Project Risk Analysis and Evaluation

8.1 ­Introduction
Once project risks have been identified for a project stakeholder, they should be ­analysed
in terms of their magnitude and their severity (for threat risks) should be gauged in
some way. This takes us to Stages C1 and C2 in the project risk management cycle (see
Figure 4.2).
Risk analysis may be undertaken quantitatively or qualitatively. Sometimes this is also
described as ‘objective’ or ‘subjective’ assessment, but this interpretation is somewhat
misleading. It assumes that all risk data are either objective (factual information) or
subjective (perceptions and opinions of people). While this may be so, the two types of
data are not necessarily mutually exclusive in terms of the approach to their use in risk
analysis. In Case Study F (an aquatic theme park project), for example, the civil
engineering contractor uses objectively derived historic weather data to quantitatively
explore weather‐related risks on its projects. Also, subjective data may find their way
into quantitative analysis, and objective data are not excluded from qualitative
assessment. It is important, however, to know when this happens, in order to appreciate
the level of care required in such situations and to have some appreciation of the
confidence which can be placed in the analytical inputs and outputs.
In risk analysis, essentially we are looking at recognising, understanding, and dealing
with uncertainty. The uncertainty may relate to the likelihood of occurrence of a risk
event; the nature, magnitude, and occasion of its consequences; or all of these.
For most organisations, qualitative risk analysis will be carried out first, as a rapid
means of triaging threat risks. Indeed, for many projects this is all that is required. No
further analysis takes place simply because the organisation recognises that some proac-
tive form of risk treatment is inevitably required for particular risks and that extending
the analysis further is unlikely to yield additional knowledge that will change that situation.
Ideally, qualitative risk analysis should take place immediately after risk identification
has been completed, preferably in the same risk management workshop with the same
knowledgeable participants, while the project contexts and project risks are still fresh in
their minds. If this is not possible, another workshop should be held soon after the first
and be led by the risk manager. Here the total number of participants can be reduced to
three or four (but all should have attended the first workshop). Our earlier assertion still
holds: project risk management is not the preserve of a single person within an

Managing Project Risks, First Edition. Peter J Edwards, Paulo Vaz Serra and Michael Edwards.
© 2020 John Wiley & Sons Ltd. Published 2020 by John Wiley & Sons Ltd.
162 8  Project Risk Analysis and Evaluation

In our experience, it is also unwise to analyse each risk as it is identified in its simple
‘two or three word’ descriptor form. Attempting this requires workshop participants
to constantly switch between identification mode and analysis mode, and this is rarely
effective as it interrupts the risk identification ‘mind‐set’ that will have almost cer-
tainly developed in the workshop. More precise risk statements (as proposed
in Section 7.9) provide a better guide as to what factors must be analysed for each
project risk.
Precise risk statements help considerably in risk analysis. Besides properly framing
each risk, the actual process of formulating the individual risk statements also stimu-
lates the intellectual analytical and judgement capabilities of the brain. In fact, writing
good risk statements is where the previous identification mind‐set begins to change to
a risk analysis track. Simply writing ‘There is a “p” chance that ...’ encourages the brain
to simultaneously think about what that chance might be. Listing the consequences of
the risk event stimulates thinking about the potential influence of factors associated
with the internal and external contexts of the project. For many projects, before risk
analysis commences, it may be worthwhile revisiting the risk statements to confirm
their sufficiency and reminding workshop participants of the project contextualisation
that has been done.
Two outcomes from the project risk identification stage, risk classification and the
results of prior project contextualisation, can help where the number of risks to be dealt
with is extensive. For some types of projects, this may amount to several hundred sepa-
rate risks, and assessment thereby becomes arduous and onerous.
It may be possible to first consider risks in their category groups. Thus, for generic
natural category weather risks, the likelihood of occurrence and damaging impacts of
extreme weather conditions can be explored as general factors first, then modified for
particularly vulnerable stages of a project, and finally adjusted and applied to individual
risks. Other generic risk categories, and indeed other customised risk classification sys-
tems (see Chapter 2), can be used in a similar way.
Establishing the project contexts (see Chapter 5) will have revealed particular project
circumstances. Each of these can be examined for its influence, and the results then
applied to the relevant risks. External contexts will have been framed in terms of their
physical, technical, economic, and social effects. These too can be explored generally
and then applied to relevant project risks.
When embarking upon analysis, a stakeholder organisation should also investigate
what prior risk allocation arrangements already exist for the project (see Table 4.2).
There is little point in exploring a risk further if it has already been allocated to another
party, through a mechanism such as a special clause in a contract agreement, unless
there is a residual risk that your organisation must bear. For example, a subcontractor
normally used to submitting tenders on a fixed price basis would usually identify the
chance of high economic inflation as a threat risk factor on a project with a duration
extending beyond the short term. However, if the head contract included clauses agree-
ing to share cost fluctuations between client and main contractor, with flow‐on provi-
sions for subcontractors, this would mean that the consequences of the inflation risk
would be borne partly by the subcontractor and partly by the main contractor, who in
turn would share the increased cost with the client. A contract agreement such as this
has effectively allocated the economic inflation risk on a shared basis, and the subcon-
tractor would need to reflect this in its analysis of the risk.
8.2  Qualitative Analysis 163

In theory, of course, all risks should be allocated to the party best able to control them.
Practice, however, especially in the guise of contracts, has a habit of mocking theory!
In this chapter, we first consider qualitative threat risk analysis and explore linguistic
measures of likelihood and impact. Similar qualitative measures are suggested for
evaluating threat risk severity. (Note: Qualitative approaches for assessing opportunity
risks are discussed in Chapter 15.)
A brief discussion of quantitative risk analysis is then presented, in line with the
premise made in Chapter 1 about avoiding heavily mathematical treatments in this book.
The chapter concludes with discussion about the value of mapping project risks.

8.2 ­Qualitative Analysis
Qualitative approaches to risk analysis reflect the perceptions, opinions, and value
mechanisms of the assessors. Much of the analysis deals in some way with the treatment
of uncertainty, and this aspect of risk was explored in Chapter 2.
There will be uncertainty associated with the values of nearly all the input variables
from which the estimates are derived for the component factors of risk. Any one of a
range of values might actually occur for a variable.
Qualitative analysis usually is regarded as subjective because it relies almost entirely
upon human judgement. That judgement will be influenced by experience and by per-
sonal biases that may lead to errors.
Errors in human judgement include those arising from biases such as:
●● Anchoring (wrongly sticking with a first estimate even though it is inappropriate for
the context) – a ‘representativeness’ heuristic bias.
●● Selective recall (remembering only certain facts or incidents and ignoring other evi-
dence) – an ‘availability’ heuristic
●● Base rate fallacies (e.g. assuming that a particular trend line will continue at the same
rate into the future) – also an ‘availability’ heuristic
●● Over‐pessimism
●● Over‐optimism
●● Overconfidence in the assessment
●● Inappropriate search for patterns in data
●● Inappropriate framing of the situation.
Note that several of these biases are similar to those listed as barriers to good decision
making in Chapter 3.
The advantage of subjective analysis is that it is generally quick to apply and simple to
understand. The disadvantage is that errors in judgement are often difficult to detect
and eradicate. Here, it is not so much that practice will make perfect, but more that
periodic recalibration of assessment criteria, particularly at an intra‐organisational
level, would help to minimise any accretion of subjective biases. Exploration of the
existence and nature of judgement bias in an organisation also helps.
The outcome of qualitative risk analysis should be a list of project threat risks that the
stakeholder organisation faces, categorised according to type and grouped or ranked in
terms of the level of severity they represent. The analytical data can be used to populate
the stakeholder’s project risk register (PRR).
164 8  Project Risk Analysis and Evaluation

The process involves applying estimating measures to factors such as the likelihood of
occurrence of the identified risk event and the magnitude of its consequences. The two
measures can then brought into association to determine a level of threat severity for
each risk.
In qualitative risk analysis, these measures are most often linguistic, using words as
descriptors for value or quantity estimates.
The most basic linguistic assessment measure is: low, medium, and high. Table 8.1
illustrates this three‐point scale applied to the likelihood of occurrence and impact of a
risk event.

Table 8.1  Three‐point risk assessment measures.

Impact → Low Medium High

The very simplicity of the three‐point assessment approach can lead to problems in
application. Firstly, the potential range of interpretations for each interval of the meas-
ure is wide. How low is ‘low’? How high is ‘high’? What does ‘medium’ mean? Establishing
interval definitions (a strategic task for senior management in an organisation) is diffi-
cult, especially for impact measures where different types of consequences may ensue.
Secondly, as will be seen later in this chapter, the three‐point assessment measures flow
through to corresponding three‐point measures of risk severity, and this may not pro-
vide sufficient distinction between risks to allow confidence in their ranking or priority:
the scale is too coarse. Thirdly, the simple structure of the three‐point scale infers an
erroneous assumption that the intervals are equidistant, with ‘medium’ as a midpoint.
More explicit interval definitions may reveal that this is not the case, but that fact may
not be fully appreciated by project risk workshop participants working rapidly under
pressure to deal with many risks.
We advocate the adoption of more extended linguistic measures for qualitative
project risk analysis. Sections 8.3 and 8.4 explore these more fully for likelihood and

8.3 ­Assessing Likelihood
If three‐point linguistic risk measures are too coarse, how many intervals should be
incorporated into the scales? We have encountered as many as seven and nine, but in
our view five intervals best serve the purpose. This o
­ pinion is supported by the sug-
gestions offered by the old risk management handbook AS/NZS HB 436 (2004). As
noted in Chapter 4, these documents have since been superseded by the international
standard ISO 31000 (2018) and the handbook SA/SNZ HB 89 (2013).
8.3  Assessing Likelihood 165

Customised, linguistically based, ordinal‐scale measures for risk assessment can be

developed by any organisation to suit its particular purposes, but some principles of
scale construction should be observed:
●● The word descriptors for scale intervals should be precise and distinctive (and this is
where seven and nine‐point scales usually fail, because the descriptors become too
blurred and difficult to separate).
●● Descriptors should preferably be single‐word interval labels, avoiding qualifiers such
as ‘very’, ‘highly’, and so on, as they add little or nothing to clarity.
●● The descriptors and underlying definitions should be confirmed in terms of strategic
risk management policy established by senior management.
●● The descriptors and definitions should be appropriate to the internal context of the
organisation and the activities which it undertakes.
●● The scale progression of the risk assessment measure must be logically progressive
(but not necessarily with equidistant intervals).
●● The scale interval descriptors and definitions should be meaningful and uniformly
understood across the organisation (i.e. not just in particular parts of it).
Table 8.2 shows a generic five‐point measure for the likelihood of occurrence for a
project risk event applicable to all types of projects, organisations, and industries.
The ordinal descriptor labels and their expanded definition should be easily grasped,
not only by project‐based staff but also by managers and employees across the organisa-
tion. The same measure can thus be applied to project risks and to other risks faced by
the organisation.
Note that in the first column, the two extremes cannot be labelled as ‘Never’ and
‘Certain’. The uncertainty represented by likelihood of occurrence is mathematically
expressed by probability values greater than 0 and less than 1. Since ‘Never’ must equal
0 and ‘Certain’ must equal 1, no uncertainty is present, and therefore no risk arises.
Table 8.2 complies with the principle of scale progression whereby ‘1. Rare’ represents
the lowest expected frequency and ‘5. Almost certain’ the highest, while each of the
intervening labels escalates the frequency in a logical manner. The underlying interval

Table 8.2  Five‐point measures of likelihood.

Probability/likelihood scale interval Defining description (AS/NZS 4360; Possible project

label (AS/NZS 4360) AS/NZS HB 436) frequency basis

5. Almost certain Expected to occur in most 75 or more out of 100

circumstances projects
4. Likely Will probably occur Fewer than 75/100
3. Possible Might occur at some time Fewer than 50/100
2. Unlikely Could occur at some time Fewer than 10/100
1. Rare May occur in exceptional Fewer than 5/100
circumstances projects

Source: Adapted from AS/NZS HB436 (2004).

