Qualitative and Quantitative Risk Analysis

Learn more about qualitative and quantitative risk analysis. Discover how these methods help organizations address risks and hazards.

gestor de proyectos que realiza análisis de riesgos cualitativos y cuantitativos

What is Qualitative Risk Analysis?

Qualitative risk analysis is the process of evaluating and rating an identified risk based on its severity and the likelihood of its consequences. The goal of qualitative risk analysis is to come up with a short list of risks that need to be prioritized above others.

Qualitative risk analysis is best described as a project manager’s first line of defense against risks. It helps weed out potential detractors to the project’s success, including risks that are unlikely to cause any severe harm to the project. By targeting the most dangerous risks first, risk analysis in project management becomes more efficient and project managers are able to allocate their time and resources more effectively.

What is Quantitative Risk Analysis?

As part of the overall quantitative risk management process, quantitative risk analysis is the process of calculating risk based on data gathered. The goal of quantitative risk analysis is to further specify how much will the impact of the risk cost the business. This is achieved by using what’s already known to predict or estimate an outcome.

For data to be suitable for quantitative risk analysis, it has to have been studied for a long period of time or to have been observed in multiple situations. For example, in the past five projects, equipment type A has broken down after 7 hours of use. With this information, it can be assumed that if a project requires workers to use equipment type A for 8 hours, then it has a 100% chance of breaking down. 

Difference Between Qualitative and Quantitative Risk Analysis

The key difference between qualitative and quantitative risk analysis is the basis for evaluating risks. As mentioned earlier, qualitative risk analysis is based on a person’s perception or judgment while quantitative risk analysis is based on verified and specific data. 

Another difference is the values associated with risks. In qualitative risk analysis, this value is the risk rating or scoring. A risk may be rated “Low” or given a score of 1 to indicate that the risk does not require immediate attention. In quantitative risk analysis, the value associated with the risk is often in percentages and indicates the probability of the risk occurring or of it causing a specific negative effect on project objectives. 


To help guide project managers in selecting which risk analysis to perform, here are examples of instances where a qualitative or quantitative risk analysis may be applied.

Examples of Qualitative Risks/Problems

Change in perception of a risk – Example: The lack of machine guards was initially given a risk rating of low, but after several near misses involving the hazard occurred, the project manager believes its risk rating should be at least medium.

New risk has been identified – Example: When the project began, equipment was in good condition. The only risk the project manager could identify at the time was the lack of proper training, as most of the workers did not know how to use equipment safely. The project manager quickly arranged for the workers to be trained in equipment safety. Yet, as the workers started to use equipment more frequently, the project manager noticed that it was no longer in good condition and could malfunction soon.

Examples of Quantitative Risks/Problems

Large amount of data on the risk and its impact – Example: In 2020, a construction company planned on starting a major project in 2021. In preparation for the project, the construction company began collecting data on the risks they may face, their impact on the project’s completion, and how much mitigating these risks could cost the company. By early 2021, the construction company had enough data to perform a quantitative risk analysis. 

Qualitative risk analysis needs to be validated – Example: During qualitative risk analysis, a project manager scored each risk a 10 on a scale of 1-10, with 10 being extremely high risk. But the project manager wants to ensure that each risk has an impact great enough to justify spending time and resources on them. 

How to Perform Qualitative and Quantitative Risk Analysis

After choosing which risk analysis best fits their given situation, project managers can proceed with performing the risk analysis. For those looking for a guide on how to perform qualitative and quantitative risk analyses, follow the steps below:

Qualitative Risk Analysis Steps

Step 1: Identify Risks

The goal of this step is to create a masterlist of risks by noting down any risk that comes to mind and asking other members of the team for their input. Additionally, project managers can make the risk identification process faster by holding brainstorming sessions with their teams and even some workers to get a clearer idea of what’s happening in the field.

Step 2: Classify Risks

There are several techniques for classifying risks. One popular technique is the risk matrix, which combines the consequences and likelihood of a risk occurring. 

Risk Assessment Matrix

Risk Matrix

Lesser known techniques include assessing the possible causes and effects of each risk and preparing for different scenarios involving the risk.

Step 3: Control Risks

While this may look different depending on the technique chosen in the previous step, risk control is generally divided into two categories. The first category of risk control is focused on targeting the root causes of risks such as hazards or inefficient management processes. The second category of risk control is geared towards lessening the negative impact of the risk through corrective actions such as providing workers with PPE

Step 4: Monitor Business Risks

As project managers go through the qualitative risk analysis process, they should remember to keep all of their notes regarding risks, risk ratings, and control measures to mitigate consequences. These notes will be useful in completing the final step: risk monitoring. This step mainly involves observing risks and asking the following questions:

  • Is risk control effective?
  • Were risks correctly classified?
  • Have all risks been identified?

