PMP Prep: Qualitative vs. Quantitative Risk Analysis

As you’re preparing for your PMI PMP exam, you’ll want to understand the basics of qualitative risk analysis (QLRA) and quantitative risk analysis (QTRA), both processes that are part of the “Project Risk Management” knowledge area. While these two concepts sound similar and both use numbers in risk rating, they’re not the same at all. Test-takers often get confused about how they work, how they vary and what unique roles they play. Adding to the confusion, QTRA can be optional! Both QLRA and QTRA are powerful risk analytics, and both have a place in project risk management. In this article, I explain their distinctive roles, show where they differ and illustrate what happens when both are used.

The PM Book of Knowledge risk management knowledge area has six processes that interact with each other:

Satya Narayan Dash figure 1

All possible risks are identified in the “identify risks” process and put into a project document called the “risk register.” Then qualitative risk analysis is performed. From there, it may lead to quantitative risk analysis or directly to risk response planning. In other words, quantitative risk analysis is optional, as indicated by the dotted line. If both QLRA and QTRA are performed, they’ll be in close sequence and the risk register will be updated for both types of processes.

In its simplest form QLRA is the process of evaluating individual risks from the “Identify Risks” stage for their probability or likelihood of occurring (the “P” value), multiplying that with the impact the risk could have on the project objective (the “I” value) and then prioritizing the risks based on their ultimate “risk score.”

QTRA is the process of providing numerical estimates of the overall effect of risks on the project objectives when all risks are considered simultaneously. The numerical estimates are usually in terms of schedule and cost. The prioritized list of risks created in the QLRA process is further updated in the QTRA process, based on the numerical estimates.

Why is QTRA optional? As a project manager, you operate in a highly constrained environment. Sometimes, you have to leave something out because you lack time or budget, particularly in smaller projects. So why perform QTRA at all? We’ll look at that shortly.

When only qualitative risk analysis is conducted on a project, it’s known as “partial risk analysis.”

How QLRA and QTRA Differ

The fundamental difference between QLRA and QTRA is that the first addresses individual risks of a project, whereas the second considers the overall project risk. The overall risk to the project is due to the combined effect of all risks and their possible interdependencies and correlations. Overall risk applies to the project as whole, rather than individual activities or cost items in the project.

Note that both QLRA and QTRA use numbers for risk rating and prioritization of risks. But QLRA is a subjective evaluation, whereas QTRA is more objective in terms of value or cost terms. In QLRA, for example, the risk rating could be “5” or “10” after multiplying the P and I values of the individual risks. For QTRA you establish the overall cost or time impact on the project, such as: “$25,000.”

Let’s look at a sample risk register that has been compiled through the “Identify Risks” process. In this example positive risks are known as opportunities and negative risks are known as threats.

Satya Narayan Dash figure 2

In QLRA, the probability and impact values are assigned and the risk score is set. Probability values may be textual (low, medium, high); graphical (red, orange, green); or numerical (1 for low risks, 5 for high risks or somewhere in between). Each risk is assigned a probability value and an impact value and the risk score is calculated. It’s not uncommon to combine the numerical and graphical values to have a color-coded indicator.

The updated risk register in the figure above, which summarizes the output of the QLRA process, is sometimes known as the “qualitative risk register.” The register may contain other information, such as identification date, identifying person, cause, effect and risk exposure. Based on the risk scores, you perform the prioritization of risks; if the score crosses risk tolerance limits for your organization, then you know you have to take a risk response.

As I noted earlier, QTRA is performed after QLRA. In the QTRA, you quantify some of the items from the qualitative risk registers and assign a cost value. The updated risk register, as shown below, is sometimes referred to as the “quantitative risk register.”

Satya Narayan Dash figure 3

Notice that the register may contain other information such as impacted activities of the project, correlation and probabilistic distribution details, among others. In my example, I’ve used expected monetary value technique (EMV) for further prioritization and subsequent risk response planning on the quantified risks.

Differences between Qualitative and Quantitative Risk Analysis

In addition to the differences between QLRA and QTRA that I’ve already mentioned, others also exist, which I’ve summarized in the table below.

Qualitative Risk Analysis (QLRA)Quantitative Risk Analysis (QTRA)
Performed first.Performed after qualitative analysis is done.
Should be always done.Can be optional.
Examines individual project risks.Examines the combined effects of risks on the project as a whole to determine an overall project risk.
Day-to-day risk management is focused on individual project risks.Overall project risk is important for strategic decision making and project governance.
For smaller projects QLRA will suffice. QTRA is time-consuming and hence may not be desired.For large projects, QTRA is needed to know the overall risk of the project.
It's about the risk's discrete probability of occurrence and impact.It's about probabilistic distributions (discrete or continuous) to characterize the risk's probability and impact.
Risk scale is qualitative and can be textual (low, medium, high), color coded, numeric (from 1 to 5) or some combination.Risk scale and scores are quantitative, typically specified in monetary and schedule terms.
First level of risk prioritization happens in QLRA.

