1999. October 29. A super cyclone measuring 160 mph hit Gopalpur in Odisha, a coastal state of India, with horrifying fury. It resulted over 10,000 people losing their lives and over $US4 billion in damages. The devastation caused was barely reported. In fact, little is known about the event, but it changed the way India braces itself for natural calamities.
2013. October 13. Another super cyclone, named Phailin, running at 160 mph landed on the same state and also at the same place just around midnight. This time, the loss of lives was less than 50 – little to none due to the cyclone, but more due to flooding. This time, the estimated cost of damages (mostly loss of property) was around $US400 million.
Two events occurred, but each one had entirely different outcomes. What was the difference? Risk Management.
A cyclone doesn’t come alone. First, it blows away everything in its path like an uncontrolled train rampaging through, in this case, a densely populated area. Then, about two weeks later, another natural calamity strikes – flooding driven by the river Mahanadi (meaning “Great River”) running across the heartlands of the state. A third calamity strikes in another couple of weeks. Water-borne diseases grow uncontrolled as public works systems are in disarray. Are the calamities over? Not yet. Two other issues arise, which cause the longest-term impact. These are that food and shelter become scare. Food scarcity because the fertile land in the river delta becomes saturated with salt water pouring up the shore and is no longer cultivable, and a shelter crisis because homes destroyed often take years to rebuild. Perhaps no other event demands risk management with such high urgency! A cyclone and its cousin disasters create a highly volatile situation and risk in a short timeframe (three to four weeks). Despite this short timeframe, the impact continues on for decades. Obviously, an event such as this can severely cripple growth, if not managed well.
Of course, we can all see that a cyclone causes quite a disaster, but every one of us takes up risks. Just driving on a road, or even getting out of bed in the morning can pose risk. You might stub your toe in the dark on the way to the light switch or trip over a wire lying next to your bed. These events don’t usually happen, but the possibility exists.
Individual Project Risks
Project Management Institute (PMI) defines an individual project risk as:
“An uncertain event or condition, if it occurs, will have a positive or negative impact on one or more objectives of the project.”
As noted in the above definition, there are two characteristics for an event to be defined as a risk:
- Risk occurs from elements of uncertainty (probability). Other descriptors, in place of ‘uncertainty’ can be ‘likelihood’ or ‘chances.’
- Risk might have negative or positive effects on meeting the project objectives. Other descriptors of ‘effect’ can be ‘impact’ or ‘consequences.’
But, why are we looking at both the characteristics? I’d like to suggest it is because we don’t really manage all the risks we face. We have to look at both the likelihood or probability, as well as the impact or consequences.
Consider the earlier example of the cyclone(s). Here, taking steps to reduce the risk doesn’t change the likelihood of such events occurring. Can we change the course of nature? No. However, we can definitely mitigate the impact. On the other hand, removing the cord which lies on your path to the light switch (our second example), removes the likelihood of you tripping over it, but does not change the impact, (i.e., that if you do over it, you will get hurt).
Note that the definition of risk says that it must positively or negatively impact or effect at least one project objective such as scope, schedule, or cost. If it doesn’t, then it is not a risk. If the risk negatively impacts the objectives, then it is called a threat and if the impact is positive, it is called an opportunity.
For many, the term “risk” typically comes with a negative connotation. Hence, negative impact is quickly understood. But, what about the positive risks? Say you have a good team member working on your project, or that you can reuse an existing design framework. In those cases, you can enhance the chances of your project being completed early. These are examples of positive risks or opportunities.
Risk Score, Risk Appetite, and Risk Threshold
Once we have the probability and impact values, we multiply them. This gives us the Risk Score. Putting it into a formula, it will look like this:
The higher the risk score, the higher the priority to take these prioritized risks into account and plan responses accordingly. This is what actually happens in qualitative risk analysis.
The probability scale can be numeric (1, 2, 5, etc.), textual (high, low, medium), color coded (red, amber, green), or a combination of factors. A possible probability scale is shown in the table below:
While building the impact scale you can consider various traditional objectives (i.e. scope, time, cost, and/or quality). A possible impact scale is shown in the table below:
As we have seen before, when you combine the probability and impact, you get the risk score. It can also be numeric, textual, color coded, or a combination of those factors. This is represented in a matrix format, which is known as the Probability and Impact matrix/grid, or simply the PI matrix.