166 8  Project Risk Analysis and Evaluation

definitions follow the same logic, although the linguistic distinction between ‘2. Unlikely’
and ‘3. Possible’ is quite subtle and reinforces the need to ensure uniform understanding
across the organisation.
The third column in the table is offered as a more quantitative, project‐based sug-
gestion of likelihood, with intervals corresponding to the linguistic descriptors and
definitions. Mathematically, the probability extremes shown are <0.05 and ≥0.75.
This column reinforces our earlier caution that scale intervals are not necessarily
equal. However, to apply this ratio scale implies that the organisation has sufficient
objective evidence, gathered from a sufficient number of similar (but not necessarily
identical) projects, to construct a reliable assessment scale. A further caution might
be that such a scale requires periodic recalibration to reflect changes in organisa-
tional practice.
Table  8.3 presents a more customised version of the generic measure shown in
Table 8.2. While adopting the same basic interval descriptor label scale, this organisa-
tion has developed its own underlying definitions.
Here, the probability definitions must relate to the likelihood of occurrence of the risk
events (although this is not explicitly stated) rather than the frequency of projects in
which they might be encountered.
Table 8.3  Alternative five‐point measures of likelihood.

Probability/likelihood Description

5. Almost certain ●● >75% probability or

●● occurrence is imminent or
●● could occur within ‘days to weeks’
4. Likely ●● ≤75% probability or
●● on the balance of probability will occur or
●● could occur within ‘weeks to months’
3. Possible ●● ≤50% probability or
●● may occur but a distinct probability it will not or
●● could occur within ‘months to years’
2. Unlikely ●● ≤10% probability or
●● may occur but not anticipated or
●● could occur in ‘years to decades’
1. Rare ●● ≤5% probability or
●● occurrence requires exceptional circumstances or
●● very unlikely, even in the long‐term future or
●● only occurs as a ‘100 year event’

While we do not recommend adoption of this particular alternative to replace the

generic measure, it does raise the important aspect of time. In most mathematical
expressions of probability, time is usually implied or made explicit in the probability
itself, for example ‘a 50% chance of heavy rain showers occurring over the next 24 hours’
or ‘a 20% chance of surviving this surgical operation beyond five years’.
Traditionally, projects (particularly in the construction industry) have been regarded
as relatively short‐term undertakings and viewed largely from the perspective of
8.4  Assessing Impacts 167

the  delivery or procurement phase. In those terms, time was not seen as a major con-
sideration for assessing the likelihood of occurrence for project risk events and uncer-
tainties, and could be almost ignored. Our exploration of projects in Chapter 3, which
introduced ultra‐short and ultra‐long durations for different types of projects, forces us
to consider time more carefully. In adopting generic or developing customised meas-
ures of likelihood for project risks, therefore, project stakeholder organisations should
pay careful attention to the ramifications of time (with its associated uncertainty) and
the risks they face.
Incidentally, a problem arising with Table 8.3 (which has been taken from a real‐life
project stakeholder organisation’s risk management system) is that in part it adopts
an  ‘imminence to the project’ concept of time (e.g. levels 4 and 5) which may be

8.4 ­Assessing Impacts
In exploring assessment measures for the impacts of risk events, we remind readers
that our focus will be upon threat risks, and the consequences will thus be negatively
For three‐point qualitative measures of impact (low, medium, and high), the same
limitations apply as those pointed out in Section 8.2 – possibly to a greater degree, since
while the likelihood of occurrence of a risk event is a single concept, there may be mul-
tiple consequences of different types. In turn, multiple consequences entail greater
attention to ensuring that each is suitably defined, described, and understood.
Table  8.4 illustrates five‐point risk impact measures (again adapted from the
Australian/New Zealand standards). While measures 1 to 4 on this table could apply to
threat and opportunity risks, the level 5 ‘Catastrophic’ label clearly anchors this meas-
ure to threat risks. Two impacts of risk events are embraced by this measure: financial
and personal harm. If the type of project is such that no risk event could result in per-
sonal harm, then that impact measure would not be applicable. It is tempting to place
information technology (IT) projects in this category, but more careful consideration
might suggest that the harm descriptions should be modified rather than abandoned.

Table 8.4  Five‐point measures of impact.

(AS/NZS 4360) $Loss Harm

5. Catastrophic Huge. Greater than $d (or financial Death occurs

collapse of organisation)
4. Major Major. Less than $d Serious injuries; hospitalisation;
long‐term disability
3. Moderate High. Less than $c Medical treatment needed
2. Minor Medium. Less than $b First aid treatment required
1. Insignificant Low. Less than $a No injuries

Source: Adapted from AS/NZS 4360 (1999) and AS/NZS HB436 (2004).
168 8  Project Risk Analysis and Evaluation

Some IT projects, like any others, may be subject to impact uncertainties associated
with personal stress and anxiety.
As with Table 8.2, the progressive logic of the impact levels in Table 8.4 is clear, but an
important point to note is that, unlike the measure of likelihood, the levels of impact
assessed for any risk could differ in terms of the type of impact. For example, a safety
risk impact might be assessed as moderate in terms of personal harm, but minor in
terms of financial cost to the organisation. A further assessment principle is thus neces-
sary: where multiple consequences can arise for any risk, the highest impact category
rating should be assigned to the whole risk.
Table  8.5 shows how an organisation might expand its risk impact measures. Six
types of impact measure are shown in this table. For some organisations, there could
be several more, but caution should be taken when attempting to create more exten-
sive measures in this way. Too many different types of impact measures will directly
affect the capacity of the multiple measure to be meaningfully understood across the
organisation. Applying the impact measures in a project risk management workshop
will take more time (and probably lead to more argument among participants!). The
value of precise risk statements is demonstrated again here, as they will determine
what risk consequences should be assessed as distinct from those that could be assessed.
Other types of risk event consequences are considered in Chapter 16 (Strategic Risk
As with the measures of likelihood, it is important to remember that the rating levels
for impact, while they are ordinal, do not signify equidistant intervals on the scale and
therefore do not permit any quantitative arithmetic to be performed. Numeric labels of
1 to 5 must be treated with caution. These measures also require periodic recalibration,
particularly as an organisation grows and its perceptions of financial and reputational
impacts change.
Qualitative analysis of the uncertainties associated with the likelihood of occurrence
and the consequences of project risks is followed (or even simultaneously accompa-
nied) by evaluation of their severity to the project stakeholder organisation, as indi-
cated by Stage C2 in the project risk management cycle (Chapter 4, Figure 4.2).

