Qualitative and Quantitative Risk Analysis

Everything you need to know about qualitative and quantitative risk analysis: their differences, examples of when to perform each, as well as detailed steps, techniques, and methods to help guide you through each process

Published 24 Dec 2021

What is Qualitative Risk Analysis?

Qualitative risk analysis is the process of rating or scoring risk based on a person’s perception of the severity and likelihood of its consequences. The goal of qualitative risk analysis is to come up with a short list of risks which need to be prioritized above others.

Qualitative risk analysis is best described as a project manager’s first line of defense against risks. It helps weed out potential detractors to the project’s success, including risks that are unlikely to cause any severe harm to the project. By targeting the most dangerous risks first, project managers are able to allocate their time and resources more effectively.

What is Quantitative Risk Analysis?

Quantitative risk analysis is the process of calculating risk based on data gathered. The goal of quantitative risk analysis is to further specify how much will the impact of the risk cost the business. This is achieved by using what’s already known to predict or estimate an outcome. 

For data to be suitable for quantitative risk analysis, it has to have been studied for a long period of time or to have been observed in multiple situations. For example, in the past five projects, equipment type A has broken down after 7 hours of use. With this information, it can be assumed that if a project requires workers to use equipment type A for 8 hours, then it has a 100% chance of breaking down. 

Difference Between Qualitative and Quantitative Risk Analysis

The key difference between qualitative and quantitative risk analysis is the basis for evaluating risks. As mentioned earlier, qualitative risk analysis is based on a person’s perception or judgment while quantitative risk analysis is based on verified and specific data. 

Another difference is the values associated with risks. In qualitative risk analysis, this value is the risk rating or scoring. A risk may be rated “Low” or given a score of 1 to indicate that the risk does not require immediate attention. In quantitative risk analysis, the value associated with the risk is often in percentages and indicates the probability of the risk occurring or of it causing a specific negative effect on project objectives. 

When to Perform a Qualitative and Quantitative Risk Analysis

Qualitative risk analysis should be performed when there is a change in the perception of a risk and when a new risk has been identified. As a general rule, project managers should always  perform qualitative risk analysis at the beginning of every project. Additionally, since performing qualitative risk analysis is relatively easy, quick, and low-cost, it can be done at any time during the project or whenever the project manager deems it necessary.

Quantitative risk analysis should be performed when there is a large amount of data on the risk and its impact and when qualitative risk analysis needs to be validated. Since performing quantitative risk analysis can be difficult and time-consuming, it is not recommended by most project managers unless the safety of the project relies on precise estimations of risk. In these environments, performing quantitative risk analysis may be required by law or by project stakeholders. 


To help guide project managers in selecting which risk analysis to perform, here are examples of instances where a qualitative or quantitative risk analysis may be applied.

Examples of Qualitative Risks/Problems

Change in perception of a risk – Example: The lack of machine guards was initially given a risk rating of low, but after several near misses involving the hazard occurred, the project manager believes its risk rating should be at least medium.

New risk has been identified – Example: When the project began, equipment was in good condition. The only risk the project manager could identify at the time was the lack of proper training, as most of the workers did not know how to use equipment safely. The project manager quickly arranged for the workers to be trained in equipment safety. Yet, as the workers started to use equipment more frequently, the project manager noticed that it was no longer in good condition and could malfunction soon. 

Examples of Quantitative Risks/Problems

Large amount of data on the risk and its impact – Example: In 2020, a construction company planned on starting a major project in 2021. In preparation for the project, the construction company began collecting data on the risks they may face, their impact on the project’s completion, and how much mitigating these risks could cost the company. By early 2021, the construction company had enough data to perform a quantitative risk analysis. 

Qualitative risk analysis needs to be validated – Example: During qualitative risk analysis, a project manager scored each risk a 10 on a scale of 1-10, with 10 being extremely high risk. But the project manager wants to ensure that each risk has an impact great enough to justify spending time and resources on them. 

How to Perform Qualitative and Quantitative Risk Analysis

After choosing which risk analysis best fits their given situation, project managers can proceed with performing the risk analysis. For those looking for a guide on how to perform qualitative and quantitative risk analyses, follow the steps below:

Qualitative Risk Analysis Steps

Step 1: Identify Risks

The goal of this step is to create a masterlist of risks by noting down any risk that comes to mind and asking other members of the team for their input. Additionally, project managers can make the risk identification process faster by holding brainstorming sessions with their teams and even some workers to get a clearer idea of what’s happening in the field.

