Security

Use these steps in qualitative analysis of project risks

When you use qualitative risk analysis you should evaluate each risk and designate each risk as high, medium, or low, depending on two criteria--the severity of impact and the probability of the event occurring. Here's how to do it.

The first part of the risk management process is to identify all of the potential risks on a project. Of course, you don't have the time to manage every possible risk. You have to triage the risks--that is, determine which ones are important enough to spend time on. You can do this through risk analysis techniques.

Most projects can use qualitative risk analysis techniques to determine which risks are important enough to manage. The technique is "qualitative" since it is a quick approximation and doesn't reflect the rigor of a detailed, numerical analysis. When you use qualitative risk analysis you should evaluate each risk and designate each risk as high, medium, or low, depending on two criteria--the severity of impact and the probability of the event occurring. Here are the steps involved in this technique:

  • Identify the severity of the impact to the project in terms of high, medium, and low.
  • Estimate the probability of the risk occurring in terms of high, medium, and low.

You will have to define what high, medium, and low mean for your project. That project-by-project definition is what makes this a more subjective risk analysis technique.

The following bullet points show one way that you can apply qualitative risk analysis. Notice that the first line shows a risk that is highly likely to occur and has a high impact to the project. This is obviously a high overall risk. On the other hand, the last line shows a risk that has a low impact and is not likely to happen anyway. This would certainly be considered a low risk. The other combinations fall somewhere within this continuum.

  • High negative impact to project / Highly likely to occur -- high risk
  • High negative impact to project / Medium likely to occur -- high risk
  • High negative impact to project / Not likely to occur -- medium/low risk
  • Medium negative impact to project / Highly likely to occur -- medium risk
  • Medium negative impact to project / Medium likely to occur -- medium/low risk
  • Medium negative impact to project / Not likely to occur -- low risk
  • Low negative impact to project / Highly likely to occur -- low risk
  • Low negative impact to project / Medium likely to occur -- low risk
  • Low negative impact to project / Not likely to occur -- low risk

This is just one example of risk categorization. But this simple type of risk analysis can be used on most projects.

Once the risks are categorized, you would want to build a risk plan for all high risks. The medium-level risks can be evaluated individually to see if you should manage the risks or ignore them. You can ignore the low-level risks.

5 comments
hemarama

I like the article very much. Is it possible to brainstorm to assess business risk?

sofya62

I agree with what was said. To complete the risk analysis, I would go further into the mitigation issues. It is nice to know that you have a high risk and that your team can mitigate it. However, management needs to know if you are capable of mitigating the big risks, and how much this will cost. If you multiply the risk x impact by a mitigation capability percentage, this should give you the same scale (0 to 100) with the added information. For any manager, presenting the risks is one thing. Being able to show which risks can and cannot be mitigated with internal or external sources shows leadership and a resolve to plan and act on the risk mitigation process before it gets out of hand. After that it becomes easier to sell the mitigation strategy, to cost it and to allocate the necessary resources for highest impact on the perceived risks. There are several mitigation strategies and all have their own capability measures that should also be included in the risk analysis. This topic, though, should be for another response...

shagnthings

We do this type of risk analysis on our projects and find that if you use a 1-10 scale on impact & probability and multiply them it gives a rating out of 100. You can then define what rating windows equal a high, medium, etc. risk. It just helps reduce the subjective approach to risk analysis. Just my 2 cents.

wparke

It would be extremely helpful to follow this article up with one explaining the development of the risk plan!

twsheely

This was recommended in a recent workshop I attended on Risk Management: Probability (1 to 8), Impact (1 to 10). Multiply them together to get an Overall Risk Rating. You can then easily see the "Top 5" or "Top 10" risks in the project by applying an agreed-upon risk threshold. The Probability and Impact rating scales are meant to convey a standard interpretation for consistency. Also - a "risk" that has a greater than 80% probability is more likely to be a "certainty".