8.5 ­Evaluating Risk Severity

Great care is necessary in devising measures for evaluating threat risk severity, particu-
larly where qualitative measures have been used for assessing likelihood and impact.
In quantitative risk analysis, risk severity is a straightforward matter of calculating
the product of the probability and impact values for each risk, as each is represented by
data values that are continuous in type. The calculation is therefore mathematically
valid, and reliable relative comparisons can be made between evaluated risks.
No such validity attaches to qualitative analysis, and any capacity for relative com-
parison therefore suffers. The tables presented in this section cannot be regarded as
mathematical representations of risk severity. The nominally ordinal linguistic meas-
ures for likelihood and impact are set alongside each other simply for the purpose of
assigning ratings from an ordinal scale of severity. That scale must be developed by
senior management as part of a strategic organisational and project risk management
policy. It is usually aimed at informing risk response decision making.
170 8  Project Risk Analysis and Evaluation

Table 8.6 shows a risk severity measure that might accompany the three‐point low/
medium/high measures for assessing likelihood and impact measures. The severity
measure is also a three‐point scale with low, medium, and high interval labels. The
distribution of the three severity markers to each of the nine severity rating possibilities
is the responsibility of senior management in the organisation. They are shown in
Table  8.6 as different grey‐scale shadings, getting darker as the severity increases,
but  in  practice coloured ‘traffic light’ cell shading could be used (e.g. low  =  green,
medium = amber, and high = red).

Table 8.6  Three‐point measure of risk severity.

High R7, R9 R5

R4, R8, R13 R12, R14 R2, R10,

Likelihood Medium R18, R19,
R20, R21
Medium R16

Low R1, R3, R22 R15, R17

Severity Low Medium High


As with the other three‐point tables in this chapter, the distinction between severity
intervals is not sufficiently nuanced, and only one cell is allocated to low‐severity risks
in this measure. Extending the severity range helps to address that shortcoming. The
extended range could include any number of intervals, influenced only by the sophisti-
cation of the risk response, monitoring, and control guidance sought by the stakeholder
organisation and its capacity to devise suitable interval descriptors. As with the likeli-
hood and impact measures, we have found a five‐point scale for risk severity to be the
most suitable. Table 8.7 illustrates this approach.
Here, too, the grey cell shading and hatching can be replaced by colour shading. Note
how the expanded capacity created by the five‐point measures permits more nuanced
8.5  Evaluating Risk Severity 171

Table 8.7  Five‐point measure of risk severity.







Insignificant Minor Moderate Major Catastrophic

Impact ↑
Severity key ↓

Negligible Low Medium High Extreme

Source: Adapted from AS/NZS HB436 (2004).

severity evaluation allocations, capable of reflecting the strategic risk management poli-
cies of the organisation. As Table 8.7 shows, the risk severity distribution among the 25
possible cells does not have to be symmetric. It is perhaps disappointing to see low,
medium, and high reappearing among the risk severity interval labels, but we invite you
to stretch your command of the English language to suggest alternatives!
Practice and experience will improve familiarity with, and rapid practical application
of, qualitative project risk assessment and evaluation using the measures suggested
here. The approach should suffice in most circumstances.
The project risk item record example (Chapter 7, Table 7.14) presents a format for
entering data from qualitative risk analysis and severity evaluations. Table 4.1 (Chapter 4)
provides a spreadsheet‐based PRR template for ongoing risk management purposes. In
the spreadsheet, the column cells provided for risk severity can incorporate suitable ‘if ’,
‘and’, ‘or’, and ‘then’ algebraic logic to determine the appropriate severity from the likeli-
hood and impact ratings for each risk recorded in the two previous columns. This is
discussed more fully in Chapter  18 (Computer Applications). Such logic should be
capable of accommodating asymmetric severity distributions.
172 8  Project Risk Analysis and Evaluation

8.6 ­Quantitative Analysis
While we have claimed that qualitative analysis is usually sufficient in project risk man-
agement, we do acknowledge that, for some project risks, more sophisticated quantita-
tive analysis may be necessary. This means that further investigation is warranted for
the most severe risks revealed through earlier qualitative assessment. More often than
not, formal exploration of the uncertainties associated with those risks is the required
focus, and tools are available to help with this task.
In Case Study A (a public–private partnership [PPP] correctional facility), the main
contractor’s qualitative risk assessment was deemed sufficient to allow risk response
decisions to be made unless the risk parameters were such (high uncertainty in proba-
bility or impact, high level of severity) that prudence suggested further quantitative
analysis. The results then informed risk decision making outcomes, such as calculating
a contingency amount to include in the bid, extending the search for a risk avoidance
option, or even declining an invitation to bid for the project. On this project, the ten
highest priority (i.e. most severe) threat risks for the main contractor were reassessed
As noted in this chapter, since quantitative risk analysis involves mathematical analy-
sis, risk severity can be calculated as the product of likelihood and impact and used for
valid relative comparisons between risks. This is not possible with qualitative risk
analysis. We cannot claim that an ‘Extreme’ project risk is x times more severe than a
‘High’ risk, only that in our judgement one is more (or less) severe than the other for our
organisation on this project.
However, the benefits of valid risk severity comparisons derived from quantitative
approaches do not come without cost. Several issues must be considered and dealt with,
●● Availability and sufficiency of essential input data
●● Nature, accuracy, and reliability of input data
●● Reliability of the analytical and modelling techniques involved
●● Competent application of techniques
●● Nature, accuracy, and reliability of output data
●● Competent interpretation of outcomes
●● Time availability
●● Costs of analysis.
Quantitative approaches to investigating uncertainty in project risks generally use
mathematically based statistical analyses of historic data (updated in some way if neces-
sary) and may involve simulation. At a simple level, the analysis might comprise sensi-
tivity testing of the critical variable values: changing the value of one variable by one
incremental step at a time and observing the effect on the outcome. The limitation of
sensitivity testing is that it is not suitable for exploring the effect of multiple changes in
several variables at the same time.
At a more sophisticated level, Bayesian analysis, fuzzy sets, Monte Carlo simulation,
and other techniques may be appropriate. However, we have stated that this book was
not intended to be a mathematical treatise on probability. Many texts are available that
deal comprehensively with Monte Carlo and other forms of simulation and statistical
analysis, and several computer software applications for such analyses are commercially
8.6  Quantitative Analysis 173

