Adopting the Quadratic Mean Process to Quantify the Qualitative Risk Analysis

Publications

PMI Global Congress 2013 – North America
New Orleans – Louisiana – USA – 2013

Abstract

The objective of this paper is to propose a mathematical process to turn the results of a qualitative risk analysis into numeric indicators to support better decisions regarding risk response strategies.

Using a five-level scale for probability and a set of scales to measure different aspects of the impact and time horizon, a simple mathematical process is developed using the quadratic mean (also known as root mean square) to calculate the numerical exposition of the risk and consequently, the numerical exposition of the project risks.

This paper also supports the reduction of intuitive thinking when evaluating risks, often subject to illusions, which can cause perception errors. These predictable mental errors, such as overconfidence, confirmation traps, optimism bias, zero-risk bias, sunk-cost effect, and others often lead to the underestimation of costs and effort, poor resource planning, and other low-quality decisions (VIRINE, 2010).

Qualitative X Quantitative Risk Analysis

One of the main challenges during the analysis of a risk is to define the right approach to assess the amount of the exposure/opportunity. The two basic steps to determine the right level of risk are based on the qualitative and quantitative analysis (Exhibit 1).

6196.png

Exhibit 1 – Analysis of Risk Process Flow (ROSSI, 2007).

A qualitative risk analysis prioritizes the identified project risks using a predefined scale. Risks will be scored based on their probability or likelihood of occurrence and the impact on project objectives if they occur (Exhibit 2 and 3).

Level

Score

For Threats

High

Very High

5

Red

High

4

Medium

Medium

3

Yellow

Low

2

Low

Very Low

1

Green

6221.png

Exhibit 3 – Example of Qualitative Risk Matrix with 3 x 3 Levels (ALTENBACH, 1995)

A quantitative risk analysis is based on simulation models and probabilistic analysis, where the possible outcomes for the project are evaluated, providing a quantitative, numeric and many times financial risk exposure to support decisions when there is uncertainty (PMI, 2013). Some quantitative processes are simple and direct like rolling a dice (Exhibit 4), but most of them involve very complex simulation scenarios like the Monte Carlo Simulation.

Image6231.PNGExhibit 4 – Diagram showing the deterministic probability of rolling a dice

“Monte Carlo” was a nickname of a top-secret project related to the drawing and to the project of atomic weapons developed by the mathematician John von Neumann (POUNDSTONE, 1993 and VARGAS, 2013). He discovered that a simple model of random samples could solve certain mathematical problems, which couldn’t be solved up to that moment.

The simulation refers, however, to a method by which the distribution of possible results is produced from successive recalculations of project data, allowing the development of multiple scenarios. In each one of the calculations, new random data is used to represent a repetitive and interactive process. The combination of all these results creates a probabilistic distribution of the results (Exhibit 5 and 6).

6238.png

Exhibit 5 – Construction of model of distribution of costs and activities or work packages making up a final distribution from random data of the project (PRITCHARD, 2001).

relatorio_ROI_Impressao%205.pngExhibit 6 – Example of Monte Carlo simulation to assess the cost impact of a potential threat to the project

Because quantitative analysis is based on mathematics and statistics supported by objective metrics, such analyses are considered to be more rigorous (SMOCK, 2002). The main challenges of a solid quantitative analysis are the time and effort it requires to be executed and the required technical background in statistics to make the proper parameterization of the data. The main advantages and disadvantages of each method are presented in the Exhibit 7.

Quantitative Methods

Qualitative methods

Advantages

Facilitates the cost benefit analysis

Gives a more accurate value of the risk

More valuable

Relatively simple to be implemented

Easily determine risk categories with greater impact in the project

Visually impactful

Disadvantages

Results of the method may not be precise

Numbers can give a false perception of precision

More expensive and time consuming

A lack of understanding of the parameters used in the scale can lead to different interpretations

Results can be biased

Less valuable

The risk model proposed hereafter is a qualitative process with numerical results, reducing the ambiguity of the qualitative process without adds the time and effort to determine with precision the probability and the impact of uncertain events in the project.

Assessing Probability

The proposed qualitative probability assessment is based on a scale with their respective scores (Exhibit 8).

Level

Score

Description

7023.png

Very High

5

It is expected that the event will occur. If it does not occurs it will be a surprise.

High

4

The event has a great chance of occurring.

Medium

3

The event can occur.

Low

2

It will be a surprise if the event occurs.

Very Low

1

Very remote chance of the event to happen. Practically impossible.

For each identified risk a score from 1 (one) to 5 (five) should be determined.

5 Dimensions of the Impact

The impact of the event, in case it occurs, can be perceived in different dimensions of the project objectives. For example, one risk can have a major impact on costs but not necessarily an important impact in quality. It is very important to highlight that threats and opportunities should be analyzed separately.

The basic groups where impact should be evaluated are (Exhibit 9):

  • impact on time and deadlines
  • impact on costs
  • impact on quality
  • impact in safety and security
  • other impacts

6295.png

Exhibit 9 – Basic impact groups showing the different impact dimensions of one specific risk

Each project may develop different impact groups based on the nature of the project, including groups like: impact on reputation, regulatory impact, environmental impact, social impact, and stakeholder’s impact, among several others. Following is the presentation of the 5 basic groups.

Impact on Time and Deadlines

One should assess the level of impact on the conclusion of the project. It can be positive or negative for opportunities and threats, respectively. Threats that impact the conclusion of the project must be considered as a priority if compared to other events.

Because each project differs in size, complexity and several other factors, the project team needs to agree on the level of tolerance that they consider appropriate for each level of impact, like the example shown in Exhibit 10.

Level

Score

Description

7025.png

Very High

5

Delays/Anticipation above 180 days or 6 months.

High

4

Delays/Anticipation between 120 and 180 calendar days.

Medium

3

Delays/Anticipation between 60 and 120 calendar days.

Low

2

Delays/Anticipation between 15 and 60 calendar days.

Very Low

1

Less than 15 calendar days of delays/anticipation.

Impact on Costs

One should also assess the level of impact that the event may bring to the total project cost. It can be positive (savings) or negative (additional expenditures) for opportunities and threats, respectively.

Like mentioned for time and deadlines, the project team needs to agree on the level of tolerance that they consider appropriate for each level of impact, like in the example for costs presented in the Exhibit 11.

Level

Score

Description

7027.png

Very High

5

Variation (positive or negative) above $1,000,000.

High

4

Variation (positive or negative) between $500,000 and $1,000,000.

Medium

3

Variation (positive or negative) between $250,000 and $500,000.

Low

2

Variation (positive or negative) between $100,000 and $250,000.

Very Low

1

Variation (positive or negative) lower than $100,000.

Impact on Quality

Assesses the level of impact on the quality required for the project. It can be positive or negative for opportunities and threats, respectively.

As presented in the other groups, the project team needs to agree on the level of tolerance that they consider appropriate for each level of impact like in the example in Exhibit 12 for negative risk events.

Level

Score

Description

7029.png

Very High

5

Client rejects the delivery or product.

High

4

Client asks for immediate corrective actions.

Medium

3

Client perceives and asks for action/information.

Low

2

Client perceives but forgives and no action is needed.

Very Low

1

Imperceptible impact (most of the time not even perceived by the stakeholders).

Impact in Safety and Security

Assesses the level of impact that the event can incur in safety at work and security. This impact group could include or not aspects related to environment, physical security of the work in the project, data security (IT), and reputation, among others.

In the Exhibit 13, an example of scale is presented to assess impacts in safety and security.

Level

Score

Description

7031.png

Very High

5

Crisis. Impact is so evident and public that the project could not proceed as planned.

High

4

Evident impact on environment/reputation.

Medium

3

Impact is perceived and raises concerns.

Low

2

Perceived impact on environment/reputation but without relevance.

Very Low

1

No impact on environment and reputation.

Other impacts

This group is an optional group and aims to include any other specific impact of a risk that was not covered in the previous groups. It is important that the score of the other impacts, if it exists, should be from 1 to 5 like the other impact groups.

Proximity: The 6th Impact Dimension

Another dimension of the impact is the time horizon or proximity of the event (Exhibit 14). An event that may happen in hours requires different actions than another event that could impact the project in 2 years. If an event is close to happen, it has a higher priority if compared with future events (in the proximity aspect).

6365.png

Exhibit 14 – Understanding the time horizon

The proximity scale should be compatible with the other impact groups (1 to 5 score for different time horizons). It is important that the project team defines what are immediate events, short-term events, medium-term events, long-term events and very long-term events (Exhibit 15).

It is important to highlight that immediate events will score higher than very long-term events when assessing their proximity.

Level

Score

Description

7033.png

Very High

5

Event can happen anytime in the next 15 days.

High

4

Event can happen between 15 days and 3 months.

Medium

3

Event can happen between 3 and 6 months.

