Effective risk management isn’t just a safeguard—it’s a strategic advantage. Today’s organizations face increasingly complex challenges, making it essential to assess potential threats with precision and clarity. With tools and strategies like qualitative risk analysis, analysts can identify, evaluate, and prioritize risks based on likelihood and impact. These insights support smarter decisions, strengthen project planning, and help teams proactively protect resources, timelines, and outcomes.
Understanding risk is essential—but how you analyze it makes all the difference. In project management and strategic planning, two core approaches stand out: qualitative and quantitative risk analysis. Each serves a different purpose, depending on the nature of the risk, the availability of data, and the precision required in decision-making.
Qualitative risk analysis is ideal when organizations encounter new or uncertain risks without historical data to draw from, or when the necessary information isn’t available for a good quantitative assessment. It involves evaluating threats based on expert judgment, probability, and potential impact. This method is used to group risks together that have similar probabilities or impact severities, allowing us to prioritize risks and shape early-stage strategies—even when hard numbers are unavailable.
Quantitative risk analysis is based on statistical analysis of pre-existing data, such as financial data or manufacturing data. Quantitative risk analyses, according to Werner G. Meyer of the Project Management Institute (PMI), “[convert] the impact of risk on the project into numerical terms,” usually focusing on issues of cost and time.
At Lumivero, we’re here to help you transform uncertainty into your next opportunity, with expert resources like this guide to qualitative risk analysis and enterprise risk management software that help analysts measure and model risks, even in the most complex situations. Continue reading to learn what qualitative risk analysis in project management is, how it complements (and contrasts with) quantitative risk analysis, and some common techniques that analysts use in qualitative risk assessment.
What is qualitative risk analysis?
First, let’s clarify what qualitative risk analysis is and how it compares with quantitative risk analysis. Qualitative risk analysis involves a systematic approach to gathering and analyzing subjective input from people within an organization to determine the possible risks to a project and their potential impacts. (“Subjective” here refers to insights based on professional experience and expertise, rather than on numerical data.)
Information from inputs is then organized to develop a ranking of risks, with outputs expressed in descriptive, descriptive terms (e.g., “very high risk”) rather than numeric terms (e.g., 72% probability or $500,000 cost impact risk). This type of non-numeric output is just one of the ways in which qualitative risk analysis differs from quantitative risk analysis.
Qualitative vs. quantitative risk analysis
Broadly speaking, qualitative analysis identifies potential risks and their impacts to a project or process, then provides a framework for ranking those risks in order of priority for action. Quantitative risk analysis uses statistical modeling based on historical data to determine the specific probability of those events occurring and expresses their potential impact in numerical values such as cost and time, allowing cost and time savings to drive decisions on priority for action.
This chart further compares qualitative risk analysis vs. quantitative risk analysis:
| Qualitative risk analysis | Quantitative risk analysis |
| Utilizes subjective assessments based on people’s opinions, prior experience, or expertise, using descriptive definitions to help with this. | Utilizes objective data based on statistics, e.g. financial data, machine performance data, etc., or requires detailed justification for a basis of an estimate. |
| Helps to group risks together that have a similar probability or impact severities. | Quantifies the specific impact of risks and their probability of occurring, helping to identify individual risks’ influence on the end goal. |
| Can assess “soft” risks such as those impacting brand reputation, employee morale, etc. | Can assess “hard” risks such as project schedules, costs, production quality, etc. |
| Results often presented in a risk matrix that ranks various risks | Results presented in a variety of statistical visualizations |
| Outputs are expressed in verbal terms (“these are high risks, these are low likelihood risks, these are the risks that are more severe”, etc.) | Outputs are expressed numerically (cost, time, probability, confidence of achieving a specific cost or time goal etc.). |
| A relatively quick, inexpensive process - though less thorough it can quickly offer a high-level overview of your risk profile. | A longer process that can be resource-intensive to obtain good quality inputs. |
Qualitative and quantitative risk analysis are often used together during the risk assessment process.
Why risk assessment is important, and where qualitative risk analysis fits in
Risk assessments – estimates of how severe risks are – can be used in all kinds of scenarios, from product launches to plant maintenance to engineering projects. Qualitative risk analysis is often used as a first step in the risk assessment process.
According to a 2021 article for ISACA Journal by Volkran Evin, qualitative risk analysis can “quickly identify risk areas”, helping analysts determine hazard scenarios which are then subjected to a detailed qualitative assessment if data is available. In a 2020 blog post about qualitative risk assessment for PMI, author Elizabeth Harrin expresses it another way: qualitative analysis helps organizations “decide which are the risks we are going to focus on because we don’t have time to spend effort on all of them.”
Qualitative risk analysis is often used to determine the risk appetite for a project – that is, which risks an organization is willing to take to achieve its goals. It can also establish the risk tolerance – that is, the specific amount of impact from a risk that a company is willing to accept. Or, as an article on the UK’s Institute of Risk Management website puts it: “Organizations have to take some risks and avoid others. To do so, they need to be clear about what successful performance looks like.”
Risk appetite determines which risks the company takes. Risk tolerance sets acceptable limits on the impact of those risks. Qualitative risk analysis helps define both factors.
How to perform qualitative risk analysis – an overview
Qualitative risk analysis aims to answer three questions:
- What are the risks involved with this project or program?
- How likely is it that any of these risks will occur (probability)?
- How damaging would they be if they did occur (impact)?
