Please Share Feedback


Questions, comments, suggestions? Let us know what you think on our Forum.

To contact us privately, please use our contact form.

Author: Elyse, PMP, CPHIMS
February 7, 2007


Qualitative Risk Analysis assesses the impact and likelihood of the identified risks in a rapid and cost-effective manner. By evaluating the priority of risks with consideration to impact on the project's cost, schedule, scope and quality objectives, Qualitative Risk Analysis provides a foundation for a focused quantitative analysis or Risk Response Plan.
The inputs to the Qualitative Risk Analysis process are:


  • Organizational process assets - Organizational process assets are any of your company's policies or procedures which assist in understanding the current project's risks. Another component of organizational process assets is information regarding risks from previous projects. This information yields understanding of how a risk was either successfully or unsuccessfully managed in the past, provides insights into the departments or organization's risk tolerance, and may provide a standard operating policy of how risks are to be managed.

  • Project Scope Statement - The Project Scope Statement details the project objectives, deliverables, assumptions, constraints, schedule, budget, and configuration management requirements. Typically a component of the project scope statement is whether the technology or process is a new endeavor for your organization. As we all know the bleeding razor edge is wrought with high levels of risk.

  • Risk Management Plan - The Risk Management Plan details the roles and responsibilities, risk management budgets, risk management scheduled activities, risk categories, probability and impact definitions, probability and impact matrix, and stockholder's risk tolerances. These components are useful in risk analysis.

  • Risk Register - The Risk Register is a listing of the risk the project team identified.


Once you have garnered all of the inputs it is time to perform qualitative risk analysis. Thankfully there are best practices which are usefully to rate and prioritize the project risks in a rapid and cost-effective manner. These tools and techniques are:

  • Risk probability and impact assessment - Risk probability and impact is the team rating of the project's risks and opportunities. It is best to use a team of project members, subject matter experts, individuals listed on the roles and responsibilities section of the risk management plan, and any other usefule knowledgeable participants. There are to tactical methods for deriving a risk rating. First have a meeting with the team. Secondly conduct risk interviews. Generally, the first approach is to tackle the probability question of all identified risks, then review and determine the impact of all identified risks. Finally the risk score is calculated by multiplying probability by impact. The successful outcome of a risk probability and impact assessment is a Risk Register that has been updated with risk ratings for probability, impact, and score.

  • Probability and impact matrix - The probability and impact matrix illustrates a risk rating assignment for identified risks. Each risk is rated on its probability of occurrence and impact upon objective. From a spotlight analysis reds are in the high risk zone, yellows are medium risk, and greens are low rated risks which should just be added to the watch list.

    Probability
    Threats
    Opportunities
    0.900
    0.045
    0.090
    0.180
    0.360
    0.720
    0.720
    0.360
    0.180
    0.090
    0.045
    0.700
    0.035
    0.070
    0.140
    0.280
    0.560
    0.560
    0.280
    0.140
    0.070
    0.035
    0.500
    0.025
    0.050
    0.100
    0.200
    0.400
    0.400
    0.200
    0.100
    0.050
    0.025
    0.300
    0.015
    0.030
    0.060
    0.120
    0.240
    0.240
    0.120
    0.060
    0.030
    0.015
    0.100
    0.005
    0.010
    0.020
    0.040
    0.080
    0.080
    0.040
    0.020
    0.010
    0.005
    0.050
    0.100
    0.200
    0.400
    0.800
    0.800
    0.400
    0.200
    0.100
    0.050

  • Risk data quality assessment - A qualitative risk analysis needs to have unbiased and accurate data for credibility. A risk data quality assessment is a means to evaluate the reliability and accuracy of the information from which the risk rating is derived.
    1. Extent to which the risk is understood - How well is the risk grokked? The data should be clear, concise and easily explained. Evaluate your data source? Did the wolf caller just tell you another wolf was after the sheep.
    2. Data availability - Is the data complete? A common whole is to base risk ratings on incomplete data.
    3. Data Quality - Is the data timely and relevant? Honestly evaluating a CPOE install by data that is 20 years old isn't good practice. Most like the information isn't timely and relevant.
    4. Data integrity and reliability - How objective is the data? Qualitative Risk Analysis is imprecise; ratings reflect subjective opinions and judgment. However, with this fact in mind, try to obtain the most accurate and unbiased information you can. For example if in a rampant war of office politics, is it objective what stones one side is throwing at the other?
  • Risk urgency assessment - Risk requiring near-term responses are have a higher level of urgency than risk way off in the future land.
  • Risk categorization - Risks can be grouped in different ways for example they can be categorized by source, area impacted, or project phase.
The output of the Qualitative Risk Analysis process is an updated Risk Register. The risk register updates include:
  1. Relative ranking or priority of project risks - The overall risk ranking is determined by summing the individual risk scores and then dividing by the number of risks.
  2. Risks grouped by categories - Placing risks in categories reveal areas of risk concentration and highlights common causes of risk. For example, if every risk is surrounding a lack of project resources, then maybe actually planning the project work to the resources available is necessary.
  3. Lists of risks requiring response in the near term - The most urgent risks commonly need responses in the short term. By sorting according to urgency, it is easy to identify the most severe risk event which need almost immediate action.
  4. List of risks for additional analysis and response - Risks which need additional analysis and management are classified as high sometimes even moderate.
  5. Watchlist of low priority risks - Risks which are not urgent and require action in the distant future are commonly detailed on a watchlist for monitoring.
  6. Trends in qualitative risk analysis results - With each iteration of Qualitative Risk Analysis, a trend may result which necessitates a response or further analysis.

Further Reading:


Subscribe and Share!

Did you enjoy this article? Your feedback is very important! I'd like to invite you to keep up to date with the latest posts from Anticlue. We offer several venues. If you have some questions, help can be found here.
 

0 Comments to “Qualitative Risk Analysis”


« Risk Identification Communicating Expectations »

Please share your thoughts and suggestions