Project Management

Project Risk Qualitative Analysis

There are two cycles of analysis that can be done on risks after they have been identified before Risk Planning occurs. The first is Qualitative Risk Analysis which includes methods for prioritizing the identified risks for further action, such as Quantitative Risk Analysis or Risk Response Planning. Organizations can improve the project’s performance effectively by focusing on high-priority risks.


Qualitative Risk Analysis assesses the priority of identified risks using their probability of occurring, the corresponding impact on project objectives if the risks do occur, as well as other factors such as the time frame and risk tolerance of the project constraints of cost, schedule, scope, and quality. Stakeholder risk tolerances must be taken into account in this phase. Everyone knows that if you change one side of the triple constraint triangle (cost, schedule and scope/quality), then one of the other factors change. For example, if you add to the scope, either cost (hiring more engineers) or schedule will change. As the Project Manager, it is vital that you know which one of these factors drive the Stakeholders. It may be time to market (schedule), cost or functionality (scope/quality).


Definitions of the levels of probability and impact, and expert interviewing, can help to correct biases that are often present in the data used in this process. The time criticality of risk-related actions may magnify the importance of a risk. An evaluation of the quality of the available information on project risks also helps understand the assessment of the risk’s importance to the project.


Qualitative Risk Analysis is usually a rapid and cost-effective means of establishing priorities for Risk Response Planning, and lays the foundation for Quantitative Risk Analysis (a much more rigorous and expensive process)  if this is required. Qualitative Risk Analysis should be revisited during the project’s life cycle to stay current with changes in the project risks.


Qualitative Risk Analysis requires outputs of the Risk Management Planning and Risk Identification processes. This process can lead into Quantitative Risk Analysis or directly into Risk Response Planning.


Risk Probability and Impact Assessment

Risk probability assessment investigates the likelihood that each specific risk will occur. Risk impact assessment investigates the potential effect on a project objective such as time, cost, scope, or quality, including both negative effects for threats and positive effects for opportunities.


Probability and impact are assessed for each identified risk. Risks can be assessed in interviews or meetings with participants selected for their familiarity with the risk categories on the agenda. Project team members and, perhaps, knowledgeable persons from outside the project, are included. Expert judgment is required, since there may be little information on risks from the organization’s database of past projects. Using outside experts to help in the assessment is very helpful since they are experts and they are not as biased as the project team. I have found this technique to be very useful.


The level of probability for each risk and its impact on each objective is evaluated during the interview or meeting. Explanatory detail, including assumptions justifying the levels assigned, is also recorded. Risk probabilities and impacts are rated according to the definitions given in the risk management plan. Sometimes, risks with obviously low ratings of probability and impact will not be rated, but will be included on a watch-list for future monitoring.


Probability and Impact Matrix

Risks can be prioritized for further quantitative analysis and response, based on their risk rating. Ratings are assigned to risks based on their assessed probability and impact. Evaluation of each risk’s importance and, hence, priority for attention is typically conducted using a look-up table or a probability and impact matrix. Such a matrix specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority.


Descriptive terms or numeric values can be used, depending on organizational preference. The organization should determine which combinations of probability and impact result in a classification of high risk, moderate risk and low risk.


Usually, these risk rating rules are specified by the organization in advance of the project, and included in organizational process assets. Risk rating rules can be tailored in the Risk Management Planning process to the specific project.


An organization can rate a risk separately for each objective (e.g., cost, time, and scope). In addition, it can develop ways to determine one overall rating for each risk. Finally, opportunities and threats can be handled in the same matrix using definitions of the different levels of impact that are appropriate for each.


The risk score helps guide risk responses. For example, risks that have a negative impact on objectives if they occur (threats), and that are in the high-risk zone of the matrix, may require priority action and aggressive response strategies. Threats in the low-risk zone may not require proactive management action beyond being placed on a watch list or adding a contingency reserve.


Similarly for opportunities, those in the high-risk zone that can be obtained most easily and offer the greatest benefit should, therefore, be targeted first. Opportunities in the low-risk zone should be monitored. Earned Monetary Value (EMV) is a good technique to use here.


Risk Data Quality Assessment

A qualitative risk analysis requires accurate and unbiased data if it is to be credible. Analysis of the quality of risk data is a technique to evaluate the degree to which the data about risks is useful for risk management. It involves examining the degree to which the risk is understood and the accuracy, quality, reliability, and integrity of the data about the risk.

The use of low-quality risk data may lead to a qualitative risk analysis of little use to the project. If data quality is unacceptable, it may be necessary to gather better data.


Risk Categorization

Risks to the project can be categorized by sources of risk (e.g., using the RBS), the area of the project affected (e.g., using the WBS), or other useful category (e.g., project phase) to determine areas of the project most exposed to the effects of uncertainty. Grouping risks by common root causes can lead to developing effective risk responses.


Risk Urgency Assessment

Risks requiring near-term responses may be considered more urgent to address. Indicators of priority can include time to affect a risk response, symptoms and warning signs, and the risk rating.



October 14, 2008 - Posted by | PMP, Risk Management | , ,


  1. Great post, Donna. 🙂

    Data Quality is often overlooked as a project (or business) risk and you do well to point out its importance in this context. Completing a thorough data quality assessment should be an important milestone on any project that is dependent on complete and accurate information.

    Comment by Steve Tuck | October 20, 2008 | Reply

  2. Thank you so much and I greee with you. Great minds thing a lot!

    Peace, Donna

    Comment by Donna Ritter | October 21, 2008 | Reply

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: