Use these steps in qualitative analysis of project risks

When you use qualitative risk analysis, you evaluate each risk and designate it as high, medium, or low, depending on two criteria: the severity of impact and the probability of the event occurring. Here's how to do it.

The first part of the risk management process is to identify all of the potential risks on a project. Of course, you don't have the time to manage every possible risk. You have to triage the risks—that is, determine which ones are important enough to spend time on. You can do this through risk analysis techniques.

Most projects can use qualitative risk analysis techniques to determine which risks are important enough to manage. The technique is "qualitative" because it is a quick approximation and doesn't reflect the rigor of a detailed, numerical analysis. When you use qualitative risk analysis, evaluate each risk and designate it as high, medium, or low, depending on two criteria: the severity of impact and the probability of the event occurring. Here are the steps involved in this technique:

  • Identify the severity of the impact to the project in terms of high, medium, and low.
  • Estimate the probability of the risk occurring in terms of high, medium, and low.

You will have to define what high, medium, and low mean for your project. That project-by-project definition is what makes this a more subjective risk analysis technique.

The following bullet points show one way that you can apply qualitative risk analysis. Notice that the first line shows a risk that is highly likely to occur and has a high impact on the project. This is obviously a high overall risk. On the other hand, the last line shows a risk that has a low impact and is not likely to happen anyway. This would certainly be considered a low risk. The other combinations fall somewhere within this continuum.

  • High negative impact to project / Highly likely to occur — high risk
  • High negative impact to project / Medium likely to occur — high risk
  • High negative impact to project / Not likely to occur — medium/low risk
  • Medium negative impact to project / Highly likely to occur — medium risk
  • Medium negative impact to project / Medium likely to occur — medium/low risk
  • Medium negative impact to project / Not likely to occur — low risk
  • Low negative impact to project / Highly likely to occur — low risk
  • Low negative impact to project / Medium likely to occur — low risk
  • Low negative impact to project / Not likely to occur — low risk

This is just one example of risk categorization. But this simple type of risk analysis can be used on most projects.

Once the risks are categorized, you would want to build a risk plan for all high risks. The medium-level risks can be evaluated individually to see if you should manage the risks or ignore them. You can ignore the low-level risks.
