Effective risk analysis and management are fundamental to project success. Irrespective of the size or scale of your project, delivering it on time and within budget (not to mention preserving stakeholder confidence) is impossible if you don't take the time to identify, analyze, categorize, prioritize, and gauge the impact of external risks before work commences.
Two well-established methodologies dominate risk analysis: qualitative and quantitative. Yet, despite their universality, a surprising number of people within the project management bubble struggle to understand how best to deploy these methodologies.
In this article, we will define both approaches. Then, we explore why quantitative risk analysis, while mechanically more complex, is better suited to the demands of today's megaprojects.
Qualitative Risk Analysis is Subjective
The most obvious difference between qualitative and quantitative risk analysis is their approach to the process.
Qualitative risk analysis tends to be more subjective. It focuses on identifying risks to measure both the likelihood of a specific risk event occurring during the project life cycle and the impact it will have on the overall schedule should it hit.
The goal is to determine severity. Results are then recorded in a risk assessment matrix (or any other form of an intuitive graphical report) in order to communicate outstanding hazards to stakeholders.
Quantitative Risk Analysis is Objective
Quantitative risk analysis uses verifiable data to analyze the effects of risk in terms of cost overruns, scope creep, resource consumption, and schedule delays.
In layman’s terms, quantitative risk analysis assigns a numerical value to extant risks — risk A has a 40% chance of occurring, based on quantifiable data (fluctuations in resource costs, average activity completion time, logistics etc.) and a 15% chance of causing a delay of X number of days. It’s entirely dependent upon the quantity and accuracy of your data.
Mechanics of Quantitative Risk Analysis
In his Journeymap to Project Risk Analysis, David Hulett outlines the mechanics of quantitative risk analysis.
Uncertainty and Identified Risks
Uncertainty and identified risks are two distinct factors that influence the variability of results for schedule and cost. These are the factors we're trying to quantify.
Uncertainty is background variability, distinct from variation caused by identifiable risks. It's caused by at least 3 common factors in projects:
- The inherent variability of the work not caused by identified risks
- Estimating error or error of prediction
- Bias in estimation or prediction
Uncertainty is always present at some level of impact, so its probability is 100%. Since its source is unknown, uncertainty can't be mitigated during the time of one project.
The typical expression of uncertainty is in multiplicative terms such as 90%, 105%, and 120%, where the most likely value is expressing a 5% correction for optimistic bias in the durations of the schedule analyzed.
Identified risks are root causes of variability that can be measured and moderated or mitigated. There are two types of these risks:
- Project-specific risks
- Systemic risks
Quantifying an identified risk using Risk Drivers represents the probability that the risk will occur on this project and the impact the risk has on the duration of the activities it affects if it occurs.
For example: 40% probability means that the risk occurs in 2,000 of 5,000 iterations, chosen at random, during a Monte Carlo simulation.
Impact percentage is a multiplicative factor chosen from a probability distribution (e.g., 90%, 100%, 120%). Due to proportionality, the multiplicative factor can be applied to long and short duration activities equally.
Which is Better for Risk Management?
The quantitative approach to risk analysis is better for managing the risk of modern projects. It provides a better means of understanding how risk and uncertainty affect project outcomes. But that doesn't mean that qualitative risk analysis is totally useless.
By ranking severity in broader terms, qualitative risk analysis is useful for gauging probability and prioritizing risk in a way that’s easy for non-project controls people to understand. This can help with stakeholder buy-in by offering a small sample of the wider risk landscape.
Speed & Simplicity vs. Accuracy & Complexity
Quantitative risk analysis relies on accurate statistical data to produce actionable insights — the kind that hasn't been historically available. So instead, project managers used a more subjective, qualitative approach to risk management.
So while it might be quicker, the best way to get the most robust risk analysis is through quantitative means. It allows you to:
- Quantify outcomes
- Clear up uncertainty surrounding the results of initial qualitative analysis
- Set achievable cost and scheduling targets
- Assess the probability of successfully achieving these goals
High-risk industries in particular — mining, oil and gas, or construction — rely heavily on quantitative risk analysis. Indeed, it’s a legal requirement.
Fortunately, as technology has evolved, so too has the way we perform quantitative risk analysis. New tools are available to help improve the validity of your risk analysis and understand the steps needed to mitigate potential issues.
Use a High-Quality Risk Analysis Platform
Qualitative risk analysis has its place in project controls. But a quantitative risk analysis gives you the best possible insight into the risks and their potential impact on the successful execution of your project.
For this reason, we’ve spent the last few years working on a brand-new tool: Safran Risk Manager.
Risk Manager takes a holistic approach to risk management and integrates seamlessly with Safran Risk, giving you all the data you need to perform effective analysis, from a single platform.