Adopting the quadratic mean process to quantify the qualitative risk analysis
The objective of this paper is to propose a mathematical process to turn the results of a qualitative risk analysis into numeric indicators to support better decisions regarding risk response strategies.
Using a five-level scale for probability and a set of scales to measure different aspects of the impact and time horizon, a simple mathematical process is developed using the quadratic mean (also known as root mean square) to calculate the numerical exposition of the risk and consequently, the numerical exposition of the project risks.
This paper also supports the reduction of intuitive thinking when evaluating risks, often subject to illusions that can cause perception errors. These predictable mental errors, such as overconfidence, confirmation traps, optimism bias, zero-risk bias, sunk-cost effect, and others often lead to the underestimation of costs and effort, poor resource planning, and other low-quality decisions (Virine, 2010).
Qualitative X Quantitative risk analysis
One of the main challenges during the analysis of a risk is to define the right approach to assess the amount of the exposure/opportunity. The two basic steps to determine the right level of risk are based on the qualitative and quantitative analysis (Exhibit 1).
A qualitative risk analysis prioritizes the identified project risks using a pre-defined scale. Risks will be scored based on their probability or likelihood of occurrence and the impact on project objectives if they occur (Exhibits 2 and 3).
A quantitative risk analysis is based on simulation models and probabilistic analysis, where the possible outcomes for the project are evaluated, providing a quantitative, numeric and often financial risk exposure to support decisions when there is uncertainty (PMI, 2013). Some quantitative processes are simple and direct like rolling a dice (Exhibit 4), but most of them involve very complex simulation scenarios like the Monte Carlo Simulation.
“Monte Carlo” was a nickname of a top-secret project related to atomic weapons developed by the mathematician John von Neumann (Poundstone, 1993; Vargas, 2013). He discovered that a simple model of random samples could solve certain mathematical problems, which couldn't be solved up to that moment.
The simulation refers, however, to a method by which the distribution of possible results is produced from successive recalculations of project data, allowing the development of multiple scenarios. In each one of the calculations, new random data is used to represent a repetitive and interactive process. The combination of all these results creates a probabilistic distribution of the results (Exhibits 5 and 6).
Because quantitative analysis is based on mathematics and statistics supported by objective metrics, such analyses are considered to be more rigorous (Smock, 2002). The main challenges of a solid quantitative analysis are the time and effort it requires to be executed and the required technical background in statistics to make the proper parameterization of the data. The main advantages and disadvantages of each method are presented in Exhibit 7.
The risk model proposed hereafter is a qualitative process with numerical results, reducing the ambiguity of the qualitative process to determine with precision the probability and the impact of uncertain events in the project.
The proposed qualitative probability assessment is based on a scale with their respective scores (Exhibit 8).
For each identified risk a score from 1 (one) to 5 (five) should be determined.
Five Dimensions of the Impact
The impact of the event, in case it occurs, can be perceived in different dimensions of the project objectives. For example, one risk can have a major impact on costs but not necessarily an important impact on quality. It is very important to highlight that threats and opportunities should be analyzed separately.
The basic groups where impact should be evaluated are (Exhibit 9):
- Impact on time and deadlines
- Impact on costs
- Impact on quality
- Impact in safety and security
- Other impacts
Each project may develop different impact groups based on the nature of the project, including groups like: impact on reputation, regulatory impact, environmental impact, social impact, and stakeholder's impact, among several others. Following is the presentation of the five basic groups.
Impact on Time and Deadlines
One should assess the level of impact on the conclusion of the project. It can be positive or negative for opportunities and threats, respectively. Threats that impact the conclusion of the project must be considered as a priority if compared to other events.
Because each project differs in size, complexity and several other factors, the project team needs to agree on the level of tolerance that they consider appropriate for each level of impact, like the example shown in Exhibit 10.
Impact on Costs
One should also assess the level of impact that the event may bring to the total project cost. It can be positive (savings) or negative (additional expenditures) for opportunities and threats, respectively.
Like mentioned for time and deadlines, the project team needs to agree on the level of tolerance that they consider appropriate for each level of impact, like in the example for costs presented in the Exhibit 11.
Impact on Quality
Assesses the level of impact on the quality required for the project. It can be positive or negative for opportunities and threats, respectively.
As presented in the other groups, the project team needs to agree on the level of tolerance that they consider appropriate for each level of impact, as in the example in Exhibit 12 for negative risk events.
Impact on Safety and Security
Assesses the level of impact that the event can incur in safety at work and security. This impact group could include aspects related to environment, physical security of the work in the project, data security (IT), and reputation, among others.
In Exhibit 13, an example of scale is presented to assess impacts in safety and security.
This group is an optional group and aims to include any other specific impact of a risk that was not covered in the previous groups. It is important that the score of the other impacts, if it exists, should be from 1 to 5 like the other impact groups.
Proximity: the 6TH Impact Dimension
Another dimension of the impact is the time horizon or proximity of the event (Exhibit 14). An event that may happen in hours requires different actions than another event that could impact the project in years. If an event is close to happening, it has a higher priority if compared with future events (in the proximity aspect).
The proximity scale should be compatible with the other impact groups (1 to 5 score for different time horizons). It is important that the project team defines what are immediate events, short-term events, medium-term events, long-term events and very long-term events (Exhibit 15).
It is important to highlight that immediate events will score higher than very long-term events when assessing their proximity.
Calculating the Expected Value and Final Risk Assessment
The expected value is a risk measurement used to assess and prioritize risk events (Exhibit 16).
Using the qualitative method, the probability will range from 1 to 5 (Exhibit 8).
The impact is based on the impact in different aspects of the project and the proximity using a quadratic mean (root square mean) calculation (Exhibit 17).
The decision for the quadratic mean instead of the arithmetic mean is based on the concept that different levels of impact add additional exposure to the project and this variance should be considered as a risk factor to the project.
The relationship between the quadratic mean and the arithmetic mean is
where the variance is a measure of how far a set of numbers is spread out.
The variance concept is directly related to the dispersion of the different impact groups. If the impact ranges are very wide, the variance will also be high and the difference between the proposed quadratic mean and the traditional arithmetic mean will increase, increasing the risk impact.
One example of the impact results is presented in Exhibit 19.
It is important to highlight that the threats and opportunities can be calculated using the same formula, but with different signals (+ for opportunities and – for threats). The total qualitative risk exposure of the project is determined by the sum of the expected values of all threats and opportunities. An example of this process is presented in Exhibit 20.
The results from the process will be always a number between 1 and 25. In the example of Exhibit 20, the value -5,10 is equivalent to 20,4% negative exposure (5,10/25) for the project.
Based on this result and the tolerance thresholds (Hilson, 2007), the total exposure can be compared with other projects and the corporate limits to define potential risk response plans.
The qualitative risk method is always a simplified model if compared with the quantitative methods. The approach of this paper suggests an alternative model that can be tailored to include different kinds of impacts and scales in order to produce a reliable quantitative result.
This result allows opportunities and threats to be compared in order to determine the total risk exposure. The concept that an opportunity can cancel a threat of the same level is not possible with the traditional qualitative risk management approach.
Altenbach, T. J. (1995). A comparison of risk assessment techniques from qualitative to quantitative. Honolulu, ASME Preassure Vessels and Piping Conference. Available at http://www.osti.gov/bridge/servlets/purl/67753-dsZ0vB/webviewable/67753.pdf
Hilson, D., & Murray-Webster, R. (2007). Understanding and managing risk attitude. London: Gower Publishing.
Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK® guide) - fifth edition. Newtown Square, PA: Project Management Institute.
Poundstone, W. (1993). Prisoner's Dilemma. Flushing: Anchor Publishing Group.
Pritchard, C. L. (2001). Risk Management: Concepts and Guidance. 2nd Ed. Arlington, VA: ESI International.
Rossi, P. (2007). How to link the qualitative and the quantitative risk assessment. Budapest: PMI Global Congress EMEA.
Rot, A. (2008). IT risk assessment: Quantitative and qualitative approach. San Francisco: World Congress on Engineering and Computer Science.
Smock, R. (2002). Reducing subjectivity in qualitative risk assessments. Bethesda, MD: SANS Institute. Available at http://www.giac.org/paper/gsec/2014/reducing-subjectivity-qualitative-risk-assessments/103489
Vargas, R. V. (2013). Determining the mathematical ROI of a project management implementation. New Orleans, LA, PMI Global Congress North America.
Virine, L. (2010). Project risk analysis: How ignoring it will lead to project failures. Washington, DC, PMI Global Congress North America.
© 2013, Ricardo Viana Vargas
Originally published as a part of 2013 PMI Global Congress Proceedings – New Orleans – Louisiana - USA