A possible PI matrix is shown below. In this case, I’ve considered both the probability and impact scales from 1 (very low) to 5 (very high). This is to keep things simple. It is possible that you can individually consider the impacts on the objectives, such as scope, schedule, cost, quality, etc. as noted in the earlier impact scale table, and then determine the score by applying mathematical formulas.
While calculating the risk score in the above table, I’ve multiplied the probability and impact values. The color coding in the above PI matrix is based on the risk appetite level of the stakeholders. You may wonder what I mean by “Risk Appetite.” Let’s define it.
Risk Appetite, as the name itself suggests, is an indication of how much hunger or appetite exists for taking risks. Let’s consider another example. When you take on an investment or mutual fund, the fund manager will ask, “What is your risk appetite?” If you are a risk seeking person (i.e. a risk seeker or one with high risk appetite), the fund manager may present equity related financial products. However, if you are a person who avoids risks (i.e. risk averse or with low risk appetite), then the fund manager may, instead, present debt related financial products.
In project risk management for projects, similar things happen. Risk appetite informs what you as an individual (or an organization) are willing to accept in anticipation of a reward. A related term to risk appetite is Risk Threshold. Risk threshold informs the level of risk exposure above which risks are addressed and below which risks may not be actively pursued (or even accepted).
The risk appetite level of the stakeholders can be represented with risk score ranges. For this article, I’ve included three categories for risk appetite level – low (green), medium (yellow), and high (red). They each have associated risk score ranges. This is noted in the table below:
The probability scale, the impact scale with considerations around chosen objectives, the stakeholders’ risk appetite levels, and risk threshold are all defined in the Risk Management Plan, which is created during the planning stage of a project.
Qualitative Risk Analysis – What Happens?
Now that we know about the fundamentals on various risk attributes, let’s get deeper into qualitative risk analysis.
PMI calls qualitative risk analysis the process of Perform Qualitative Risk Analysis (QLRA), and says it is:
“The process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics.”
In other words, we consider the probability and impact values of the individual project risks to conduct qualitative risks analysis. We also consider other risk characteristics. The simplified flow for qualitative risk analysis is shown in the following figure:
The salient points about the above flow diagram are noted below.
- The risk management plan is prepared in Plan Risk Management process. It has the information on probability and impact scales, PI matrix, and stakeholder risk appetite levels.
- The risk management plan then acts as input to Identify Risks process to create a project document named risk register, which has information on the possible individual risks identified.
At this stage, you can have various risk attributes documented in the risk register such as risk identifier (ID), risk title, risk type, risk category, possible risk trigger date, potential risk owners, potential risk responses, etc.
- Next, the risk register and the risk management plan act as inputs to the Perform Qualitative Risk Analysis (Perform QLRA) process. The stakeholder register is also acting as an input as the final risk owners are nominated in the process of Perform QLRA.
- Post qualitative analysis, the risk register will be updated as an output of Perform QLRA process. It will be updated with information for individual project risks such as probability and impact values, risk score, nominated risk owner, and other risk characteristics. We already know that the higher the score the higher the priority. Hence, prioritization of individual project risks happens in this process. Risks with low priorities are moved into a list called Watch-List. This watch-list is not a separate project document, but part of the risk register.
- The updated risk register can act as input to Perform Quantitative Risk Analysis (Perform QTRA) providing further analysis or can directly act as an input to Plan Risk Responses process to develop risk response strategies for the risks. This is because the process of Perform QTRA is optional, represented with a dotted line above.
Qualitative Risk Analysis – An Example
To understand further qualitative risk analysis, let’s consider the risk register shown below. There can be many possible fields in the register during qualitative risk analysis. In order to keep things simple, I’ve kept the number of fields to a minimum here.
Going by our above risk register, we have five risks. These are shown in the Risk ID column of the register.
