Using Quantitative Risk Analysis in Project Management
You may have explored a new project on a surface level with senior managers and other stakeholders. And while on paper the idea appears compelling, it lacks detail. This may be the type of project that requires a sizable investment, and that’s too hard a call to make without having clear, accurate, objective data on hand. Quantitative risk analysis is what you’d use to gather that data.
In this article, we cover:
- What the quantitative risk analysis process is
- What the differences are between qualitative and quantitative risk analysis methods
- How a project manager uses both qualitative and quantitative risk analyses
- Why quantitative risk analysis should be an ongoing feature of all projects
- Seven popular quantitative risk analysis methods
What Is Quantitative Risk Analysis?
Quantitative risk analysis assessments attempt to rate the risk inherent in a project in numbers.
First, you identify each risk and then assign it a value. You then objectively assess the threat posed by each risk. After that, add all those values together to come up with a project risk exposure score. You then use that score to decide whether or not you move forward with a project.
Identifying and quantifying risks doesn’t mean that somehow you’re fully protected from them. It means that you can reduce their impact and set aside contingency reserves to cover them if they do turn from risk into reality.
What Is the Difference Between Quantitative and Qualitative Risk Analysis?
A quantitative assessment is a forensic assessment of both the likelihood and cost of individual risks materializing in measurable terms. Think of a qualitative risk analysis as more of an educated guess.
Quantitative is numbers on a spreadsheet whereas qualitative is a risk matrix or a graph based on assumptions and people’s biases.
The reason project managers and stakeholders use qualitative risk analysis at the start is to help them see risks earlier on. It also helps them explain better the riskiness of a project to stakeholders who may lack a technical background.
If a project gets an amber light through qualitative risk assessment, it’s then really put to the test through quantitative analysis.
The quantifiable data and detailed information that comes out of this analysis help decision-makers with the following:
- More efficient use of cash: If you need to borrow money for a project, you can borrow closer to the right amount, avoiding interest charges and other fees for borrowing too much.
- Confidence: If you're approaching lenders or investors, this gives them confidence that you have already prepared for everything and that you're less likely to approach them for more money. Project financing covers four categories of risk — construction, operations, financing, and volume.
- Chances of success: You'll be better able to see whether a project is completable within the maximum time and investment you're willing to commit.
- Project goals: In higher-risk industries like mining, oil, gas, and construction, sunk costs in projects are substantial. By understanding costs and likely returns, you'll understand if longer-term project goals — like profitability and sustainability — are realistic.
What to Include When You Perform Quantitative Risk Analysis
To put meat onto the bones of the initial qualitative risk analysis, those carrying out the quantitative assessment should do the following.
Uncover Areas of Uncertainty
The unknown could be a mistake in estimating, overconfidence in making predictions, the collapse of a supplier, or work turning out differently than expected.
Uncertainty is present in every project. But managers can create mitigation strategies against it from the start and as the project goes on by amending their current estimates and paying closer attention to those risks re-emerging.
Compile a List of Potential Risks
Areas of uncertainty are the "known unknowns," while the "known knowns" are risks that can be predicted and managed. They could be vendor delays, changes in regulations, and technology problems (including cybersecurity risks). Although unwelcome, most project managers will have a range of risk management techniques to deal with them.
Estimate the Probability of Each Risk
To understand how likely it is that a risk might become a threat, managers should do their research and call upon their past experience to help them be more precise with their predictions. The more a manager knows about and is ready to react to each risk, the higher the chance that they will be able to stop it as soon as it happens.
Determine the Potential Impact of Each Risk and Assign Quantitative Values to Them
A manager should assess the potential impact of each risk and quantify them in terms of time, cost, and quality. By doing this, they can prioritize which risks to address and then defend against them.
Develop Risk Response Strategies
Once the quantitative risk analysis has been completed and managers and stakeholders better understand the potential impact and likelihood of risks on a project, they can set up contingency plans, adjust work schedules, and allocate resources to mitigate against or avoid those risks altogether.
Why Quantitative Risk Analysis Should Be Ongoing
Quantitative risk analysis should be something project managers and stakeholders carry out on a continual basis. A project or risk manager should always be aware of threats from each source and have the authority to divert the resources they need to protect the project against them to keep everything on track.
As well as monitoring for individual threats, you should also track and evaluate all risks throughout the project life cycle. While pre-identified risks always exist, new ones could appear at any time.
Project team members, clients, and senior management should keep in touch with each other throughout, especially when the results of new quantitative risk analysis reports are released. This will not only maintain stakeholder confidence, but it will lead to improved project management and business decision-making.
