6th Edition PMBOK® Guide: Process 11.3 Perform Qualitative Risk Analysis: Tools and Techniques

This process takes the individual project risks identified in the last process 11.2 Identify Risks and starts to categorize them by assessing their probability of occurring and their potential impact on the project if they do occur.   Why do this assessment?   Because it allows you to prioritize them so that you are concentrating on higher risks.   There are four basic ways of dealing with negative risk to a project:

  • Accept–for low-impact, low-probability risks
  • Transfer–for high-impact, low-probability risks:   transferring some of the risk via insurance.
  • Mitigate–for low-impact, high-probability risks:   taking preventive measures to lower the probability that the risk may occur, or to mitigate the impact if it does occur.   You can’t stop it from raining, for example, but you can take an umbrella to prevent yourself from getting soaked if it does rain.
  • Avoid–for high-probability, high-impact risks:   figuring out possible alternatives to reduce the probability, or by outsourcing higher-risk activities to other companies more experienced in dealing with that risk.

This general framework of generic risk strategies comes from the 5th Edition PMBOK® Guide,; although it does not explicitly appear in the 6th Edition, I still found it a useful framework for conceptualizing how the qualitative analysis of risk leads to some generic strategies for dealing with individual project risks based on their category according to probability and impact.    It is in the next process with quantitative risk analysis that an individual risk response can be crafted.

11.3.2  Perform Qualitative Analysis:   Tools and Techniques  Expert Judgment

This is one of the “generic” techniques used in a lot of planning processes.   It means asking for subject matter experts, in this case on the subject of qualitative risk analysis, to help your project team assess the probability and impacts of individual project risks.   These are people who have either done a similar analysis before, and particularly those who have analyzed a similar project to the one currently being done by your organization.  Data Gathering

Interviews with stakeholders are one way of assessing the probability and impact of individual project risks.  Data Analysis

  • Risk probability and impact statement:   risk probability is the likelihood that a specific risk will occur, and risk impact is the potential effect on one or more project objectives such as schedule, cost, quality or overall performance of scope.  Although it is a qualitative analysis meaning that is based on the subjective impressions of people, it can be nonetheless quantified to a certain extent by giving a scale or range for the probability and/or impact.   For example, you could use the following scheme to rate each risk from 1 to 5:
    • Very low (1)
    • Low (2)
    • Moderate (3)
    • High (4)
    • Very high (5)

Or you could try rating each risk from between 0 and 1, with “very low” being close to 0 and “very high” being close to 1.   It depends on how your organization classifies risk and this should be included in the risk management plan.

When you combine the two factors together, you will get a combined probability and impact rating.   In the top scheme above, the combined rating will be from 1 to 25, and in the bottom rating, it will be between 0 and 1.   An example of such a combined probability and impact rating matrix is given in Figure 11-5 on page 408 of the 6th edition of PMBOK® Guide.

Usually risks that are both low impact and probability are put on a “watch list”, where they are simply accepted (meaning that there is no specific risk response to try to mitigate the impact or probability), but are monitored to see if they increase in probability or impact during the course of the project, in which case a risk response may have to be developed.

  • Risk data quality assessment–although this is most often done during the monitoring and control process group, it is important to review the results of the qualitative risk analysis to make sure they are accurate.
  • Assessment of other risk parameters–although probability and impact are the most important parameters to assess, your organization may add others, such as “urgency”, the period of time within which a risk response needs to be implemented for that particular risk.   The complete list of these additional parameters are listed on p. 424 of the 6th edition of PMBOK® Guide.  Interpersonal and Team Skills

Here is another “generic” tool and technique used in conjunction with gathering data in many planning processes.   Facilitation is like a group interview technique where participants focus on the risk analysis task  and reach a consensus on assessments of probability and impact rather than just having individual interviews.  Risk Categorization

There is a tool called a Risk Breakdown Structure which helps categorize risks based on their source such as the following suggested categories listed in Figure 11-4 on p. 406 of the 6th edition of PMBOK® Guide:

  • Technical risk
  • Management risk
  • Commercial risk
  • External risk

Grouping risk into these categories can help in focusing on particular types of risk, and developing generic risk responses to address groups of risks related to the same source.  Data Representation

  • Probability and impact matrix–this is a grid for mapping the probability and impact of each individual risk, with an example being given in Figure 11.5 on p. 408 of the 6th edition of PMBOK® Guide.
  • Hierarchical charts–another possible form of data representation would be if there are three parameters, so for example, the probability and urgency would be represented by the x- and y-axis, and the impact denoted by a bubble which represents the size of the potential impact on the project.   An example of what this looks like is included on Figure 11-10 on p. 426 of the 6th edition of the PMBOK® Guide.  Meetings

PMI recommends that there be special meetings devoted specifically to the discussion of individual project risks.   This is not just during the planning phase, like in this process of assessing their probability and impact, but also during other processes.

The meeting related to this process should include the following:

  • Review of the list of previous identified risks
  • Risk owner allocated to each individual project risk
  • Reviewing the probability and impact scales to be used during the analysis
  • Conducting an assessment of the probability and impact of the individual project risks and using probability/impact matrix to get combined rating
  • Categorization and prioritization of risks based on combined probability/impact rating
  • Identification of additional risks (to be added to the risk register)

The next post will be on the outputs of this process.




One Response

  1. […] judgment, knowledge gathering, and knowledge evaluation are simply among the qualitative danger evaluation instruments groups can use. Every has its advantages and downsides. Skilled judgment supplies perception based […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: