Qualitative risk analysis and how to perform it
This process uses the risk from the risk register and analyses each in terms of the risks probability and impact to the project if it were to occur. This process is performed quickly to determine as soon as possible which risks are the highest priorities on the project. It uses the probability and impact matrix (PIM) to prioritise and rank risks, and this information is placed back on the risk register.
Not all risks are created equal, so by ranking and prioritising all known risks to the project objectives, so that appropriate time and resources can be applied to the right risks.
Like all the processes within risk management, perform qualitative risk analysis is performed often on a project because aspects and characteristics of existing risks will likely change throughout the project as well as new risks being identified as the project progresses.
There are four inputs to Qualitative risk analysis:
Risk register.
This of course, is the source of all of the known risks that are to be analysed.
Risk management plan.
Because this is in affect a risk management strategy document for the project, it will clarify the overall approach that needs to be taken to risk management on this particular project as well as stating how much risk is acceptable and who should be involved in carrying out the qualitative risk analysis of the project risks.
Project scope statement.
This key document describes both the project and product deliverables along with the objectives of the project and to the requirements, along with the constraints and assumptions. When it was first created within the define scope process, it also included all the identified risks known at that time, and these will be used along with the other information within this document for qualitative risk analysis.
Organisational process assets.
These will include aspects such as tools to help carry out qualitative risk analysis, policies, procedures and guidelines for risk management, and historical information including lessons learned from previous similar projects.
Risk register updates.
This is the only output from this process. Prior to qualitative risk analysis, the risk register contains a list of all of the risks, but now extra information can be added to the risk register including the priority of urgency of each risk, their categorisation and any trends of have been observed while carrying out this process.
There are five tools that are used for this process:
The risk probability and impact assessment and probability and impact matrix
These two tools and techniques assist in determining what the highest priorities should be by the evaluation of the likelihood of each risk occurring, and its potential impact on the project. Both the likelihood and impact are given a ranking category such as low, low to medium, medium, medium to high, and high.
These may be accompanied by a numeric evaluation, in this case 1 to 5.
Probability and impact for each risk is multiplied together to give it an individual risk score which is then used to determine and set the risk priority within qualitative risk analysis.
Risk categorization.
The risk breakdown structure (RBS) is the normal way to help structure and organize all identified risks into appropriate categories, and these will assist in determining which aspects of the project have the highest degree of uncertainty.
The risk data quality assessment.
This tool or technique evaluates the risk data to objectively determine whether it is accurate and of acceptable quality. For example if the data used to determine the risk of developing a piece of software, then the sources of such data (such as the number of times that rework was required), should be re-evaluated to determine if it was sufficient to estimate that particular risk’s probability of occurring and its impact.
Risk of urgency assessment.
This refers to when the risks are likely to happen and is sometimes called proximity. Such urgent risks require an immediate attention and action as they are likely to occur in the immediate future. Some form of agreed and recognized time scale should be used here.
Expert judgement.
This could come from the project manager or the team, or external to the project or the performing organization. It should be used whenever sufficient knowledge, skills, experience or expertise is needed. In this case expert judgement would relate to knowledge of typical risks for this project, or experience of probability and impact for particular risks.