Quick Links

PMP Prep: Qualitative vs. Quantitative Risk Analysis

Quality vs quantity imageAs you’re preparing for your PMI PMP exam, you’ll want to understand the basics of qualitative risk analysis (QLRA) and quantitative risk analysis (QTRA), both processes that are part of the “Project Risk Management” knowledge area. While these two concepts sound similar and both use numbers in risk rating, they’re not the same at all. Test-takers often get confused about how they work, how they vary and what unique roles they play. Adding to the confusion, QTRA can be optional! Both QLRA and QTRA are powerful risk analytics, and both have a place in project risk management. In this article, I explain their distinctive roles, show where they differ and illustrate what happens when both are used.

The PM Book of Knowledge risk management knowledge area has six processes that interact with each other:

Satya Narayan Dash figure 1

All possible risks are identified in the “identify risks” process and put into a project document called the “risk register.” Then qualitative risk analysis is performed. From there, it may lead to quantitative risk analysis or directly to risk response planning. In other words, quantitative risk analysis is optional, as indicated by the dotted line. If both QLRA and QTRA are performed, they’ll be in close sequence and the risk register will be updated for both types of processes.

In its simplest form QLRA is the process of evaluating individual risks from the “Identify Risks” stage for their probability or likelihood of occurring (the “P” value), multiplying that with the impact the risk could have on the project objective (the “I” value) and then prioritizing the risks based on their ultimate “risk score.”

QTRA is the process of providing numerical estimates of the overall effect of risks on the project objectives when all risks are considered simultaneously. The numerical estimates are usually in terms of schedule and cost. The prioritized list of risks created in the QLRA process is further updated in the QTRA process, based on the numerical estimates.

Why is QTRA optional? As a project manager, you operate in a highly constrained environment. Sometimes, you have to leave something out because you lack time or budget, particularly in smaller projects. So why perform QTRA at all? We’ll look at that shortly.

When only qualitative risk analysis is conducted on a project, it’s known as “partial risk analysis.”

How QLRA and QTRA Differ

The fundamental difference between QLRA and QTRA is that the first addresses individual risks of a project, whereas the second considers the overall project risk. The overall risk to the project is due to the combined effect of all risks and their possible interdependencies and correlations. Overall risk applies to the project as whole, rather than individual activities or cost items in the project.

Note that both QLRA and QTRA use numbers for risk rating and prioritization of risks. But QLRA is a subjective evaluation, whereas QTRA is more objective in terms of value or cost terms. In QLRA, for example, the risk rating could be “5” or “10” after multiplying the P and I values of the individual risks. For QTRA you establish the overall cost or time impact on the project, such as: “$25,000.”

Let’s look at a sample risk register that has been compiled through the “Identify Risks” process. In this example positive risks are known as opportunities and negative risks are known as threats.

Satya Narayan Dash figure 2

In QLRA, the probability and impact values are assigned and the risk score is set. Probability values may be textual (low, medium, high); graphical (red, orange, green); or numerical (1 for low risks, 5 for high risks or somewhere in between). Each risk is assigned a probability value and an impact value and the risk score is calculated. It’s not uncommon to combine the numerical and graphical values to have a color-coded indicator.

The updated risk register in the figure above, which summarizes the output of the QLRA process, is sometimes known as the “qualitative risk register.” The register may contain other information, such as identification date, identifying person, cause, effect and risk exposure. Based on the risk scores, you perform the prioritization of risks; if the score crosses risk tolerance limits for your organization, then you know you have to take a risk response.

As I noted earlier, QTRA is performed after QLRA. In the QTRA, you quantify some of the items from the qualitative risk registers and assign a cost value. The updated risk register, as shown below, is sometimes referred to as the “quantitative risk register.”

Satya Narayan Dash figure 3

Notice that the register may contain other information such as impacted activities of the project, correlation and probabilistic distribution details, among others. In my example, I’ve used expected monetary value technique (EMV) for further prioritization and subsequent risk response planning on the quantified risks.

Differences between Qualitative and Quantitative Risk Analysis

In addition to the differences between QLRA and QTRA that I’ve already mentioned, others also exist, which I’ve summarized in the table below.

