Published on Monday, September 14, 2009

# Defining Risk Management - Part 4: Risk Quantification

There’s more detail available than what I’m going to go into here or include here from the book excerpt. Mostly, because this article would end up being far too long. I’ll go into Risk Quantification at a higher level here, and then present further detail in a subsequent article.

This information below on Risk Quantification comes again – for the most part – from the book “The Project Management Question and Answer Book.”

**What is Risk Quantification?**

Risk quantification is the process of evaluating the risks that have been identified and developing the data that will be needed for making decisions as to what should be done about them. Risk management is done from very early in the project until the very end. For this reason qualitative analysis should be used at some points in the project, and quantitative techniques should be used at other times.

The objective of quantification is to establish a way of arranging the risks in the order of importance. In most projects there will not be enough time or money to take action against every risk that is identified.

The severity of the risk is a practical measure for quantifying risks. Severity is a combination of the risk probability and the risk impact. In its simplest form the risks can be ranked as high and low severity or possibly high, medium, and low. At the other extreme, the probability of the risk can be a percentage or a decimal value between zero and one, and the impact can be estimated in dollars. When the impact in dollars and the probability in decimal are multiplied together, the result is the quantitative expected value of the risk.

Various statistical techniques such as PERT (program evaluation and review technique), statistical sampling, sensitivity analysis, decision tree analysis, financial ratios, Monte Carlo, and critical chain can all be used to evaluate and quantify risks.

**Qualitative and Quantitative Analysis**

Qualitative risk analysis is appropriate early in the project and is effective in categorizing which risks should or should not be planned for and what corrective action should be taken for them. Qualitative analysis techniques will not give us the precise values for the risk that we would like to have. They are very effective when we have little time to evaluate risks before they actually happen.

Quantitative values may be applied to risks when using qualitative analysis. Values such as very risky, not so risky; high and low; high, medium, and low; high, high medium, medium, medium low, and low are generally used. Qualitative evaluation might also evaluate the risks on a scale of one to ten. These values can be applied to both the probability and the impact of the risk. The impact and probability can then be combined to give similar descriptions to the severity of the risk.

If an evaluation of impact and probability used a scaled evaluation of one to ten, the numbers could be multiplied to get the severity. In this way a probability of 7 with an impact of 9 would give us a severity of 63. This number for severity should give us plenty of information for ranking the risks. Using the high, medium, and low version sometimes creates disagreements about risks that are on the borderline between one value and another. For example, does this risk have an impact of medium or high when it is close to the border between the two values? And what happens when the impact is very high or very low and the probability is the opposite?

While qualitative analysis is less precise than quantitative analysis, evaluating the results is far less expensive in terms of both time and money. The results are good enough to indicate the overall risk of the project and identify the high-priority risks in order to begin taking some corrective action. This kind of information may assist in pricing the project to a client.

Quantitative risk analysis attempts to attach specific numerical values to the risks. The severity can be assessed from these numerical values for impact and probability. Numerical techniques for decision analysis are used for this approach. These techniques include Monte Carlo analysis, PERT, computer simulations, decision tree analysis, critical chain scheduling, statistical estimating techniques, and expected value analysis. Generally we find the use of statistics and probability theory to be useful in quantitative analysis.

Care should always be used in quantitative analysis because using a good quantitative technique with bad data is worse than not using the technique at all. Many people are impressed with statistical models and simulations and never look at the data to see how good they are. It is quite possible to impress people into making the wrong decision based on excellent analysis of bad data. Care should also be exercised in the use of quantitative techniques because the cost of applying the technique and collecting the data can sometimes be more than the cost of the risks the technique helps to quantify.