Generally speaking, people aren’t great at analysing risk. Instead of taking a strictly objective view, we’re too easily swayed by our emotions and biases.
Given half a chance most of us will believe what we want to believe and selectively filter out information that doesn’t support our case. We’re just as bad at looking at probability in a holistic way. It’s easy to focus on the most recent risk and forget about one that happened last year.
Availability Heuristic
The tendency to overestimate the likelihood of events with greater ‘availability’ in memory. This can be influenced by how recent the memories are or how unusual or emotionally charged they may be.
Since we’re so bad at considering the big picture when it comes to risk, it makes sense to focus on quantitative risk analysis. Relying on data to determine risk removes bias and ensures accurate assessments. But how do you prioritize those risks? Using qualitative risk analysis.
Qualitative risk analysis is the process of assessing the likelihood of a risk occurring and the impact it would have on a project if it happened.
This guide will walk you through a full breakdown of qualitative risk analysis. You’ll learn:
This will give you insight into the tools and techniques you can use to undertake accurate and cost-effective risk analysis for your projects.
Qualitative analysis of risk serves 3 functions:
Projects are exposed to all sorts of risks and it’s impractical for project managers to deal with all of them. In many cases, the resources spent to mitigate a risk actually outweighs the risk itself.
As such, one of the primary goals for qualitative risk analysis is to prioritize risks based on their probability and impact. This allows project managers to focus on devising treatments for the most significant risks.
Using this method also gives project managers a better idea of the main areas of risk exposure. You can achieve this by categorising risks by their source. This is important when it comes to prioritizing risk areas and treatment schedules.
Qualitative risk analysis can also improve a project manager’s understanding of risks. This helps in devising more effective risk treatments and contingency budgeting for future projects. Project managers discover much more than risk probability and consequences. They also discover trigger conditions, assumptions and affected project elements. All of this helps build up a better picture for future projects.
Qualitative risk analysis involves identifying threats (or opportunities), how likely they are to happen, and the potential impacts if they do. The results are typically shown using a Probability/Impact ranking matrix. This type of analysis will also categorize risks, either by source or effect.
Unlike quantitative risk analysis, which applies numerical values and uses verifiable data, qualitative risk analysis operates in a more generalised, “big-picture” space. Quantitative risk analysis uses data to produce a value to measure the acceptability of a risk event outcome.
During a typical project, qualitative risk analysis will happen first. From there, risk managers can draw on data to address specific risks in more detail. So, while they do have two distinctions, they don’t compete for supremacy; they’re two parts of the larger risk management process.
It can be a serious logistical and financial challenge to undertake detailed quantitative modelling necessary for major projects. There are so many factors at play. A qualitative analysis of your risk environment will help give you the clarity to prioritise tasks quickly and cost-effectively.
Other benefits include:
The project team doesn't require training, as it doesn't rely on any complicated tools or software. The qualitative risk analysis doesn’t depend on the risk occurrence frequency. So, the team performing the analysis can save time by not predicting the frequency and the exact timing of each risk. Project teams can determine areas of greater risk in a short time and without expending cost.
Qualitative risk analysis classifies risks according to their likelihood and impact. This makes it easy to determine which risks an organization should focus on – the ones falling into the highest likelihood and impact categories.
Qualitative risk analysis classifies risks according to their likelihood and impact. This makes it easy to determine which risks an organization should focus on – the ones falling into the highest likelihood and impact categories.
Project risk management is a multi-step process. This is because qualitative risk analysis has its limitations. These include:
A qualitative risk analysis produces no metrics, it depends on the perception of a person carrying out the study. In order to minimise subjectivity, a qualitative risk analysis should involve several people. The accuracy and detail of the analysis depends on previous team experience. If the risk team hasn’t experienced a project type, they might miss some risks or assess them inadequately.
The qualitative risk analysis assesses each risk on a project but doesn't provide an assessment of the overall project risk exposure. The analysis also won't calculate how much risk management activities and risk treatment will cost.
Once several risks fall into the same category, for example, high likelihood and medium impact, there is no further way to differentiate between the severity of risks and no way to determine which risk should be dealt with first.
Different types of project demand different types of qualitative risk analysis. Availability of resources and personal experience also factor into the decision of how to approach assessing a project’s risk. The five most common types of analysis are:
To many, this is the standard method of establishing risk severity. Risk matrices will often vary in size, but they all essentially do the same thing. They provide a practical way to rank the overall severity of a risk by multiplying the likelihood of risk occurrence against the impact of the risk, should it still occur.
By ranking risk probability against risk consequence, you can see the main driver of risk severity, whether that’s a probability or a consequence. This information helps identify suitable treatments to manage the risk, based on its prominent drivers.
A bow-tie analysis is one of the most practical techniques for identifying risk mitigations. Bow-tie analysis starts by looking at a risk event and then projects it in two directions. On the left, you list all the potential causes of an event. On the right, you list all the potential consequences of the event.
Using this simple method, you can identify and apply treatments to each of the causes and consequences separately. This helps you tackle both sides of a risk by mitigating the probability of it occurring one side, while limiting the impact should the risk still occur.
