Qualitative Risk Analysis

Most of what ISO 31000 expresses about risk analysis is Qualitative Risk Analysis (QlRA).

QlRA involves considering the causes and consequences of risks and their likelihood of occurrence. The scale of each of the applicable types of consequences is considered, as is the level of likelihood. QlRA considers risks individually rather than the overall effect of the identified risks on the project.

ISO 31000 is careful to use qualitative terms for levels of risk likelihood and consequence and emphasises that the extent of uncertainty applicable to the determination of likelihood and consequence levels should be documented. It distinguishes between qualitative likelihood (expressed in levels) and quantitative probability (expressed in fractions of 1 or percentages). Likewise, it distinguishes between qualitative consequences (expressed in levels) and quantitative impacts (expressed in quantifiable units such as time or cost).

The UK Association for Project Management (APM), in its publication Project Risk Analysis and Management (PRAM) Guide (2nd Edition 2004), defines qualitative (risk) assessment as “an assessment of risk relating to the qualities and subjective elements of the risk – those that cannot be quantified accurately. Qualitative techniques include the definition of risk, the recording of risk details and relationships and the categorisation and prioritisation of risks relative to each other” (the last aspect referring to the risk evaluation step of risk assessment).

PMI does not distinguish between qualitative and quantitative terminology in its Practice Standard for Risk Management. It equates likelihood with probability and consequence with impact and defines the performance of Qualitative Risk Analysis as “The process of prioritising risks for further analysis or action by assessing and combining their probability of occurrence and impact.”

Our recommendation is to accept that QlRA is the subjective assignment of levels of likelihood and consequences (of various categories as applicable) to risk events and, where possible, to express the lower and upper thresholds of those levels semi-quantitatively, as probability percentages and impact values (cost, time relative to the total project budget and duration), during the initial step of the risk management process: Setting the Context.

In qualitative risk analysis, a Probability / Impact (PI) Matrix is usually used to represent the severity of a risk, using the assumption that risk severity or magnitude is the combination of likelihood and consequence. In semi-quantitative terms, Risk Exposure = Probability x Impact.

Risks are assessed for probability along the vertical axis, and impact is assessed along the horizontal axis. However, the impact units and thresholds are different for different category consequences. This is what enables risks of differing consequence categories to be combined in the one PI matrix and ranked in the one qualitative risk analysis register.

An example Probability and Exposure Level Guide to the PI Matrix that follows is shown below, for both Threats and Opportunities. The Exposure Level colour matches the level number in the scheme illustrated.

Qualitative Risk Analysis is the entry step for risk analysis. It must be performed before quantitative risk analysis can be used. In addition it is the only way by which risks of all kinds of impact categories can be integrated into the one register. So risks describing Environmental, Health and Safety, Operational, Business and Reputational Impacts can all be included in a single Project Risk Register even though they do not have a commonly quantifiable metric for impact.

As noted above Qualitative Risk Assessment enables the comparative rating of environmental, reputational, health and safety, and other qualitative impacts that cannot readily be reduced to a single unifying metric such as a financial or durational impact. Taking safety risk as an example, a risk could be rated for impact on a scale ranging from “First Aid Injury” through to “Multiple Fatalities”.

Furthermore, where risks cover difficult or intractable problems for which no obvious treatments are apparent, qualitative risk analysis offers the best means of continued management and development of resolution.

However, qualitative approaches to risk analysis are unable to provide an overall measure of how risky a project is. For this Quantitative Risk Analysis is required. In addition, qualitative risk analyses start to show their limitations when a greater level of definition is required to inform decision making. Qualitative systems become cumbersome to work with when increasing the number of likelihood and consequence levels, and may still fall short of truly identifying the relative exposures of different risks in the register.

Additionally, qualitative systems are hampered by linguistic barriers associated with the individual’s interpretation of the qualitative terms. This is because the meaning inferred through usage of terms changes both between individuals and cultures. Some methodologies take a semi-quantitative approach to defining qualitative risk metrics to deal with this difficulty. This is achieved by defining quantitative thresholds associated with each qualitative label, as described above and distributing these at the start of the risk identification / rating process.