Qualitative Risk Analysis

Having identified a range of risks we now need to consider which are the most serious risks in order to determine where to focus out attention and resources. We need to understand both their relative priority and absolute significance.

People generally are not inherently good at analysing risk. We tend to take decisions swayed by our emotional response to a situation rather than an objective assessment of relative risk. Given half a chance most of us will believe what we want to believe and selectively filter out information that does not support our case. We are similarly bad at looking at probability in a holistic way. People generally focus on risks that have occurred recently even though another risk may have happened exactly the same number of times over the last five years.

We must nonetheless accept that most of the risk analysis done in our environment will be of a qualitative nature. Few of us have the skills, time or resources to undertake the kind of quantitative modelling that goes on in major projects in the commercial sector. This section aims to show that by taking a disciplined and structured approach it is possible to improve the objectivity of your analysis without getting into complex calculations or needing specialist software tools.

We have already said that it pays to involve a range of people in the identification and analysis of risk. Each will of course bring their own bias to the analysis but if you understand your organisation and stakeholders it ought to be possible to separate out the valuable experience from the personal agendas e.g. 'Fred always emphasises hardware security as he's been in three colleges that have suffered major break-ins' or 'Fred always emphasises hardware security as he's been after funding to move the machine room for the last five years'. One technique that is sometimes used to keep politics out of this type of discussion is the Delphi Technique. Using this technique opinions are gathered anonymously then cross-checked with a range of experts. The experts are simply looking at the data presented rather than dealing with the personalities involved.

In deciding how serious a risk is we tend to look at two parameters:

• Probability - the likelihood of the risk occurring
• Impact - the consequences if the risk does occur

Impact can be assessed in terms of its effect on:

• Time
• Cost
• Quality

There is also a third parameter that needs to be considered:

• Risk proximity - when will the risk occur?

Proximity is an important factor yet it is one that is often ignored. Certain risks may have a window of time during which they will impact. A natural tendency is to focus on risks that are immediate when in reality it is often too late to do anything about them and we remain in 'fire-fighting' mode. By thinking now about risks that are 18 months away we may be able to manage them at a fraction of the impact cost.

Another critical factor relating to risk proximity is the point at which we start to lose options. At the start of a project there may be a variety of approaches that could be taken and as time goes on those options narrow down. We said earlier that risk management is about making better decisions. Very often in the education sector we put off taking decisions until the options disappear and there is only one way forward.

Assessment of both probability and impact is subjective but your definitions need to be at an appropriate level of detail for your project. The scale for measuring probability and impact can be numeric or qualitative but either way you must understand what those definitions mean. Very often the scale used is High, Medium and Low. This is probably too vague for most projects. On the other hand a percentage scale from 1-100 is probably too detailed.

Use enough categories so that you can be specific but not so many that you waste time arguing about details that won't actually affect your actions. Experience suggests that a five-point scale works well for most projects. A suggested scale is: