9 Additional Considerations in Qualitative Risk Analysis

Risk identification involves teamwork and brainstorming.Throughout my career, my project teams were very good at risk planning. I do admit, however, that the qualitative risk analysis of our risk planning was limited to examining the probability of occurrence and impact.

What I learned over my many years in systems delivery then is that we need to employ other risk characteristics when prioritizing individual risks for further analysis or action. This will lead to a more thorough qualitative risk analysis.

Let me illustrate these additional risk characteristics by using a real-life example of a significant project risk.

On a large, complex human services project on which I worked, the Department’s CIO became aware that a large population of individuals in his state were approaching the end of their unemployment compensation benefits. Most of them would remain unemployed due to the severe economic downturn. While that situation had no direct effect on his department, the CIO quickly grasped that a vast number of those losing unemployment benefits would soon be applying for assistance from his department. Responsibility for lessening economic hardship for thousands of individuals was about to be transferred from another department to his. It was a potentially disastrous situation that would strain all the resources of the department, including the new system we had just implemented.

You’re probably already imagining various risk responses you might have used to work through this risk. This situation hadn’t become an issue yet, given that it’s probability of occurrence (estimated at over 90%) was still several months into the future; but it had become a gigantic concern for the department.

I also use this scenario to illustrate that so many of our decisions as Project Managers go beyond the process or technical aspects of project management. Often the people aspects of our decisions are paramount, and we need to get into the habit of focusing on these as well.

Let’s examine the scenario in light of other characteristics of risk that could be used to help analyze how best to mitigate this risk. These risk characteristics are taken directly from the PMBOK® Guide (Project Management Institute, 2017, p.200).

  1. Urgency – the period of time within which a risk response must be implemented in order to be effective. The CIO estimated he had several months before this huge bubble of unemployed individuals would flood his newly implemented system. Given that his preferred strategy was to add a self-service portal to the front end of the new system, several months was not a long time; therefore, urgency was high.
  2. Proximity – the period of time before the risk might have an impact. Similar to urgency, proximity in this case was high. The department would be inundated with new applications for assistance in a few short months.

  3. Dormancy – the period of time between the occurrence of the risk event and when its impact is discovered. In this scenario, the occurrence of the risk event would cause an immediate negative impact on the new system and the workforce. Therefore, dormancy was infinitesimally low.

  4. Manageability – the ease with which the risk owner can manage the occurrence or impact of the risk. At the time, the idea of a self-service portal was in its infancy in this domain, but there were few other options given the urgency and proximity. The solution was risky and might not be ready in time, thereby making manageability low.

  5. Controllability – the degree to which the risk owner is able to control the outcome of the risk. The CIO would have had little control over the outcome except for his strong relationship with his IT provider. Collaboratively, they agreed to meet the challenge head-on, thus giving the CIO high controllability.

  6. Detectability – the ease with which the results of the risk occurring can be detected. Clearly, having watched the economic forecasts for his state, CIO was able to detect this risk several months in advance. Detectability was high.

  7. Connectivity – the extent to which the risk is related to other project risks. At this point in the project, this was the only risk worth consideration. The system had been designed in a modular fashion, so bolting on a self-service portal to the front end was very low risk. Connectivity was low.

  8. Strategic impact – the potential for the risk to have a negative impact on the organization’s strategic goals. I have seldom seen higher strategic impact on a project.

  9. Propinquity – the degree to which a risk is perceived to matter by one or more stakeholders. This risk event had the potential to threaten the mission of the department, its very reason for being. To say that this risk had high propinquity is an understatement (that, and the risk of using “propinquity” correctly).

While probability of risk occurrence and impact remain the foundation of Qualitative Risk Analysis, these additional risk characteristics can help temper the prioritization of project risks. I feel that they also go to the heart of why we undertake projects – to benefit people. The people aspects of project management need to always be at the forefront of our project analysis and decision-maiking.


Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition. Newton Square, PA: PMI Publications, 2017, Print.

Get Your Free Guidebook

Subscribe and receive your free guidebook,
5 Ways to Master the Art of Managing People, Projects and Profits.