available, either as independent applications or as add‐on modules for popular spread-

sheet, project scheduling, and project management tools.
A strong caveat is that all such analytical and simulation tools are vulnerable to the
issues noted here.
If sufficient and appropriate data are not available, or cannot be collected, in order to
service the input requirements of assessment tools, then the reliability of output infor-
mation from such analyses is diminished and confidence in ensuing judgement and risk
decision making may be compromised.
The nature and quality of the data required for quantitative risk analysis add to this
dilemma. It cannot be assumed that all data will be objective; some will represent the
individual or collectively gathered subjective opinions of people. This exposes such data
to the uncertainties, errors, and biases of qualitative assessment noted in Section 8.2.
The sufficiency and quality of historical risk data for projects rarely match that for data
collected by the insurance and manufacturing industries. Sample sizes are often too
small, and the data are not sufficiently homogeneous.
High levels of uncertainty associated with input data will be reflected by greater
uncertainty in output data, and this too has to be acknowledged and dealt with in deci-
sion making.
The convenient availability and often ‘tick‐box’ user‐friendliness of commercially
available software applications can be a dangerous trap if users are not fully competent
in understanding and using them, and in being able to interpret outcomes appropri-
ately. Technical understanding of the tool itself is obviously important, but so too are
grasps of the underlying theory, the concepts of risk, and familiarity with the particular
target project risk contexts.
Quantitative analysis at this level cannot be rushed simply to meet the time pressures
associated with contemporary projects. It is also likely to be expensive, particularly if
domain experts and specialists have to be hired and briefed to carry out the analyti-
cal work.
To demonstrate some of these issues, we return to the decision tree analysis (DTA),
event tree analysis (ETA), and fault tree analysis (FTA) examples presented in Chapter 7.
In each case, we have inserted data (admittedly hypothetical) that permits quantitative
analysis of the three situations.
Figure  8.1 is expanded from the example of a trip to Sydney shown in Chapter  7
(Figure 7.2).
Probabilities for the likelihood of occurrence and worth values are added to each of
the travel outcome nodes. The three arrival probabilities for each travel option must
sum to 1.0, as no other possibilities are entertained. The expected utility value is then
calculated for each arrival node as the product of probability and worth. Some com-
ment is necessary for each of these. Firstly, however, we must admit that, for the sake of
diagrammatic simplicity, the model is not complete. For each of the travel alternatives
options shown in Figure 8.1, there are two decision nodes: whether to take the early
departure option or the later departure option. Each of these then generates three
arrival possibilities: early, on time, or delayed. However, between the departure options
and arrival outcomes, we should insert another set of possibilities associated with
departure. Will that travel mode depart on time, or will it be delayed? For the ‘Drive’
travel mode, three departure possibilities actually exist for the ‘Early start’ and ‘Late
start’ options. For each of these options, Mary Jane (our DTA ‘victim’) might be able to
174 8  Project Risk Analysis and Evaluation

leave earlier than planned, she might be unavoidably delayed and have to start her
­journey later, or she might leave at the planned time. For the other travel options, there
is only a remote possibility that the flight or train will actually leave earlier than the
scheduled time. For these two options, we have also omitted any further complications
associated with Mary Jane’s journey to the airport or railway station!

Early 100
A. Early flight 0.3 On time 98 EU FLY (A):
(0.1 × 100) + (0.3 × 98) + (0.6 × 92) =
Delay 92 (10 + 29 + 55.2) = 94.6

0.2 Early 98
0.6 EU FLY (B):
B. Later flight On time 96
FLY (19.6 + 57.6 + 18) = 95.2
0.2 Delay 90

Early 84
0.3 EU DRIVE (A):
A. Early start 82
On time (33.6 + 24.6 + 23.4) = 81.6
0.3 Delay 78
Decision DRIVE
0.1 Early 76
0.4 EU DRIVE (B):
B. Late start
On time 72 (7.6 + 28.8 + 34) = 70.4
Delay 68
Early 92
VFT 0.05 EU VFT(A):
A. Early departure 0.2
On time 90 (4.6 + 18 + 63.75) = 86.35
0.75 Delay 85

0.1 Early 90
0.1 EU VFT(B):
On time 85
B. Late departure (9 + 8.5 + 64) = 81.5
0.8 Delay 80
Decision 1 Decision 2 Arrival outcomes Indexed Worth to
and probabilities Mary Jane

Figure 8.1  Expected utilities for DTA of travel outcomes.

For the expanded example, we have noted that the data insertions are hypothetical.
How would actual data values be derived, and are the values objectively or subjectively
Comprehensive airline and railway schedule compliance data are almost certainly
compiled by airline and railway companies, but also almost certainly inaccessible to the
general public. In order to assign the relevant probability values, Mary Jane will have to
either exercise personal judgement or rely on the experience and judgement of her
travel agent. She might conduct a small survey among colleagues and staff in the organi-
sation, but would thereby encounter problems associated with sample size. Without
access to authoritative objective data, Mary Jane’s input data values will be largely sub-
jective and vulnerable to all the errors and biases we have identified. When we turn to
the estimates of worth, these are likely to be almost entirely subjective estimates as they
pertain only to Mary Jane’s personal preferences, albeit that they may be conditioned by
her previous travel experiences and made with the best possible intent.
The DTA outcomes in Figure  8.1 suggest that Mary Jane’s best travel option (with
the highest expected utility) is to book on the Sydney flight leaving Melbourne later in
8.6  Quantitative Analysis 175

the day. Her worst option is to drive to Sydney with a late departure. This is what the
quantitative analytical model tells us. In real life, of course, Mary Jane’s travel decision
would be most heavily influenced by how much she hates flying, driving, or travelling
by train, or getting up early!
Note also that the DTA example models only one consequence – uncertain arrival time
in Sydney. Attempting to use DTA to quantitatively assess uncertainties associated with
multiple risk impacts, such as those shown in Table 8.5, becomes highly complicated.
Next, we examine the ETA example of the potential disaster flowing from the closing
failure of ferry loading doors. Figure 7.3 from Chapter 7 has also been augmented by
adding probability values to the nodes. Figure 8.2 displays the results.

