As you’re preparing for your PMI PMP exam, you’ll want to understand the basics of qualitative risk analysis (QLRA) and quantitative risk analysis (QTRA), both processes that are part of the “Project Risk Management” knowledge area. While these two concepts sound similar and both use numbers in risk rating, they’re not the same at all. Test-takers often get confused about how they work, how they vary and what unique roles they play. Adding to the confusion, QTRA can be optional! Both QLRA and QTRA are powerful risk analytics, and both have a place in project risk management. In this article, I explain their distinctive roles, show where they differ and illustrate what happens when both are used.
The PM Book of Knowledge risk management knowledge area has six processes that interact with each other:
All possible risks are identified in the “identify risks” process and put into a project document called the “risk register.” Then qualitative risk analysis is performed. From there, it may lead to quantitative risk analysis or directly to risk response planning. In other words, quantitative risk analysis is optional, as indicated by the dotted line. If both QLRA and QTRA are performed, they’ll be in close sequence and the risk register will be updated for both types of processes.
In its simplest form QLRA is the process of evaluating individual risks from the “Identify Risks” stage for their probability or likelihood of occurring (the “P” value), multiplying that with the impact the risk could have on the project objective (the “I” value) and then prioritizing the risks based on their ultimate “risk score.”
QTRA is the process of providing numerical estimates of the overall effect of risks on the project objectives when all risks are considered simultaneously. The numerical estimates are usually in terms of schedule and cost. The prioritized list of risks created in the QLRA process is further updated in the QTRA process, based on the numerical estimates.
Why is QTRA optional? As a project manager, you operate in a highly constrained environment. Sometimes, you have to leave something out because you lack time or budget, particularly in smaller projects. So why perform QTRA at all? We’ll look at that shortly.
When only qualitative risk analysis is conducted on a project, it’s known as “partial risk analysis.”
How QLRA and QTRA Differ
The fundamental difference between QLRA and QTRA is that the first addresses individual risks of a project, whereas the second considers the overall project risk. The overall risk to the project is due to the combined effect of all risks and their possible interdependencies and correlations. Overall risk applies to the project as whole, rather than individual activities or cost items in the project.
Note that both QLRA and QTRA use numbers for risk rating and prioritization of risks. But QLRA is a subjective evaluation, whereas QTRA is more objective in terms of value or cost terms. In QLRA, for example, the risk rating could be “5” or “10” after multiplying the P and I values of the individual risks. For QTRA you establish the overall cost or time impact on the project, such as: “$25,000.”
Let’s look at a sample risk register that has been compiled through the “Identify Risks” process. In this example positive risks are known as opportunities and negative risks are known as threats.
In QLRA, the probability and impact values are assigned and the risk score is set. Probability values may be textual (low, medium, high); graphical (red, orange, green); or numerical (1 for low risks, 5 for high risks or somewhere in between). Each risk is assigned a probability value and an impact value and the risk score is calculated. It’s not uncommon to combine the numerical and graphical values to have a color-coded indicator.
The updated risk register in the figure above, which summarizes the output of the QLRA process, is sometimes known as the “qualitative risk register.” The register may contain other information, such as identification date, identifying person, cause, effect and risk exposure. Based on the risk scores, you perform the prioritization of risks; if the score crosses risk tolerance limits for your organization, then you know you have to take a risk response.
As I noted earlier, QTRA is performed after QLRA. In the QTRA, you quantify some of the items from the qualitative risk registers and assign a cost value. The updated risk register, as shown below, is sometimes referred to as the “quantitative risk register.”
Notice that the register may contain other information such as impacted activities of the project, correlation and probabilistic distribution details, among others. In my example, I’ve used expected monetary value technique (EMV) for further prioritization and subsequent risk response planning on the quantified risks.
Differences between Qualitative and Quantitative Risk Analysis
In addition to the differences between QLRA and QTRA that I’ve already mentioned, others also exist, which I’ve summarized in the table below.
|Qualitative Risk Analysis (QLRA)||Quantitative Risk Analysis (QTRA)|
|Performed first.||Performed after qualitative analysis is done.|
|Should be always done.||Can be optional.|
|Examines individual project risks.||Examines the combined effects of risks on the project as a whole to determine an overall project risk.|
|Day-to-day risk management is focused on individual project risks.||Overall project risk is important for strategic decision making and project governance.|
|For smaller projects QLRA will suffice. QTRA is time-consuming and hence may not be desired.||For large projects, QTRA is needed to know the overall risk of the project.|
|It's about the risk's discrete probability of occurrence and impact.||It's about probabilistic distributions (discrete or continuous) to characterize the risk's probability and impact.|
|Risk scale is qualitative and can be textual (low, medium, high), color coded, numeric (from 1 to 5) or some combination.||Risk scale and scores are quantitative, typically specified in monetary and schedule terms.|
|First level of risk prioritization happens in QLRA.|
The "P" and "I" values are determined and the priority is determined, based on "risk attitude" -- to what extent individual risk or overall project risk matters.
|In QTRA, further prioritization happens based on cost impact and/or schedule impact. On this prioritized list, the risk response is planned.|
|Risk watch list, a list of low-priority risks (those with low probability and impact values) is created here. For the risks on the watch list, no risk response planning is done, but they're kept for future monitoring.||Not applicable|
|In QLRA, risk urgency assessment happens. Risk urgency informs how close a risk is. Risk urgency is also called risk proximity.||Not applicable|
|Risk manageability, which suggests how manageable a risk is, is checked in QLRA. Here's where the decision is taken to go forward, stop or inform the customer of the risk.||Not applicable|
|Not applicable||In QTRA, estimates for contingency reserve are determined. Contingency reserve is allocated for known risks that can't be managed proactively.|
|Degree of confidence for overall risk is undetermined.||Degree of confidence for overall risk is determined (for example, 80th percentile or 75th percentile). This is reviewed when the identified risk occurs or ceases to be current.|
|Not applicable||Risk aggregation is performed in QTRA. For instance, five small, related risks when combined may pose a big risk to the project as a whole. Aggregated risks are considered in plan risk responses and a generic response can be developed.|
|Not applicable||Uses quantitative methods such as sensitivity analysis, tornado diagram and expected monetary value.|
|Not applicable||Uses project models, such as a schedule model or cost estimate. Probabilistic distribution can be applied to them and iterated over many times, as in Monte Carlo simulation. With this, we can know the likelihood of project completion on schedule and the likelihood of bringing the project in on budget.|
Both qualitative and quantitative risks analysis are important for project risk management. As aspirants for PMP certification, you need to know that both QLRA and QTRA play distinct roles in project risk management. Also, you need to understand the key differences between them to tackle your exam.
Sorting image courtesy of California Avocado Commission under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) license.