Should risk practioners bother with qualitative risk assessments?
The subjective technique of identifying risks, categorisation on Probability – Impact Grids and management using comprehensive Enterprise Risk Management software (ARM, PREDICT, etc.) forms the core function of most Project Risk Management frameworks – often referred to as ‘Qualitative Risk Assessment’. Either managed in spreadsheets or on ERM software, they also offer additional possibilities (such as the Monte Carlo engine inbuilt into ARM). But should Risk practitioners prioritize Qualitative risk assessments over richer, and complex modelling techniques? My arguments are based on the following areas:
- Most project teams can manage risks on their own, either on simple spreadsheets or on comprehensive ERM packages,
- Risks tend to be very dynamic and for ERM software to be effective call for increased levels of resources,
- Many project team members think that qualitative risk assessments are too subjective, and a better approach would be to use Scenario Modelling or even to stress test the risk impacts,
- Given that ongoing action management and ensuring of data quality is highly resource intensive; risk practitioners will most likely get bogged down with internal data quality checks,
- In many cases the top risks perceived by senior management or that relayed to them; tend not to be those on ERM packages at all – either because they do not want to be shown that way or because the ERM packages just could not keep pace with highly accelerated project developments,
My radical argument is that organisations separate risk management into two specialities – a team that manages ERM systems and another to quantitatively model the various options – thereby extracting higher value add. I am interested in knowing your views (and those of your organisation, although they may not be congruent!!).