Trigger Potential
Consequent event possibilities
event outcomes

trapped and
Ferry Disaster with
capsizes fatalities
p = 0.95 (p = 2.565 × 10–8)
Vehicles Yes
move and p = 0.4
COG changes
Yes Ferry sunk
Seawater p = 0.05 (p = 1.35 × 10–9)
enters ferry p = 0.25
Crew fail to
Yes No
respond Vehicle damage
Ferry to alarm p = 0.6 (p = 4.05 × 10–8)
p = 0.60
doors fail Yes
to close Water damage
p = 0.005
fully p = 0.75 (p = 2.025 × 10–6)
Yes No Reportable crew
p = 0.9 p = 0.40 (p = 1.8 × 10–7)
Wear failure of
bow door
No Reportable incident
closing servo
component? (p = 8.955 × 10–5)
p = 0.995
p = 0.0001 No Undetected incident
(p = 1.0 × 10–5)
p = 0.1

Figure 8.2  Outcome probabilities for ETA of ferry vehicle loading door incident.

After assigning a probability of occurrence to the door failure as the initiating event,
each of the dichotomous ‘Yes/No’ consequence tree nodes of the diagram is assigned a
probability, and the probability for a possible outcome is calculated from the product of
all the previous probabilities that can be traced back from that branch of the tree. As
with the DTA example, the assigned probabilities are hypothetical, and the same ques-
tions arise about these data.
The model for this example suggests that the chance of a ferry disaster with loss of
human life and vessel, due to wear failure occurring in a component of a loading door
servo‐motor, is about 3 in 100 million (0.001 × 0.9 × 0.005 × 0.6 × 0.25 × 0.4 × 0.95 = 0.000 
000 025 65; or 2.565 × 10−8). This probability assumes a ‘domino’ sequence in that the
doors do not close fully, the crew then fail to respond to an automatic alarm, seawater
enters the ferry, the vehicles on‐board move and the vessel’s centre of gravity shifts, the
vessel capsizes and sinks, and passengers are trapped and drowned.
176 8  Project Risk Analysis and Evaluation

Note that there is a smaller chance (slightly more than 1 in 1 billion) that the same
sequence could occur without resulting in any loss of life.
Design engineers might be able to assign an objective probability to the servo‐motor
component failure, but almost certainly a pessimistic subjective probability must be
assigned to the next link (the loading doors do not close fully). Some measure of crew
incompetence might be objectively assessed through reference to employee profiles
and training records in the human resource department of the ferry company. Prevailing
sea conditions and the likelihood of seawater entering the ship might be gauged from
meteorological forecasts, tide tables, and analysis of the ship design; but the extent to
which these will produce objective data is questionable. Vehicle movement and changes
in the ship’s centre of gravity could be calculated from first principles, as could the
likelihood of the vessel capsizing in such circumstances. The likelihood of passengers
being trapped and thereby drowning might be assessed from historical ferry disaster
incidents, but almost certainly a pessimistic subjective interpretation would be given to
the length of time the ferry might remain floating, the depth of the sea at this location,
and the proximity of effective response help.
As noted in Chapter 7 for this example, the ETA does not explore any further upstream
causal investigation of the reasons for the component failure. We can claim, however,
that for analysis of circumstances such as these, the assignment of probability values (as
measures of associated uncertainty) will derive from objective and subjective sources,
and objective data are likely to be subjectively conditioned.
Our third example takes the FTA diagram (Figure 7.4) for the deployment failure of
the aircraft emergency evacuation chute and assigns probability values to likelihood of
occurrence for the various nodes on the fault tree. Figure 8.3 depicts these values (again
As with the ETA, sub‐causal probabilities in this FTA example are multiplied in the
nodal branches of the three ‘trunk’ possible main causes of chute failure (power failure,
signal failure, and mechanical failure). Thus, the chance that chute deployment failure
is due to a lubrication failure in an auxiliary power unit (APU) is about 3% (0.3 × 0.65 × 
0.45 × 0.3 = 0.026 325). How are the node probabilities determined? Objective probabil-
ity data would have to be gathered from prolonged testing under controlled conditions,
possibly augmented by evidence from whatever real‐life incident analyses are available.
For mechanical components, failure estimates might also be derived from complex
design engineering and safety factor analysis. However, these data are only objective
because the context involves a highly engineered aircraft system. Other contexts might
reveal a considerable reliance on subjectively determined probabilities.
The three examples (DTA, ETA, and FTA) all suggest that context plays a large part in
determining the extent to which quantitative risk data are objectively or subjectively
derived and how this might influence our confidence in using them for quantitative
analysis of project risks. All three examples incorporate probability assessments. DTA
reflects different values for decision node outcomes in terms of their worth to the com-
pany director, and these could be transformed into financial values (albeit of doubtful
precision). The ETA example presents possible outcomes in ascending levels of severity,
while the FTA example shows one outcome (chute deployment failure). Neither exam-
ple places any financial values on the outcomes, although this could be attempted.
Expected monetary value (EMV) is an analytical technique that deals directly with
financial outcomes of risk events. It is a financial version of expected utility (EU) or may
8.6  Quantitative Analysis 177

provide an additional level of analysis for that tool. EMV is also known as ‘expected
mean value’, as the next example will show.

Aircraft type?

evacuation chute
(p = 0.0001)

p = 0.3 p = 0.45 p = 0.25

Power failure Signal failure Mechanical failure

p = 0.45 p = 0.55 p = 0.5 p = 0.5 p = 0.25 p = 0.7

Supply Control Faulty Faulty Damaged Faulty

failure equipment transmitter receiver components servos
p = 0.65 p = 0.15
p = 0.15 p = 0.85 p = 0.85 p = 0.05
p = 0.15
p = 0.35
APU Faulty Part p = 0.85
fault wiring failure Faulty Faulty Missing
wiring motherboard components
p = 0.3 p = 0.7

Lubrication Part
failure failure

Figure 8.3  FTA causal factor probabilities for chute deployment failure.

