Qualitative risk assessments and quantitative risk assessments have different objectives. Whereas a qualitative risk assessment assesses the potential for risks or adverse events to occur, a quantitative risk analysis is a mathematical model reflecting the probability of the occurrence of a risk or an adverse event. A qualitative risk assessment does not attempt to assign hard financial values to assets, expected losses, loss of control, etc. Instead, relative values are calculated, which may include indicative cost and loss values.

A qualitative risk assessment, due to its very nature, requires multiple inputs from various parties for a comprehensive evaluation of the risks and the consequences of adverse events. A quantitative risk analysis can be performed by a single person, since the potential risks have been identified but still require a probability factor.

A qualitative risk assessment can be conducted through a combination of questionnaires and collaborative workshops. The participants, i.e., the review team, should represent all relevant aspects of the organization of the enterprise, and should all be adequately familiar with the enterprise objectives.

For clarity, in this narrative, an enterprise has been defined as efforts performed in a strategic manner for achieving a perceived objective, and thus can apply to a business, an existing plant, part of an existing plant, a project, or part of a project. The methodology can be applied in its entirety to the whole enterprise, as well as to specific parts, sections or stages of the enterprise.

This narrative specifically focuses on the risks associated with a project style execution of actions of an enterprise. This implies that the success of the performance of the execution is measured in terms of the following three criteria:

  • Is the work completed in time, i.e., on schedule?
  • Is the work completed within the allocated funding, i.e., within budget?
  • Does the quality of the services and material to be delivered under contract meet the technical requirements, i.e., is it in compliance with the contract specifications, applicable standards and codes?

Table 2.1 provides a guide for assessing the potential financial risks.

It is recommended to identify potential operational and financial risks prior to starting an enterprise. A Risk Management Plan (RMP) should be part of an Enterprise Execution Plan. Risk Management topics should address issues such as enterprise risk, management deceptions, loss of capital, equipment theft, earthquake, construction safety, political risk, privacy, workplace violence, and strikes.

This narrative presents a methodology for conducting a Qualitative Risk Assessment, and shows how risks can be identified, evaluated and mitigated or avoided in a consistent and systematic manner.

For assessing potential hazards that may occur as a result of a design weakness, or an inadequacy pertaining to operating safety, a HAZOP (Hazard Operability) review can be conducted. For HAZOP review practices, refer to the HAZOP workshop section.

A comprehensive Risk Management Plan (RMP) generally needs to cover the following issues:

  • The stakeholders concerns
  • Set-up of the Risk Management Process
  • Risk Identification
  • Risk Assessment
  • Risk Response Planning and mitigation
  • Risk Monitoring and Control

The sequence of activities pertinent to establishing an RMP is addressed on a step-by-step basis, as shown in the “Risk Assessment Process Diagram” under “Services/Qualitative Risk Assessment - Risk Assessment Diagram”.


The objective of Risk Management is minimizing the probability and severity of adverse events on an enterprise.


3.1    Stakeholders - A “Stakeholder” can be defined as: “Any person, group, or entity that can place a claim on the organization’s attentions, resources or output, or is affected by that output”. Thus, within the frame of this definition, a ‘Stakeholder’ can place a claim on the organization’s resources, and hence is to be considered a source of risk.

The organization’s stakeholders, whose interests may be affected, are all, or any, of the following parties:

  • Client
  • Contractor
  • Shareholders
  • Employees / Staff
  • Insurance Companies
  • Auditors
  • Management
  • Board of directors

3.2    Hazard - Anything that may cause a potential risk.

3.3    Risk - Exposure to the chance of an adverse effect, e.g. human injury, adverse environmental effects, loss of production, loss of capital, adverse effect on reputation, negative effect on project execution, etc.

3.4    Deviation - Any event that causes an offset of the intended use of a piece of equipment, system, procedure or objective. A deviation is often a potential initiation of a risk.

3.5    Risk Management Planning - This is the process of how to plan for the Risk Management activities for an enterprise.

3.6    Risk Identification - This activity involves identification of potential adverse events that may affect the enterprise.

3.7    Qualitative Risk Assessment (QlRA) - This is an exercise on how to assess the probability (P) of an adverse event and its severity (S). Both will be used to determine the relative importance of the potential adverse event.

3.8    Quantitative Risk Analysis (QnRA) - This is a numerical analysis of the probability of the risk, and sensitivity when the adverse event occurs.

3.9    Risk Response Plan (RRP) - The process of developing options and determining actions to reduce adverse events that may affect the enterprise.

3.10    Enterprise Plan Risk (EPR) - This is a business risk, i.e., an uncertain adverse event or condition that, if it occurs, has a negative effect on the enterprise plan objectives.

3.11    Guideword - Help for indicating a deviation, a concern, or a cause.

3.12    HSE - Health Safety and Environment

3.13    EIA - Environmental Impact Assessment on plant or factory premises, surrounding community/local population, and local area biotopes, e.g. agricultural premises, vegetation, wildlife, surface water and aquifer, etc.

3.14    Risk Tools - A tool to determine the importance of a risk to which an enterprise is subjected, or which an organization is willing to accept within the frame of set or defined values. A “Risk Tool” broadly falls under the umbrella of the following elements:

  • The estimated probability (P) of the chance that the adverse event will occur
  • The estimated severity (S) of the effect an adverse event will have on the enterprise

A risk (R) can be quantified by the following simple equation: R = P × S.

The importance of the risk (R) is determined by combining both the probability (P) of the event occurring and its severity (S). The costs associated with “R” can be compared with costs related to (additional) contingencies, investments or expenses pertaining to preventive maintenance and/or inspection, for achieving a lower risk level.

P and S can be expressed in percentages or by a factor (in %, R ≤ 100%, 100% = definitive when P = S = 100%; in factors, R ≤ 1, 1 = definitive when P = S = 1).

3.15    Risk Matrix - The Risk Matrix (Table 2.3A) demonstrates a combined result of the likelihood or Probability (P) of an event and the Severity (S) or Impact of its consequence.

The “Risk Matrix” is the base on which management can decide on the necessary “Mitigating Action” to be taken as a “Response”. The Risk Matrix therefore is the ‘driver’ to conclude a “Response Table” (Ref Table 2.3A) which is a scorecard that directs the mitigating actions on the basis of an overall risk category and risk level the organization of the enterprise (i.e. stakeholders) can accept.

3.16    Risk Categories - Risks, when identified, can be organized into risk categories. These categories reflect common sources of risk in the application area as follows:

  • Technical (substandard) Quality and/or (under) Performance Risk
  • Enterprise/Management Risk
  • Organizational Risk of the enterprise
  • External Risks

Severity (S) relative to the probability (P) can be defined as measures of loss of business revenue, production, assets, equity and costs incurred from repairing equipment and/or cleanup of the area and environment, as well as potential damage claims. Known or identified risks must be addressed in Risk Management Planning. Unknown risks cannot be planned. However, based on experience, these risks can be covered by adding contingency.

Risk Assessment is the process of gathering and analyzing data to develop an understanding of the exposure of an enterprise to risks. To establish the importance of a possible risk, the following questions are to be answered:

  • What is the potential adverse event?
  • What is the probability of the adverse event occurring?
  • What will be its severity should it occur?


The risk identification should be handled in an assessment meeting, and is an iterative process where participants should generally include the following team members:

  • Chairman/ Facilitator/Team Leader
  • Secretary or scribe
  • Contractor / Consultant
  • Client's specialists
  • Stakeholders
  • Third party specialists (technical, financial and legislative)

The results of the meeting should be recorded in a systematic manner similar to a HAZOP review meeting. Attachment 2.1 Qualitative Risk Assessment Worksheet can be used for recording the results of the meeting.


The Risk Management Plan defines how to approach and plan the risk management activities for an enterprise. The plan indicates how risk identification, qualitative assessment, response, monitoring and control will be performed during execution.

A model for Risk Assessment is demonstrated in the “Risk Assessment Diagram” (see services “Qualitative Risk Assessment”).

The Qualitative Risk Assessment generally is to include the following:

  • Assessment - Defines the tools and data sources to be applied as appropriate in risk management. This depends on Enterprise Plan stage, the available data and information, as well as the response options.
  • Responsibilities - Definition of the Role and Responsibility of each team member of the Risk Management Team.
  • Budget - Establishment of a budget for Risk Management in the Enterprise Plan.
  • Timing - Defines the frequency and / or stage when a Qualitative Risk Assessment must be conducted.
  • Scoring and Interpretation - Defines methods and criteria to be applied for Risk Quantification and Qualification.
  • Thresholds - Defines criteria for actions to be taken on risks.
  • Reports - Defines the format in which Qualitative Risk Assessment results will be recorded, analyzed and relayed to the team.
  • Tracking and Tracing documents

These documents record all risk-related data and information on the adverse events, and how the risk data and activities were addressed and dealt with. They also address future needs and lessons to be learned, as well as how risk processes can be audited.


Refer to “Services/Qualitative Risk Assessment – Risk Assessment Diagram - Actions 1 through 5”.

Refer to Table 2.1 – Financial risk and Table 4.2 Guide for hazard identification (HAZID Workshop)

6.1    Output from Risk Identification

  • List of Risks
  • List of uncertain events which have negative effects on the Enterprise.

6.2   Risk Ranking Matrix

Any enterprise constitutes a potential risk. Therefore it is essential to establish a risk acceptance level identified as “As Low As Reasonably Practical” (ALARP).

The combined probability (P) and severity (S) determine the importance of the potential risk of the event in terms of being in one of the following zones:

  • ‘High’ (Red Zone)
  • ‘Moderate’ (Yellow Zone)
  • Or ‘Low’ (Green Zone)

The boundaries of the ALARP lie in the “Moderate Risk zone”. The high ALARP level has been identified as ALARP 1, which borders the High Risk red zone; the low ALARP level has been identified as ALARP 2, which borders the Low Risk green zone.

The ALARP levels relevant to the probability are shown in Table 2.3B.
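The scoring and zoning described in 3.14 and 6.2 can be carried through on a small risk register. The following Python example is added here and is not part of the original narrative; the `ALARP_1` and `ALARP_2` boundary values, the names `Risk`, `to_factor` and `rank_register`, and the sample register are assumptions, since Table 2.3B is not reproduced on this page.

```python
from dataclasses import dataclass

# Assumed zone boundaries on the factor scale (R <= 1). The real ALARP levels
# are in Table 2.3B, which is not reproduced here, so these are placeholders.
ALARP_1 = 0.30  # assumption: upper ALARP boundary, borders the High (red) zone
ALARP_2 = 0.05  # assumption: lower ALARP boundary, borders the Low (green) zone


def to_factor(value):
    """Normalise P or S to a factor in [0, 1].

    Percentages must be strings ending in '%', so that a bare 1 is never
    ambiguous between 'factor 1' and '1 %'.
    """
    if isinstance(value, str) and value.strip().endswith("%"):
        factor = float(value.strip().rstrip("%")) / 100.0
    else:
        factor = float(value)
    if not 0.0 <= factor <= 1.0:
        raise ValueError(f"P and S must lie in 0..1 (0%..100%), got {value!r}")
    return factor


@dataclass
class Risk:
    event: str
    probability: object  # factor or 'NN%' string
    severity: object     # factor or 'NN%' string

    @property
    def score(self):
        # R = P x S, rounded to keep float noise out of the register
        return round(to_factor(self.probability) * to_factor(self.severity), 4)

    @property
    def zone(self):
        r = self.score
        if r == 1.0:
            return "Definitive"   # P = S = 1
        if r > ALARP_1:
            return "High"         # red zone
        if r < ALARP_2:
            return "Low"          # green zone
        return "Moderate"         # ALARP band, yellow zone


def rank_register(risks):
    """Return (event, R, zone) tuples, most important risk first."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r.event, r.score, r.zone) for r in ranked]


# Constructed sample register (not data from the page).
SAMPLE = [
    Risk("Minor permit delay", 0.2, 0.1),
    Risk("Late delivery of long-lead equipment", "40%", 0.8),
    Risk("Key subcontractor insolvency", 0.1, "90%"),
]

if __name__ == "__main__":
    for event, r, zone in rank_register(SAMPLE):
        print(f"{r:6.2%}  {zone:<10} {event}")
```

Replace the two boundary constants with the organization's agreed ALARP levels before using the ranking to drive a response table.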

Table 2.3A shows the impact from success to failure on a numerical (non-linear) and ordinal scale.

The potential “Risk Zones”, being the combination of the Probability of Occurrence (P) of the Event and its Severity (S), remain flexible in

6.3   Resources for risk identification

The most used and practical sources are listed in order of priority as follows:

  • Statistical Records
  • Expertise Judgment
  • People that have been exposed to, or that have encountered, the event that is being considered on several previous occasions are considered a reliable source in visualizing the probability of the potential adverse event and its severity.
  • Assumptions based on experience and interpretation of historical data. This approach is to be left to the end and considered as a last resort to complete the requirements for the analysis. All effort is to be made to arrive at a logical and rational assumption.
  • Wild guess. This term is self-explanatory.

Assessment results obtained by using statistical records are considered the most reliable. A “wild guess” is the least reliable, whilst results based on ‘expertise judgment’ could be satisfactory.

6.4   ALARP and risk impact scale

The extent of lowering the ALARP zone is usually governed by a Techno-Economic or an Economic evaluation, depending on the applied criteria and priorities. To complete the ranking, the “Definitive” has been added. As a zero risk has no impact, it has not been shown in the ranking. If the effect of an adverse event is of no significance, it has been ranked as Very Low (V.Low) (Table 2.3B).

The impacts on (Business) Case objectives can be scaled from very low to very high ordinal scale or on a numerical scale. The numerical scale shown here is nonlinear, indicating that the organization wishes specifically to avoid risks with high and very high impact (Table 2.3A).

When an abundance of statistical data is available, the statistics can be used for probability assessment calculations. In general the Normal Distribution mode would be the most practical for decision making.


The risks falling within the above three distinct zones (paragraph 6.2) can be handled using the following Three Points Estimate guideline, which is based on a range of possible outcomes, from a minimum to a maximum, with a most likely outcome appropriately located between the two extremes:

  • Minimum - An optimistic estimate of what might happen assuming that everything goes about as well as possible.
  • Most likely - This is the estimator’s best guess. An estimate that is likely to be right more often than any other. It is the "Mode", in statistical terminology.
  • Maximum - A pessimistic extreme, assuming that the worst case tends to occur.


Refer to “Services/Qualitative Risk Assessment” - Action #5.

8.1   Risk Response Plan Elements

The Risk Response Plan addresses the options available, such as reducing or avoiding potential adverse events, to reach the Enterprise Plan objective.

Depending on the nature and probability of the events, the following are typical responses:

a.   Avoidance

Changing the Business Plan, so that the risk can be eliminated. Options for consideration are:

  • Change execution scenarios by shifting (key) activities
  • Add resources or divert to other resources and subcontractors
  • Revise contractual conditions (if possible)
  • Adopting a technology that is more familiar.

b.   Transference

Shifting areas of potential risk to 3rd parties that have more experience or expertise in dealing with the specifics of the potential risk.

c.   Mitigation

Taking early (diverging) actions for changing or reducing the probability of a potential event, or reducing the severity to an acceptable level. Taking early action may reduce the probability of an adverse event. This may be more effective than taking corrective actions as the risk event occurs.

d.   Having a Contingency Plan

Develop a Contingency Plan defining the actions to be taken as well as providing the contingency funding and professional liability insurances.

A Contingency Plan can be integrated with any of the above scenarios.

e.   Take No Action

This action is self-explanatory. However, if it is so decided, the potential risk must be well described and the “No Action” scenario must be agreed on by all participants.

8.2    Risk Response Action Outcome

The following items should be finalized after the risk response planning procedure has been applied. The outcome must be:

  • Risk Response plan
  • Risk Register
  • Contingency Budget
  • Impact on the Enterprise Execution Plan (EEP)
  • The response plan must be incorporated in the EEP


Refer to “Services/Qualitative Risk Assessment – Risk Assessment Diagram - Action 6”.

9.1    Risk Monitoring and Control (RMC):

RMC must keep track of identified risks and residual risks. The process will identify new risks, ensure the execution of risk plans and their effectiveness in reducing risk, and is to determine the following:

  • The risk responses
  • The effectiveness of the Risk Response - Audits: examine the effectiveness of risk responses
  • The validity of the enterprise assumptions - Risk reviews; this should be on the agenda in team meetings
  • Any risk initiators; Risk Warning/Alarm points, potential problems
  • Possible unexpected adverse events

It is vital that a risk control report to the enterprise manager and the risk team leader states the effectiveness of the response plan being followed, and if any, what corrective actions are required.

Earned value analysis: monitoring of Enterprise performance on cost, schedule and goals against the enterprise plan.

9.2   Output from RMC

The risk monitoring and control function should be recorded in a Risk Control Report and address the following as applicable:

  • Preventive action by performing contingency plans or unplanned responses to emerging unidentified risks;
  • Corrective action to be performed in the event of the actual occurrence of an adverse event (for containing or neutralizing the severity of the adverse event);
  • Enterprise change requests due to frequent preventive and/or corrective actions.

Risk data should be gathered and analyzed to form the basis for risk lessons to be learned and for future risk identification and risk response plans.


Refer to “Services/Qualitative Risk Assessment – Risk Assessment Diagram - Action 7”.

After corrective actions have been taken and the adverse event has been resolved, a close-out report shall be prepared addressing:

  • The cause of the adverse event
  • Severity of its effect on the Enterprise Plan
  • Preventive action or actions taken
  • Corrective action or actions taken

The Risk Close-out Report shall be incorporated in the final Enterprise Execution Plan.

Actions recorded on the worksheet (Attachment 2.1) during the review meeting can be consolidated in the Action Control Sheet (refer to Attachment 2.2). Participants can be recorded using Attachment 2.3. A template of a Qualitative Risk Assessment report is shown as Attachment 2.4.