Qualitative Risk Analysis

CEM 807
Lecture 4b

Chapter 4: Qualitative Risk Assessment

(Project Risk Management Guidelines: Managing Risks in Large Projects and Complex Procurements)
Introduction
• As per PMBOK Risk Management knowledge area:

• Perform Qualitative Risk Analysis is the process of prioritizing individual project risks
for further analysis or action by assessing their probability of occurrence and impact
as well as other characteristics.

• The key benefit of this process is that it focuses efforts on high-priority risks. This
process is performed throughout the project.

• The relative priorities of individual project risks for “Planning Risk Response” is
determined and a risk owner is identified for each risk who will take responsibility for
planning an appropriate risk response and ensuring that it is implemented.
Introduction
Introduction
• Risk identification generates a list of the risks that might impact on the
project.
• Often the list will be extensive, and it is necessary to separate the
important items from the less important ones. This process is called risk
assessment.
• Risk assessment has several objectives:
• it gives an overview of the general level and pattern of risk facing the project;
• it focuses management attention on the high-risk items in the list;
• it helps to decide where action is needed immediately, and where action plans
should be developed for future activities; and
• it facilitates the allocation of resources to support management’s action decisions.
• Risk assessment is composed of analysis (deals with determination of risks’
frequency and impact) and evaluation (determination of significance of a
risk)
Qualitative Risk Analysis
• The risk analysis step assigns each risk a priority rating, taking into account
existing activities, processes or plans that operate to reduce or control the
risk. It may use forms of analysis that range from simple qualitative
methods to more sophisticated quantitative approaches.
• Qualitative analysis is based on nominal or descriptive scales for describing the
likelihoods and consequences of risks. This is particularly useful for an initial review
or screening or when a quick assessment is required.

• Semi-quantitative analysis extends the qualitative analysis process by allocating

numerical values to the descriptive scales. The numbers are then used to derive
quantitative risk factors.

• Quantitative analysis uses numerical ratio scales for likelihoods and consequences,
rather than descriptive scales.
• P. 18, Victoria Roads – Risk Register
Qualitative Risk Analysis
• The significance of a risk can be expressed as a combination of its consequences or
impacts on project objectives, and the likelihood of those consequences arising.

• This can be accomplished with qualitative consequence and likelihood scales and a
matrix defining the significance of various combinations of these.

• Table 4.1 illustrates the general principle contained in most priority-setting processes:
risks are high-priority if problems are likely to arise and if they have large potential
consequences.

• This is a very simple structure. In practice, it is often too simple, because the two-way
distinctions between high and low likelihood and high and low consequence produce
only four combinations. This is rarely enough discrimination for effective decision
making.

• Table 4.2 shows an extension of the structure to a five-by-five matrix. This provides
greater discrimination, and allows more classifications of priority.
Qualitative Risk Analysis
Qualitative Risk Analysis

• A matrix like Table 4.2 can be structured according to the kinds of risks involved in
the project and the organization’s objectives, criteria and attitudes to risk.
• For example, the specific example in Table 4.2 is not symmetric, indicating that
the organization is concerned about most catastrophic events, even if they are
rare. This might be appropriate where human safety is threatened and the
organization needs to ensure the associated risks are being managed whatever
the likelihood of their occurrence.
Qualitative Risk Analysis
• To implement a structure like this, it is important that clear and
consistent definitions of the consequence and likelihood scales are
used.

• These are likely to depend on the nature of the project, its objectives
and criteria, and the kinds of risks anticipated.
Qualitative Risk Analysis
• The project team may consider other characteristics of risk (in
addition to probability/likelihood and impact/consequence) when
prioritizing individual project risks for further analysis and action.

• The consideration of some of these characteristics can provide a more

robust prioritization of risks than is possible by only assessing
probability and impact.

• These characteristics may include but are not limited to: (next slide)
Consequences (Impact) of Risks
• Consequences are rated in terms of the potential impact on the criteria, often on
five-point descriptive scales linked to the criteria identified in the context step.

• Where a risk has several consequences on different parts of the scale, the highest
consequence is used to generate the rating. This generates a conservative view of
the overall consequences of the risk.

• The limits established for each risk on the scale are contextual (notice the impact
of risk attitude) – involves corporate/executive management.

• Consequence scales established are influenced by organization’s objectives and

criteria for success hence they should be reviewed for each project.
Consequences (Impact) of Risks
• For a small/simple project
Likelihood (Probability) of Risks
• Likelihoods are rated in terms of annual occurrence on a five-point descriptive
scale, showing the likelihoods of specific risks arising and leading to the assessed
levels of consequences.

• Table 4.6 shows an example of a scale suitable for a major asset procurement,
where the time span of the scale is linked loosely to the 40-year nominal life of
the asset.
Likelihood (Probability) of Risks
Likelihood (Probability) of Risks
• For a small/simple project
Initial Risk Priorities
• A simple matrix is used to combine the likelihood and consequence
ratings to generate initial priorities for the risks.

• The outcome of this stage of the risk analysis is an initial view of the
significance of the identified risks.

• In some circumstances, particularly with simple scoring schemes, risks

can be honestly assigned too high or too low a significance on the
first pass. The next stage is designed to review this assignment and
adjust it where necessary.
Initial Risk Priorities
• A probability and impact matrix is a grid for mapping the probability of
each risk occurrence and its impact on project objectives if that risk occurs.

• Risks can be divided into priority groups and prioritized for further analysis
and planning of risk responses based on their probability and impacts.

• An organization can assess a risk separately for each objective (e.g., cost,
time, and scope) by having a separate probability and impact matrix for
each. Alternatively, it may develop ways to determine one overall priority
level for each risk, either by combining assessments for different
objectives, or by taking the highest priority level regardless of which
objective is affected.
Initial Risk Priorities
Initial Risk Priorities
Risk Evaluation
• Risk evaluation is about deciding whether risks are tolerable or not to the
project, taking into account:

• The evaluation step compares risk priorities from the initial analysis against
all the other risks and the organization’s known priorities and
requirements. Any risks that have been accorded too high or too low a
rating are adjusted, with a record of the adjustment being retained for
tracking purposes. The outcome is a list of risks with agreed priority
ratings.
Risk Evaluation
• Adjustments to the initial priorities may be made for several reasons.
Inherent Risks
• As an extension of the evaluation process, the inherent risk level for
each risk may be considered
• The inherent level of risk is the level that would exist if the controls
(to manage the risk) did not work as intended, or if there were a
credible failure of controls.
The Risk Register
• The risk register for a project provides a repository for current
information about the risks and the treatment actions relating to
them.
• It is a living database that is updated as the project progresses, and
risks change.
The Risk Register
Another
example
Hierarchical Charts
• Where risks have been categorized using more than two parameters,
the probability and impact matrix cannot be used and other graphical
representations are required.
• For example, a bubble chart displays three dimensions of data, where
each risk is plotted as a disk (bubble), and the three parameters are
represented by the x-axis value, the y-axis value, and the bubble size.
• An example bubble chart is shown in Figure 11-10, with detectability
and proximity plotted on the x and y axes, and impact value
represented by bubble size.
Hierarchical Charts
Some Important Points
• The priority of identified individual project risks is assessed using their probability
of occurrence, the corresponding impact on project objectives if the risks occur,
and other factors.

• Such assessments are subjective as they are based on perceptions of risk by the
project team and other stakeholders.

• Effective assessment therefore requires explicit identification and management of

the risk attitudes of key participants in this process.

• Risk perception introduces bias into the assessment of identified risks, so

attention should be paid to identifying bias and correcting for it.

• An evaluation of the quality of the available information on individual project

risks also helps to clarify the assessment of each risk’s importance to the project.
 Critical Success Factors for the Qualitative
Risk Analysis Process
• Use Agreed-Upon Approach
• probability, impact, urgency, manageability, impact external to the
project
• Use Agreed-Upon Definitions of Risk Terms
• e.g. definitions of levels of probability and of impact on objectives
• Collect High-Quality Information about Risks
• Often high-quality information is not available in any historic database
and should be gathered by interviews, workshops, and other means
using expert judgment.
• Data gathered from individuals may be subject to reporting or
intentional bias which has to be managed separately.
• Perform Iterative Qualitative Risk Analysis
• This will be required as more risks are identified during the duration of
the project
Categorization of Risk Causes
• Understanding the relationships between risks may provide a better understanding of the
possibility and magnitude of project risk than if risks are only considered as separate and
independent events.

• Identifying common root causes of a group of risks, for instance, may reveal both the
magnitude of the risk event for the group as a whole along with effective strategies that might
address several risks simultaneously.

• Some risks may be linked with others in a causal chain, and understanding the chain of risks
may lead to a better understanding of the implication of risk for the project.

• Identifying risks that can occur at the same time or using the same resources for recovery
might provide a realistic picture of problems of risk mitigation using scarce resources.

• Risk analysis information may be combined with risks grouped based on their source, WBS,
and objectives to reveal significant sources, areas of projects, and critical objectives,
respectively, that are most sensitive from a risk perspective.
Categorization of Risk Causes (Caltrans
sample risk list)

Source:
Guide to Risk Assessment and Allocation
for Highway Construction Management