5th Edition PMBOK® Guide—Chapter 11: Process 11.3 Perform Qualitative Risk Analysis

1.  Introduction

The five risk-related project management processes in the Planning Process Group deal with setting up the Risk Management Plan (process 11.1), identifying (process 11.2), analyzing (processes 11.3 and 11.4), and then developing responses for risks to the project (process 11.5).

This post is devoted to the Inputs, Tools & Techniques, and the Outputs of the third of  these five processes, 11.3 Perform Qualitative Risk Analysis.

2.  Inputs

The main inputs comes from the risk management plan, the framework set up as part of process 11.1 for all risk management activities on the project, and the risk register, which contains the output of the last process.  At this stage, the risk register contains a list of the identified risks and possibly some potential risk responses (although these will be fully developed in the last planning process for risk management, process 11.5 Plan Risk Responses).

An analysis of the scope baseline may show in general whether the project is high risk compared to other projects by analyzing the level of technology involved and the level of complexity of the project.

Finally, information from industry sources or from the organization itself on risks involved in similar projects may also be useful for this process.

1. Risk Management Plan The key elements of the Risk Management Plan used in this process are

  • roles and responsibilities for conducting risk management
  • budget, schedule for risk management activities
  • definition of risk categories
  • definition of risk probability and impact
  • probability and impact matrix
  • stakeholder’s risk tolerances

These elements are normally developed during process 11.1 Plan Risk Management.

2. Scope Baseline An analysis of the scope baseline will indicate if the project has higher risk, which will occur if the project involves

  • state-of-the-art technology
  • high complexity
3. Risk Register This contains the risks and potential risk responses identified in process 11.2 Identify Risks.
4. EEFs
  • Industry studies of similar projects by risk specialists
  • Risk databases from industry or proprietary sources
5. OPAs
  • Historical information from similar projects
1. Risk probability and impact assessment
  • Risk probability assessment investigates likelihood of each risk.
  • Risk impact assessment investigates potential effect on project constraints (schedule, cost, quality, scope)
2. Probability and impact matrix Based on the risk probability and impact assessment, a matrix is created showing both the probability and the impact for each risk.  A risk rating is assigned of high, moderate, or low depending on the pre-determined preference of the organization.


Sometimes, the low risks are put in a watch list for further monitoring during the course of the project.

3. Risk data quality assessment The degree to which data about risks on the project has

  • Accuracy
  • Quality
  • Reliability
  • Integrity
4. Risk categorization Risks to the project can be categorized according to their source (using the Risk Breakdown Structure), the area of the project effected (using the Work Breakdown Structure), or the phase of the project effected.
5. Risk urgency assessment Based on whether the risk is likely to occur in the near-term.  Some risk rankings combine the risk probability, risk impact, AND the risk urgency.
6. Expert judgment Expert judgment is often used to determine the risk probability and impact.
1. Project Documents Updates Risk register—for each risk identified in process 11.2, the following information is added as an output to process 11.3:

  • Assessments of probability and impact
  • Risk urgency
  • Risk ranking
  • Risk categorization
  • Watch list for low probability risks

Assumptions log–the project scope statement may contain assumptions about the project which may be updated as a result of the qualitative risk analysis done in this process.

3.  Tools & Techniques

The main tool is taking each risk identified in the last process and assessing the risk probability, the risk impact, and for some organizations, the risk urgency.  These two or three factors are then combined in a matrix, the risk probability and impact matrix, which will the risk rating for each risk.  This risk rating is taken from the product of the probability, the impact, and possibly the urgency of the project.  Usually, these three factors are measured on a scale from 0 to 1.0 or from 0 to 10.   The purpose of this ranking of the risks is so that they can be grouped as a low, moderate, or high-level risk.    The purpose of this grouping is to figure out the general approach to the risks:  will they be avoided, mitigated, transferred, or accepted in the case of negative risks (threats), or will they be exploited, enhanced, shared, or accepted in the case of positive risks (opportunities)?

For example, in some organizations, the low-level risks are simply accepted for the time being, but put on a watch list for further monitoring during the course of the project to see if their status changes either in terms of probability of occurrence or potential impact on the project.

What have been described above are tools of qualitative risk analysis, but the most often used technique is that of expert judgment, where those with expertise in risk management are consulted to come up with the initial assessments of the risk probability and impact.

4.  Outputs

As with all of the risk management planning processes, the risk register is a place where the risks identified in process 11.2 will have more and more information attached to them in the course of processes 11.3-11.5.  In the case of this process 11.3, Perform Qualitative Risk Analysis, the risk categorization (what is the source of the risk, what activities on the project is it most associated with, etc.), and the risk probability, impact, and urgency, and then their combination in the risk probability and impact matrix, are the important additions to the risk register.

The next process is taking the qualitative risk analysis of the risks done in this process and taking it to the next step, to performing a quantitative analysis of the risks.  That is the subject of the next post.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: