Qualitative Risk Analysis

University Degree Mathematical and Computer Sciences

Qualitative Risk Analysis

Qualitative risk analysis is the process of performing a qualitative analysis of identified risks. This process is intended to prioritize risks according to their potential effect on business objectives. Qualitative risk analysis is one way of determining the importance of addressing specific risks and guides risk response measures. The time-criticality of risk-related actions may magnify the importance of a risk. An evaluation of the quality of the available information also helps modify the assessment of the risk. Qualitative risk Analysis requires that the probability and impact of the risks be estimated using qualitative analysis methods and tools. Using these tools helps correct biases that are often present in a business plan. Qualitative risk analysis should be revisited during the business’s life cycle to stay current with changes in business risks. This process can lead to further analysis in quantitative risk analysis or directly to risk response planning .

Inputs to Qualitative Risk Analysis

Risk management plan.
Identified risks. Risks discovered during the risk identification process are evaluated along with their potential impacts on the business.
Business status. The uncertainty of a risk often depends on the business’s progress through its life cycle. Early in the business many risks have not surfaced, the design for the business is immature and changes can occur, making it likely that more risks will be discovered.
Business type. Businesses of a common or recurrent type tend to have less risk. Businesses using state-of-the-art or first-of-a-kind technology or highly complex businesses tend to have more risk.
Data precision. Precision describes the extent to which a risk is known and understood. It measures the extent of data available as well as the reliability of data. The source of the data that was used to identify the risk must be evaluated.
Scales of probability and impact. These scales are to be used in assessing the two key dimensions of risk.

Tools and Techniques for qualitative Risk Analysis

Risk probability and impact. Risk probability and risk impact may be described in qualitative terms such as very high, high, moderate, low and very low.

Risk probability is the likelihood that a risk will occur.
Risk impact is the effect on business objectives if the risk occurs.

These two dimensions of risk are applied to specific risks, not to the overall business. Analysis of risks using probability and impact helps identify those risks that should be managed aggressively.

Probability / impact risk rating matrix. A ...

This is a preview of the whole essay

Tools and Techniques for qualitative Risk Analysis

Risk probability and impact. Risk probability and risk impact may be described in qualitative terms such as very high, high, moderate, low and very low.

Risk probability is the likelihood that a risk will occur.
Risk impact is the effect on business objectives if the risk occurs.

These two dimensions of risk are applied to specific risks, not to the overall business. Analysis of risks using probability and impact helps identify those risks that should be managed aggressively.

Probability / impact risk rating matrix. A matrix may be constructed that assigns risk ratings (low, moderate and high) to risks or conditions based on combining probability and impact scales. Risks with high probability and high impact are likely to require further analysis, including quantification, and aggressive risk management. The risk rating is accomplished using a matrix and risk scales for each risk or condition.

A risk’s probability scale naturally falls between 0.0 (no probability) and 1.0 (certainty). Assessing risk probability may be difficult because expert judgment is used, often without benefit of historical data. A general scale (e.g. .1/.3/.5/.7/.9), representing probabilities from very unlikely to almost certain, could be used.

The risk’s impact scale reflects the severity of its impact on the business objective. Impact scales can be ordinal or cardinal depending on the culture of the organization conducting the analysis. Ordinal scales are simply rank-ordered values (e.g. very low, low, moderate, high and very high). Cardinal scales can be linear (e.g. .1 / .3 / .5 / .7 / .9) but are often non-linear (e.g. .05 / .1 / .2 / .4 / .8) reflecting the organization’s desire to avoid high-impact risks. The intent of both approaches is to assign a relative value to the impact on business objectives if the risk in question occurs. Well-defined scales, whether ordinal or cardinal, can be developed using definitions agreed upon by the organization. These definitions improve the quality of the data and make the process more repeatable. An example of evaluating risk impacts by business objective and illustrates its use for either ordinal or cardinal approach. These scales might have been prepared by the organization before the business begins.

Probability–Impact matrix. It illustrates the multiplication of the probability and impact, a common way to combine these two dimensions, to determine whether a risk is considered low, moderate or high. Alternatively, the P-I matrix can be developed using ordinal scales. The organization must determine which combinations of probability and impact result in a risk’s being classified as high risk (red condition), moderate risk (yellow condition), and low risk (green condition) for either approach. The risk score helps put the risk into a category that will guide risk response actions.

Business assumptions testing. Identified assumptions must be tested against two criteria: assumption stability and the impact on the business if the assumption is false. Alternative assumptions that may be true should be identified and their impact on the business objectives tested in the qualitative risk analysis process.
Data precision ranking. Qualitative risk analysis requires accurate and unbiased data if it is to be helpful to business management. Data precision ranking is a technique to evaluate the degree to which the data about risks are useful for risk management. It involves examining:

Extent of understanding of a risk
Data available about the risk
Quality and integrity of data
Reliability of data

The use of data of low precision, for instance if a risk is not well understood, may lead to a qualitative risk analysis of little use to the business manager. If a ranking of data precision is unacceptable, it may be possible to gather better data.

Outputs from Qualitative Risk Analysis

Overall risk ranking for the business. Risk ranking may indicate the overall risk position of a business relative to other businesses by comparing risk scores. It can be used to assign personnel or other resources to businesses with different risk rankings, to make a benefit-cost analysis decision about the business, or to support a recommendation for business cancellation.
List of prioritized risks. Risks and conditions may be prioritized by their group category (high, moderate, and low) at a detailed level, perhaps at the lowest WBS level. Risks may also be grouped by those that require an immediate response and those that can be handled at a later date. Cost, schedule, functionality and quality risks may be assessed separately with different ratings. Significant risks should have a description of the basis for the assessed probability and impact.
List of risks for additional analysis and management. Risks classified as high or moderate would be prime candidates for more analysis, including quantitative risk analysis, and for risk management action.