The "P" and "I" values are determined and the priority is determined, based on "risk attitude" -- to what extent individual risk or overall project risk matters.
In QTRA, further prioritization happens based on cost impact and/or schedule impact. On this prioritized list, the risk response is planned.
Risk watch list, a list of low-priority risks (those with low probability and impact values) is created here. For the risks on the watch list, no risk response planning is done, but they're kept for future monitoring.Not applicable
In QLRA, risk urgency assessment happens. Risk urgency informs how close a risk is. Risk urgency is also called risk proximity. Not applicable
Risk manageability, which suggests how manageable a risk is, is checked in QLRA. Here's where the decision is taken to go forward, stop or inform the customer of the risk.Not applicable
Not applicableIn QTRA, estimates for contingency reserve are determined. Contingency reserve is allocated for known risks that can't be managed proactively.
Degree of confidence for overall risk is undetermined.Degree of confidence for overall risk is determined (for example, 80th percentile or 75th percentile). This is reviewed when the identified risk occurs or ceases to be current.
Not applicableRisk aggregation is performed in QTRA. For instance, five small, related risks when combined may pose a big risk to the project as a whole. Aggregated risks are considered in plan risk responses and a generic response can be developed.
Not applicableUses quantitative methods such as sensitivity analysis, tornado diagram and expected monetary value.
Not applicableUses project models, such as a schedule model or cost estimate. Probabilistic distribution can be applied to them and iterated over many times, as in Monte Carlo simulation. With this, we can know the likelihood of project completion on schedule and the likelihood of bringing the project in on budget.

Both qualitative and quantitative risks analysis are important for project risk management. As aspirants for PMP certification, you need to know that both QLRA and QTRA play distinct roles in project risk management. Also, you need to understand the key differences between them to tackle your exam.

Sorting image courtesy of California Avocado Commission under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) license.

Related Content

Webinars (watch for free now!):
“EVM” – Earned Value Management – Not Just Another 3 Letter Acronym!
Webinar: Risk Management with Microsoft Project and Project Server

PMP® Prep: Understanding Internal Rate of Return
PMP® Prep: Calculating EAC and ETC for Forecasting

Written by Satya Narayan Dash
Satya Narayan Dash is a management professional, coach, and author of multiple books. Under his guidance, over 2,000 professionals have successfully cracked PMP, ACP, RMP, and CAPM examinations – in fact, there are over 100 documented success stories written by these professionals. His course, PMP Live Lessons - Guaranteed Pass, has made many successful PMPs, and he’s recently launched RMP Live Lessons - Guaranteed Pass and ACP Live Lessons - Guaranteed Pass. His web presence is at, and he can be contacted via email at  
Share This Post
Have your say!
  1. Good paper, but there are still questions.
    1. I’d like to elaborate at author’s approach to risk mitigation. If all “impacts” are implemented to eliminate all risks, then a project could significantly deplete resources (budget and manpower). What if some risks are not materialized? What would be an optimal risk mitigation strategy under limited resources?
    2. I believe that it is hard to eliminate all risks. What about partial risk reduction? It means that each risk is associated with multiple risk mitigation strategies (RMS) including two extreme ones – (1) do nothing; and (2) eliminate risk. How to select optimal combination of RMS?
    3. What is level of acceptable risk?
    4. How about risk dependencies?
    Best regards,

  2. Suresh,
    Thank you. Indeed, risk analysis is a big topic. However, this article is written from PMP exam preparation point of view and particularly on the differences between qualitative and quantitative risk analysis.

  3. David,
    Glad that you enjoyed the article. Let me answer the questions that you have raised.

    Risk always comes with a probability (likelihood of occurrence) as it is uncertain. If there is no probability and it is certain and it has occurred, then it is not a risk. It becomes an issue (considering negative risk). So, for both QLRA and QTRA, probability (P value) will be always there.

    Now, if it happens, it has to be multiplied with impact (I value). For risk#4, $55,000 is not the cost of the software, but what cost impact it will have on the project. So, how the value is derived? For for Risk 001, what you have got is multiplied value of 60% *50,000 = 30,000. This is in its simplest form and you will see that form in PMP exam. So, for risk-004, it will be 58% * $55,000 = $33,640. But then, how the expected value is at $33,000? Because I have applied probabilistic distribution, which is not mentioned in the table for brevity and simplicity. I have noted below the qualitative risk register.

    Coming to your 3rd part of the query, quantification should state the overall exposure to the project. Yes, that in fact, is the main difference as noted in this article. However, QTRA is also used for further prioritization based on cost impact and/or schedule impact, correlation among risks and to know which individual risks contribute the most to the overall project risk. In this case, risk-004 is one of the risks contributing the most to the overall project risk.

  4. Vladimir,
    Thanks for the kind words.

    1 and 2 will be out of the scope of the current article. Risk mitigation happens in plan risk responses process. It is a big topic and there are many strategies for positive and negative risks. This is post QLRA and QTRA.

    Coming to 3: Acceptable risk is determined from the risk governance parameters. Not every risk is looked into for response, though all possible risks should be identified. As noted in this article, if the risk threshold is crossed,then formal risk response is planned. Also, for risks with low priority, which are in watch-list, no formal risk response is taken.

    For 4: Risk dependencies is addressed in QTRA. This where risk aggregation comes in. Check the item no. 15 in the table under section – ‘Differences between Qualitative and Quantitative Risk Analysis’.

  5. Colin,

    Thank you for liking the piece. Yes, the current scope of the article is on QLRA and QTRA and particularly on the differences between them.

  6. David,
    The P*I value for risk-004 should have been $31,900, not $33,640. Sorry for the typo. Rest of the explanation remains same.

Leave a Reply