7 Quantitative Risk Assessment Methodologies
There are seven main types of risk analysis templates used:
- Three-point estimate: This involves adding all the totals of estimated most likely, optimistic, and pessimistic cost forecasts together and dividing by three to get the expected cost.
- Beta distribution: Related to the three-point estimate, this method involves multiplying the most likely value by four, adding the optimistic and pessimistic values, and dividing the total by six to arrive at the expected cost.
- Decision tree analysis: Sometimes called a fault tree analysis, you evaluate the risk of each choice and its associated costs and put them in a visual diagram called a decision tree. For each choice, assign a probability and cost. Then, add up the costs on each path to see which one presents the lowest risk.
- Expected monetary value (EMV): For the EMV method, you need to know the expected cost of each risk and how likely each risk is to occur. Then, multiply the cost of each risk by its probability to get a forecast cost. Finally, add up the forecast costs to come up with an overall project cost with risk factored in.
- Monte Carlo simulation: First, estimate the probability of each possible outcome. Give the most expected outcome the highest probability and the least the lowest. Then, estimate the cost associated with each outcome. Combine the probabilities with the cost to calculate an expected project cost. (This is also known as the Monte Carlo analysis.)
- Failure mode and effects analysis (FMEA): Start by identifying where your project may fail. Analyze as many potential points of failure together with why they might happen. You then associate the risk of each potential point of failure with the goal of coming up with strategies to mitigate or avoid these risks.
- Sensitivity analysis: Let's say that your project has two potential outcomes — a stable but high-cost outcome (risk A) and an uncertain but low-cost outcome (risk B). With this approach, you look at everything that causes the uncertainties in both to try to find the most optimal outcome in terms of cost and risk.
Using Quantitative Risk Analysis in Project Management
You may have explored a new project on a surface level with senior managers and other stakeholders. And while on paper the idea appears compelling, it lacks detail. This may be the type of project that requires a sizable investment, and that’s too hard a call to make without having clear, accurate, objective data on hand. Quantitative risk analysis is what you’d use to gather that data.
In this article, we cover:
- What the quantitative risk analysis process is
- What the differences are between qualitative and quantitative risk analysis methods
- How a project manager uses both qualitative and quantitative risk analyses
- Why quantitative risk analysis should be an ongoing feature of all projects
- Seven popular quantitative risk analysis methods
What Is Quantitative Risk Analysis?
Quantitative risk analysis assessments attempt to rate the risk inherent in a project in numbers.
First, you identify each risk and then assign it a value. You then objectively assess the threat posed by each risk. After that, add all those values together to come up with a project risk exposure score. You then use that score to decide whether or not you move forward with a project.
Identifying and quantifying risks doesn’t mean that somehow you’re fully protected from them. It means that you can reduce their impact and set aside contingency reserves to cover them if they do turn from risk into reality.
What Is the Difference Between Quantitative and Qualitative Risk Analysis?
A quantitative assessment is a forensic assessment of both the likelihood and cost of individual risks materializing in measurable terms. Think of a qualitative risk analysis as more of an educated guess.
Quantitative is numbers on a spreadsheet whereas qualitative is a risk matrix or a graph based on assumptions and people’s biases.
The reason project managers and stakeholders use qualitative risk analysis at the start is to help them see risks earlier on. It also helps them explain better the riskiness of a project to stakeholders who may lack a technical background.
If a project gets an amber light through qualitative risk assessment, it’s then really put to the test through quantitative analysis.
The quantifiable data and detailed information that comes out of this analysis help decision-makers with the following:
- More efficient use of cash: If you need to borrow money for a project, you can borrow closer to the right amount, avoiding interest charges and other fees for borrowing too much.
- Confidence: If you're approaching lenders or investors, this gives them confidence that you have already prepared for everything and that you're less likely to approach them for more money. Project financing covers four categories of risk — construction, operations, financing, and volume.
- Chances of success: You'll be better able to see whether a project is completable within the maximum time and investment you're willing to commit.
- Project goals: In higher-risk industries like mining, oil, gas, and construction, sunk costs in projects are substantial. By understanding costs and likely returns, you'll understand if longer-term project goals — like profitability and sustainability — are realistic.
What to Include When You Perform Quantitative Risk Analysis
To put meat onto the bones of the initial qualitative risk analysis, those carrying out the quantitative assessment should do the following.
Uncover Areas of Uncertainty
The unknown could be a mistake in estimating, overconfidence in making predictions, the collapse of a supplier, or work turning out differently than expected.