There’s also a fourth potential question – how soon is this risk likely to happen (proximity)? – but these three generally form the starting point of qualitative risk assessment.
Step one: Risk identification
The first phase of qualitative risk assessment involves identifying high-level risks and then establishing agreement about risk appetite and risk tolerance. For example, a mining company may be willing to risk slowing down its schedule to avoid compromising employee safety, but it will establish limits for defining how slowly work can progress and still be considered successful.
There are multiple methods for gathering information for the risk identification phase of the assessment including:
- Conducting interviews with experts
- Conducting surveys with people whose work the project will affect
- Stakeholder or project team member brainstorming meetings with a facilitator
A 2018 U.S. Army Corps of Engineers guide to qualitative risk analysis walks through the potential pitfalls of each these methods. For example, members of brainstorming groups may not represent all the areas of expertise that exist on a project. Conducting, transcribing, and analyzing interviews can be time-consuming. It’s up to the organization to decide which method gives them the best possible chance of identifying relevant risks.
Step two: Risk categorization
Next, the team must categorize risks based on the area of the organization they may impact. These can include impacts on a company’s finances, reputation, sustainability goals, etc. These risks can then be listed and tracked in a risk register.
Many organizations maintain risk registers within spreadsheet documents. However, using risk management software such as Lumivero’s Predict! makes it possible to build centrally accessible risk registers that can be updated as projects evolve, and support consistent approach to capturing and managing risk. Predict! Risk Controller offers a dashboard view of the risk register as well as access to qualitative and quantitative analysis tools.
Step three: Risk scaling definitions
After risks are categorized, it is time to develop scales that define risk impact (how consequential it would be if it happened) and likelihood (how probable it is that the risk will happen). “Qualitative risk assessment” by PMI explained that an impact scale defines different levels of impact for each aspect of the project, and provides this example of a generic impact scale:
Step four: Conducting analysis
Using one of the techniques in the next section, analysts can then define the severity of each risk using the agreed-upon scales. The result of analysis is a tool – a chart, a document, or other collection of evidence – which can be used to help monitor risk throughout the project lifecycle and inform risk mitigation strategies.
Qualitative risk analysis techniques
There are multiple qualitative techniques for analyzing risk. Three common methods include:
Delphi method
The Delphi method, developed by the RAND Corporation in the 1950s, is essentially a structured brainstorming technique. It involves assembling panels of subject-matter experts to anonymously evaluate risks, then re-evaluate them based on a review of group answers.
A Delphi method analysis may involve several rounds of review. The goal is to gradually arrive at an expert consensus about risk severity.
Bow-tie analysis
A bow-tie analysis is a qualitative risk analysis technique developed in the 1990s that, according to a UK Rail Safety and Standards Board article about the method, “captures credible risk scenarios related to a specific hazard and ways an organization can stop those scenarios from happening.” It’s often used in industries where there is a high risk of accident or disaster, such as oil and gas extraction.
Bow-tie analysis, like the Delphi method, involves iterative rounds of input from experts on a hazard. The output of the analysis is a graph that resembles a bowtie, as shown in this example:
The center of the bow-tie is the adverse event. To the left are the potential causes of that event, with proactive controls the organization has in place to prevent those causes. To the right are potential consequences if the event occurs, with reactive controls the organization has in place to minimize the impact of these consequences.
Risk assessment matrix
One of the most common qualitative methods of analyzing risk is to create a risk matrix – a graphical representation of risks ranked by their potential to impact the project. The impact is gauged either against the likelihood that the risk will occur (an impact-likelihood or consequence-probability matrix) or the difficulty of dealing with the risk (an impact-difficulty or impact-effort matrix). These matrices can vary in complexity, but they usually involve scoring the risks on a three-point or five-point scale. The example shown here is a 5x5 risk matrix:
With this matrix, for example, an A5 risk is one that is both certain to occur and likely to have a catastrophic effect on project success. Color coding also helps users quickly categorize the impact of a risk.
While these qualitative risk analysis techniques have historically involved manual generation – either on hard copies or in generalist computer programs like Microsoft Excel – today, there are better solutions for conducting analyses.
Using risk management software such as Lumivero’s Predict! makes it possible to visualize your whole set of risks on a matrix to help get a better understanding of the overall exposure to risk events and to help put better focus on prioritization and urgency.
Risk management software for qualitative risk analysis
Lumivero’s Predict! offers a single source for managing risk aligned with methodologies such as those in ISO31000. Organizations can build centralized risk registers with dashboards that give users project- or enterprise-wide visibility into risks. Visualization tools allow for fast creation and editing of bow-tie charts, risk matrices, connections among risks in different projects, and more.
Predict! is also scalable, making it ideal for both small organizations with a limited number of projects to large organizations handling multiple projects and complex programs. For example, Femern A/S, a corporation formed by the Danish government to build an 11-mile fixed link between Germany and Denmark, used Predict! to develop qualitative and quantitative risk analyses for two transport scenarios: an 11-mile bridge or an 11-mile tunnel.
For complete end-to-end risk management, combine Predict! with Lumivero’s @RISK to conduct probabilistic quantitative analysis using Monte Carlo simulation from inside the dashboard. Finally, Predict! offers reporting tools that can be tailored to meet your internal or external compliance requirements.
Discover end-to-end risk management with Predict! and @RISK.
Empower your organization to identify, evaluate, and manage risks across every process and project—with confidence and clarity.