For this example, we assume a business situation where a newly formed company is
exploring a project to purchase and operate a franchise opportunity. The price of the
franchise is $250 000. Before entering into a franchise agreement, however, the com-
pany examines the business case and realises that in the first year a trading loss is likely
to occur due to the necessary start‐up costs. The exact amount of the loss is not known
with certainty, but the company has sought advice from the national association of busi-
ness franchisees. This association has collected extensive data about franchise perfor-
mance during the first three years of operation. Table  8.8 shows the information
provided by the association for potential first‐year losses on a franchise costing up to
$300 000.

Table 8.8  Franchise first‐year trading loss EMV.

Expected trading loss in first year of franchise Associated probability (p) $Loss × p

≤$25 000 0.55 $13 750

≤$15 000 0.25 $3 750
≤$10 000 0.15 $1 500
≤$5 000 0.05 $250
EMV = $19 250
178 8  Project Risk Analysis and Evaluation

From this information, the company can calculate an EMV of loss for the first year of
operation of the franchise. The calculation is shown in the right‐hand column of the
table, where each possible loss is multiplied by its likelihood of occurrence. The EMV is
the sum of the calculated losses.
The EMV suggests that the company should prudently plan for a trading loss of about
$20 000 in the first year if it purchases the franchise, but ‘prudence’ in this context sug-
gests an attitude towards risk that is discussed more fully in Chapter 9 (Risk Response
and Treatment Options).
While the analysis in the example now deals directly with uncertainty associated with
the financial impact of first‐year trading operations for the franchise, the expected loss
is not explained other than ascribing it to start‐up costs. There might well be additional
explanations (insufficient customers, bad debts, etc.) that constitute the prior risk
events. In this sense, the example is too simplistic in terms of risk identification.
Furthermore, the quality of the information provided by the franchisee association is
not known in terms of: the sample size that the data are drawn from, representativeness
(type of franchise), and ‘shelf life’ (contemporaneity). Inadequacies in any of these will
degrade the data quality and affect organisational confidence in the EMV.
In the construction industry, EMV can be used for quantitative exploration of sev-
eral project threat risks, as long as the caveat about data sufficiency and reliability is
observed. The technique is used to calculate a monetary amount that should be included
in the project bid price, or on more direct means of mitigating the risk. Case Studies A
(a PPP correctional facility) and B (an aquatic theme park) indicate use of this risk strat-
egy, but its application is limited by the data requirements. Dealing with weather risk is
perhaps the most frequent application of EMV. The use of cranes on construction sites
is, among other factors, determined by weather conditions and particularly by wind
speeds and wind gusting. Access to meteorological records will indicate the probability
and number of days in any season where extreme winds are likely. Costing records will
indicate the average hourly cost of operating a crane on site and the costs of lost produc-
tivity per day for different types of projects. The seasonal flow of site activities for the
target project will also be considered. A contractor can then bring data for all these
factors into the EMV analysis to determine an amount that should be priced into its bid.
The analysis will indicate minimum, maximum, and mean values, and, depending upon
its risk appetite and assessment of the tender market, the contractor can choose which
amount to add to its bid.
This section is not intended in any way to criticise the use of quantitative risk analysis.
When used correctly, this approach is a valuable contributor to effective project risk
management. As with qualitative risk assessment, our purpose has been to highlight the
issues that must be resolved, and important among these is the danger of using values
for uncertainty that are ‘pseudo‐objective’ – they have the appearance of quantitative
objective data but are actually subjectively derived – and then treating them as though
they are completely objective data. A guiding principle to quantitative risk assessment
is ‘caveat emptor’ (‘Let the buyer beware’) for both the analytical techniques and the
data that service them.
While qualitative risk analysis is generally faster than quantitative analysis and can
be carried out rapidly by a small experienced team, it should not be undertaken as a
‘once‐over lightly’ exercise just to satisfy the compliance requirements of a project
stakeholder organisation’s risk management system and policies. Nor should it be just
8.7  Risk Mapping 179

a means of avoiding the greater rigour of quantitative analysis. Good, appropriate, and
thoughtful risk analysis, and evaluation of risk severity, substantially informs organi-
sational decision making about how risk should be treated, monitored, and
Particular care should be taken with what are often referred to as ‘long tail’ threat
risks. This occurs where the probability or likelihood of occurrence of the risk event is
extremely low, but the period of exposure to the consequences is very long and the
impact magnitude is very high. Such risks do not fit comfortably into qualitative risk
assessment models and should be flagged and accorded individual attention. We will
return to this dilemma in Chapter 9.
Information arising from project risk analysis and evaluation is used to populate the
stakeholder organisation’s project risk item record and thence to its PRR and organisa-
tional risk register (ORR) systems. A good organisational project risk management
system will provide access links (e.g. on a dedicated cloud‐based platform) to any quan-
titative data and analytical processes.
The four examples (DTA, ETA, FTA, and EMV) demonstrate that quantitative risk
analysis is not for the faint‐hearted! In our view, EMV is likely to be the most practical
tool for project risk management, and then only if the user has sufficient confidence in
the financial input data.
A useful adjunct to qualitative or quantitative risk assessment is that project risks can
then be mapped.

