How to link the qualitative and the quantitative risk assessment


Eni Exploration and Production, the Italian Oil & Gas Company, has recently reengineered the internal processes to manage the Development Projects, covering the full lifecycle from the discovery of a hydrocarbon reservoir up to the construction of wells, pipelines and facilities to sustain the production. Eni's Project Management processes are mostly based on PMI concepts.

Great attention has been given to the risk management process in all its applications, starting from the initial stages of the evaluation and planning phases.

Along with a structured and specific set of guidelines that describe the theory and the implementation of the risk management process, a set of tools has been developed to support the activity of the project team. In particular an internal application has been developed to enhance the qualitative risk assessment in order to make this step more effective and to provide the next steps of the risk management process with further elements of analysis.

Through a scoring system the model is able to integrate all the risked effects of each single risk in order to identify and prioritise the main sources of risk, the impact areas and thus to provide an objective support to drive the following quantitative risk evaluation step.


Eni E&P project management system has been well illustrated in the paper “Supporting Project Management Processes with integrated Software tools and databases” presented at Budapest Congress by Marco Piantanida and myself as co-author.

The description of the E&P Project Management System is consequently not repeated in this paper, which will focus on the Risk Management Process and, in particular, on the qualitative risk assessment.

Eni E&P Risk Management Process

Process overview / basic principles

The Risk Management process, defined according to the Project Management Institute (PMI®) guides, consists of three basic steps:

Identify risks: the step required to identify risks and document their characteristics

Evaluate risks (and prioritise them): the step required to assess the risk impact on project activities and objectives, and the risks ranking according to defined criteria

Plan and Control risks: the step required to define and execute the risk management strategies

Exhibit 1: Risk Management Process

The Risk Management process described in Exhibit 1 involves the preparation of two main deliverables:

  • Risk Register: identifies and prioritises each potential risk based on its features (category, risk level, manageability, etc.); it is the output of identification and evaluation steps
  • Risk Management Plan: defines the strategy for controlling each risk and assigns related tasks and responsibilities; it is the output of planning and control step

The overall risk management process time phasing along the project lifecycle and relevant major deliverables are sketched in the exhibit below.

Exhibit 2: Risk Management time phasing and main deliverables

Suggestions for successful Risk Management

Project Risk Management is a challenging process, and requires dedicated and qualified resources and tools.

Below are listed some basic suggestions to maximise the effectiveness of the Risk Management process.

  • Keep it simple
  • Identification of risks aligned with development process objectives
  • Start risk management from the very beginning
  • Keep it constantly updated along the development process
  • Use the result of the risk management process to feed other project management processes
  • Develop the Project Risk Management procedure from the very beginning
  • Maximise Project Team involvement in risk identification and control strategy definition
  • Organise the project team with clear responsibilities assignments
  • Keep a proactive attitude towards risk

Identify Risks

Risk identification is the starting point of the risk management process: it involves determining which risks may affect the project and documenting their characteristics.

It is a reiterative process that may be performed involving more participants at each iteration, even persons not involved in the project at a later stage.

Exhibit 3

Project Document Analysis

The analysis of the following various project documents may help to have full knowledge about the project before starting the risk identification step:

  • Project mission
  • Project objectives
  • Scope of work
  • Strategies adopted to execute the work
  • Procurement plan
  • Project schedule
  • Technologies adopted
  • Resources required (type, quantity, timing, duration, etc.)
  • Project assumptions and constraints
  • Other data or information that might affect project schedule, scope, quality, or costs

Selection and use of methods to identify risks

Typical information-gathering techniques such as the following are usually used to identify project risks:

  • Brainstorming: is a method to enhance PT creativity. It consists of: identification of the appropriate team to execute the brainstorming; constitution of the team and definition of the basic rules for the Brainstorming performance; generation of new ideas; clarification of ideas and conclusion of the Brainstorming session. The entire process is usually followed by a qualified facilitator
  • Delphi method: is a method to gain the experts' agreement or disagreement about a problem; the experts should express their opinion about the problem (i.e. risk posed on the project), and a process administrator should aggregate the opinions received (i.e. in a statistical form) and send these back to the experts as anonymous feedback; the experts might revise their opinion and generate new ideas or keep the previous ones; the process is repeated 4÷5 times, and the areas of agreement or disagreement are documented; the main advantage of this method is that it avoids direct mutual influence on judgements among the experts
  • Interviews: interviews are the simplest method and consist of asking various people their opinion
  • Checklist: provides a typical list of risks from literature (Annex 1 provides a typical list of common project risks)
  • Database: the collection of all risks experienced by the Company in the various projects; the database can be queried to decide whether a certain identified risk could reasonably occur, or which risks the project is exposed to
  • Cause / effect diagrams: are diagrams supporting the analysis of the root cause of the risk on which the control strategy should operate
  • Network analysis: the analysis of the project network to compute the impact of the activities' duration on the project schedule; it allows the identification of the critical path, near critical paths, etc.
  • Sensitivity analysis: is the technique that makes it possible to understand the relative impact of several variables on the entire problem; it consists of keeping all variables constant except one and modifying its value to assess its importance in the problem
  • Risks already identified might disappear and new risks might appear; and
  • Risks already identified might change over time in probability of occurrence and/or impact. To understand such variance, the risk management process shall be repeated periodically during the project, starting from risk identification.

To maximise risk management effectiveness the Project Team should focus on identifying those risks aligned with the actual objective of the project phase along the project life cycle.

Once risks have been identified, they should be qualified according to risk category and risk impact areas, as shown in the following exhibits. Risk categorisation is aimed at a better identification of common sources of risk, thus supporting the later definition of the response plan in terms of probability mitigation. Identification of risk impact areas is aimed at a better identification of common impact areas, thus supporting the later definition of the response plan in terms of consequences mitigation. Risk data may be organised and structured using a Risk Breakdown Structure to facilitate understanding, communication, reporting and accountability.

Exhibit 4: Risk Categories

Exhibit 5: Risk Impact Areas

After each risk has been defined in terms of risk category and risk impact areas, it is assigned a Risk Owner, a member of the Project Team responsible for controlling that specific risk. The Risk Owner is thus responsible for the following:

  • Detect early signals or triggers of risk occurrence
  • Ascertain that the defined risk control strategy is suitable, and in case make the required adjustments
  • Implement the risk control strategy and relevant action plan
  • Detect risk control strategy efficacy and propose modifications if so required
  • Activate the fall-back plan
  • Inform the Risk Analyst about the changes of risk probability, impact, period of occurrence, control strategy required, etc.

The Risk Owner shall be identified as soon as possible, to secure his/her involvement in the subsequent risk management steps. His/her contribution is important both in the evaluation step and in the planning step, to define the risk control strategy and the action plan.

Risk identification requires the start of the Risk Form preparation. The Risk Form build-up is a process, in which some information is produced during the Identification step, further are produced during Evaluation and balance

Evaluate Risks

The risk evaluation step is the process of assessing the impact and likelihood of the identified risks, thus prioritising the risks according to their potential effect on project objectives.

Exhibit 6

After the identification step, the way to determine the importance of each specific risk and to guide the risk response process is to assess the probability and the impacts of the identified risks, that is, to assess the risk level.

Risk level is defined as the expected influence of risk occurrence on project objectives, based on likelihood of their occurrence and the level of possible impact. Risk level can be expressed according to the formula:


Probability of occurrence is the best estimate of chances that the identified risk could occur. To assess probability of occurrence of a certain event, the following could be used:

  • Database
  • Expert interviews
  • Analogy comparison
  • Delphi method

Consequences on identified project areas shall be expressed as the impact on relevant project baselines. The risk level for each identified risk will be determined by the sum of the potential impacts on the identified project areas.

Two different techniques can be used to evaluate and prioritise project risks:

  • Qualitative Risk Analysis
  • Quantitative Risk Analysis

Qualitative risk analysis

Qualitative risk analysis requires that the probability and consequences of the risk be evaluated using established qualitative-analysis methods and tools, describing them in terms such as very high, high, moderate, low, very low. These two dimensions of risk are applied to each specific risk event and the results may be plotted using a probability-impact matrix. It illustrates the simple multiplication of the scale values assigned to determine whether a risk is considered low, moderate or high.

The ranges suggested below are just an example which can be customised according to Project needs. According to Company procedures, the probability of risks impacting on People and Environment areas should be evaluated with a different scale.

Quantitative Risk Analysis

Although qualitative risk analysis is broadly used, if enough data are available the risk assessment can be performed through a quantitative risk analysis. The main advantages of a quantitative approach are:

  • Determine the probability of achieving a specific project objective
  • Quantify the risk exposure for the project, and determine the size of cost and schedule contingency that may be needed
  • Identify risks requiring most attention by quantifying their relative contribution to project risk
  • Identify realistic and achievable costs, schedule, or scope targets

The quantitative approach requires:

  • the definition of the probabilistic value of each single risk factor's occurrence
  • the quantitative definition of the potential impact.

Quantitative assessment is particularly used to forecast potential project schedule and cost results, listing the associated confidence level for each potential value of the considered variable.

The result is a description, in terms of a probabilistic distribution, of the potential values of a given variable (impact areas). If more accurate data are not available, a triangular distribution may be adopted, which requires only the quantification of the minimum, most likely and maximum values that the variable may take.
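The quantitative step described above, as an added Python illustration (not part of the original paper or of Eni's tools): each risk occurs with a given probability and, when it occurs, its cost impact is drawn from a triangular distribution defined by minimum, most likely and maximum values. The risk identifiers, probabilities, cost figures and function names are constructed assumptions.

```python
import bisect
import random

# Constructed sample data (assumption, not from the paper):
# (risk id, probability of occurrence, minimum, most likely, maximum cost impact)
COST_RISKS = [
    ("R1", 0.65, 200, 500, 1200),
    ("R2", 0.20, 1000, 1500, 4000),
    ("R3", 0.95, 50, 100, 300),
]


def simulate_cost_exposure(risks, iterations=20000, seed=7):
    """Monte Carlo run: return (sorted total impacts, mean contribution per risk)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    contribution = {risk_id: 0.0 for risk_id, *_ in risks}
    for _ in range(iterations):
        total = 0.0
        for risk_id, probability, low, mode, high in risks:
            if rng.random() < probability:  # the risk occurs in this iteration
                impact = rng.triangular(low, high, mode)
                total += impact
                contribution[risk_id] += impact
        totals.append(total)
    totals.sort()
    mean_contribution = {k: v / iterations for k, v in contribution.items()}
    return totals, mean_contribution


def value_at_confidence(sorted_totals, confidence):
    """Cost exposure that is not exceeded with the given confidence level."""
    index = min(len(sorted_totals) - 1, int(confidence * len(sorted_totals)))
    return sorted_totals[index]


def confidence_of(sorted_totals, budget):
    """Fraction of simulated outcomes that stay within a given contingency."""
    return bisect.bisect_right(sorted_totals, budget) / len(sorted_totals)


if __name__ == "__main__":
    totals, contribution = simulate_cost_exposure(COST_RISKS)
    for level in (0.50, 0.80, 0.90):
        print(f"P{int(level * 100)} exposure: {value_at_confidence(totals, level):.0f}")
    # Relative contribution of each risk to the mean exposure
    mean_total = sum(totals) / len(totals)
    for risk_id, value in sorted(contribution.items(), key=lambda kv: -kv[1]):
        print(f"{risk_id}: {value / mean_total:.0%} of mean exposure")
```

The value at a chosen confidence level is one way to size the cost contingency, and the per-risk contributions show which risks require most attention.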

Plan & Control Risks

Plan and Control is the step in which the risk control strategies are defined and implemented to reduce the initial risk level exposure.

Risk response planning is the process of developing options and determining actions to reduce threats to the project objectives, with the definition of the risk control strategies whose effectiveness will directly determine whether actual risk increases or decreases along the project lifecycle.

The deliverable issued during this step is the Risk Management Plan. It should include as a minimum: identified risks, results from qualitative and quantitative evaluation processes, risk owners and assigned responsibilities, agreed control strategies selected, level of residual risk expected after the strategies are implemented, budget and times for responses, contingency plans.

Risk monitoring and control is the process of keeping track of the identified risks, monitoring residual risks and identifying new risks, ensuring the execution of risk plans, and evaluating their effectiveness in reducing risks: risk monitoring and control is an ongoing process during the project lifecycle, the risks change as the project develops, new risks arise, or some disappear.

How to link the qualitative and the quantitative risk assessment

After having applied the process previously described to a significant number of projects, it was realized that there was room to improve the step of the qualitative evaluation: in particular with the following objectives:

  • reduce the subjective level, typical of any qualitative evaluation
  • obtain a result from the qualitative assessment with a greater value and impact on the subsequent risk and project planning processes

In order to perform qualitative assessments with the minimum level of bias, the process has been structured with the definition of precise indications for each scale level in terms of probability ranges and magnitude for each project impact area.

The evaluation is still done on a qualitative basis, but it is based on homogeneous and standard approaches.

A step forward in the qualitative assessment process can be made by associating a score with the probability and impact scales: this will allow further possibilities of analysis, in particular in terms of:

  • risk factors ranking
  • risk categories and impact areas relevant “risk” weight on the overall project risk exposure
  • overall project risk exposure definition and monitoring.

In particular, with these elements and indexes it is possible to direct the project team's effort in the implementation of the next step of the risk process, that is, the quantitative risk analysis on one or more of the impact areas evaluated during the qualitative analysis.

The scoring system is used to quantify, on a given scale, the qualitative assessment of:

  • the probability of risk occurrence
  • the impact of risk occurrence

According to Company procedures, risks impacting project objectives should be assessed differently from risks impacting HSE aspects because the acceptable risk level exposure is significantly different.

The following scoring table could be used for risks impacting project objectives, corporate image and relation with 3rd party stakeholder.

| PROBABILITY OF OCCURRENCE | 0.05 | 0.20 | 0.40 | 0.65 | 0.95 |
|---|---|---|---|---|---|
| Probability range | 0 < P < 0.10 | 0.10 ≤ P < 0.25 | 0.25 ≤ P < 0.45 | 0.25 ≤ P < 0.45 | 0.70 ≤ P < 0.95 |
| Description | Occurrence is very unlikely and is generally controlled by following existing process, procedures and plans | Occurrence is unlikely and may not be entirely controlled by following existing process, procedures and plans | Occurrence is rather unlikely and may not be entirely controlled by following existing process, procedures and plans | Occurrence is rather likely and may not be entirely controlled by following existing process, procedures and plans | Occurrence is very likely and may not be entirely controlled by following existing process, procedures and plans |

For risks impacting people and environment, the probability (P) and impact (I) could be evaluated using the following scoring tables.

| PROBABILITY OF OCCURRENCE (events × year) | 0.05 | 0.20 | 0.40 | 0.65 | 0.95 |
|---|---|---|---|---|---|
| Probability range | $0 < P < 10^{-6}$ | $10^{-6} \le P < 10^{-4}$ | $10^{-4} \le P < 10^{-3}$ | $10^{-3} \le P < 10^{-1}$ | $10^{-1} \le P$ |
| Description | Could happen in E&P industry | Happened in E&P industry | Already happened within the Company | Happened several times within the Company | Happened several times per year within the Company or at a location |

| RISK IMPACT AREA | 0.01 | 0.15 | 0.3 | 0.7 | 0.9 |
|---|---|---|---|---|---|
| PEOPLE | Slight health effect / injury | Minor health effect / injury | Major health effect / injury | Permanent total inability or single death (reduced exposed population) | Multiple death (groups exposed) |
| ENVIRONMENT | Slight effect | Minor effect | Localised effect | Major effect | Extensive damage |


| RISK IMPACT AREA | 0.01 | 0.15 | 0.30 | 0.70 | 0.90 |
|---|---|---|---|---|---|
| COST | Insignificant cost increase | Cost increase within contingency | 0 ÷ 7% budget increase | 7 ÷ 15% budget increase | > 15% budget increase |
| QUALITY | Quality degradation barely noticeable | Only very demanding applications are affected | Quality reduction requires client approval | Quality reduction unacceptable to the client | Project end item is effectively unusable |
| SCHEDULE | Insignificant schedule slippage | Schedule slippage within contingency | Overall project schedule slippage 0 ÷ 3 months | Overall project schedule slippage 3 ÷ months | Overall project schedule slippage > 6 months |
| COMMERCIAL / BUSINESS LOSS | Insignificant business loss | < 5% IRR reduction | 5 ÷ 10% IRR reduction | 10 ÷ 20% IRR reduction | IRR reduction > 20% |
| CORPORATE IMAGE | Negligible complaints, unlikely press involvement; no effect on future projects | Complaints, jerky local press on Eni, need of site personnel intervention; no effect on future projects | Jerk unfavourable local and national press on Eni, need of DPM intervention; future projects not challenged | Bad local and national press on Eni, need of company HQ intervention; future projects quite difficult in the area | Bad national and international press on Eni, need of Eni HQ/Government intervention; future projects impossible in the area |
| | Negligible frictions, basic agreement; disagreement / delay only on few and minor decisions | Moderate frictions, limited to some topics; disagreement / delay on few major decisions | Conceptual and significant friction on some topics; disagreement / delay on some critical decisions | Large friction, difficult relationship, difficulties in getting feedback and approval on most critical decisions; difficult future projects | Bad relationship, blocking difficulties in getting any feedback and approval; quite impossible future projects |

With reference to the above scoring tables:

  • the first row provides the score to be used for P (first table) and I (second table) in PxI calculus;
  • the second row in the first table represents the probability range;
  • the following rows give the corresponding probability and impact qualitative descriptions.

Once risks have been assessed the resulting scores may be used for further analysis as illustrated in the following figure where a PxI matrix is applied to a single project workpackage.


Each cell is subdivided in two parts: one represents the risk score and the other the impact score of the risk on the impact area.


This matrix allows characterising the risks posed on the WP by risk categories and by impact area; it also addresses the cumulative risk exposure relevant to the WP execution.

Then PxI score figures can be summed per:

  • row: to quantify the risk level of each risk event occurrence according to the formula

$\text{Risk}_k = \sum_h (P_{kh} \times I_{kh})$, with the sum extended to all impact areas h, where $P_{kh}$ and $I_{kh}$ are the probability and impact of risk k on the impact area h

  • column: to quantify the cumulative risk per risk impact area according to the formula

$\text{Risk Impact Area}_h = \sum_k (P_{kh} \times I_{kh})$, with the sum extended to k, representing all risks impacting the risk impact area h

The sum of all figures per row or per column represents the WP risk level.

Each $\text{Risk}_k$ is then evaluated by summing the effects on all impacted WPs according to the formula:

$\text{RISK}_k = \sum_s \left[ \sum_h (P_{kh} \times I_{kh}) \right]_s$

with s ranging over all WPs impacted by $\text{Risk}_k$.

Once such evaluation has been developed, the WP risk level can be represented in a radar diagram where the axes are the risk categories or the risk impact areas (ref. Annex 3).

Project risk level can be calculated summing-up the risks per risk category or per risk impact area using the following matrix.


Data of all WPs can be aggregated per risk impact areas or per risk categories to provide different evaluation of the project risk level (see annexes 2 & 3 for possible data representation).

The above developed evaluations allow the risk prioritisation (i.e. risk ranking per decreasing value of risk level).

In addition the following evaluations may be produced:

  1. risk level of each identified risk
  2. risk level per risk category for each WP and for the Project
  3. risk level per risk impact area for each WP and for the Project
  4. risk level for each WP
  5. project risk level

Such prioritisation supports the identification of:

  1. the most significant risks
  2. the WPs most affected by such risks
  3. the project risk level

and will drive the risk management effort in terms of control strategies selection and control requirements.
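The row, column and cross-WP sums and the resulting prioritisation, as an added Python illustration (not part of the original paper or of Eni's internal application). The register entries, the risk and WP identifiers, and the level names attached to the table scores are constructed assumptions.

```python
from collections import defaultdict

# Scores from the first row of the scoring tables above; the level names
# attached to them are an assumption made for this example.
P_SCORE = {"very low": 0.05, "low": 0.20, "moderate": 0.40, "high": 0.65, "very high": 0.95}
I_SCORE = {"very low": 0.01, "low": 0.15, "moderate": 0.30, "high": 0.70, "very high": 0.90}

# Constructed register: (risk, work package, impact area, probability level, impact level)
REGISTER = [
    ("R1", "WP1", "COST", "high", "moderate"),
    ("R1", "WP1", "SCHEDULE", "high", "high"),
    ("R1", "WP2", "SCHEDULE", "moderate", "low"),
    ("R2", "WP1", "COST", "low", "very high"),
    ("R2", "WP1", "QUALITY", "low", "moderate"),
    ("R3", "WP2", "COST", "very high", "low"),
    ("R3", "WP2", "ENVIRONMENT", "very low", "very high"),
]


def score_matrix(register):
    """Build {wp: {risk: {impact_area: P x I}}} from the qualitative levels."""
    matrix = {}
    for risk, wp, area, p_level, i_level in register:
        cell = P_SCORE[p_level] * I_SCORE[i_level]
        matrix.setdefault(wp, {}).setdefault(risk, {})[area] = cell
    return matrix


def row_sums(matrix, wp):
    """Risk_k within one WP: sum over impact areas h of P_kh x I_kh."""
    return {risk: sum(cells.values()) for risk, cells in matrix[wp].items()}


def column_sums(matrix, wp):
    """Cumulative risk per impact area h within one WP: sum over risks k."""
    totals = defaultdict(float)
    for cells in matrix[wp].values():
        for area, score in cells.items():
            totals[area] += score
    return dict(totals)


def risk_levels(matrix):
    """RISK_k: the row sum of risk k added over every WP s it impacts."""
    totals = defaultdict(float)
    for wp in matrix:
        for risk, level in row_sums(matrix, wp).items():
            totals[risk] += level
    return dict(totals)


def project_by_area(matrix):
    """Project risk level per impact area: column sums added over all WPs."""
    totals = defaultdict(float)
    for wp in matrix:
        for area, level in column_sums(matrix, wp).items():
            totals[area] += level
    return dict(totals)


def ranking(levels):
    """Prioritisation: items sorted by decreasing risk level."""
    return sorted(levels.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    m = score_matrix(REGISTER)
    for wp in m:
        print(wp, "risk level:", round(sum(row_sums(m, wp).values()), 4))
    print("risk ranking:", ranking(risk_levels(m)))
    print("impact area ranking:", ranking(project_by_area(m)))
```

The impact area at the top of the second ranking is the natural first candidate for the quantitative analysis.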


Rossi, P. & Piantanida, M. (2007, May). Supporting Project Management Processes with integrated Software tools and database. PMI EMEA Global Congress, Budapest.

Rossi, P. (2005, December). Risk Management Process: methods, tools & techniques. Eni Best Practices.

© 2007 Paolo Rossi
Originally published as a part of Proceedings 2007 PMI Global Congress EMEA – Budapest, Hungary


