AACE International Recommended Practice No.

62R-11

RISK ASSESSMENT: IDENTIFICATION AND QUALITATIVE ANALYSIS

TCM Framework: 7.6 – Risk Management

Rev. May 11, 2012

Note: As AACE International Recommended Practices evolve over time, please refer to www.aacei.org for the latest revisions.

Contributors:
David C. Brady, P.Eng. (Author) Dennis Read Hanks, PE CCE
James E. Arrow Rob Hartley, PSP
Chris Beale John K. Hollmann, PE CCE CEP
Leonard Enger, CCE Sami M. Jaroudi, CCC
Chantale Germain

Copyright © AACE® International AACE® International Recommended Practices

AACE® International Recommended Practice No. 62R-11
RISK ASSESSMENT: IDENTIFICATION AND
QUALITATIVE ANALYSIS
TCM Framework: 7.6 – Risk Management

May 11, 2012

INTRODUCTION

Scope

This recommended practice (RP) of AACE International defines the expectations, requirements, and practices for
identifying and qualitatively analyzing risk drivers as part of the overall risk management process. It expands on
TCM Framework section 7.6.2.2 Risk Assessment, sections a) Risk Identification and b) Qualitative Risk Analysis,
covering common practices and tools such as brainstorming, interviews, and checklists. It also covers
documentation for and the deliverables from the process step (e.g., risk register). It does not cover quantification
of risks or risk treatment planning.

In TCM, the risk management process is applied in the strategic asset management and project control processes.
In the strategic arena, the risk focus tends to be on the state of the current asset, the business environment, and
other issues that differentiate alternative asset solutions (e.g. varying levels of scope definition). In project control,
the risk focus expands to more specific project conditions, plans, deliverables, and events affecting a defined
project scope while strategic risks remain. This RP is intended to be generic to either any focus area and any
project scope.

Risk identification may require skills and knowledge of behavioral psychology because methods such as
brainstorming and Delphi must deal with participant biases.

Purpose

This RP is intended to provide guidelines, not a standard, for developing a process to identify project risks and
perform qualitative risk analysis that most practitioners would consider to be practices that can be relied upon and
that they would recommend be considered for use. It provides a foundation for developing risk treatment plans as
described in RP 63R-11, Risk Treatment. Ideally, the risk management process provides an opportunity for all
stakeholders and contracting parties to work together and manage project risk for their collective benefit. The
implementation of all or part of this RP will depend on the size and complexity of the project but the basic
processes described should be used in all cases.

This RP outlines the processes and practices but is not a detailed “how-to” in each case. In that respect it will most
benefit those that are new to risk management or to decision and risk management professionals who want to
refresh their knowledge of recommended practices.

Background

This RP is intended to elaborate on the required skills and knowledge of decision and risk management
professionals as identified by AACE International. This area of the body of knowledge is generally considered a well
established and settled area of practice although it may not be fully used on all projects. While the reader may not
consider that this RP provides new knowledge or insights, benefit is provided by clarifying where or how this
practice sits within the context of the TCM process. The TCM risk management process is unique in that it explicitly
includes residual risks in the quantitative risk analysis process to determine contingencies and this RP recognizes
that qualitative risk analysis is just a step in risk management.

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 2 of 12

May 11, 2012

RECOMMENDED PRACTICE

Risk Identification Planning

Prior to identifying the risks to objectives of an asset alternative or a project, planning of the risk identification step
must be done as part of general risk management planning (TCM 7.6.2.1). For approved projects, the risk
management plan should be part of an integrated project execution plan (PEP) and addresses who, what, where,
when, why, and how. Figure 1 provides a pictorial version of a typical risk identification process that is further
described in this section.

The earlier that risks can be identified, the more time the team has to properly manage them. Thus risk
identification should start as early in the process as practical, i.e. at the scoping phase of the project or
identification of the need to create, modify or otherwise affect an asset. For a major enterprise, there is usually an
integrated enterprise risk management (ERM) process in which risks of various types are considered in various sub-
processes within a variety of enterprise business or functional areas. In this case, it is important that risk
identification information be shared between these sub-processes (e.g., a business risk session may identify a
market risk of interest to a project team in execution).

Figure 1 – Example Risk Identification Process Flowchart

The following is a description of issues to be considered in planning the risk identification process:

• Who? Identify attendees of the risk sessions or who will be interviewed. This will depend on what it is
being done and why it is being done. Early in TCM asset or project requirements elicitation, stakeholders
in the project objectives or execution will have been identified and they are all potential participants.
Table 1 provides some examples of typical roles that may be involved in the risk identification sessions

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 3 of 12

May 11, 2012

through the various phases of a project. The phase names are not standard and the table is not meant to
be restrictive but only provide some ideas of what risk identification sources could be used and who may
be invited or interviewed. Note that historical experience is always a fundamental foundation for
planning. Some of the sources will likely convey lessons learned from other risk identification sessions
involving a wider range of stakeholders (e.g., environmental representatives may report findings from
community interface sessions). A word of caution – if sensitive or confidential information could be
discussed, the list of attendees will have to take this into account.

