysis has been completed, this information can be used to start the quantitative risk analysis (see below), if this stage of the process is required. The quality of the information being used can distort the results, so the assumptions made do need to be clear, because they can alter the assessment process. Information gained during the interviewing process can be useful in maintaining an unbiased approach to the assessed data. The specification quoted for the level of impact and probability is defined, therefore an increase in its score cannot occur just because the issue is close to the project manager's heart.

This level of analysis is useful because it allows your project to be compared to other projects. The outputs can also lead to your project being selected ahead of others. For an ongoing project, the analysis can be used to give reason for the continued support of the project, or it can justify why the project should be terminated. The information produced at this stage can also be used as an input to the quantitative risk analysis, covered later in this chapter.

Probability/impact matrix

Each risk can be plotted on a risk rating matrix which plots the assessed severity of impact against its probability, so the higher the rating the more important a response is required (Table 11.2). The need to standardize the matrix within an organization is important because the task of risk rating becomes a more repeatable process across all projects. The other benefit of standardization means that people moving between projects will see the same application and layout wherever they are. Standardization is the goal, but there may be a need to adapt the matrix due to the specific nature of the project. If the tolerance threshold is different for elements contained in the 'triple constraint', then a separate risk matrix for scope, cost and time will be needed to cater for their varying level of importance.

Risk data quality assessment

To ensure the analysis is correct, the data being used must be as consistent and true as possible. The key question to ask is how confident are you about the accuracy of the data. If you are unsure about the quality of the data, the next action must involve digging below the surface to find out more. Once you are content that you have the right information, you are then able to complete the qualitative assessment. Before starting the assessment process, each risk must be able to provide the answers to the following questions about the data quality:

• What level of understanding is there about each risk?

• What is the availability of the data for each risk?

• What is the quality of the data?

• What is the accuracy and consistency of the data?

Risk categorization

Rather than having an overall prospective of the level of risk, you would prefer to know where the majority of the risk is located and what work could be affected. Categorizing the risk means that more definition is provided to aid the project manager in the task. Once it is known where much of the risk resides, risk response planning can use this information to remove a number of risks by eliminating a root cause.

Risk urgency assessment

Certain risks that are identified could pose an immediate threat to your project if early action is not taken to resolve the problem. As an example, if a component requires a long lead time and is needed early in the project, the urgency to start the procurement process to source the item is high. This risk is assessed as urgent, therefore a quick response is necessary to avoid your head being on the block. If an urgent risk is detected during the qualitative risk analysis, the issue should be fast-tracked so the response is quickly planned, developed and implemented to meet the project deadlines.

Outputs of qualitative risk analysis risk register

The initial risk register produced after completion of risk identification must be updated to include the following outputs from the qualitative risk analysis:

• Compare the risk ranking of your project against other projects. The output can be reassessed after completing risk response planning.

• Place risks in priority order.

• Group risks by categories.

• Identify risks shortly requiring additional analysis.

• Identify risks to be taken forward for quantitative risk analysis and response planning.

• Document non-critical risks within the watchlist and review at regular stages during risk monitoring and control.

• Risk trends can be identified if the qualitative risk analysis is redone during the planning process group, or when the project is underway.