This is Why Qualitative Risk Analysis is Important

Qualitative Risk Analysis is an important step in the Risk Management process.What if, as a Project Manager, you could be assured of reducing the level of uncertainty in any project that you undertake, thus allowing you to focus on the higher priority risks?

This is entirely possible by utilizing Qualitative Risk Analysis – a project management process for prioritizing potential project risks for further analysis or action. This analysis considers the likelihood of occurrence of each risk and, if the risk occurs, the potential impact to the project. High-priority risks are identified and handled immediately, while low-priority risks are placed on a watch list for periodic review throughout the project.

In a previous article, “Why You Should Identify Risks Early,” I discussed several techniques for identifying potential risks to the project. Would you believe that many projects stop right there? With the identification and documentation of potential risks in a Risk Register?

Such projects operate under the false pretense that once identified, and if reviewed regularly, then project risk is being actively managed. However, the next step (often not taken) is even more significant to the overall management of a project: the qualitative analysis of the identified risks.

Several factors play into this qualitative analysis:

  • the timeframe for response to the risk,
  • the organization’s risk tolerance, and
  • the project constraints of cost, schedule, scope, and quality.

The last bullet above directly affects the people aspects of project management. Negative impact on cost, schedule, scope, or quality contribute directly to the failure of a project. No one likes a project failure on their resume. No end-users like working with a substandard system. No customers of the procuring organization like the poor service from a badly performing system.

The value of Qualitative Risk Analysis is that it can be done rapidly and cost-effectively to establish priorities for managing risk. When performed regularly, it allows the project management team to continuously focus on managing the highest priority project risks. Projects of a common or recurrent type tend to have well-understood risks, which are more readily managed. Highly complex projects have more uncertainty.

Most of my project management experience was in a single industry, that of state government Human Services IT projects. These projects are typically fixed-price, fixed schedule, and extraordinarily complex. They tend to have a significant uncertainty.

For example, legislation and rules promulgation at the state or federal level can occur at any time, and the resulting mandates have direct effects on projects in progress. Many firms refuse to undertake such projects, not willing to accept this risk. Who can blame them? A typical Request for Proposals (RFP) may contain language such as: “The Procuring Agency will provide 15 IT staff and 5 Subject Matter Experts to this major task; however, should the Procuring Agency not provide this staff, the responsibility remains with the contractor to complete the task.”

The firms I worked for understood these types of risks. They were a constant. Government agencies, funded by taxpayer dollars, must necessarily be conservative and risk averse. When one understands that such agencies rely on the private sector to deliver major systems on their behalf, yet cannot always commit the necessary staff, then one understands the risk. Identified risk such as this can be managed from the outset of the project. These situations are common or recurrent, and we, the IT providers, understood the risks.

At the same time, projects using first-of-a-kind or “bleeding-edge” technology are less acceptable to such organizations. In a previous article, “This is Why a Risk Management Plan is Important,” I recounted the example of a proposal our firm submitted to a government entity. We had proposed new server-based technology to an organization which had always relied on mainframes. Although our price was 25% lower than the winning proposal, we lost the bid because our bid manager did not understand the risk-averse nature of this organization. Now, many years later, I doubt that organization is still using mainframes; however, at the time it considered our proposal too risky.

The assessment of risk considers the likelihood of occurrence of each risk event in the Risk Register, and its potential impact on the project objectives.

Think of the probability of a risk occurring as the y-axis on a graph. Probability can be measured, say, from 10% to 90%.

Think of potential impact to project objectives on the x-axis of a graph. The impact can be represented as “very low” to “very high”. The value for “very low” may be represented by .05 (insignificant), and the value for “very high” may be represented by a .8 or .9 (significant). One organization may choose the value of .5 to describe a moderate impact, while a more conservative organization may prefer .2. These are subjective judgments based on the organization’s past experience with projects of this nature, or with its project management processes in general.

A risk factor is derived by multiplying the probability of occurrence by the value of assessed impact, and then represented in a grid.A probability and impact factor is derived for each risk by multiplying the probability of occurrence by the value of the assessed impact. The higher the derived number, the greater the risk to the project. The greater the risk, the more immediate the required response. Risk events assessed with a high factor are identified for priority action and aggressive management; while those found in the low risk category are placed on a watch list for ongoing review.

While the identification and documentation of project risks (and opportunities) is important, their qualitative analysis is paramount. Otherwise, how would the Project Manager and her team differentiate and prioritize the many potential risks that require their attention? The utilization of Qualitative Risk Analysis is a strong indicator that the project team is taking the management of project seriously, and not merely paying lip service to it.

Threats, and even opportunities, that are attended to using this process answer the question that I asked when I began this article: “what if, as a Project Manager, you could be assured of reducing the level of uncertainty in any project that you undertake, thus allowing you to focus on the higher priority risks?”

Qualitative Risk Analysis may appear to be another of those burdensome process-related technique foisted on Project Managers, but its effect on the people aspects of project management is significant.


Get Your Free Guidebook

Subscribe and receive your free guidebook,
5 Ways to Master the Art of Managing People, Projects and Profits.