How to Perform a Qualitative Risk Analysis

Find out how to apply qualitative risk analysis to any project or venture to keep unforeseen hazards from wreaking havoc on your plans.

Updated May 8, 2020

Our best-laid plans don't always work out, often for reasons beyond our control. The COVID-19 outbreak has been an unwelcome reminder of that fact. It has also underscored the importance of anticipating risk and preparing for the worst.

A qualitative risk analysis protects your plans by identifying threats and taking steps to mitigate them before they can do real harm. This article breaks down the qualitative risk analysis process so you can give your projects and plans the best chance of success.

Overview: What is qualitative risk analysis?

Qualitative risk analysis is a formal process for evaluating the likelihood and potential impact of project risks. It provides a framework for ranking risks according to the level of threat they pose to inform project risk management strategies.

Qualitative risk analysis is an important tool for managing projects and keeping them on schedule. Incorporating risk assessment into business activities more widely also supports quality and efficiency across your enterprise.

Qualitative vs. quantitative risk analysis: What’s the difference?

Qualitative risk analysis describes risks in subjective, relative terms. Knowing that something poses a very high risk, or a higher risk than the next factor on your list, is good enough for qualitative analysis.

A quantitative risk analysis describes the same risks in hard numbers. It may require more rigorous measures such as proof of concept testing or statistical modeling.

For example, a qualitative risk analysis for a home building project might find that a looming lumber shortage is highly likely to delay completion and send the build over budget.

A quantitative analysis might find that the lumber shortage has a 40% chance of delaying the project by more than 30 days and driving it over budget by up to 6%.

How to perform a qualitative risk analysis

Qualitative risk analysis is an important responsibility of project managers. It should be conducted during the earliest phase of project planning and then revisited as the project progresses and conditions change.

Consider the example above of the lumber shortage. In the early phase of the project, the shortage might be little more than a rumor. By the time construction begins, supplies might be drying up and prices shooting through the proverbial roof.

Updating risk parameters throughout the project could allow you to buy at the right time to beat the price hikes.

A qualitative risk analysis consists of the following five steps:

Step 1: Identify risks

The first step in a qualitative risk analysis is identifying potential risks to your project. The goal of this step is to capture as many risks as possible. You're not prioritizing at this point, so even if a risk seems nominal or beyond your control, you should include it.

Tips for identifying risks:

Follow these best practices for identifying risks:

  • Consider technical risks: What technology does your project depend on, and what would happen if it failed? Consider all of the potential technical breakdowns that could affect your project, from inaccurate data to quality problems to software glitches.
  • Include external risks: There are many factors outside your organization that can affect project outcomes, from procurement management issues to a sloppy statement of work to bad weather. Try to capture as many external factors as you can.
  • Factor in organizational risks: This includes threats within your business such as budget constraints, capacity limits, and interdepartmental conflict.
  • Identify project management risks: Be sure to consider project quality management risks such as delayed approvals, loss of a key project team member, or scope creep.
  • Involve all stakeholders: The best way to get a comprehensive list of risks is to brainstorm with everyone involved in the project.

Step 2: Estimate probability

Once you have an inclusive list of risks, it's time to move on to estimating their likelihood. For this part of the analysis, you're considering just the probability of the risk materializing, not the nature or scope of damages that might result.

Tips for estimating probability:

The following tips will help you estimate the probability of risks:

  • Consider a four-point scale: A four-point scale from very unlikely to highly likely is helpful because it forces you out of a neutral middle position.
  • Assign values: You can express probability in simple numbers, such as a scale of 1 to 4, or as percentages. For example, you could assign a score of 20% for very unlikely, 40% for unlikely, 60% for likely, and 80% for very likely.
  • Rank each risk: Once you have decided on a numeric scale, assign a probability value to each risk on your list. It may take some discussion before you have all of your risks aligned on the scale to everyone's satisfaction.
  • Get varied perspectives: Ask as many stakeholders as you can to rank probability and average the results for the greatest accuracy.

Step 3: Estimate potential impact

The next step in your risk analysis is to measure the potential business impact from each risk you've identified. In this step, you're ignoring probability completely and treating every variable as a certainty. If the event happened, what would it do to your project?

As with probability, you're working with the best estimates you can make based on available data. Once again, involving your entire project team and other stakeholders will give you the best results.

Tips for estimating potential impact:

Consider these best practices for estimating impact:

  • Assume the worst: When estimating impact, be a pessimist. What's the worst possible damage this risk could do to your project? Score the risk according to the most severe outcome.
  • Consider cost, schedule, deliverables, and scope: Estimate potential effects across each of these project areas. How might a risk drive up costs, or stretch out your timeline? What impact might it have on project deliverables? Sum up the effects in a final impact score.
  • Use available data: Even though qualitative analyses are subjective, you should factor in all the data you can to make your estimates as accurate as possible.
  • Choose a scale: Once you've considered the full potential threat posed by each risk, you need to assign a severity score. A simple numeric scale such as 1 for very low impact, 2 for low, 3 for high, and 4 for very high works well.

Step 4: Create a risk matrix

Now it's time to bring all of that analysis together in a qualitative risk analysis matrix. Using the scales you established, lay out probability on one axis and severity of impact on the other.

Multiply the rankings for probability and impact across each row and column to arrive at exposure scores for every cell in your matrix. The exposure score sums up the threat level posed by risks in each cell.

Each cell in a risk matrix contains an exposure score equal to probability times impact.

Tips for creating a risk matrix:

The following tips will help you create a project risk matrix:

  • Set up your chart to suit your preferences: It doesn't matter which axis becomes the horizontal or vertical row in your chart, or whether your scale runs in ascending or descending order.
  • Plot your risks: Once you've created your matrix, you can plot all of your risks according to the probability and impact rankings you assigned in your analysis.

Step 5: Develop a risk response plan

Based on your risk matrix, your team can prioritize which exposures require further action or analysis and create an actionable risk response plan.

Like other phases of qualitative risk analysis, risk response planning is subjective. Your risk tolerance and the nature of the risks you've uncovered will determine which exposures require further action or analysis and which can be ignored. For those requiring action, you will need to choose a risk mitigation strategy. Cost-benefit analysis can help you determine which strategies are worth pursuing.

The simplest and most common risk response is acceptance: You determine that a risk is an acceptable part of the work ahead with no mitigation action required. You can also choose to avoid a risk by eliminating an activity from your project.

A chart of risk exposures with a probability range of 0% to 100% and an impact range of 1 to 4.

A sample risk matrix from Project Management Institute with a three-tier, 100-point impact scale and four-tier, percentage-based probability scale.

You may decide to transfer risk through insurance or other financial protections, or you can share a risk through a partnership or contractual arrangement. Finally, you can mitigate risk through preventive measures such as quality controls.

For larger projects, you may want to create a written risk response plan including a risk register. A risk register is a formal summary of your analysis, including a full list of identified risks, exposure scores, and recommended actions.

Risk registers are sometimes required documentation for regulatory purposes. Tasks outlined in your response plan can be assigned to team members and tracked through your existing project management system.

Tips for developing a risk response plan:

Use the following practices to develop an effective risk response plan:

  • Set exposure tiers: Break your risks into categories based on urgency. The tiers are arbitrary, so set them to suit your preferences. In the matrix below from the Project Management Institute, for example, scores of 0 to 29 are considered low; 30 to 49, moderate; 50 to 69, high; and 80 to 100, very high.
  • Color by exposure: Use colors to reflect priorities and next steps in your risk response plan. For example, in the matrix below, red might apply to risks that require mitigation action, orange to risks that require further analysis, yellow to risks that merit watching or further analysis at a later date, and green to risks that are acceptable with no further action.
  • Choose mitigation strategies: You may need to consult a new group of experts to find the best solutions for your risks. Financial advisors, legal counsel, insurance agents, and technical specialists can provide valuable advice to safeguard your project.
  • Monitor risks continually: As your project progresses, you may need to meet continually to assess how risks have developed and whether your risk response and project management plans need to change in response. Software can make it easier to track and manage this process.
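
The five steps above combined into a small risk register, as an added example that is not part of the original article. The 1-to-4 scales come from the article; the tier thresholds, the use of the worst per-area rating as the impact score, the `rate` helper, and the sample ratings are assumptions made for illustration.

```python
from statistics import mean

# Scales from Steps 2 and 3 of the article (1 to 4, no neutral midpoint).
PROBABILITY = {"very unlikely": 1, "unlikely": 2, "likely": 3, "very likely": 4}
IMPACT = {"very low": 1, "low": 2, "high": 3, "very high": 4}
AREAS = ("cost", "schedule", "deliverables", "scope")

# Assumed exposure tiers as (minimum score, response). The article calls tiers
# arbitrary, so these thresholds are illustrative and not taken from the page.
TIERS = [(12, "mitigate"), (8, "analyze further"), (4, "watch"), (0, "accept")]


def score_risk(name, votes, impacts):
    """Return one register row: averaged probability times worst-case impact."""
    if not votes:
        raise ValueError(f"{name}: no probability votes")
    missing = [a for a in AREAS if a not in impacts]
    if missing:
        raise ValueError(f"{name}: no impact rating for {missing}")
    unknown = [v for v in votes if v not in PROBABILITY]
    unknown += [v for v in impacts.values() if v not in IMPACT]
    if unknown:
        raise ValueError(f"{name}: ratings not on the scale: {unknown}")
    probability = mean(PROBABILITY[v] for v in votes)  # Step 2: average stakeholders
    impact = max(IMPACT[impacts[a]] for a in AREAS)    # Step 3: assume the worst
    exposure = probability * impact                    # Step 4: matrix cell value
    response = next(label for floor, label in TIERS if exposure >= floor)
    return {"risk": name, "probability": probability, "impact": impact,
            "exposure": exposure, "response": response}


def build_register(risks):
    """Step 5: score every risk and list the highest exposure first."""
    rows = [score_risk(name, votes, impacts) for name, votes, impacts in risks]
    return sorted(rows, key=lambda row: row["exposure"], reverse=True)


def rate(cost, schedule, deliverables, scope):
    """Hypothetical helper: pair one impact rating with each project area."""
    return dict(zip(AREAS, (cost, schedule, deliverables, scope)))


# Constructed sample ratings; the risk names echo examples used in the article.
SAMPLE_RISKS = [
    ("Software glitch", ["very unlikely"], rate("low", "low", "high", "low")),
    ("Lumber shortage", ["very likely", "likely", "very likely", "likely"],
     rate("very high", "high", "low", "very low")),
    ("Loss of key team member", ["unlikely", "likely"], rate("low", "high", "high", "low")),
    ("Delayed approvals", ["likely", "very likely"], rate("low", "high", "low", "low")),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f'{row["exposure"]:>5}  {row["response"]:<16} {row["risk"]}')
```

Re-running `build_register` with updated votes as the project progresses gives the continual monitoring described in the last tip.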

Safeguard the road ahead

It's a long road from vision statement to victory lap, and a lot can happen in between. Qualitative risk analysis is a relatively fast and easy way to identify threats and prevent them from ruining your plans.

It's also highly adaptable for use with projects or decisions of any type, big or small. Whether you're considering opening a new location or weighing the benefits of various organizational structure types, taking time up front for risk analysis can bring clarity and security to the road ahead.
