Chapter 54: Performing Quantitative Analysis

Though we have done the Qualitative Analysis in the previous chapter, we are not complete. We still need to do Quantitative Analysis.

Quantitative risk analysis is generally performed on risks that have been prioritized by using the qualitative risk analysis. However, depending upon the experience of the team and their familiarity with the risk, it is possible to skip the qualitative risk analysis and, after the risk identification, move directly to the quantitative risk analysis. The quantitative risk analysis has three major goals:

• Assess the probabilities of achieving specific project objectives
• Quantify the effect of the risks on the overall project objectives
• Prioritize risks by their contributions to the overall project risk

The image below explains the process more clearly.

Input to Quantitative Analysis

All the items that are input for the qualitative risk analysis are also input for the quantitative risk analysis. In addition, the quantitative risk analysis generally requires more information than its qualitative counterpart. The list of inputs for this process are:
• Risk register - The key input items from the risk register are the following:

o List of identified risks
o Priority list of risks if the qualitative risk analysis was performed
o Risks with categories assigned to them
o Management plans - To perform quantitative risk analysis, you must look at the risk management plan, cost management plan, and schedule management plan. To generate the output of the quantitative risk analysis, you need the following elements of the risk management plan:

 Budgeting
 Definitions of probabilities and impacts
 Probability and impact matrix
 Risk categories
 Risk timing and scheduling

To analyze the effect of risks on the project objectives, you need to know the project schedule and the project cost. These can be found in the cost management plan and schedule management plan. Also, the approaches taken by these plans can affect quantitative risk analysis.
• Organizational process assets - The following organizational process assets might be useful in the quantitative analysis:

o Information on previously performed similar projects
o Studies performed by risk specialists on similar projects
o Proprietary risk databases or risk databases available from the industry

Tools and Techniques for Quantitative Analysis

The quantitative risk analysis can be looked upon as a two-step process; gathering and representing the data, and analyzing and modeling the data. Accordingly, all the techniques fall into two categories: data gathering and representation techniques, such as interviewing, probability distributions, and expert judgment; and analysis and modeling techniques, such as sensitivity analysis, EMV analysis, decision tree analysis, and modeling and simulation. We shall be covering them one by one in the list below:

Interviewing - This technique is used to collect the data for assessing the probabilities of achieving specific project objectives. You are looking for results such as: We have a 70% probability of finishing the project within the schedule desired by the customer. Or: We have a 60% probability of finishing the project within the budget of Rs. 100,000. The goal is to determine the scale of probabilities for a given objective; for example, there is a 20% probability that the project will cost Rs. 50,000, a 60% probability that it will cost Rs. 100,000, and a 20% probability that it will cost Rs. 150,000.

The data is collected by interviewing relevant stakeholders and subject matter experts. Most commonly, you will be exploring the optimistic (best case), pessimistic (worst case), and most likely scenarios for a given objective.

Probability distributions - After you have collected the data on meeting the project objectives, you can present it in a probability distribution for each objective under study. Note that a distribution represents uncertainty, and uncertainty represents risk. For example, if you know for sure the project will cost Rs. 25 lakhs, there will be no distribution because it is only one data point. Distribution comes into the picture when you have several possible values with a probability assigned to each value. There are distributions of different shapes in which the data can be presented.

Look at the picture above. This example is for the cost objective. The X axis represents the cost, and the Y axis represents the corresponding probability that the project will be completed within that cost.

The beta distribution and the triangular distribution are the most frequently used distributions. The other commonly used distributions that could be suitable under given circumstances are normal distribution and uniform distribution. The uniform distribution is used when all the values of an objective have the same chance of being true.

Sensitivity analysis - This is a technique used to determine which risk has the greatest impact on the project. You study the impact of one uncertain element on a project objective by keeping all other uncertain elements fixed at their baseline values. You can repeat this analysis for several objectives, one at a time. You can also repeat this study for several uncertain elements (creating risks), one element at a time. This way, you can see the impact of each element (or risk) on the overall project separate from other elements (or risks).

Expected monetary value analysis - The expected monetary value (EMV) analysis is used to calculate the expected value of an outcome when different possible scenarios exist for different values of the outcome with some probabilities assigned to them. The goal here is to calculate the expected final result of a probabilistic situation. EMV is calculated by multiplying the value of each possible outcome by the probability of its occurrence and adding the results. For example, if there is 60% probability that an opportunity will earn you Rs. 1,000 and a 40% probability that it will only earn you Rs. 500, the EMV is calculated as follows:

EMV = 0.60×1000 + 0.40×500 = 600 + 200= 800

So the EMV in this case is Rs. 800. When you are using opportunities and threats in the same calculation, you should express EMV for an opportunity as a positive value and EMV for a threat as a negative value. For example, if there is a 60% chance that you will benefit from a risk by Rs. 1,000 and a 40% probability that you will lose Rs. 500 as a result of this risk, the EMV is calculated as follows:

EMV = 0.60×1000 - 0.40×500 = 600 – 200 = 400

Therefore, the EMV in this case is Rs. 400.

The concept of EMV can be presented in a decision-making technique, such as a decision tree analysis.

