As you’re preparing for your PMI PMP exam, you’ll want to understand the basics of qualitative risk analysis (QLRA) and quantitative risk analysis (QTRA), both processes that are part of the “Project Risk Management” knowledge area. While these two concepts sound similar and both use numbers in risk rating, they’re not the same at all. Test-takers often get confused about how they work, how they vary and what unique roles they play. Adding to the confusion, QTRA can be optional! Both QLRA and QTRA are powerful risk analytics, and both have a place in project risk management. In this article, I explain their distinctive roles, show where they differ and illustrate what happens when both are used.
The PM Book of Knowledge risk management knowledge area has six processes that interact with each other:
All possible risks are identified in the “identify risks” process and put into a project document called the “risk register.” Then qualitative risk analysis is performed. From there, it may lead to quantitative risk analysis or directly to risk response planning. In other words, quantitative risk analysis is optional, as indicated by the dotted line. If both QLRA and QTRA are performed, they’ll be in close sequence and the risk register will be updated for both types of processes.
In its simplest form QLRA is the process of evaluating individual risks from the “Identify Risks” stage for their probability or likelihood of occurring (the “P” value), multiplying that with the impact the risk could have on the project objective (the “I” value) and then prioritizing the risks based on their ultimate “risk score.”
QTRA is the process of providing numerical estimates of the overall effect of risks on the project objectives when all risks are considered simultaneously. The numerical estimates are usually in terms of schedule and cost. The prioritized list of risks created in the QLRA process is further updated in the QTRA process, based on the numerical estimates.
Why is QTRA optional? As a project manager, you operate in a highly constrained environment. Sometimes, you have to leave something out because you lack time or budget, particularly in smaller projects. So why perform QTRA at all? We’ll look at that shortly.
When only qualitative risk analysis is conducted on a project, it’s known as “partial risk analysis.”
How QLRA and QTRA Differ
The fundamental difference between QLRA and QTRA is that the first addresses individual risks of a project, whereas the second considers the overall project risk. The overall risk to the project is due to the combined effect of all risks and their possible interdependencies and correlations. Overall risk applies to the project as a whole, rather than individual activities or cost items in the project.
Note that both QLRA and QTRA use numbers for risk rating and prioritization of risks. But QLRA is a subjective evaluation, whereas QTRA is more objective in terms of value or cost terms. In QLRA, for example, the risk rating could be “5” or “10” after multiplying the P and I values of the individual risks. For QTRA you establish the overall cost or time impact on the project, such as: “$25,000.”
Let’s look at a sample risk register that has been compiled through the “Identify Risks” process. In this example positive risks are known as opportunities and negative risks are known as threats.
In QLRA, the probability and impact values are assigned and the risk score is set. Probability values may be textual (low, medium, high); graphical (red, orange, green); or numerical (1 for low risks, 5 for high risks or somewhere in between). Each risk is assigned a probability value and an impact value and the risk score is calculated. It’s not uncommon to combine the numerical and graphical values to have a color-coded indicator.
The updated risk register in the figure above, which summarizes the output of the QLRA process, is sometimes known as the “qualitative risk register.” The register may contain other information, such as identification date, identifying person, cause, effect and risk exposure. Based on the risk scores, you perform the prioritization of risks; if the score crosses risk tolerance limits for your organization, then you know you have to take a risk response.
As I noted earlier, QTRA is performed after QLRA. In the QTRA, you quantify some of the items from the qualitative risk registers and assign a cost value. The updated risk register, as shown below, is sometimes referred to as the “quantitative risk register.”
Notice that the register may contain other information such as impacted activities of the project, correlation and probabilistic distribution details, among others. In my example, I’ve used the expected monetary value (EMV) technique for further prioritization and subsequent risk response planning on the quantified risks.
Differences between Qualitative and Quantitative Risk Analysis
In addition to the differences between QLRA and QTRA that I’ve already mentioned, others also exist, which I’ve summarized in the table below.
Both qualitative and quantitative risk analysis are important for project risk management. As aspirants for PMP certification, you need to know that both QLRA and QTRA play distinct roles in project risk management. Also, you need to understand the key differences between them to tackle your exam.
Vladimir Shnaydman
Good paper, but there are still questions.
1. I’d like to elaborate on the author’s approach to risk mitigation. If all “impacts” are implemented to eliminate all risks, then a project could significantly deplete resources (budget and manpower). What if some risks are not materialized? What would be an optimal risk mitigation strategy under limited resources?
2. I believe that it is hard to eliminate all risks. What about partial risk reduction? It means that each risk is associated with multiple risk mitigation strategies (RMS) including two extreme ones – (1) do nothing; and (2) eliminate risk. How to select the optimal combination of RMS?
3. What is the level of acceptable risk?
4. How about risk dependencies?
Best regards,
Vladimir
Satya Narayan Dash
Suresh,
Thank you. Indeed, risk analysis is a big topic. However, this article is written from a PMP exam preparation point of view and particularly on the differences between qualitative and quantitative risk analysis.
Satya Narayan Dash
David,
Glad that you enjoyed the article. Let me answer the questions that you have raised.
Risk always comes with a probability (likelihood of occurrence) as it is uncertain. If there is no probability and it is certain and it has occurred, then it is not a risk. It becomes an issue (considering negative risk). So, for both QLRA and QTRA, probability (P value) will be always there.
Now, if it happens, it has to be multiplied with impact (I value). For risk#4, $55,000 is not the cost of the software, but what cost impact it will have on the project. So, how is the value derived? For Risk 001, what you have got is the multiplied value of 60% * 50,000 = 30,000. This is in its simplest form and you will see that form in the PMP exam. So, for risk-004, it will be 58% * $55,000 = $33,640. But then, how is the expected value at $33,000? Because I have applied probabilistic distribution, which is not mentioned in the table for brevity and simplicity. I have noted below the qualitative risk register.
Coming to your 3rd part of the query, quantification should state the overall exposure to the project. Yes, that in fact, is the main difference as noted in this article. However, QTRA is also used for further prioritization based on cost impact and/or schedule impact, correlation among risks and to know which individual risks contribute the most to the overall project risk. In this case, risk-004 is one of the risks contributing the most to the overall project risk.
Satya Narayan Dash
Vladimir,
Thanks for the kind words.
1 and 2 will be out of the scope of the current article. Risk mitigation happens in the plan risk responses process. It is a big topic and there are many strategies for positive and negative risks. This is post QLRA and QTRA.
Coming to 3: Acceptable risk is determined from the risk governance parameters. Not every risk is looked into for response, though all possible risks should be identified. As noted in this article, if the risk threshold is crossed, then formal risk response is planned. Also, for risks with low priority, which are in the watch-list, no formal risk response is taken.
For 4: Risk dependencies are addressed in QTRA. This is where risk aggregation comes in. Check the item no. 15 in the table under section – ‘Differences between Qualitative and Quantitative Risk Analysis’.
Satya Narayan Dash
Colin,
Thank you for liking the piece. Yes, the current scope of the article is on QLRA and QTRA and particularly on the differences between them.
Satya Narayan Dash
David,
The P*I value for risk-004 should have been $31,900, not $33,640. Sorry for the typo. The rest of the explanation remains the same.