Do you take the time to analyze your risks during qualitative risk analysis? Do you have standardized risk management processes in your organization? Are your projects failing due to unforeseen circumstances?
Maybe you need to follow the PMI Pulse of the Profession 2023, which states that the third key driver for project management success is the “frequent use of standardized risk management practices.”
Today, we will review one of those standardized risk management practices: analyzing risk qualitatively.
First, A Very Quick Risk Management Overview
Risk Management
The Project Management Book of Knowledge (PMBOK) defines risk management as:
The process that shapes decison making across the organiation and within each of the domains and involves identifying, analyzing, responding to, and monitoring risks.
Risk management involves identifying risks, analyzing them, and planning responses. It aims to increase opportunities and limit threats. To learn more about the risk management process, check out my article stressing these steps to success.
The risk management lifecycle includes:
Plan Risk Management
Identify Risks
Perform Qualitative Risk Analysis
Perform Quantitative Risk Analysis
Plan Risk Responses
Implement Risk Responses
Monitor Risks
For today’s blog, we will examine one facet of the risk management lifecycle: “Perform Qualitative Risk Analysis,” specifically the importance of diagrams, techniques, and simplified risk matrices.
Qualitative Risk Analysis
After a risk is identified and put into the risk register, the risk needs to go through qualitative risk analysis. The PMBOK defines Qualitative Risk Analysis as:
"The consideration of a range of characteristics such as probabiltiy of occurrence, degree of impact on the objectives, manageability, timing of possible impacts, relationships with other risks, and common causes or effects."
Qualitative risk analysis comes after “Identify Risks” and is the process of prioritizing risks. This analysis is vital in determining whether to proceed to the next step, which is quantitative risk analysis.
The risk matrix is an essential element of qualitative analysis that is often overlooked. Today, though, we will show why this is one step you should not skip in your risk management processes.
Ways of Conducting Qualitative Risk Analysis
In “The Standard for Risk Management in Portfolios, Programs, and Projects,” multiple ways exist to analyze your risks qualitatively. They are:
Brainstorming
Affinity Diagrams
Analytic Hierarchy Process
Influence Diagrams
Nominal Group Technique
Probability and Impact Matrix (The Risk Matrix)
Brainstorming
The first and most straightforward technique is brainstorming, which involves less qualitative analysis and more risk identification. This collaborative technique allows you to generate multiple ideas, solutions, and approaches to your risks and issues.
The goal of a brainstorming session is to get the team to think outside the box. No idea should be off-limits, and criticism should be low. You do not want to discourage anyone from putting their idea down on the paper.
Everyone’s opinion matters as that idea could solve a significant problem for the project. Brainstorming aims to foster innovation and creativity while identifying many risks.
Through this exchange of brainstorming, team members cannot only come up with new ideas but also build upon someone else’s ideas. The focus does not have to be only on risks but can include solutions or questions to answer later.
When brainstorming, remember that you focus on quantity over quality—quality will come during the next steps.
The overall goal is to build a list of as many risks as possible for your analysis. Once you have the list, you can group all these risks into similar categories and priorities. You can also use an Affinity Diagram.
Affinity Diagrams
After a good brainstorming session, you need to organize your thoughts. The affinity diagram is a great way to categorize and prioritize your thoughts.
Affinity diagrams expand outside of just risk management for project managers. For our case today, affinity diagrams are a quick and easy way to categorize risks for a risk register.
To build an affinity diagram, you will want to cluster your risks (hopefully from a brainstorming session) into common banks of risks. You can also cluster them per relationship. The main goal of the clusters is to group the risks to build a bigger risk picture of the project.
The affinity diagram is used to organize thoughts, and it is extremely effective after brainstorming.
Analytic Hierarchy Process
Thomas L. Saaty developed the Analytic Hierarchy Process (AHP), a matrix, method-based technique. With a base for multi-criteria decision-making in importance and impact, this structured approach breaks down decisions into an analysis hierarchy.
To conduct AHP, you conduct your assessment with an objective analysis. You start by identifying criteria and then comparing them against each other, building a preference factor for each criterion.
Once you have your criteria’s preference factor, you can build a relative weighting of the criteria. Once you have the weighted criteria, you can identify risks with the highest relative weight and determine the most important ones.
A systematic process, AHP allows you to use your judgment based on objective measures. In turn, you have project risks that are rated on your criteria, their importance, and their impact. Allowing you and your team to know which areas to focus on.
Influence Diagrams
Influence diagrams focus on cause-and-effect relationships across various risks. When building an influence diagram as a risk manager, you want to work towards finding the relationships across risks.
Using influence diagrams allows you to make better decisions when addressing the risks on your projects. By seeing relationships across the risks, you can make better decisions when planning risk responses since you know which risks impact each other.
Nominal Group Technique
The nominal group technique (NGT) is another brainstorming type technique that is built with more structure within it.
You must pull together a stakeholder group to correctly use the nominal group technique. Those stakeholders are given a question and limited time to answer. Then you move into the NGT process:
-
Generate an idea: Use the limited time to brainstorm ideas. By writing these ideas on paper, members avoid talking or interacting with each other, limiting groupthink.
-
Round Robin: When you are done generating ideas, you move into a round-robin. During this time, team members take turns listing one item off their list. When your list ends, you jump out of the rotation. The round-robin continues until all ideas are off participants’ papers and consolidated on a board.
-
Clarify & Discuss: Team members discuss their ideas throughout round robin and afterward. This justification helps clarify thought processes, allows others to ask questions, and provides context for the identified risks.
-
Voting: Once the team is ready, they vote on the criteria determined during round robin and clarity & discussion.
-
Consensus: Post voting, the team gains consensus as a group, allowing the team to move to the next question.
As you can tell, this more structured brainstorming method is highly effective in building a consensus around potential risks.
Probability and Impact Matrix
(The Risk Matrix)
The Risk Matrix, also known as the probability and impact matrix or a risk assessment matrix, is a resource used to prioritize risks.
By using risk matrix categories of your choice, you can create a risk matrix that aligns with your project requirements. By visually representing your risk categories and their associated probability and impact combination, you and your team can quickly determine the priority of your risks.
A Risk Assessment Matrix has an assessment process of:
Assess: You start by analyzing the risk’s probability of happening and the impact if it occurs. For this, you want to determine your risk-scoring criteria to determine the risk score. You can determine this through expert judgment and historical data from lessons learned.
Map: Once you know the probability and impact, you can map them to your risk matrix according to the risk rating score given in the assessment. This allows you to quickly see which risks are the highest and the lowest.
The risk matrix is an easy visual tool that shows low and high risks without calling a team together or using complicated mathematical analysis. It allows you to quickly see which risks are your highest risks, allowing you to focus on those threats or opportunities, leading to your project’s success.
Common Mistakes Around Qualitative Risk Analysis
Even the most senior project managers make mistakes when it comes to qualitative risk analysis and using the above techniques.
The most common of these mistakes are:
Insufficient Data Collection
Overlook Intersecting Factors
Lack of Stakeholder Involvement
Fail to Update and Review Regularly
Insufficient Data Collection
This is a common mistake in poor planning, as project managers often do not collect all the necessary data on risks or risk indicators. Lack of time, resources, and knowledge can drive this inability to collect enough risk data.
The number one way you do not gain sufficient data on your risks is to skip the risk management process. Instead of being a stand-alone process you deliberately attack during your projects, you fail to put risks into your risk log, not thinking about the details behind it.
You can mitigate this, though. You can ensure your project planning does not go to waste through detailed analysis (probably from the above risk techniques). Review your lessons learned, talk to experts, and look into industry trends.
Do what you need to do to assess risks appropriately for your project.