Quantitative Risk Analysis Steps

Step 1: Identify the Purpose, Scope, Method

Project managers first need to think about what they want out of the quantitative risk analysis. What kind of insight are they looking for? After identifying the purpose of quantitative risk analysis, project managers can now define the scope and limitations. What data will or will not be included in the quantitative risk analysis? Once this question has been answered, project managers can now select one of the following methods for quantitative risk analysis:

Step 2: Prepare the Data, Tools, and People Needed

Before applying the selected method, project managers should ensure that data is organized and compatible with the method and tools they plan to use. Tools can include digital templates, specialized software such as an employee gps tracking, and other materials that can help in performing quantitative risk analysis. As for the preparation of the people needed, this highly depends on whether or not project managers decide to hire outside experts or involve people from other departments or branches.

Step 3: Apply the Chosen Method to the Data Gathered

Once the data, tools, and people needed are ready, project managers can proceed with performing the quantitative risk analysis. If project managers selected the FMEA or BIA methods, they can use the following digital templates:

For the EMV method, project managers can use the following formula:

Probability in % of Risk Occurring x Cost of Impact in Preferred Currency = EMV

Step 4: Record and Store All Results

After applying the FMEA, BIA, or EMV method, ensure that all results are recorded and stored securely, even if they aren’t the focus of this risk analysis. The reason for keeping these records is that they may be useful later on in the next risk analysis. As quantitative risk analysis takes up a lot of time, effort, and resources, it’s important to not waste information gained from it.

Quantitative risk analysis is also helpful in performing industry-specific functions such as restaurant inspections, pharmaceutical audits, and food safety inspections as it can help identify health code violations before they become a problem.

Achieve operational excellence

Cultivate a culture of excellence with our digital solutions that enhance efficiency, agility, and continuous improvement across all operations.

Explore now

Leverage Digital and Ready-to-Use Templates

SafetyCulture (formerly iAuditor) templates are easy to use and customize according to the needs of the project. Project managers can simply download one of SafetyCulture’s pre-made templates to get started. Here are some SafetyCulture templates that could help project managers in performing qualitative and quantitative risk analysis:

Quantitative Risk Analysis Template

Use this digital template as a guide in performing quantitative risk analysis. It includes the following steps:

  1. Identify the purpose, scope, and method
  2. Prepare the data, tools, and people needed
  3. Apply the chosen method to the data gathered
  4. Record and store all results for future risk analysis

Create your own Quantitative Risk Analysis template

Build from scratch or choose from our collection of free, ready-to-download, and customizable templates.

Browse Quantitative Risk Analysis template

FAQs about Qualitative and Quantitative Risk Analysis

Qualitative risk analysis focuses on assessing and prioritizing risks based on their impact and likelihood, using non-numerical methods. It provides a subjective evaluation based on the perspective of the assessor and the business’s priorities. Qualitative risk analysis also typically  doesn’t involve mathematical calculations or quantification.

Some of the methods used when implementing quantitative risk analysis are Failure Mode and Effects Analysis (FMEA), Business Impact Analysis (BIA), and Expected Monetary Value (EMV). The specific method greatly depends on the needs of the analysis as well as the goal that organizations want to achieve with the results.

Qualitative risk analysis should be performed when there is a change in the perception of risk and when a new risk has been identified. As a general rule, project managers should always perform qualitative risk analysis at the beginning of every project. Additionally, since performing qualitative risk analysis is relatively easy, quick, and low-cost, it can be done at any time during the project or whenever the project manager deems it necessary.

In relation to that, a 5 whys software can help in efficiently performing qualitative risk analysis. Since 5 whys digs into the reason why a certain situation is the way it is, calculating risks and their impact would be easier and more credible. 

Quantitative risk analysis should be performed when there is a large amount of data on the risk and its impact and when qualitative risk analysis needs to be validated. Since performing quantitative risk analysis and quantitative risk assessment can be difficult and time-consuming, it is not recommended by most project managers unless the safety of the project relies on precise estimations of risk. In these environments, performing quantitative risk analysis may be required by law or by project stakeholders.

SafetyCulture Content Team
Article by
SafetyCulture Content Team
The SafetyCulture content team is dedicated to providing high-quality, easy-to-understand information to help readers understand complex topics and improve workplace safety and quality. Our team of writers have extensive experience at producing articles for different fields such as safety, quality, health, and compliance.