Decision tree analysis - This technique uses the decision tree diagram to choose from different available options; each option is represented by a branch of the tree. This technique is used when there are multiple possible outcomes with different threats or opportunities with certain probabilities assigned to them. EMV analysis is done along each branch, which helps to make a decision about which option to choose.

Look at the image below. It is a simple decision tree.

The decision tree diagram above depicts two options: updating an existing product or building a new product from scratch. The initial cost for the update option is Rs. 500,000, whereas the initial cost for the build-from-scratch option is Rs. 700,000. However, the probability for failure is 25% for the update option, compared to 10% for the build-from-scratch option, and the impact from failure for case 1 is Rs. 1.25 lakhs whereas for the other it is only Rs. 70,000. In such a situation, the build from scratch may be chosen because, even though it costs more, the chances of failure as well as losses in case of a failure are lower than the update option.

Modeling and simulation - A model is a set of rules to describe how something works; it takes input and makes predictions as output. The rules might include formulas and functions based on facts, assumptions, or both. A simulation is any analytical method used to imitate a real-life system. Simulations in risk analysis are created using the Monte Carlo technique, which is named after the city of Monte Carlo; known for its casinos that present games of chance based on random behavior. Monte Carlo simulation models take random input iteratively to generate output for certain quantities as predictions. This technique is used in several disciplines, such as physics and biology, in addition to project management. In risk analysis, the input is taken randomly from a probability distribution, and the output for impact on the project objectives is predicted. The name “Monte Carlo” refers to the random behavior of the input.
Expert judgment - In quantitative risk analysis, expert judgment can be used to validate the collected risk data and the analysis used for the project at hand.

Output of the Quantitative Risk Analysis: Updated Risk Register

As with the Qualitative Analysis, the output of this process too is the updates to the Risk Register. The updates include:
• Probabilistic analysis of the project - This includes the estimates of the project schedule and cost with a confidence level attached to each estimate. Confidence level is expressed in percentage form, such as 95%, and it represents how certain you are about the estimate. You can compare these estimates to the stakeholders’ risk tolerances to see whether the project is within the acceptable limits.
• Probability of achieving the project objectives - Factoring in project risks, you can estimate the probability of meeting project objectives, such as cost and schedule, set forth by the current project plan. For example, the likelihood of completing the project within the current budget plan of Rs. 2 lakhs is 70%.
• Prioritized list of risks - Risks are prioritized according to the threats they pose or the opportunities they offer. Risks with greater threats (or opportunities) are higher on the list. The goal is to prioritize the response plan efforts to eliminate (or minimize) the impact of the threats and capitalize on the opportunities. The priorities are determined based on the total effect of each risk to the overall project objectives.
• Trends in the results - By repeating the analysis several times and examining the results, you might recognize a trend for specific risks. That trend might suggest further analysis or a specific risk response. In finding the trend, you can also take a look at the historical information on project cost, quality, schedule, and performance.

Prev: Performing Qualitative Analysis

Next: Planning Risk Response

Chapter 53: Performing Qualitative Analysis

Qualitative Analysis is the first step towards analyzing the risks that have been identified in the risk identification process. The qualitative analysis process is quick and cheaper. It gives you some feel about the risks, and then you can determine which risks needs to be analyzed further by using quantitative analysis.

The perform qualitative risk analysis process is shown as a picture below:

Input to Qualitative Risk Analysis

The Risk Register is a default input to this process. Apart from the risk register, the other inputs to this process are:

Project scope statement - When you are performing qualitative risk analysis, you want to know what kinds of risks you are dealing with. For example, are you already familiar with these risks? If your project is similar to previous projects, it might have well-understood risks. If it is a new and complex project, it might involve risks that are not well understood in your organization. So, how do you know what kind of project you are dealing with? Simply put, you have to take a look at the project scope statement and search for uncertainties.
Risk management plan - To generate the output of qualitative risk analysis, you will need the following elements of the risk management plan:

• Roles and responsibilities for performing risk management
• Budgeting
• Definitions of probabilities and impacts
• The probability and impact matrices
• Risk categories
• Risk timing and scheduling
• Stakeholders’ risk tolerances

If any of these input items was not developed during risk management planning, it can be developed during qualitative analysis.

Risk register - The risk register contains the list of identified risks that will be the key input to the qualitative risk analysis. Updated risk categories and causes of risks can also be useful elements of the risk register, which can be used in the qualitative risk analysis.
Organizational process assets - While analyzing risks, you will make use of the risk-related components of the knowledge base from previous projects, such as data about risks and lessons learned. You can also look into risk databases that may be available from industry organizations and proprietary sources.

Tools and Techniques for Qualitative Risk Analysis

Prioritizing risks based on their probability of occurrence and their impact if they do occur is the central goal of qualitative risk analysis. Accordingly, most of the tools and techniques used involve estimating probability and impact.

Risk probability and impact assessment - Risk probability refers to the likelihood that a risk will occur, and impact refers to the effect the risk will have on a project objective if it occurs. The probability for each risk and the impact of each risk on project objectives, such as cost, quality, scope, and time, must be assessed. Note that probability and impact are assessed for each identified risk.

Methods used in making the probability and impact assessment include holding meetings, interviewing, considering expert judgment, and using an information base from previous projects.

A risk with a high probability might have a very low impact, and a risk with a low probability might have a very high impact. To prioritize the risks, you need to look at both probability and impact.

Assessment of the risk data quality - Qualitative risk analysis is performed to analyze the risk data to prioritize risks. However, before you do it, you must examine the risk data for its quality, which is crucial because the credibility of the results of qualitative risk analysis depend upon the quality of the risk data. If the quality of the risk data is found to be unacceptable, you might decide to gather better quality data. The technique to assess the risk data quality involves examining the accuracy, reliability, and integrity of the data and also examining how good that data is relevant to the specific risk and project for which it is being used.

Risk urgency assessment - This is a risk prioritization technique based on time urgency. For example, a risk that is going to occur now is more urgent to address than a risk that might occur a few months from now.

Probability and impact matrix - Risks need to be prioritized for quantitative analysis, response planning, or both. The prioritization can be performed by using a probability and impact matrix; a lookup table that can be used to rate a risk based on where it falls both on the probability scale and on the impact scale.

Look at the table below: RXY, where X and Y are integers that represent risks in the two-dimensional (probability and impact) space.

Probability	Impact
0.00	0.05	0.15	0.25	0.35	0.45	0.55	0.65	0.75	0.90
0.20	R11	R12	R13	R14	R15	R16	R17	R18	R19
0.40	R21	R22	R23	R24	R25	R26	R27	R28	R29
0.60	R31	R32	R33	R34	R35	R36	R37	R38	R39
0.80	R41	R42	R43	R44	R45	R46	R47	R48	R49

This is how you read this matrix. R21 has a 40% probability of occurring and will have a 5% impact on the project. Similarly R49 has a 80% probability and will have a 90% impact on the project.

How to calculate the numerical scales for the probability and impact matrix and what they mean depends upon the project and the organization. However, remember the relative meaning: Higher value of a risk on the probability scale means greater likelihood of risk occurrence, and higher value on the impact scale means greater effect on the project objectives.

Each risk is rated (prioritized) according to the probability and the impact value assigned to it separately for each objective. Generally, you can divide the matrix in the table above into three areas; high-priority risks represented by higher numbers, such as R49, medium-priority risks represented by moderate numbers, such as R25, and low-priority risks represented by lower numbers, such as R12. However, each organization has to design its own risk score and risk threshold to guide the risk response plan.

Note that impact can be a threat (a negative effect) or an opportunity (a positive effect). You will have separate matrices for threats and opportunities. Threats in the high-priority area might require priority actions and aggressive responses. Also, you will want to capitalize on those opportunities in the high-priority area, which you can do with relatively little effort. Risks posing threats in the low-priority area might not need any response, but they must be kept on the watch list to ensure that you don't get any unwanted or unexpected surprises towards the end of the project.

Risk categorization - You defined the risk categories during the risk management planning and risk identification processes. Now you can assign the identified risks to those categories. You can also revisit the categorization scheme, such as RBS, that you developed for your project, because now you have more information about risks for the project. Categorizing risks by their causes often helps you develop effective risk responses.

Expert judgment - You may need expert judgment to assess the probability and impact of each risk. To find an expert, look for people who’ve had experience with similar projects in the not too distant past. While weighing the expert judgment, look for possible biases. Often experts are biased toward their area or idea.

Output of the Qualitative Risk Analysis: Updated Risk Register

The risk register was initiated during the Identify Risks process and is updated with the results from the qualitative risk analysis. The updates will be:
• Risks categorizations - This means arranging risks in different categories. This helps you identify the common root causes of the risks and the areas of the project that might require special attention. Furthermore, categorizing risks can bring order to a chaotic situation and makes the management of these risks easier and more effective.
• Prioritized list of risks - The risk register has lists of risks prioritized according to the probability and impact matrix discussed earlier in this article. A separate list can be created for each project objective, such as cost, quality, scope, and time. These lists help you prioritize efforts for preparing and executing risk responses. The risks may be ranked as high, medium, or low.
• Lists of risks - Using some criteria, you can make different lists of risks for effective management. Following are some examples:

o List of risks with time urgency - This list includes urgent risks that require attention now or in the near future.
o Watch list of low-priority risks - This list contains risks that are deemed unimportant by the qualitative risk analysis but that need to be monitored continually.
o List of risks for additional analysis and response - This list includes risks that need further analysis, such as quantitative analysis or a response action.

• Trends in the analysis results - By examining the results from the qualitative risk analysis, you might recognize a trend for specific risks. That trend might suggest further analysis or a specific risk response.

The main output of qualitative risk analysis is the prioritization of risks based on a probability and impact matrix for each objective. So each objective can have its own prioritized list of risks.

Qualitative risk analysis is a relatively quick and cost-effective way to prioritize risks for risk planning. It also lays the groundwork for the quantitative risk analysis if one is required for some of the identified risks.

Prev: Analyzing Risks

Next: Performing Quantitative Analysis