Perform Qualitative Risk Analysis follows risk identification, and it prioritizes risks based on their likelihood of occurring and their potential impact on the project objectives.
Prioritization is needed because risk identification uncovers a large number of risks having at least some potential to influence project objectives.
However, many of those risks will be of such a low priority or have such a small impact that it isn't cost-effective to address them, so qualitative analysis allows the project team to focus on the most important risks.
The risk register provides the list of identified risks to be evaluated, and the risk management plan provides the details on how probability and impact will be assessed and what risk scoring formula and ranking criteria will be used.
Risks are prioritized and ranked based on their overall risk rating score, but risks can also be prioritized by their expected monetary value, impact, or any combination of other methods.
Perform Qualitative Risk Analysis Process Decomposition
Perform Qualitative Risk Analysis Process: Inputs
- Risk register
The risk register is a comprehensive list of all threats and opportunities the project faces. It also contains supplementary data about each risk, including its impact, probability, risk response, budget, risk owner, and contingency and fallback plans.
- Risk management plan
The risk management plan is a component of the project management plan. It details and defines the risk management activities for the project.
The plan establishes the risk methodology, risk roles and responsibilities, risk categories, probability and impact scales, risk tolerances, frequencies of risk management activities and reporting, and the budget and schedule for risk management activities.
- Project scope statement
The project scope statement details the measurable goals, objectives, deliverables, and requirements of the project, and what the acceptance criteria of deliverables will be. It also describes the work required to meet all objectives and deliverables of the project, and it also contains milestones, assumptions, risks, and costs.
The scope statement helps determine the impact a risk may have on the project’s objectives and may help determine its probability.
- Organizational process assets
Data from similar, past projects and risk databases will help determine impacts and probabilities.
Perform Qualitative Risk Analysis Process: Tools and Techniques
- Risk probability and impact assessment
This assessment investigates each identified risks to expose the probability and impact of all the project objectives. This data is used to prioritize or rank risks.
- Probability and impact matrix
The probability and impact matrix uses established rating criteria and scoring formula for assigning a score to identified risks based on their probability and impact.
- Risk data quality assessment
Before the qualitative analysis is performed, the risk data gathered should be reviewed for accuracy, reliability, and integrity. Otherwise, the analysis will be based on flawed data.
- Risk categorization
To help in prioritization or ranking, risks can be categorized in any useful method, such as by deliverable, phase, objective, or technology.
- Risk urgency assessment
Qualitative analysis may uncover risks that are imminent. These may need fast-tracked into subsequent risk processes for immediate attention.
- Expert judgment
Qualitative analysis requires subject matter experts and expert judgment is needed to interpret, evaluate, and present the qualitative data uncovered.
Perform Qualitative Risk Analysis Process: Outputs
- Risk register updates
Qualitative analysis results in the prioritization of risks, which is shown on the risk register.
The risk register is a comprehensive list of all threats and opportunities the project faces.
It also contains supplementary data about each risk, including its impact, probability, risk response, budget, risk owner, and contingency and fallback plans.
Risk Data Quality Assessment
It's best to first make sure that the risk data uncovered so far is solid; otherwise, the analysis will be a wasted effort because it could be based on flawed data.
Risk data quality assessment reviews the quality, reliability, accuracy, and integrity of the risk data collected.
This includes making sure each risk and its potential impacts and causes are sufficiently described and reviewing where the risk information came from.
Any doubtful, unreliable, or incomplete data should be addressed before qualitative analysis is performed.
Risk Urgency Assessment
As risks are reviewed, it may be obvious that some risks are more likely to occur in the near term (or are already occurring), making these risks a top priority and requiring them to be fast-tracked to other risk processes for immediate planning and action.
Grouping and sorting risks in different manners can help to prioritize them. Though one aspect of this tool is resorting risks by the categories established in the risk management plan, that's only one approach to the name of this tool is misleading.
Regrouping risks into any helpful classification can expose similarities that could make prioritization and later risk response planning easier. Ways that risks can be grouped include by risk owner, deliverable, phase, or technology.
Risk Probability and Impact Assessment
The two components of any risk prioritization method are the risk's probability and a gauge of its potential impact. Both figures are converted into ratings accomplished through the risk probability and impact matrix.
The risk management plan establishes how the probability and impact assessments are to be made and where the data is to be gathered from.
Most of the probability and impact data can be gathered from experts at the same time as risk identification, but additional interviews and meetings may be necessary with subject matter experts and the project team.
Probability is usually estimated as a percentage while the impact is estimated as a cost, time, or quality measure. Both estimates are usually quite subjective and given in ranges.
Risk Probability and Impact Matrix
The probability and impact matrix assigns a rating or score to each risk based on its probability and impact assessments.
The rating or scoring method is established in the risk management plan, and it converts assessments into linear, nonlinear, or relative scales.
The matrix can be either paper- or software-based, but in either case, it will include columns and rows for recording the probability rating and the ratings for the impacts to different project objectives.
In order for assessments to be uniformly converted to ratings, there must be unambiguous definitions. If the scale used is not consistent from risk to risk or person to person then subsequent rankings, scores, and priorities will be flawed.
The probability and impact matrix often includes a "sample" page where the rating system is explained with descriptive legends.
A legend provides the mechanism for converting probability assessments into a rating that is normally a linear scale.
In this example, a relative scale is converted into an estimated probability percentage.
The impact scale may be tailored to each project objective, and very clear guidelines are provided for rating the impact assessments.
It is very common for there to be different ratings for different project objectives based on their importance, and opportunities (positive risks) often have different scales than threats (negative risks).
The probability rating and the impact rating provide the basis for the overall rating or score for each risk.
The formula used can depend upon any combination of policies and personal preferences of the organization, customer, industry, risk manager, or project manager.
A simple approach is to multiply the probability rating by the impact rating for each project objective, and then summing these up to obtain the risk score.
Overall Risk Rating
The risk score is correlated to a table or legend on the probability and impact matrix that provides the overall risk classification.
This is usually a color-coded scale of red (high), amber (medium), and green (low), often called a RAG rating.
Using the overall risk score, the entire list of identified risks can be ranked into a prioritized list allowing further risk management efforts to focus on the most dangerous or advantageous risks.
Cautionary Statements about the Risk Probability and Impact Matrix
The probability and impact matrix is a relatively simple and straight-forward way of forming the basis for risk prioritization.
However, if it isn't approached with forethought into the rating, scoring, and prioritization methods, it can lead to risk management problems.
The drawbacks arise from relying on the matrix as the only source for prioritizing risks and from perceiving it as an empirical source of data.
There are nearly always additional factors which cannot be represented by the matrix, and though the goal of the matrix is to provide an objective view of the risk, it is based only on subjective estimates.
- First, to keep the matrix from becoming too unwieldy, the impact is shown only for the most important project objectives. In some cases, this isn't adequate thus causing a risk's true potential impact not be reflected by the matrix.
- Second, the combination of the probability rating, impact rating, and scoring formula can cause a high impact/low probability risk to end up ranked as a low priority or a low impact/high probability risk to end up being ranked too high.
- Third, the scale and scoring method will need to be different for opportunities versus threats.
This is because there are usually different criteria needed to exploit opportunities.