Uncertainty is present in every project. But managers can create mitigation strategies against it from the start and as the project goes on by amending their current estimates and paying closer attention to those risks re-emerging.
Compile a List of Potential Risks
Areas of uncertainty are the "known unknowns," while the "known knowns" are risks that can be predicted and managed. They could be vendor delays, changes in regulations, and technology problems (including cybersecurity risks). Although unwelcome, most project managers will have a range of risk management techniques to deal with them.
Estimate the Probability of Each Risk
To understand how likely it is that a risk might become a threat, managers should do their research and call upon their past experience to help them be more precise with their predictions. The more a manager knows about and is ready to react to each risk, the higher the chance that they will be able to stop it as soon as it happens.
Determine the Potential Impact of Each Risk and Assign Quantitative Values to Them
A manager should assess the potential impact of each risk and quantify them in terms of time, cost, and quality. By doing this, they can prioritize which risks to address and then defend against them.
Develop Risk Response Strategies
Once the quantitative risk analysis has been completed and managers and stakeholders better understand the potential impact and likelihood of risks on a project, they can set up contingency plans, adjust work schedules, and allocate resources to mitigate against or avoid those risks altogether.
Why Quantitative Risk Analysis Should Be Ongoing
Quantitative risk analysis should be something project managers and stakeholders carry out on a continual basis. A project or risk manager should always be aware of threats from each source and have the authority to divert the resources they need to protect the project against them to keep everything on track.
As well as monitoring for individual threats, you should also track and evaluate all risks throughout the project life cycle. While pre-identified risks always exist, new ones could appear at any time.
Project team members, clients, and senior management should keep in touch with each other throughout, especially when the results of new quantitative risk analysis reports are released. This will not only maintain stakeholder confidence, but it will lead to improved project management and business decision-making.
7 Quantitative Risk Assessment Methodologies
There are seven main types of risk analysis templates used:
- Three-point estimate: This involves adding all the totals of estimated most likely, optimistic, and pessimistic cost forecasts together and dividing by three to get the expected cost.
- Beta distribution: Related to the three-point estimate, this method involves multiplying the most likely value by four, adding the optimistic and pessimistic values, and dividing the total by six to arrive at the expected cost.
- Decision tree analysis: Sometimes called a fault tree analysis, you evaluate the risk of each choice and its associated costs and put them in a visual diagram called a decision tree. For each choice, assign a probability and cost. Then, add up the costs on each path to see which one presents the lowest risk.
- Expected monetary value (EMV): For the EMV method, you need to know the expected cost of each risk and how likely each risk is to occur. Then, multiply the cost of each risk by its probability to get a forecast cost. Finally, add up the forecast costs to come up with an overall project cost with risk factored in.
- Monte Carlo simulation: First, estimate the probability of each possible outcome. Give the most expected outcome the highest probability and the least the lowest. Then, estimate the cost associated with each outcome. Combine the probabilities with the cost to calculate an expected project cost. (This is also known as the Monte Carlo analysis.)
- Failure mode and effects analysis (FMEA): Start by identifying where your project may fail. Analyze as many potential points of failure together with why they might happen. You then associate the risk of each potential point of failure with the goal of coming up with strategies to mitigate or avoid these risks.
- Sensitivity analysis: Let's say that your project has two potential outcomes — a stable but high-cost outcome (risk A) and an uncertain but low-cost outcome (risk B). With this approach, you look at everything that causes the uncertainties in both to try to find the most optimal outcome in terms of cost and risk.
Achieve Your Project Objectives With Certa
Quantifying project risk is challenging. But having a reliable and dependable risk management process when committing to go/no-go type projects — the projects that could define a business — is of utmost importance.
Use Certa in your quantitative risk analysis exercises to:
- Automate workflows with Certa's no-code Studio, which enables easy creation and customization of your vendor compliance workflows.
- See the real-time compliance status of every third party from Certa's dashboards and reports.
- Prepare comprehensive vendor risk assessments and scorecards.
- Validate third-party data through Certa's integrations with services like Sayari and Dun & Bradstreet, which provide real-time risk intelligence.
- Quickly draft and manage contracts with Certa’s vendor onboarding and offboarding workflows as well as a library of vendor contract templates and compliance clauses.
- Establish a strong defensible position during audits and regulatory verifications with Certa’s reports and audit trails.
- Provide regulatory training to your internal and external users with Certa's built-in SCORM integration.
- Store all legal documents and paperwork in a secure repository.
Schedule a demo of our system in action to see how we help supplier/vendor onboarding, selection, and monitoring across your whole business.