While calculating the risk score, I’ve considered the highest impact across various objectives multiplied with the probability value. For example, Risk 001 has a schedule impact that is high (H), cost impact that is medium (M), a scope impact that is very high (VH), and a quality impact that is high (H). The overall impact is taken to be very high (VH). It has a probability value of very high (VH), as well. The overall score of the first risk is 25.
Shall we act on all the risks with high scores? Not necessarily. Rather, we will act on a risk if it crosses the risk threshold.
Let’s say our risk threshold value is 9. If the score of the risk is greater than or equal to 9, then the risk will be prioritized. Otherwise we will move it to the watch-list.
Considering the above risk register, the prioritized risks will be Risk 001, Risk 002, and Risk 004, because their scores are above the accepted level of 9. Risk 003 and Risk 005 will be moved into the watch-list, which is less frequently monitored.
Other Impacting Risk Parameters
In our earlier definition for the process of Perform QLRA, I mentioned that other characteristics considered beyond probability and impact. These impact the score and hence, priority of the risk in question. Some of these risk characteristics or parameters, as documented in the PMBOK guide, are noted in the below table.
Quite a list, right? Although long, the concepts are not complicated. Let’s take one parameter, Risk Urgency, to understand how it impacts the score of the risk.
Say a risk is about to occur tomorrow, and another risk will happen in next week. Which risk are you going to take up first for analysis and subsequent change implementation? Obviously, it will be the risk happening tomorrow. A risk requiring a near term response is considered more urgent.
Risk urgency can be put in textual form with a weighting factor combined as shown in the below table.
Say a risk has a score of 16 and it is expected to happen in next couple of days. As the risk is imminent, we multiply it by 1.1 and increase the score. The result will be 18 (16 * 1.1 = 17.6 and then rounded up to the nearest value of 18). Similarly, if you consider other risk parameters, the score may change.
You can also combine these parameters to rank the order in which risks should be addressed. For example, if you combine risk urgency with risk manageability, you will first address the risks with high urgency and high manageability, whereas for the risks with low manageability and low urgency, you will avoid (or look at last). This is represented below:
If you want to combine more than two risk parameters, you can plot them in a 3-dimesional (3D) chart, which can be represented as a Bubble Chart. The risks are presented as bubbles in the chart.
Taking the risks from our earlier risk register, a possible bubble chart is shown below:
In this case, we are considering three parameters – risk manageability (X-axis), risk detectability (Y-axis), and risk impact (bubble size). The bigger the size of the bubble, the higher the impact. Analyzing the above bubble chart, Risk 001, Risk 002, and Risk 004 will be of higher priority because they have high manageability, high detectability, and high impact.
I do hope this article gives you a deeper understanding on qualitative risk analysis. For aspiring Project Management Professionals (PMP), Risk Management Professionals (RMP), or Certified Associates in Project Management (CAPM), qualitative risk analysis is a key topic to understand. In the real world, too, this analysis usually happens on identified risks, because qualitative analysis is mandatory to prioritize the risks of a project or a natural disaster, such as a cyclone.
This article is dedicated to the memory of those people who passed away in the super cyclone of 1999, cyclone Phailin, and recent cyclone Titli, which impacted India, Thailand, Myanmar, Bangladesh, and Nepal. Today, Odisha, which has been most impacted by these natural catastrophes, is known to be one of the best prepared states to face cyclones and related calamities. It’s a tribute to her peoples’ perseverance, resiliency, and tenacity.
 Project Management Body of Knowledge (PMBOK) Guide, 6th Edition, by Project Management Institute (PMI)
 I Want To Be A RMP: The Plain and Simple Way To Be A RMP, by Satya Narayan Dash
 I Want To Be A PMP: The Plain and Simple Way To Be A PMP, 2nd edition, by Satya Narayan Dash
 Practice Standard for Project Risk Management, by Project Management Institute (PMI)
 1999 Odisha cyclone: https://en.wikipedia.org/wiki/1999_Odisha_cyclone
 Cyclone Phailin: https://en.wikipedia.org/wiki/Cyclone_Phailin