
This article is the ninth part of my look into project risk management, and today the topic is quantitative risk analysis.
What is quantitative risk analysis?
Well, it’s difficult to spell, that’s what! And often confused with qualitative risk analysis.
Simply put, it’s the next step after you’ve identified the likelihood, probability and any other risk metrics that you consider important. It’s the process of getting a number from those risk assessments and seeing what the financial, resource and time impact would be should the risks happen.
On large projects it’s a way of providing greater levels of confidence and management oversight by reviewing substantive risks in a very structured way, allowing the team to work out what the best course of action is to manage the risk.
Inputs
The inputs to this process are:
- The project management plan – the risk management plan is the key part of this document but you’ll also need to refer to the scope, schedule and cost baselines
- The project documents, and there’s a wide selection of files that are going to be helpful – more on those in a minute
- Enterprise environmental factors like industry studies
- Organisational process assets like info from past projects that might be relevant to your work.
What documents should you review?
Most of your project documents could be considered fodder for this process, but beyond the risk register and risk report here are the most important ones:
- Assumption log – review any assumptions and constraints that affect risk.
- Basis of estimates – this will tell you how estimates were created; the less scientific ways of developing estimates represent a higher risk to the project.
- Cost and resource estimates – use these as a starting point to work out the cost or resourcing variability for any given risk.
- Duration estimates – use these as a starting point to work out variability in the schedule.
- Cost forecasts – these are helpful if you are calculating confidence levels because you can compare the quantitative cost risk analysis to your forecast and see how on track you are likely to be.
- Schedule forecasts and milestone list – ditto for confidence levels related to scheduling.
Tools and Techniques
There are also quite a lot of tools and techniques that will be helpful in carrying out this step of your risk management process:
- Expert judgement
- Interviews and facilitation (data gathering and interpersonal and team skills)
- Data analysis
- Representations of uncertainty – this is a statement, model or distribution that represents the levels, values and range of uncertainty for each risk.
The expert judgement input you need here is going to be quite a specialised skill, so if you have risk-certified professionals on the team, use them to support you.
Data analysis can be undertaken in a variety of ways and you can select which is going to be the most appropriate for the type of risk you are assessing.
Simulations like Monte Carlo analysis simulate the combined effects of individual risks to see what their impact would be on successfully completing the project.
Sensitivity analysis helps you understand which individual risks are most likely to affect the project's outcomes. You’ll typically see these represented in a tornado diagram.
Decision tree analysis is a way of visually representing several different options for dealing with risk and reviewing what the impact of each of those options would be. It helps you choose the best risk management approach, and it typically focuses on working out the cost of different choices.
Influence diagrams show the interconnections within the project, highlighting what relationships influence particular outcomes. In itself it isn’t going to share many insights about the impact of risk, but it is a good starting point for seeing how different stakeholders or tasks connect and influence each other.
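To make the simulation and sensitivity techniques concrete, here is an added example (not from the original article) that runs a Monte Carlo cost analysis over a small risk register, reads off the confidence level against a cost forecast, and ranks the risks in tornado order. The register, baseline and forecast figures are constructed for illustration, and the triangular three-point distribution is an assumed representation of uncertainty.

```python
import random
import statistics

# Constructed register: probability, then (optimistic, most likely, pessimistic) cost.
RISKS = {
    "Supplier delay":     (0.30, (20_000, 50_000, 120_000)),
    "Key staff leave":    (0.15, (10_000, 30_000, 60_000)),
    "Integration rework": (0.50, (5_000, 15_000, 40_000)),
    "Regulatory change":  (0.05, (40_000, 80_000, 150_000)),
}
BASE_COST = 500_000  # assumed cost baseline
FORECAST = 560_000   # assumed cost forecast

def simulate(risks, base, runs=20_000, seed=1):
    """Monte Carlo: return total cost per run and each risk's impact per run."""
    rng = random.Random(seed)  # seeded so the analysis is repeatable
    totals, impacts = [], {name: [] for name in risks}
    for _ in range(runs):
        total = base
        for name, (prob, (low, mode, high)) in risks.items():
            # The risk fires with its probability; its cost is a triangular draw.
            hit = rng.triangular(low, high, mode) if rng.random() < prob else 0.0
            impacts[name].append(hit)
            total += hit
        totals.append(total)
    return totals, impacts

def percentile(values, pct):
    """Value at or below which pct percent of the runs fall."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(pct / 100 * len(ordered)))]

def confidence(totals, forecast):
    """Share of runs that finish at or under the forecast."""
    return sum(t <= forecast for t in totals) / len(totals)

def sensitivity(totals, impacts):
    """Each risk's share of total-cost variance, largest first (tornado order)."""
    spread = statistics.pvariance(totals)
    shares = {n: statistics.pvariance(v) / spread for n, v in impacts.items()}
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    totals, impacts = simulate(RISKS, BASE_COST)
    print("P50", round(percentile(totals, 50)), "P80", round(percentile(totals, 80)))
    print("Confidence in forecast:", round(confidence(totals, FORECAST), 3))
    for name, share in sensitivity(totals, impacts):
        print(f"{name:20s} {share:.1%}")
```

Because the risks are simulated as independent, the variance shares add up to roughly 100%, which is what lets them be read as a ranking of where the overall exposure comes from.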
Outputs
There is only one output from this process and that’s the risk report. Update the report with the formal outcome of the analysis. If you have only used this process for some risks, those are the ones you want to update – it’s fine if you don’t have the same level of detail for every risk, because you are prioritising effort and time on the risks that are going to have the most impact on your project.
Do you always have to do quantitative risk analysis?
No, you don’t. It is a good technique to use if you’ve got good data. If your risk data is skimpy and your baselines are more guesswork than expert judgement, all you are doing is building an analysis on shaky foundations.
This is an appropriate process for large, complex, strategic projects or where there is a requirement to do it because a contract or stakeholder says so. However, if you choose not to go ahead and quantitatively analyse risk, then be aware that it’s really the only reliable way to aggregate and review the overall risk exposure for your project and onwards up into the rest of the portfolio. So if you need that data, you’ll have to do it.
Next time I’ll be looking at how to plan risk responses.
In case you missed them, and to save you a job digging through the archives, here are the quick links back to the previous instalments:
Read part 1 here: An introduction to risk management
Read part 2 here: Trends and Emerging Practices in Project Risk Management (Part A)
Read part 3 here: Trends and Emerging Practices in Project Risk Management (Part B)
Read part 4 here: Tailoring Risk Management
Read part 5 here: Planning Risk Management
Read part 6 here: The Risk Management Plan
Read part 7 here: Identify Risks Process
Read part 8 here: Qualitative Risk Analysis