Qualitative Risk Analysis
What is Qualitative Risk Analysis?
Most of what ISO 31000 expresses about risk analysis is Qualitative Risk Analysis (QlRA).
QlRA involves considering the causes and consequences of risks and their likelihood of occurrence. The scale of each of the applicable types of consequences is considered, as is the level of likelihood. QlRA considers risks individually rather than the overall effect of the identified risks on the project.
ISO 31000 is careful to use qualitative terms for levels of risk likelihood and consequence and emphasises that the extent of uncertainty applicable to the determination of likelihood and consequence levels should be documented. It distinguishes between qualitative likelihood (expressed in levels) and quantitative probability (expressed in fractions of 1 or percentages). Likewise, it distinguishes between qualitative consequences (expressed in levels) and quantitative impacts (expressed in quantifiable units such as time or cost).
The UK Association for Project Management (APM), in its publication Project Risk Analysis and Management (PRAM) Guide (2nd Edition 2004), defines qualitative (risk) assessment as “an assessment of risk relating to the qualities and subjective elements of the risk – those that cannot be quantified accurately. Qualitative techniques include the definition of risk, the recording of risk details and relationships and the categorisation and prioritisation of risks relative to each other” (the last aspect referring to the risk evaluation step of risk assessment).
PMI does not distinguish between qualitative and quantitative terminology in its Practice Standard for Risk Management. It equates likelihood with probability and consequence with impact and defines the performance of Qualitative Risk Analysis as “The process of prioritising risks for further analysis or action by assessing and combining their probability of occurrence and impact.”
Our recommendation is to accept that QlRA is the subjective assignment of levels of likelihood and consequences (of various categories as applicable) to risk events and, where possible, to express the lower and upper thresholds of those levels semi-quantitatively, as probability percentages and impact values (cost, time relative to the total project budget and duration), during the initial step of the risk management process: Setting the Context.
The Probability / Impact Matrix
In qualitative risk analysis, a Probability / Impact (PI) Matrix is usually used to represent the severity of a risk, using the assumption that risk severity or magnitude is the combination of likelihood and consequence. In semi-quantitative terms, Risk Exposure = Probability x Impact.
Risks are assessed for probability along the vertical axis, and impact is assessed along the horizontal axis. However, the impact units and thresholds are different for different category consequences. This is what enables risks of differing consequence categories to be combined in the one PI matrix and ranked in the one qualitative risk analysis register.
An example Probability and Exposure Level Guide to the PI Matrix that follows is shown below, for both Threats and Opportunities. The Exposure Level colour matches the level number in the scheme illustrated.
This approach is shown in the following PI Matrix for a Financial Impact matrix for a project with a value of $1.5 billion (100% impact). Each cell in the matrix is numbered according to the level of risk exposure. Organisations typically have different processes for handling risks according to the exposure level. Level 4 threats may be required to be referred to the Chief Executive or the Board Risk Committee, while level 3 threats may have to be dealt with by the Project Manager and level 2 threats and below may be managed by the project Risk Manager. Other numbering systems may be used, such as where each matrix cell has a unique number but the numbers within an exposure level are greater than the numbers in the level below and lower than the lowest number in the level above.
Semi-quantitative risk analysis extends this concept to apply numerical thresholds to the matrix cell edges. In the example above, a minor impact financial risk has been defined as being one with a value greater than $3.75 million but less than $37.5 million. These numbers define the vertical edges of the impact levels moving from left to right along the horizontal impact axis.
A similar process defines the horizontal edges of the five levels of the vertical probability axis. So for the Probability thresholds defined in the Probability and Exposure Level Guide above the PI matrix, the four boundary thresholds between Rare, Unlikely, Possible, Likely and Almost Certain are 2%, 10%, 50% and 80% respectively
The semi-quantitative matrix allows for finer delineation between risk exposures, as risks can be placed either low or high within each square. A qualitative matrix would place them at the mid-point of each cell.
When to Use Qualitative Risk Analysis
Qualitative Risk Analysis is the entry step for risk analysis. It must be performed before quantitative risk analysis can be used. In addition it is the only way by which risks of all kinds of impact categories can be integrated into the one register. So risks describing Environmental, Health and Safety, Operational, Business and Reputational Impacts can all be included in a single Project Risk Register even though they do not have a commonly quantifiable metric for impact.
Benefits and Limitations of Qualitative Risk Analysis
As noted above Qualitative Risk Assessment enables the comparative rating of environmental, reputational, health and safety, and other qualitative impacts that cannot readily be reduced to a single unifying metric such as a financial or durational impact. Taking safety risk as an example, a risk could be rated for impact on a scale ranging from “First Aid Injury” through to “Multiple Fatalities”.
Furthermore, where risks cover difficult or intractable problems for which no obvious treatments are apparent, qualitative risk analysis offers the best means of continued management and development of resolution.
However, qualitative approaches to risk analysis are unable to provide an overall measure of how risky a project is. For this Quantitative Risk Analysis is required. In addition, qualitative risk analyses start to show their limitations when a greater level of definition is required to inform decision making. Qualitative systems become cumbersome to work with when increasing the number of likelihood and consequence levels, and may still fall short of truly identifying the relative exposures of different risks in the register.
Additionally, qualitative systems are hampered by linguistic barriers associated with the individual’s interpretation of the qualitative terms. This is because the meaning inferred through usage of terms changes both between individuals and cultures. Some methodologies take a semi-quantitative approach to defining qualitative risk metrics to deal with this difficulty. This is achieved by defining quantitative thresholds associated with each qualitative label, as described above and distributing these at the start of the risk identification / rating process.