Qualitative Risk Analysis (QLRA)Quantitative Risk Analysis (QTRA)
Performed first.Performed after qualitative analysis is done.
Should be always done.Can be optional.
Examines individual project risks.Examines the combined effects of risks on the project as a whole to determine an overall project risk.
Day-to-day risk management is focused on individual project risks.Overall project risk is important for strategic decision making and project governance.
For smaller projects QLRA will suffice. QTRA is time-consuming and hence may not be desired.For large projects, QTRA is needed to know the overall risk of the project.
It's about the risk's discrete probability of occurrence and impact.It's about probabilistic distributions (discrete or continuous) to characterize the risk's probability and impact.
Risk scale is qualitative and can be textual (low, medium, high), color coded, numeric (from 1 to 5) or some combination.Risk scale and scores are quantitative, typically specified in monetary and schedule terms.
First level of risk prioritization happens in QLRA.

The "P" and "I" values are determined and the priority is determined, based on "risk attitude" -- to what extent individual risk or overall project risk matters.
In QTRA, further prioritization happens based on cost impact and/or schedule impact. On this prioritized list, the risk response is planned.
Risk watch list, a list of low-priority risks (those with low probability and impact values) is created here. For the risks on the watch list, no risk response planning is done, but they're kept for future monitoring.Not applicable
In QLRA, risk urgency assessment happens. Risk urgency informs how close a risk is. Risk urgency is also called risk proximity. Not applicable
Risk manageability, which suggests how manageable a risk is, is checked in QLRA. Here's where the decision is taken to go forward, stop or inform the customer of the risk.Not applicable
Not applicableIn QTRA, estimates for contingency reserve are determined. Contingency reserve is allocated for known risks that can't be managed proactively.
Degree of confidence for overall risk is undetermined.Degree of confidence for overall risk is determined (for example, 80th percentile or 75th percentile). This is reviewed when the identified risk occurs or ceases to be current.
Not applicableRisk aggregation is performed in QTRA. For instance, five small, related risks when combined may pose a big risk to the project as a whole. Aggregated risks are considered in plan risk responses and a generic response can be developed.
Not applicableUses quantitative methods such as sensitivity analysis, tornado diagram and expected monetary value.
Not applicableUses project models, such as a schedule model or cost estimate. Probabilistic distribution can be applied to them and iterated over many times, as in Monte Carlo simulation. With this, we can know the likelihood of project completion on schedule and the likelihood of bringing the project in on budget.

Both qualitative and quantitative risks analysis are important for project risk management. As aspirants for PMP certification, you need to know that both QLRA and QTRA play distinct roles in project risk management. Also, you need to understand the key differences between them to tackle your exam.

Sorting image courtesy of California Avocado Commission under a Creative Commons Attribution 2.0 Generic (CC BY 2.0) license.

Related Content

Webinars (watch for free now!):
“EVM” – Earned Value Management – Not Just Another 3 Letter Acronym!
Webinar: Risk Management with Microsoft Project and Project Server

PMP® Prep: Understanding Internal Rate of Return
PMP® Prep: Calculating EAC and ETC for Forecasting


Avatar photo
Written by Satya Narayan Dash

Satya Narayan Dash is a management professional, coach, and author of multiple books. Under his guidance, over 2,000 professionals have successfully cracked PMP, ACP, RMP, and CAPM examinations – in fact, there are over 100 documented success stories written by these professionals. His course, PMP Live Lessons – Guaranteed Pass, has made many successful PMPs, and he’s recently launched RMP Live Lessons – Guaranteed Pass and ACP Live Lessons – Guaranteed Pass. His web presence is at https://managementyogi.com, and he can be contacted via email at managementyogi@gmail.com.


Share This Post
  1. Very useful article. But to understand risk analysis, one has to gain a lot more knowledge, and practice it in all Projects.

  2. Very useful article. But a lot more detailed knowledge is needed for practice at Projects.

  3. Really enjoyed your article. Well written and informative. I have a question about how to assess the value of QTRA. In the last example (#4), there is probability that the project will require automated software. The value of the risk is calculated to be a percentage of the “impact’ which I assume is the cost of purchasing /implementing the software package which is valued at $55000. However, if the risk materializes, isn’t the value of the risk $55000, and not $33000? You wouldn’t be able to purchase/deploy the software for $33000 and so my thinking is, for QTRA you would need to know the entire exposure – not a percentage. For Risks #1 and #2, I agree that the value is as stated. You might be able to get away with using just one sr designer, for example.
    I understand for QLRA, you simply multiply to get a risk factor but, since I haven’t used QTRA very much, I would have to think the quantification should state the whole exposure to the project should the risk materialize.

  4. Good paper, but there are still questions.
    1. I’d like to elaborate at author’s approach to risk mitigation. If all “impacts” are implemented to eliminate all risks, then a project could significantly deplete resources (budget and manpower). What if some risks are not materialized? What would be an optimal risk mitigation strategy under limited resources?
    2. I believe that it is hard to eliminate all risks. What about partial risk reduction? It means that each risk is associated with multiple risk mitigation strategies (RMS) including two extreme ones – (1) do nothing; and (2) eliminate risk. How to select optimal combination of RMS?
    3. What is level of acceptable risk?
    4. How about risk dependencies?
    Best regards,

  5. Great article especially as a first look at PMP Exam Prep alone.
    There will always definitely be more questions. In the real world, more detailed study and analysis will need to be done to fully explore the gamut of risk management possibilities across various industries. I think the author’s goal was to cover just those 2 processes QUALITATIVE and QUANTITATIVE risk analysis and not the entire 6 since those are the ones people mix up a lot on the PMP Exam. The philosophy of risk response strategies and deep decision tree analysis and expected monetary value is a whole different discussion.

  6. Avatar photo

    Thank you. Indeed, risk analysis is a big topic. However, this article is written from PMP exam preparation point of view and particularly on the differences between qualitative and quantitative risk analysis.

  7. Avatar photo

    Glad that you enjoyed the article. Let me answer the questions that you have raised.

    Risk always comes with a probability (likelihood of occurrence) as it is uncertain. If there is no probability and it is certain and it has occurred, then it is not a risk. It becomes an issue (considering negative risk). So, for both QLRA and QTRA, probability (P value) will be always there.

    Now, if it happens, it has to be multiplied with impact (I value). For risk#4, $55,000 is not the cost of the software, but what cost impact it will have on the project. So, how the value is derived? For for Risk 001, what you have got is multiplied value of 60% *50,000 = 30,000. This is in its simplest form and you will see that form in PMP exam. So, for risk-004, it will be 58% * $55,000 = $33,640. But then, how the expected value is at $33,000? Because I have applied probabilistic distribution, which is not mentioned in the table for brevity and simplicity. I have noted below the qualitative risk register.

    Coming to your 3rd part of the query, quantification should state the overall exposure to the project. Yes, that in fact, is the main difference as noted in this article. However, QTRA is also used for further prioritization based on cost impact and/or schedule impact, correlation among risks and to know which individual risks contribute the most to the overall project risk. In this case, risk-004 is one of the risks contributing the most to the overall project risk.

  8. Avatar photo

    Thanks for the kind words.

    1 and 2 will be out of the scope of the current article. Risk mitigation happens in plan risk responses process. It is a big topic and there are many strategies for positive and negative risks. This is post QLRA and QTRA.

    Coming to 3: Acceptable risk is determined from the risk governance parameters. Not every risk is looked into for response, though all possible risks should be identified. As noted in this article, if the risk threshold is crossed,then formal risk response is planned. Also, for risks with low priority, which are in watch-list, no formal risk response is taken.

    For 4: Risk dependencies is addressed in QTRA. This where risk aggregation comes in. Check the item no. 15 in the table under section – ‘Differences between Qualitative and Quantitative Risk Analysis’.

  9. Avatar photo


    Thank you for liking the piece. Yes, the current scope of the article is on QLRA and QTRA and particularly on the differences between them.

  10. Avatar photo

    The P*I value for risk-004 should have been $31,900, not $33,640. Sorry for the typo. Rest of the explanation remains same.

  11. Very good article Satya. A good explanation of the differences between the two types of risk analysis and their uses. Thanks for sharing.

  12. Simple and to the point.

    Thank You

  13. Could you please define how ‘risk ranking’ and ‘overall project risk’ differ? (apart from the fact that one is the output of QNRA while other is of QLRA).


  14. This debate is relevant to any examination prep not only PMP. Majority of them go for quantitative form of preparation which may work to some extent but for continued learning qualitative form prep is the best.

  15. Satya,
    Thanks for the detailed information.


Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>