4.3 Perform Qualitative Risk Analysis

Purpose

Perform Qualitative Risk Analysis prioritizes individual project risks for further action by assessing their probability of occurrence and impact on objectives. It is fast, subjective, and performed on every project — it filters the long identified list down to the risks worth deeper attention. It always precedes quantitative analysis (Chapter 5).

The deliverable is a prioritized list of risks and updates to the risk register: each risk gets a probability rating, an impact rating, a category, and often urgency or other parameters.

Qualitative analysis is the right tool when speed matters and numerical modeling is unnecessary or unaffordable. Unlike quantitative analysis, it does not produce dollar figures or probability distributions — it produces a ranking. That ranking is enough to drive most response decisions on most projects, which is why qualitative analysis runs on essentially every project while quantitative analysis is reserved for the largest or most complex ones.

Probability & Impact Assessment

Each risk is rated on two dimensions:

• Probability — how likely the risk is to occur.
• Impact — the effect on objectives (scope, schedule, cost, quality) if it does occur.

Ratings use scales defined in advance in the risk management plan so everyone judges consistently. A risk may have different impacts on different objectives (e.g., low cost impact but high schedule impact); the assessment captures the most significant, or each, depending on the agreed method.

The assessment is gathered through expert judgment — interviews, workshops, or meetings — where each risk's probability and impact are discussed and agreed. Investigating the level of probability and impact reduces the effect of bias and often improves the accuracy of the ratings. The output is recorded against each risk in the register, ready for the matrix.

The Probability-Impact (PI) Matrix

The probability-impact matrix is a grid that maps each risk by its probability (rows) and impact (columns) to a priority zone, usually color-coded:

The risk score = probability × impact. With cardinal values, a risk rated 0.5 probability and 0.4 impact scores 0.20. The matrix lets the team triage: red risks get immediate response planning, green risks may go to a watch list.

Defining Scales: Ordinal vs Cardinal

The team must agree on rating scales up front:

• Ordinal scales rank risks with ordered labels — Very Low, Low, Moderate, High, Very High. They show relative order but the gaps are not mathematically equal.
• Cardinal scales assign actual numbers — e.g., probability 0.1 / 0.3 / 0.5 / 0.7 / 0.9, impact 0.05 / 0.10 / 0.20 / 0.40 / 0.80. Cardinal values can be multiplied to produce comparable scores.

Exception to memorize: ordinal = order/labels; cardinal = real numbers you can do math with.

Risk Data Quality Assessment

Risk data quality assessment evaluates the degree to which the data about risks is useful — examining accuracy, reliability, integrity, and completeness. If a risk's probability and impact rest on poor or incomplete data, the resulting rating is untrustworthy. Low-quality data means the team gathers better information before relying on the rating. This step is a direct control on the subjectivity inherent in qualitative analysis.

Categorization & Visualization

Risk categorization groups risks by source using the Risk Breakdown Structure (RBS), by affected area of the project, or by other useful categories (phase, root cause). Categorization reveals concentrations — for example, many risks rooted in one vendor — so the team can plan systemic responses.

Visualization tools:

• Bubble charts display three parameters at once: two by position (x and y axes, e.g. probability and impact) and one by bubble size (e.g. detectability or proximity).
• Hierarchical charts plot risks where more than two parameters need representation, extending the simple two-axis matrix.

Why Categorize

Risk categorization is more than housekeeping. Grouping by RBS source can reveal that a cluster of separate risks share one root cause — a single supplier, a new technology, a key dependency — which lets the team plan one systemic response instead of many piecemeal ones. Categorization also helps assign risks to the right specialists and exposes which areas of the project carry the densest exposure, guiding where management attention should concentrate.

Controlling Subjectivity

Qualitative analysis is judgment-based, so the exam stresses controls that keep it honest:

• Pre-agreed scales and definitions in the risk management plan — so "high" means the same thing to everyone.
• Risk data quality assessment — discard or improve ratings built on weak data.
• Diverse participation and facilitation — reduce individual bias and over-optimism.
• Documented rationale — record why a rating was given so it can be challenged and revisited.

These controls do not remove subjectivity but make it transparent and reviewable. The exam treats qualitative analysis as legitimately subjective by design — the right answer is rarely "switch to quantitative analysis" to escape judgment, but rather "apply the agreed scales, check data quality, and document the rationale" so the subjective rating can be trusted and revisited.