As the project manager you cannot deal with all the risks that are identified, or every minute of the day would be spent assessing and planning for risks. The first step is to apply a sift process to label the more important risks to be addressed. This is best achieved by completing some form of subjective analysis for each identified risk. The task therefore involves assessing each risk against an agreed scale of probability and impact, such as low, medium or high. Figure 11.3 shows the inputs, tools and techniques and the sole output (in fact a revision to one of the inputs, the risk register) of the qualitative risk analysis process. Once the qualitative risk analysis has been completed, this information can be used to start the quantitative risk analysis (see below), if this stage of the process is required. The quality of the information being used can distort the results, so the assumptions made do need to be clear, because they can alter the assessment process. Information gained during the interviewing process can be useful in maintaining an unbiased approach to the assessed data. The specification quoted for the level of impact and probability is defined, therefore an increase in its score cannot occur just because the issue is close to the project manager's heart.
Figure 11.3. The qualitative risk analysis process
The scope statement should not be forgotten as an input here. In the enthusiasm to manage risks carefully, it can be easy to forget that some of the risk may fall outside scope. The main way in which the risk register is updated as a result of this process is with more descriptive detail (i.e. qualitative detail) about the nature of each risk. Risks were identified in the previous process, but identification does not necessarily mean reaching a full enough understanding of each risk to enable it to be properly managed. Qualitative risk analysis is the first step in reaching that state, and quantitative analysis the next. Adapted from PMBOK Guide (p.250)
This level of analysis is useful because it allows your project to be compared to other projects. The outputs can also lead to your project being selected ahead of others. For an ongoing project, the analysis can be used to give reason for the continued support of the project, or it can justify why the project should be terminated. The information produced at this stage can also be used as an input to the quantitative risk analysis, covered later in this chapter.
Each risk can be plotted on a risk rating matrix which plots the assessed severity of impact against its probability, so the higher the rating the more important a response is required (Table 11.2). The need to standardize the matrix within an organization is important because the task of risk rating becomes a more repeatable process across all projects. The other benefit of standardization means that people moving between projects will see the same application and layout wherever they are. Standardization is the goal, but there may be a need to adapt the matrix due to the specific nature of the project. If the tolerance threshold is different for elements contained in the 'triple constraint', then a separate risk matrix for scope, cost and time will be needed to cater for their varying level of importance.
Risk data quality assessment
To ensure the analysis is correct, the data being used must be as consistent and true as possible. The key question to ask is how confident are you about the accuracy of the data. If you are unsure about the quality of the data, the next action must involve digging below the surface to find out more. Once you are content that you have the right information, you are then able to complete the qualitative assessment. Before starting the assessment process, each risk must be able to provide the answers to the following questions about the data quality:
Rather than having an overall prospective of the level of risk, you would prefer to know where the majority of the risk is located and what work could be affected. Categorizing the risk means that more definition is provided to aid the project manager in the task. Once it is known where much of the risk resides, risk response planning can use this information to remove a number of risks by eliminating a root cause.
Risk urgency assessment
Certain risks that are identified could pose an immediate threat to your project if early action is not taken to resolve the problem. As an example, if a component requires a long lead time and is needed early in the project, the urgency to start the procurement process to source the item is high. This risk is assessed as urgent, therefore a quick response is necessary to avoid your head being on the block. If an urgent risk is detected during the qualitative risk analysis, the issue should be fast-tracked so the response is quickly planned, developed and implemented to meet the project deadlines.
Outputs of qualitative risk analysis risk register
The initial risk register produced after completion of risk identification must be updated to include the following outputs from the qualitative risk analysis:
Top of Page