Overlook Intersecting Factors
When you overlook intersecting factors, you fail to see the dependencies and correlations between your risks or risk events. Failure like this means that even though you might allocate resources or shift your schedule, you are only opening yourself up to another, hopefully, less serious risk.
When conducting a risk assessment, you need to understand how your risks either interact or how the secondary effects will impact your project. Overlooking two intersecting factors can create a world of hurt when you realize you shifted a resource to mitigate a problem to realize they were key to another task. You don’t want to create a risk while mitigating another.
To avoid this, ensure you are mapping out your risks. One way to do this is through the influence diagram shown earlier. You can also ensure that your risk responses are broader than just focusing on a singular individual risk but hit multiple systemic risks based on their interconnectivity.
Lack of Stakeholder Involvement
This is always a favorite amongst project managers and project risk managers. Everyone has had key stakeholders who are not willing to participate. However, this also happens the other way around when project managers don’t interact appropriately with their stakeholders.
A stakeholder engagement plan can quickly fix this mistake. This document can help you bring in the right people for the right risks at the right time. This plan also helps to ensure your communication aligns with the needs of that particular stakeholder.
Fail to Update and Review Risks Regularly
Risks are not a one-and-done. To reach a successful project completion that is on time and under budget, you have to review your risks. And you have to review them regularly.
The best way to keep up with your project risks is to have constant reviews with your team.
Set up time with your team and your risk owners. Have a plan to review everyone’s work and an environment that allows people to bring up new risks. Ensure this is spelled out in the risk management plan and under the project schedule, providing the authority you need to bring everyone together to discuss the project’s risks.
Now, this might sound like a lot, but it really is not that hard. Establish a weekly schedule to have a weekly or bi-weekly review of your risks. Build out that schedule by risk severity, sections of the company, or risk likelihood. Whichever way you do it, make sure it happens.
The Benefits of Simplicity
Simplicity is key to managing risks, and the risk matrix is the key to simplicity.
Now, I know, and it is very much a PMI testing concept, that qualitative analysis is a way to take your risks with the highest risk ratings and prep them for quantitative analysis. Also, not all risks have to go through quantitative analysis.
So, to start the weeding-out process and to understand which risks you want to analyze in depth, The Risk Matrix is my top choice for your risk management needs. It’s my choice due to its simplicity and its linkage to the other techniques.
Never Skip Brainstorming
First, I am a huge fan of brainstorming. This is the opportunity to get everything on the table, especially early in the project. Quality over quantity is the mission of a good brainstorming session.
Your brainstorming sessions do require some structure, though. Do not just put everyone in a room and say GO! Think “Controlled Chaos” while executing a brain storming session.
To do this, provide some limitations and guide the brainstorming team to focus on the problem at hand. If you are trying to solve Problem A, do not start working on Problem C.
Try to use a whiteboard and put up stickies or have yourself with the marker, writing ideas on the board. This allows you to guide the risk assessment discussions and keep the team on track.
DO NOT let anyone start taking ideas off the board during the brainstorming. You can pick off and combine ideas after the session.
And always have a time limit. Personally, I recommend using a round of the pomodoro – allowing the team to go hard for planning and then take a break before doing it again.
The Risk Probability and Impact Matrix
After going through all these planning sessions, you want to take the large number of risks you developed and start determining which are high risks, moderate risks, and which are low risks.
At the end of the day, you cannot track them all. So, you need a way to determine which risks you want to worry about during the project.
This is when you pull out your handy, Risk Assessment Matrix template and start determining which of all your risks hit the highest likelihood scale of happening and which have the highest probability of occurring.
But how do you implement this analysis?
How to Implement The Risk Matrix
To implement a risk matrix into your planning, you want to know a few things:
How do you define the parameters of your risk matrix?
What are you putting as your values within the risk matrix?
How are you going to define and assign risk ratings?
How Do You Define The Parameters of Your Risk Matrix's Probability and Impact Rating?
There is no “You Must Have It This Way” for a risk matrix. You can use a 5×5, a 3×3, or even a 7×7, the only true limitation is you have to use odd numbers for your both your probability and impact.
The risk matrix probability and impact needs to have set parameters for your project. You can use whatever you need as long as you all understand and consistently use the same terminology for all risks. Some example are:
Severe, Major, Significant, Minor, Insignificant & Highly Likely, Likely, Maybe, Unlikely, Least Likely
Likely, High, Moderate [Medium], Unlikely, Highly Unlikely
Severe, Minor, Negligible & Unlikey, Likely, Most Likely
You can even add numbers to these values if that’s works best for you.
How you set this up, is truly up to you – just be consistent with how you do it.
What Are You Putting As Your Values Within The Risk Matrix?
Again, this is up to you. You can use values like we have above:
Most High, High, Medium, Low
High, Medium, Low
This is another area that is up to you, your team, and your company’s standard procedures. The important part is that you are consistent in how you use this throughout your risk matrix analysis.
How are you going to define and assign risk ratings?
This is where you take your identified risks and assign the proper probability and risk rating. Consider this the science behind the art regarding qualitative risk analysis.
First, for both probability and impact ratings, you want to rely on expert judgment. These individuals can give you the most accurate information for an educated guess on your risks.
Although you can use historical data, data gathering, and data analysis for this decision.
The important part is to use your available information without going into deep mathematical equations (We will get plenty of this in Quantitative Risk Analysis).
Once you have a good idea of the probability and impact, all you need to do is plot the risk on your matrix, and your work for now is complete.
The Final Step
Once you have completed your risk assessment matrix, you will end up with a list of risks prioritized according to your assigned value. Again, what value you give them is less important as long as you end up with a list of prioritized risks for your project.
Now, you come to your outputs of Qualitative Risk Analysis: Project Document Updates.
Project Document Updates means updating your risk register with your newly defined list of risks based on their priority (from your risk ratings).
You might also need to update any risk reports you have for your stakeholders. Risk reports show the overall risk picture while the risk register shows the individual risk data.
Your issue and assumption log might also require some additional updates based on your analysis. These issues and assumptions require additional work that we will have to address at a later date and time, but just know they will need updating.
When All Else Fails, Use a Risk Matrix!
As we wrap up today, you should reflect on this part of the risk management lifecycle. Like most parts of the lifecycle, qualitative risk analysis requires adherence to the PMBOK and vigilance in addressing all identified risks.
Qualitative risk analysis falls within the risk management process of:
Identifying
Analyzing
Responding to
Monitoring and Controlling
Qualitative risk analysis is just one step in this process, but it is the lynchpin for risk assessments and prioritizing risks for further analysis. Without a detailed look into risks for prioritization, you could end up working on the wrong risk and missing the suitable risk during the execution of your project.
To complete qualitative risk analysis, we use:
Brainstorming
Affinity Diagrams
Analytic Hierarchy Process
Influence Diagrams
Nominal Group Technique
The Risk Matrix
The Risk Matrix stands out as a simplistic method that offers us a visual representation for the final prioritization of risks. Mixing this technique with all the techniques listed above it creates a great way to ensure you get the most out of your qualitative risk assessments.
Keep The Work Going
If you use the above techniques during the planning phase of your project, I want you to remember that the journey does not end once you have prioritized your risk register. Qualitative risk analysis is an ongoing process throughout the project’s execution.
Avoid common pitfalls like:
Insufficient data collection
Overlooking Intersecting Factors
Lack of Stakeholder Involvement
Neglecting Regular Updates and Reviews
Qualitative Risk Analysis is not a one-and-done. It is a continuous process that builds upon itself throughout the life of your project.
Ensure you avoid any of the shortfalls, commit to the process, and lean on your project team. If you do so, your risk assessments will go a long way!
-Russ Parker
The Risk Blog is reader supported – Please consider contributing to the operating costs of running this blog!
