February 7, 2007
Qualitative Risk Analysis
Qualitative Risk Analysis assesses the impact and likelihood of the identified risks in a rapid and cost-effective manner. By evaluating the priority of risks with consideration to impact on the project’s cost, schedule, scope and quality objectives, Qualitative Risk Analysis provides a foundation for a focused quantitative analysis or Risk Response Plan.
The inputs to the Qualitative Risk Analysis process are:
- Organizational process assets - Organizational process assets are any of your company's policies or procedures which assist in understanding the current project's risks. Another component of organizational process assets is information regarding risks from previous projects. This information yields understanding of how a risk was either successfully or unsuccessfully managed in the past, provides insights into the departments or organization’s risk tolerance, and may provide a standard operating policy of how risks are to be managed.
- Project Scope Statement – The Project Scope Statement details the project objectives, deliverables, assumptions, constraints, schedule, budget, and configuration management requirements. Typically a component of the project scope statement is whether the technology or process is a new endeavor for your organization. As we all know the bleeding razor edge is wrought with high levels of risk.
- Risk Management Plan – The Risk Management Plan details the roles and responsibilities, risk management budgets, risk management scheduled activities, risk categories, probability and impact definitions, probability and impact matrix, and stockholder’s risk tolerances. These components are useful in risk analysis.
- Risk Register – The Risk Register is a listing of the risk the project team identified.
Once you have garnered all of the inputs it is time to perform qualitative risk analysis. Thankfully there are best practices which are usefully to rate and prioritize the project risks in a rapid and cost-effective manner. These tools and techniques are:
- Risk probability and impact assessment – Risk probability and impact is the team rating of the project’s risks and opportunities. It is best to use a team of project members, subject matter experts, individuals listed on the roles and responsibilities section of the risk management plan, and any other usefule knowledgeable participants. There are to tactical methods for deriving a risk rating. First have a meeting with the team. Secondly conduct risk interviews. Generally, the first approach is to tackle the probability question of all identified risks, then review and determine the impact of all identified risks. Finally the risk score is calculated by multiplying probability by impact. The successful outcome of a risk probability and impact assessment is a Risk Register that has been updated with risk ratings for probability, impact, and score.
- Probability and impact matrix – The probability and impact matrix illustrates a risk rating assignment for identified risks. Each risk is rated on its probability of occurrence and impact upon objective. From a spotlight analysis reds are in the high risk zone, yellows are medium risk, and greens are low rated risks which should just be added to the watch list.
ProbabilityThreatsOpportunities0.9000.0450.0900.1800.3600.7200.7200.3600.1800.0900.0450.7000.0350.0700.1400.2800.5600.5600.2800.1400.0700.0350.5000.0250.0500.1000.2000.4000.4000.2000.1000.0500.0250.3000.0150.0300.0600.1200.2400.2400.1200.0600.0300.0150.1000.0050.0100.0200.0400.0800.0800.0400.0200.0100.0050.0500.1000.2000.4000.8000.8000.4000.2000.1000.050
- Risk data quality assessment – A qualitative risk analysis needs to have unbiased and accurate data for credibility. A risk data quality assessment is a means to evaluate the reliability and accuracy of the information from which the risk rating is derived.
- Extent to which the risk is understood – How well is the risk grokked? The data should be clear, concise and easily explained. Evaluate your data source? Did the wolf caller just tell you another wolf was after the sheep.
- Data availability - Is the data complete? A common whole is to base risk ratings on incomplete data.
- Data Quality – Is the data timely and relevant? Honestly evaluating a CPOE install by data that is 20 years old isn’t good practice. Most like the information isn’t timely and relevant.
- Data integrity and reliability - How objective is the data? Qualitative Risk Analysis is imprecise; ratings reflect subjective opinions and judgment. However, with this fact in mind, try to obtain the most accurate and unbiased information you can. For example if in a rampant war of office politics, is it objective what stones one side is throwing at the other?
- Risk urgency assessment – Risk requiring near-term responses are have a higher level of urgency than risk way off in the future land.
- Risk categorization - Risks can be grouped in different ways for example they can be categorized by source, area impacted, or project phase.
- Relative ranking or priority of project risks – The overall risk ranking is determined by summing the individual risk scores and then dividing by the number of risks.
- Risks grouped by categories – Placing risks in categories reveal areas of risk concentration and highlights common causes of risk. For example, if every risk is surrounding a lack of project resources, then maybe actually planning the project work to the resources available is necessary.
- Lists of risks requiring response in the near term – The most urgent risks commonly need responses in the short term. By sorting according to urgency, it is easy to identify the most severe risk event which need almost immediate action.
- List of risks for additional analysis and response – Risks which need additional analysis and management are classified as high sometimes even moderate.
- Watchlist of low priority risks – Risks which are not urgent and require action in the distant future are commonly detailed on a watchlist for monitoring.
- Trends in qualitative risk analysis results - With each iteration of Qualitative Risk Analysis, a trend may result which necessitates a response or further analysis.
Posted by Elyse at February 7, 2007 1:41 PM
Comments
Post a comment
Did you miss?
IT Governance, the decisions needs by whom
Finally passed the test
Managing in light of McGregor's Theory X and Theory Y
CMMI
Kicking HIT Leadership Up a Notch
That's just some mumbo jumbo project management BS
Outcomes - The tactic to get to the strategy
Nurse Call, VOIP, and Wi-Fi: Its just cool when things come together!
Finally passed the test
Managing in light of McGregor's Theory X and Theory Y
CMMI
Kicking HIT Leadership Up a Notch
That's just some mumbo jumbo project management BS
Outcomes - The tactic to get to the strategy
Nurse Call, VOIP, and Wi-Fi: Its just cool when things come together!
Archives
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
August 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
November 2005
October 2005
September 2005
August 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
August 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
November 2005
October 2005
September 2005
August 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
July 2004
June 2004
May 2004
April 2004
March 2004
February 2004
January 2004
December 2003
November 2003
October 2003
Blogs
Cafe au Lait
Joel on Software
David Ross
Edward Prevost
Martin Fowler
The Health Care Blog
The Tales of Hoffman
The Business Word
Medical Rants
Christina's Considerations
Paul Levy
HIS Talk
Appropriate IT
Candid CIO
Joel on Software
David Ross
Edward Prevost
Martin Fowler
The Health Care Blog
The Tales of Hoffman
The Business Word
Medical Rants
Christina's Considerations
Paul Levy
HIS Talk
Appropriate IT
Candid CIO
Subscribe
RSS feed
© Copyright 2003 - 2007 Elyse Nielsen