- Tools and Techniques for qualitative Risk Analysis
-
Risk probability and impact. Risk probability and risk impact may be described in qualitative terms such as very high, high, moderate, low and very low.
-
Risk probability is the likelihood that a risk will occur.
-
Risk impact is the effect on business objectives if the risk occurs.
These two dimensions of risk are applied to specific risks, not to the overall business. Analysis of risks using probability and impact helps identify those risks that should be managed aggressively.
-
Probability / impact risk rating matrix. A matrix may be constructed that assigns risk ratings (low, moderate and high) to risks or conditions based on combining probability and impact scales. Risks with high probability and high impact are likely to require further analysis, including quantification, and aggressive risk management. The risk rating is accomplished using a matrix and risk scales for each risk or condition.
A risk’s probability scale naturally falls between 0.0 (no probability) and 1.0 (certainty). Assessing risk probability may be difficult because expert judgment is used, often without benefit of historical data. A general scale (e.g. .1/.3/.5/.7/.9), representing probabilities from very unlikely to almost certain, could be used.
The risk’s impact scale reflects the severity of its impact on the business objective. Impact scales can be ordinal or cardinal depending on the culture of the organization conducting the analysis. Ordinal scales are simply rank-ordered values (e.g. very low, low, moderate, high and very high). Cardinal scales can be linear (e.g. .1 / .3 / .5 / .7 / .9) but are often non-linear (e.g. .05 / .1 / .2 / .4 / .8) reflecting the organization’s desire to avoid high-impact risks. The intent of both approaches is to assign a relative value to the impact on business objectives if the risk in question occurs. Well-defined scales, whether ordinal or cardinal, can be developed using definitions agreed upon by the organization. These definitions improve the quality of the data and make the process more repeatable. An example of evaluating risk impacts by business objective and illustrates its use for either ordinal or cardinal approach. These scales might have been prepared by the organization before the business begins.
Probability–Impact matrix. It illustrates the multiplication of the probability and impact, a common way to combine these two dimensions, to determine whether a risk is considered low, moderate or high. Alternatively, the P-I matrix can be developed using ordinal scales. The organization must determine which combinations of probability and impact result in a risk’s being classified as high risk (red condition), moderate risk (yellow condition), and low risk (green condition) for either approach. The risk score helps put the risk into a category that will guide risk response actions.
-
Business assumptions testing. Identified assumptions must be tested against two criteria: assumption stability and the impact on the business if the assumption is false. Alternative assumptions that may be true should be identified and their impact on the business objectives tested in the qualitative risk analysis process.
-
Data precision ranking. Qualitative risk analysis requires accurate and unbiased data if it is to be helpful to business management. Data precision ranking is a technique to evaluate the degree to which the data about risks are useful for risk management. It involves examining:
- Extent of understanding of a risk
- Data available about the risk
- Quality and integrity of data
- Reliability of data
The use of data of low precision, for instance if a risk is not well understood, may lead to a qualitative risk analysis of little use to the business manager. If a ranking of data precision is unacceptable, it may be possible to gather better data.
- Outputs from Qualitative Risk Analysis
-
Overall risk ranking for the business. Risk ranking may indicate the overall risk position of a business relative to other businesses by comparing risk scores. It can be used to assign personnel or other resources to businesses with different risk rankings, to make a benefit-cost analysis decision about the business, or to support a recommendation for business cancellation.
-
List of prioritized risks. Risks and conditions may be prioritized by their group category (high, moderate, and low) at a detailed level, perhaps at the lowest WBS level. Risks may also be grouped by those that require an immediate response and those that can be handled at a later date. Cost, schedule, functionality and quality risks may be assessed separately with different ratings. Significant risks should have a description of the basis for the assessed probability and impact.
-
List of risks for additional analysis and management. Risks classified as high or moderate would be prime candidates for more analysis, including quantitative risk analysis, and for risk management action.