Perform Qualitative Risk Analysis

Sensei Short Scroll 22 Planning Process Group

Perform Qualitative Risk Analysis

Introduction: Why This Matters

Not all risks are created equal. Some are minor distractions, while others can sink a project if they are ignored. The Perform Qualitative Risk Analysis process prioritizes risks by assessing their probability and impact so the project team can focus its energy on the most critical ones.

On the PMP exam, this process is frequently tested through situational questions about how to rank risks and what to do before investing effort in quantitative analysis. In practice, this process ensures that limited time and resources are applied where they matter most (Project Management Institute, 2021).

Purpose and Objectives

Primary Purpose: Prioritize individual project risks for further analysis or action by assessing their probability of occurrence and potential impact.

Key Objectives:

  • Evaluate risks using agreed probability and impact scales.
  • Prioritize risks into practical categories such as high, medium, and low.
  • Identify which risks need quantitative analysis and detailed responses.
  • Update the risk register with prioritization results.
  • Improve stakeholder understanding of the overall risk exposure.

Overview

Perform Qualitative Risk Analysis uses structured criteria, scales, and expert input to sort and rank risks, rather than calculate precise financial or schedule impact. It focuses on relative priority so the team knows where to concentrate risk responses and where to consider more advanced quantitative analysis.

  • Core focus: Probability, impact, data quality, categorization, and urgency.
  • Key outcome: A prioritized risk register that guides risk responses and next steps.

Inputs, Tools and Techniques, Outputs (ITTOs)

Inputs

  • Risk management plan.
  • Risk register (from Identify Risks).
  • Stakeholder register.
  • Assumption log.
  • Other project documents such as schedule, cost, scope, and resource information.

Tools and Techniques

  • Expert judgment: Risk specialists, functional experts, PMO.
  • Data gathering: Interviews and facilitated workshops.
  • Data representation:
    • Probability and impact matrix.
    • Risk categorization by source, area, or phase.
    • Risk data quality assessment.
  • Interpersonal skills: Facilitation and political awareness.
  • Risk urgency assessment: Evaluating the time sensitivity of each risk.

Outputs

  • Project document updates, including risk register, assumptions log, and issue log.

Characteristics

Probability and Impact Matrix

  • A grid that combines probability (likelihood of risk occurring) and impact (effect on objectives) to assign a risk rating.
  • Probability may be scored as Very Low (0.1), Low (0.3), Medium (0.5), High (0.7), or Very High (0.9), based on the organization’s scales.
  • Impact is scored across cost, schedule, quality, and scope dimensions.
  • Multiplying probability × impact produces a risk score that supports prioritization.

Risk Categorization

Grouping risks by source such as technical, external, organizational, or by WBS element, helps identify clusters and concentrations where focused attention is needed.

Data Quality Assessment

Data quality assessment tests whether risk data is sufficient, reliable, and accurate before prioritization. If data is weak or vague, the team may need to revisit Identify Risks or clarify assumptions.

Risk Urgency Assessment

Risk urgency assessment determines how soon a response is required. A high impact risk in eighteen months may be less urgent than a moderate risk that is likely to occur next week.

Practical Example: Software Implementation Project

Context: A company is rolling out a new enterprise resource planning (ERP) system.

Risk register (from Identify Risks):

  • Risk 1: Vendor delays in software delivery.
  • Risk 2: Key developer leaves the project.
  • Risk 3: End users resist adoption.
  • Risk 4: Regulatory audit finds compliance gaps.

Qualitative analysis:

  • Vendor delays: Probability high, impact high → Score 0.7 × 0.8 = 0.56 (critical).
  • Developer leaves: Probability medium, impact high → Score 0.5 × 0.8 = 0.40 (important).
  • User resistance: Probability high, impact medium → Score 0.7 × 0.5 = 0.35 (moderate).
  • Regulatory audit: Probability low, impact very high → Score 0.3 × 0.9 = 0.27 (monitor).

Outcome: Risks are prioritized. Vendor delays require immediate mitigation. Developer attrition requires contingency plans. Regulatory risks are tracked but are not immediate priorities.

Common Pitfalls

Overconfidence in subjective data

  • Pitfall: Risk scoring based only on gut feeling.
  • Prevention: Use structured scales, agreed criteria, and SME input.

Ignoring opportunities

  • Pitfall: Only threats are analyzed.
  • Prevention: Assess positive risks, or opportunities, with the same rigor.

Treating all risks equally

  • Pitfall: No prioritization, which can waste time and resources.
  • Prevention: Use the probability and impact matrix to focus on what matters most.

Static analysis

  • Pitfall: Risks prioritized once and never revisited.
  • Prevention: Reassess periodically, especially after major changes or new information.

Sensei Tip : On the exam and in real life, qualitative analysis is about focus, not perfection. Use your probability and impact scales to quickly separate critical risks from background noise, and always include opportunities in that conversation.

Exam Alert : If the question describes many identified risks and asks what to do before planning responses or running simulations, the correct answer is usually Perform Qualitative Risk Analysis, not quantitative analysis or immediate risk responses.

Exam Lens

Patterns on the PMP Exam:

  • Expect questions about probability and impact matrices and how they are used to prioritize risks.
  • Qualitative analysis comes before quantitative analysis.
  • When risk data is vague or insufficient, the best action is to perform a risk data quality assessment.
  • Always remember that opportunities are assessed along with threats.

Sample Question

Question: A project manager has identified forty risks. Stakeholders want to know which ones deserve the most attention before planning responses. What should the project manager do next?

  1. Perform quantitative risk analysis.
  2. Perform qualitative risk analysis.
  3. Update the assumption log.
  4. Develop risk responses.

Correct Answer: B. The next step is to prioritize risks through qualitative analysis.

Quick Recap Table

Concept Description Exam Watch Point
Probability and Impact Matrix Tool that prioritizes risks based on likelihood and effect. Know how it is applied to focus on high priority risks.
Risk Categorization Groups risks by source, area, or project phase. Often appears in scenario questions about clusters of risk.
Data Quality Assessment Confirms that risk data is complete and trustworthy. Choose this when risks are vague or poorly defined.
Risk Urgency Assessment Evaluates how soon a response is required for each risk. Use in scenarios asking which risk needs attention now.

Key Takeaways

  • Perform Qualitative Risk Analysis prioritizes risks so that time and resources are focused on what matters most.
  • The probability and impact matrix is the core tool for scoring and ranking risks.
  • Both threats and opportunities must be assessed during qualitative analysis.
  • Data quality and urgency help refine which risks require immediate attention or further quantitative analysis.
  • On the exam, qualitative analysis always precedes quantitative risk analysis.

Next Step

With risks prioritized qualitatively, the next process is Perform Quantitative Risk Analysis, where numerical techniques such as simulation and decision tree analysis are used to evaluate the potential impact of high priority risks on project objectives.

Bibliography

Project Management Institute. (2021). A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (7th ed.). Project Management Institute.

Scroll to Top