Qualitative Risk Analysis: definition, methods, examples

Risk management is an essential element for any organization and a prerequisite for companies seeking management system certification to standards such as ISO 9001 (Quality), ISO/IEC 27001 (Information security) and ISO 45001 (occupational health and safety).

A wide variety of tools and methodologies are used in managing risks. Because each has its strengths and weaknesses, a business will very likely find itself using more than one to achieve its objectives. The methods usually used are qualitative, quantitative, semi-quantitative, asset-based, vulnerability-based or threat-based. Within this landscape, qualitative risk analysis (QRA) plays a key role by providing a high-level, strategic view of risks.

What is qualitative risk analysis?

A qualitative risk analysis assesses risks based on their likelihood of occurrence and potential impact using relative scales. On an ascending scale, probability could be ranked as rare, unlikely, possible, likely and almost certain. The consequence can be ranked on an ascending scale as negligible, minor, moderate, major and catastrophic.

Where on each scale a particular risk or hazard falls is determined by expert analysis and reference to known events. The QRA approach gives the opportunity for input from all personnel and from external stakeholders. Although some limit is desirable, the analysis becomes more accurate as more perspectives are offered. QRA is often used as the first step in a larger project, before other more detailed risk analysis techniques are employed.

Qualitative risk analysis: methods & techniques

Qualitative risk analysis is a subjective process that relies on expert judgment and stakeholder input to evaluate risks without the need for numerical data. The results are typically visualized using a risk matrix, where risks are mapped from low levels in the lower left corner through moderate and high, up to extreme in the upper right. The severity of risk is obtained by multiplying the likelihood of occurrence by its impact. This visual mapping helps organizations prioritize risks and define appropriate actions to reduce their impact. As a structured yet intuitive qualitative risk analysis tool, it supports effective decision-making by clearly highlighting which risks require immediate attention.

In narrowly framed or small projects, a Keep It Super Simple (KISS) approach is often used to avoid unnecessary complexity. The assessment can be made easily even by teams lacking experience in assessing risk. The one-dimensional technique involves rating risk on a basic scale, such as very high, high, medium, low and very low.

For more complex issues, a Probability/Impact approach is used. It involves multilateral teams that have experience with risk assessments. This two-dimensional technique rates probability and impact separately. To avoid bias in the results, the team conducting the QRA should be as “large” as possible, with representation from various departments or disciplines. This reduces the likelihood of consequence ratings being downgraded or elevated, as might happen if too little experience or knowledge is brought to the table.

Other qualitative risk analysis techniques include:

  • Bow-Tie Analysis: Using a bow-tie shaped diagram, a risk’s possible causes are shown on the left and the consequences on the right. This method treats each cause and consequence separately, allowing an overview of multiple plausible scenarios in a single picture.
  • Delphi Technique: Involves experts answering multiple questionnaires. Experts provide their opinion on the likelihood and consequence of risk, and their responses are shared with the group after each round. A consensus is reached after reviewing their responses.
  • Risk Workshops: Internal and external stakeholders meet in a collaborative setting to produce a matrix and may also use an element of quantitative risk analysis to determine the severity of the risk.
  • SWIFT Analysis: SWIFT is an acronym for Structured What-If Technique and is a team-based approach to risk analysis that applies a systematic approach in a workshop setting. It involves investigating potential changes to an approved plan and assessing their impact on a project through a series of “What if” considerations. This technique is beneficial for evaluating the feasibility of opportunity risks.

How to perform qualitative risk analysis?

A structured qualitative risk management process typically includes the following steps:

  1. Risk Identification: The first step is to identify potential risks that could impact the project or process. This can be done through various methods such as workshops, interviews, brainstorming sessions, and checklists.
  2. Risk Analysis: The identified risks are examined so that they are understood and quantified. The result of this process is a defined risk level that helps prioritize risks and supports decisions. This phase typically includes:
    • Analysis of root causes: Identify underlying factors and drivers of the risk (e.g., using 5 Whys, cause-effect analysis).
    • Verification of current controls: Assess effectiveness and reliability of existing mitigation measures and identify gaps.
    • Estimation of likelihood: Evaluate the probability of the risk occurring (e.g., rare to almost certain).
    • Estimation of impact or severity: Determine potential consequences across dimensions such as financial, operational, legal, or reputational.
    • Calculation or assignment of risk level: Combine likelihood and impact using structured methods (e.g., 5×5 matrix, scoring models, Bow-Tie, FMEA, SWOT, SWIFT).
  3. Risk Evaluation: After analyzing the risks, they should be evaluated to determine their significance. This step often involves comparing the level of risk against predefined criteria to see how they stack up in terms of priority. It is used to decide whether the level of risk emerging from the analysis is: acceptable, tolerable under certain conditions, or unacceptable and requiring mitigation actions. It is therefore a process of comparison between the risk level obtained from the analysis and the organization’s risk criteria (defined by governance, regulations, internal policies, risk appetite, and thresholds). It is a managerial phase rather than a technical one.
  4. Risk Mitigation: For the risks that have been identified as high priority, mitigation strategies need to be developed. This could involve transferring the risks, reducing their likelihood, or minimizing their consequences. The chosen strategy should align with the overall risk management framework of the organization.
  5. Risk Monitoring and Review: QRA is not a one-time activity; as new risks emerge and existing risks change, regular reviews ensure that the risk management process remains relevant and effective. It is important to learn from the QRA process and use the insights gained to improve future risk assessments.
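As an added worked example (not from the article), the 5×5 likelihood/impact matrix from the methods section and the analysis and evaluation steps above, applied to an ISO/IEC 27001-style risk register; the numeric scale values, band thresholds, risk criteria and sample risks are assumptions.

```python
"""Worked 5x5 likelihood/impact risk matrix for an ISO/IEC 27001-style risk register.
Added illustration, not the article's own tool; scores, bands and sample risks are assumed."""
from dataclasses import dataclass

# Ordinal scales from the article, mapped to 1..5 (assumed numeric values).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed banding of the 1..25 product into the matrix's four zones (low in the
# lower-left corner up to extreme in the upper-right).
BANDS = [(4, "low"), (9, "moderate"), (15, "high"), (25, "extreme")]

# Assumed risk criteria for the evaluation step: acceptable, tolerable, or unacceptable.
CRITERIA = {"low": "acceptable", "moderate": "tolerable",
            "high": "unacceptable", "extreme": "unacceptable"}

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # a key of LIKELIHOOD
    impact: str      # a key of IMPACT

def score(risk: Risk) -> int:
    """Analysis step: severity = likelihood x impact on the 5x5 matrix."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]

def band(s: int) -> str:
    """Map a 1..25 score to its matrix zone."""
    for upper, label in BANDS:
        if s <= upper:
            return label
    raise ValueError(f"score out of range: {s}")

def evaluate(risk: Risk) -> dict:
    """Evaluation step: compare the analysed level against the risk criteria."""
    s = score(risk)
    return {"name": risk.name, "score": s, "level": band(s), "decision": CRITERIA[band(s)]}

def prioritize(risks):
    """Rank a register so the risks needing attention first come first."""
    return sorted((evaluate(r) for r in risks), key=lambda e: e["score"], reverse=True)

# Constructed sample register using the article's ISO/IEC 27001 examples.
REGISTER = [
    Risk("phishing leading to credential theft", "likely", "major"),
    Risk("data breach of customer records", "possible", "catastrophic"),
    Risk("stale vendor account left enabled", "unlikely", "moderate"),
]
```

Calling `prioritize(REGISTER)` returns the register ordered for the evaluation step, with each entry carrying its score, matrix zone and the decision the assumed criteria imply.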

Examples of qualitative risk analysis

Qualitative risk analysis is widely applied across management systems aligned with ISO standards, as it provides a practical and structured way to assess risks even when precise data is not available. It also supports organizations in meeting ISO certification requirements, while its flexibility makes it particularly valuable for early-stage assessments, ongoing monitoring and cross-functional risk evaluations.

Some common applications include:

  • Environmental Risk Assessment (ISO 14001): companies might use qualitative methods to assess the potential environmental impact of their operations. For example, they could evaluate the risk of chemical spills by considering factors like the toxicity of the chemicals and the proximity to water sources.
  • Occupational Health and Safety (ISO 45001): qualitative analysis is frequently used to evaluate workplace hazards, such as slips, trips and falls or exposure to hazardous substances. Risks are typically assessed based on the frequency of incidents and the potential severity of injuries, helping organizations prioritize preventive measures and improve workplace safety.
  • Information security (ISO/IEC 27001): organizations may assess cybersecurity risks by evaluating the likelihood of threats such as data breaches or phishing attacks and their potential impact on confidentiality, integrity and availability of information. This helps prioritize controls and strengthen overall security posture.
  • Quality management (ISO 9001): qualitative approaches are used to identify risks related to product quality or process performance, such as supplier reliability issues or production errors, enabling organizations to take preventive and corrective actions.