Known as the Delphi Technique, experts in a field respond to several rounds of questionnaires. The responses are aggregated and shared with the group after each round.
When applied to risk management, this technique can be applied to both identify risk, and subsequently to assess the likelihood and impact. The experts are asked to form an opinion on how likely the risk is to occur, and the consequence of its occurrence. These responses are aggregated and reviewed by the experts until a consensus is achieved.
The Delphi technique was conceived in the 1950s by Olaf Helmer and Norman Dalkey of the Rand Corporation. The name refers to the Oracle of Delphi, a priestess at a temple of Apollo in ancient Greece, who was famous for her prophecies.
Standing for “Structured What-If Technique”, SWIFT applies a systematic, team-based approach to risk analysis in a workshop environment. Teams investigate how changes from an approved plan, may affect a project through a series of “What if” considerations. This technique is particularly useful in evaluating the viability of opportunity risks.
Better known as the "80/20 Rule", the Pareto Principle helps in identifying risks that will be most effective. It's known as 80/20 because the principle thesis holds that 80% of achievements realised originate from 20% of the effort.
Risk managers use Pareto analysis as a tool for rapidly identifying the most critical 20% of risks that will effectively mitigate 80% of the impact.
The challenge for risk managers is knowing how to effectively score each risk. Large projects may require multi-attribute weightings for business different priorities, such as security data, and operational or compliance policies.
But, once you understand where to look and what to look at will help you hone in on the most important 20%. This offers a crucial leg up in managing the threats and vulnerabilities that have the potential to have the largest impact.
Like any big task that's worth doing, risk management can seem daunting - especially when you're starting with a blank canvas. So, the best way to take on qualitative risk analysis is to break it down into smaller steps:
Risk identification is arguably the most important part of qualitative risk analysis. If you fail to identify risks ahead of time, it becomes extremely challenging to manage them.
The trick to risk identification is keeping it simple. Start thinking of anything which could have an uncertain effect on your project. Capturing the obvious risks will help lead you deeper into more oblique ones. Risk identification is all about quantity. So, reach out to as many people as you can to get a wide range of views.
Once you’ve identified possible risks, the next step is to consider their potential impact.
Simplicity is the major benefit of qualitative risk analysis; there’s no statistical model that relies heavily on the quality of the data you use.
The next stage in the qualitative risk analysis is to apply treatments to each risk. This can be approached in any number of ways depending on your industry or process. A simple example could show five options when it comes to risk treatment, but these are by no means definitive:
If a risk has low impact and low probability, or the cost of preventing it is too high, sometimes it’s more cost-effective to accept it.
Some risks have a high probability, which means you might not be able to avoid them. In order to reduce the impact of a risk when it becomes an issue, you could choose to mitigate it.
A few risks can be exploited to the benefit of your project. Having the ability to identify exploitable risks can be extremely advantageous and highlights the importance of seeking out experienced risk experts who can spot these opportunities.
Risks with financial impacts are a common example of risks that can be transferred to a third party. Insurance is designed to assume a risk on your behalf, so you don’t suffer as hard an impact if something goes wrong. Similarly, it is possible to transfer risk via a contract to a supplier or contractor.
If you can’t mitigate or transfer a risk, and that risk is too high to accept, the only recourse is to avoid it. Risks can be avoided by changing or removing certain scope items or changing the approach.
If a risk becomes an issue, you need a plan. You need to know:
Documenting a contingency plan saves time and money. When you know what to do in the event of an issue, you can reduce its impact by responding faster. The nature and detail of your contingency planning will depend on the nature of the risks themselves.
Risk management is never over, not even after the project has finished. As the project progresses, it’s important to keep risk logs up to date. At each stage of the project, risk probability will fluctuate. Some risks will disappear, while others might increase in likelihood. Reviewing your risks regularly will help keep you on top of these changes.
After the project, a full retrospective will provide valuable data and experience for future projects, making the next one more secure and helping to further your risk maturity.
The risk matrix can be used to set the risk appetite for the organisation. The simple use of colour can aid the decision-making process as well helping to set the risk culture across the group. A risk hungry company may have a large tolerance for taking risk, whereas a high-risk company, for example in the nuclear industry, may set their appetite a lot lower.
In the example, all risks in the red area are intolerable and must be treated to reduce them to acceptable levels.
Risk matrices should be used for subjective guidance, not to provide you with definitive quantitative risk ranking data.
What happens when a risk goes from Yellow to Red? Does the risk owner still have the authority to manage the risk effectively, or should it be escalated?
If the risk owner has the tools to manage that risk, there's no need to escalate. Simply maintain a clear line of communication on the progress of bringing the risk down to an acceptable level and there's no need for escalated action.
Why should you escalate?
Risk management is all about the creation of a culture in which decisions are made based on the assessment of data in order to maximise opportunity and minimise the consequence of threats.
Qualitative risk management is a key component in the risk professionals’ tool kit. It enables rapid prioritisation of risks to help project teams to achieve their objectives. Through using these techniques your project will have a greater chance of being delivered on time and within budget.
Experience Safran Risk ManagerSee Safran Risk Manager in action, 
.