Step 2: Classify Risks

There are several techniques for classifying risks. One popular technique is the risk matrix, which combines the consequences and likelihood of a risk occurring. 

risk matrix qualitative and quantitative risk analysis

Risk Matrix

Lesser known techniques include assessing the possible causes and effects of each risk and preparing for different scenarios involving the risk.

Step 3: Control Risks

While this may look different depending on the technique chosen in the previous step, risk control is generally divided into two categories. The first category of risk control is focused on targeting the root causes of risks such as hazards or inefficient management processes. The second category of risk control is geared towards lessening the negative impact of the risk through corrective actions such as providing workers with PPE

Step 4: Monitor Business Risks

As project managers go through the qualitative risk analysis process, they should remember to keep all of their notes regarding risks, risk ratings, and control measures to mitigate consequences. These notes will be useful in completing the final step: risk monitoring. This step mainly involves observing risks and asking the following questions:

  • Is risk control effective?
  • Were risks correctly classified?
  • Have all risks been identified?

Quantitative Risk Analysis Steps

Step 1: Identify the Purpose, Scope, Method

Project managers first need to think about what they want out of the quantitative risk analysis. What kind of insight are they looking for? After identifying the purpose of quantitative risk analysis, project managers can now define the scope and limitations. What data will or will not be included in the quantitative risk analysis? Once this question has been answered, project managers can now select one of the following methods for quantitative risk analysis:

Step 2: Prepare the Data, Tools, and People Needed

Before applying the selected method, project managers should ensure that data is organized and compatible with the method and tools they plan to use. Tools can include digital templates, specialized software, and other materials that can help in performing quantitative risk analysis. As for the preparation of the people needed, this highly depends on whether or not project managers decide to hire outside experts or involve people from other departments or branches.

Step 3: Apply the Chosen Method to the Data Gathered

Once the data, tools, and people needed are ready, project managers can proceed with performing the quantitative risk analysis. If project managers selected the FMEA or BIA methods, they can use the following digital templates:

For the EMV method, project managers can use the following formula:

Probability in % of Risk Occurring x Cost of Impact in Preferred Currency = EMV

Step 4: Record and Store All Results

After applying the FMEA, BIA, or EMV method, ensure that all results are recorded and stored securely, even if they aren’t the focus of this risk analysis. The reason for keeping these records is that they may be useful later on in the next risk analysis. As quantitative risk analysis takes up a lot of time, effort, and resources, it’s important to not waste information gained from it.

Using iAuditor Templates

iAuditor templates are easy to use and customize according to the needs of the project. Project managers can simply download one of iAuditor’s pre-made templates to get started. Here are some iAuditor templates that could help project managers in performing qualitative and quantitative risk analysis:

Qualitative Risk Analysis Template

Use this digital template to perform qualitative risk analysis in 4 steps:

  1. Risks and hazards identification
  2. Classify risks
  3. Control risks
  4. Monitor risks

Quantitative Risk Analysis Template

Use this digital template as a guide in performing quantitative risk analysis. It includes the following steps:

  1. Identify the purpose, scope, and method
  2. Prepare the data, tools, and people needed
  3. Apply the chosen method to the data gathered
  4. Record and store all results for future risk analysis

iAuditor Features

iAuditor by SafetyCulture is a digital operations platform project managers use to ensure that their projects stay on track. It has the following features:

Perform risk analysis on a mobile device

iAuditor makes it simple and easy for project managers to perform risk analysis on-the-go or in the field. With the iAuditor mobile app, project managers can capture and record risks as soon as they appear, set risk ratings, and collaborate with other members of their team in identifying potential risks.

Create corrective actions to control risks

Project managers can assign corrective actions to anyone in the organization or even to themselves. They can add due dates, priority levels, and images to any corrective action created in iAuditor.

Keep risk analysis results all in one place

View risk analysis results in the analytics dashboard and apply filters to get the insights you need. Store critical data effortlessly with automated recordkeeping.


Reach Project Goals

iAuditor helps you manage risks so that they don’t get in the way of your work. Without a good project risk management system, projects are vulnerable to unexpected threats and may be delayed as a result. Prepare for anything and everything by identifying and analyzing risks. By performing regular risk analysis, you become more equipped to handle possible obstacles to the project completion.


SafetyCulture Content Specialist

Zarina Gonzalez

Zarina is a content writer and researcher for SafetyCulture. She enjoys discovering new ways for businesses to improve their safety, quality, and operations. She is working towards helping companies become more efficient and better equipped to thrive through change.

Zarina is a content writer and researcher for SafetyCulture. She enjoys discovering new ways for businesses to improve their safety, quality, and operations. She is working towards helping companies become more efficient and better equipped to thrive through change.