8.7 ­Risk Mapping
Risk mapping is a very under-utilised tool in project risk management, yet it can yield
substantial benefits, not only for the project at hand but also strategically. ‘Clusters’ of
risk are quickly revealed, and the purpose of mapping is to discover where abnormally
large or unusual clusters exist. Follow‐up comparison with the risk maps of previous
projects can indicate signs of emerging risk trends.
Perhaps the simplest approach is to map project risks according to severity level.
Table  8.6 showed three‐point risk likelihood, impact, and severity measures. The
coded risks (which are amplified in individual risk schedule items) can be mapped onto
the matrix according to the severity assigned to each one. The matrix shows that the
highest preponderance of threat risks occurs under ‘Medium’ severity. This information
is useful as it could be compared with severity matrices from previous similar projects.
If the comparison is found to be unfavourable, the risk item records may provide expla-
nations, and the organisation might need to consider changes in its project manage-
ment or methods of undertaking projects. If the number of ‘High’ risks mapped is
excessive, the organisation might even want to consider abandoning that project. The
larger matrix of Table 8.7 could be used in a similar way.
Another approach is to map risks according to category type. This can be done in a
simple manner by recoding risk identifiers according to their risk category: for example,
if Risk R1 is a weather‐related risk, it may be recoded as R1‐W, and so on. Should the
cluster of weather risks prove substantially and unusually large for the project, thought
can then be given to a cluster mitigation response, such as using an innovative tempo-
rary canopy for a construction project.
180 8  Project Risk Analysis and Evaluation

Ideally, this approach should be combined in a matrix format with some of the risk
identification tools dealt with in Chapter 7, such as the ‘listing’ types represented by
Tables 7.8–7.11. The ultimate combination matrix format is probably that shown in
Table 7.13.
Mapping according to risk type category explores risk source events. While mapping
risks in terms of likelihood of occurrence of the risk event is unlikely to provide much
useful benefit, risk impact mapping can prove to be very useful. For instance, mapping
risks that have large environmental consequences (see Table 8.5) may give insight into
the environmental ‘footprint’ of the project and trigger consideration of alternative pro-
ject technologies.
A unique form of comparative risk mapping that uses the graphical charting capacity
of modern spreadsheet software applications is found in ‘spider charts’. Table 8.9 shows
hypothetical severity assessments for 10 different threat risks that reoccur across three
project alternatives.

Table 8.9  Comparative project risk severity assessments.

Risk 1 Risk 2 Risk 3 Risk 4 Risk 5 Risk 6 Risk 7 Risk 8 Risk 9 Risk 10

Project A 100 90 80 70 60 50 40 30 20 10
Project B 85 85 60 80 40 65 30 70 45 50
Project C 60 95 110 40 75 35 60 50 60 30

Considerable care is needed for this type of risk mapping. While the continuous data
available from quantitative risk analysis are suitable for charting, ordinal data from
qualitative analysis cannot be used for this purpose unless the ordinal scales are arranged
so that ascending step progressions between scale intervals are equal and similar scales
are used for all risks and all projects. Inevitably, some form of objective indexation
should be applied to the risk severity values, so as to form a common relative basis for
comparisons. In this example, the 10 risks for Project A are indexed from the severest
of the 10 (A1 = 100), and the similar risks for the alternative projects (B and C) are then
rated in comparison to A1.
Figure  8.4 displays the ensuing spider chart for the projects and their risks. The
visual risk ‘footprints’ for the three projects suggest that Project B and Project C are
each probably ‘riskier’ than Project A, but overall differences might be more difficult
to detect between B and C. Risk C3 looks abnormal and may warrant further examina-
tion for this project alternative. Other project risk comparisons deserve similar
Charting comparisons are not limited to alternative projects. They can be prepared
for different parts of a project where similar risks (but with differing severities) tend
to arise.
Experimentation with various charting formats, and with data required for them,
could yield valuable risk knowledge for a project stakeholder organisation. Our trials
suggest that up to 20 project risks can be charted in this format. Beyond that, the chart
becomes too cluttered and illegible, but we leave it to the creative ingenuity of our read-
ers to explore this technique further!
8.8 Summary 181

Risk 1

Risk 10 100 Risk 2



Risk 9 40 Risk 3


Risk 8 Risk 4

Risk 7 Risk 5

Risk 6

Figure 8.4  Risk severity spider chart.

8.8 ­Summary
The outcome of the risk analysis and evaluation processes should be a list of all the
identified threat risks that the stakeholder faces on the project. Each risk is analysed,
either qualitatively or quantitatively (or both), in terms of the uncertainty associated
with the likelihood of occurrence for the risk event and the consequences that will
flow from it. From these analyses, threat risks are then evaluated in terms of their
severity to the project stakeholder organisation that faces them. For qualitatively
analysed risks, subjective linguistic interval labels are applied to an acceptable meas-
ure. For quantitatively analysed risks, objective mathematical values of severity can
be calculated.
If subjective linguistic measures are adopted for qualitative risk analysis and evalua-
tion, it is important to remember that it is your ‘model’ measuring your risks, and you
must be comfortable using it as part of your risk management system. Establishing the
measures and defining intervals are the responsibility of senior management in an
organisation and should be done through careful consideration and with an acceptable
logical underpinning. In the contemporary world of projects, always be mindful that
your organisation might be called upon, in an official enquiry, to explain and justify its
risk assessment methods.
Similarly, ‘long tail’ risks will almost certainly warrant separate attention.
182 8  Project Risk Analysis and Evaluation

Risk identification is often claimed to be more important than risk analysis for
the purposes of project risk management, since you cannot proactively manage uniden-
tified risks and it may be obvious that some risks must be addressed regardless of their
likelihood and impact characteristics. Despite this, risk analysis is always worthwhile as,
like the earlier stages in the project risk management cycle, it raises the level of risk
awareness among project participants.
The uniqueness necessarily associated with any organisation’s approach to assessing
its risks supports our ongoing argument that a universal project risk management sys-
tem (i.e. one shared by all project stakeholders) is impractical.
Finally, the usefulness of risk mapping should not be neglected. This activity does not
necessarily have to be carried out in parallel with risk analysis, nor at the same time, but
such mapping may provide further risk insights for a project stakeholder organisation,
and the results can influence decision making about risk treatment options and
responses. This is the topic of Chapter 9.

Australian Standard/New Zealand Standard (AS/NZS) (2004). Risk Management
Guidelines – Companion to AS/NZS 4360 (HB 436). Homebush, NSW: Standards
International Organisation for Standardisation (ISO) (2018). Risk Management: Principles
and Guidelines (ISO 31000). Geneva: International Organisation for
Standardisation (ISO).
Standards Australia/Standards New Zealand (SA/SNZ) (2013). Risk Management –
Guidelines on Risk Assessment Techniques (SA/SNZ HB 89). Homebush, NSW:
Standards Australia.