Low

2

Event can happen between 6 months and 1 year.

Very Low

1

Event can happen more than 1 year ahead.

Calculating the expected value and final risk assessment

The expected value is a risk measurement used to assess and prioritize risk events (Exhibit 16).

6393.png

Exhibit 16

Using the qualitative method, the probability will range from 1 to 5 (Exhibit 8).

The impact is based on the impact in different aspects of the project and the proximity using a quadratic mean (root square mean) calculation (Exhibit 17).

6402.pngExhibit 17

The decision for the quadratic mean instead of the arithmetic mean is based on the concept that different levels of impact add additional exposure to the project and this variance should be considered as a risk factor to the project.

The relationship between the quadratic mean and the arithmetic mean is

6411.png

Exhibit 18

where the variance is a measure of how far a set of numbers is spread out

The variance concept is directly related to the dispersion of the different impact groups. If the impact ranges are very wide, the variance will also be high and the difference between the proposed quadratic mean and the traditional arithmetic mean will increase, increasing the risk impact.

One example of the impact results is presented in the Exhibit 19.

Impact Time

Impact Cost

Impact Quality

Impact S&S

Other Impact

Proximity

Risk A

3

2

1

1

1

4

6438.png

Exhibit 19

It is important to highlight that the threats and opportunities can be calculated using the same formula, but with different signals (+ for opportunities and – for threats). The total qualitative risk exposure of the project is determined by the sum of the expected values of all threats and opportunities. An example of this process is presented on the Exhibit 20.

Type

Proba- bility

Proxi- mity

Impact Time

Impact Cost

Impact Quality

Impact Safety and Security

Other Impacts

Total Impact

Expected Value

Threat

1

3

2

1

1

1

4

2,31

(2,31)

Threat

2

4

4

3

3

4

3

3,54

(7,07)

Threat

2

3

5

4

4

5

1

3,92

(7,83)

Opportunity

3

2

4

3

5

4

2

3,51

10,54

Opportunity

4

1

3

2

4

3

2

2,68

10,71

Threat

5

2

2

1

3

1

1

1,83

(9,13)

The results from the process will be always a number between 1 and 25. In the example of Exhibit 20, the value -5,10 is equivalent to 20,4% negative exposure (5,10/25) for the Project.

Based on this result and the tolerance thresholds (HILSON & MURRAY-WEBSTER, 2007), the total exposure can be compared with other projects and the corporate limits to define potential risk response plans.

Conclusions

The qualitative risk method is always a simplified model if compared with the quantitative methods. The approach of this paper suggests an alternative model that can be tailored to include different kinds of impacts and scales in order to produce a reliable quantitative result.

This result allows opportunities and threats to be compared in order to determine the total risk exposure. The concept that an opportunity can cancel a threat of the same level is not possible with the traditional qualitative risk management approach.

References

ALTENBACH, T. J. (1995). A Comparison of Risk Assessment Techniques from Qualitative to Quantitative. Honolulu, ASME Preassure Vessels and Piping Conference. Available at http://www.osti.gov/bridge/servlets/purl/67753-dsZ0vB/webviewable/67753.pdf

HILSON, D. & MURRAY-WEBSTER, R. (2007). Understanding and Managing Risk Attitude. London: Gower Publishing.

PMI (2013). The Project Management Body of Knowledge: Fifth Edition. Newtown Square: Project Management Institute.

POUNDSTONE, W (1993). Prisoner’s Dillema. Flushing: Anchor Publishing Group.

PRITCHARD, C. L. (2001). Risk Management: Concepts and Guidance. 2ª Ed. Arlington: ESI International.

ROSSI, P. (2007). How to link the qualitative and the quantitative risk assessment. Budapest: Project Management Institute Global Congress EMEA.

ROT, A. (2008). IT Risk Assessment: Quantitative and Qualitative Approach. San Francisco: World Congress on Engineering and Computer Science.

SMOCK, R. (2002). Reducing Subjectivity in Qualitative Risk Assessments. Bethesda, SANS Institute. Available at http://www.giac.org/paper/gsec/2014/reducing-subjectivity-qualitative-risk-assessments/103489

VARGAS, R. V. (2013). Determining the Mathematical ROI of a Project Management Implementation. New Orleans, Project Management Institute Global Congress North America.

VIRINE, L. (2010). Project Risk Analysis: How Ignoring It Will Lead to Project Failures. Washington: Project Management Institute Global Congress North America.

Risk Management , Risk , Residual Risks , Secondary Risks , Risk Responses