PHASE TYPICALS SOURCES POTENTIAL ATTENDEES

Historical experience, lessons learned,
subject matter expert (SME), checklists,
Conceptual or scoping study
value analyses, insurance
(equivalent to AACE Estimate Class 5).
requirements, and regulatory
requirements.
Same as above (but typically in greater
Feasibility study or design (equivalent
detail) plus facilitated brainstorming or
to AACE Estimate Class 4).
Delphi practices.
Same as above plus special
Project approval (equivalent to AACE identification sessions such as process
Estimate Class 3). hazardous operations analysis
(HazOps).
Same as above though more detailed
and emphasis on risk monitoring
Execution (equivalent to AACE Class 2
findings, plus more input from
or 1).
commissioning, start-up and asset
turnover.
Same as above but specific to
Commissioning and start-up.
remaining work scope.
Table 1 – Typical Sources and Potential Attendees for Identification Sessions or Interviews
Business or asset representative,
operations/maintenance
representative, project manager,
engineering or technical manager, and
other key stakeholder representatives
such as environmental, health and
safety, supply chain and so on.
Same as above (but may represent
more specific to asset elements) plus
project team functional leads (e.g.,
technical or engineering, construction,
fabrication, procurement, etc.) and
SMEs as appropriate.
rd
Same as above. May include 3 parties
such as vendors or contractors as
appropriate.
Same as above with participation of
additional vendors and contractors as
appropriate and commissioning, start-
up and turnover representatives.
Same as above, but specific to
remaining work scope.

• What? Identify the scope and boundaries of the risk analysis (is it restricted to certain risk types, work
breakdown elements, etc.). What identification processes are to be used – e.g., brainstorming sessions,
Delphi methods, specialized sessions like HazOps, or other process hazard assessment (PHA) tools? Within
the context of the analysis session, what are the responsibilities of the owner/sponsor, the project
manager, and the risk manager/facilitator? These and other similar questions need to be answered before
the session planning has been finalized. What documentation should be provided to assist in the process?
The risk manager facilitating the session should have the project manager (or session chair) provide the
documents either as pre-reads to the session or at the session for reference. Typical reference data that
may be relevant to any session may include:

• Requirements documents
• Technical deliverables (drawings, specifications, etc., particularly for new technology)
• Relevant asset operating procedures
• Failure / repair history of similar assets
• Project risk history of similar projects
• Project plan deliverables (project charter including objectives, execution plans, estimates, schedules,
resource plans, etc.)

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 4 of 12

May 11, 2012

• Findings from various value improving practices (e.g., constructability)

At the conclusion, what will the deliverables be? Typically, the risk register is initiated or updated with new or
modified risks. Notes of the sessions should also be kept given the much abbreviated nature of register
entries.

• Where? Where will the session take place? Depending on the phase, the various sessions should be held
in the most appropriate place taking into consideration who is attending and where they are located. For
example, scoping may be best held in the owner’s offices or plant location as typically most invitees will
be from the owner’s team. As scope is developed, sessions may move to the offices of those doing most
of the scope development such as the engineer’s office. For the execution and later phases, the
construction, work, or asset site may be best. In some cases a neutral off-site location may be best to
minimize interference and biases.

• When? Identification meetings and interviews must be activities in the project plan and they should be
conducted as soon as practical. If the session will involve only several people and there is not much pre-
work needed, it may be practical to give a few days notice. If the session is going to involve many
participants with considerable pre-work, it may be necessary to schedule it a month or more in advance,
especially if it is going to take multiple days and travel. There may be a succession of sessions or
interviews (e.g., HazOps, management level reviews, etc.) which will require a logical, integrated schedule
to avoid recycle.

• Why? As with all meetings, it is important to be able to explain to attendees why they are involved in the
session. An agenda or statement should be issued by the facilitator clarifying the session’s purpose and
the objectives to be achieved at the end of the review. Because project risk is defined as anything that
may cause a deviation from objectives, these project objectives must also be clearly communicated to all
participants ahead of time to help frame the context of the identification session.

• How? All relevant policies, procedures, and methods held by each stakeholder should be collated and
communicated to the whole team if possible (and summarized if that is more practical). Such documents
will help ensure participants garner the full value they expect to derive from the session and they may, in
themselves, predicate how the sessions or interviews should be conducted. Perhaps there could be
several options for the facilitator to choose from? Is it a brainstorming storming session to identify
hazards? Is it a session to identify the hazards, define the risks, and make preliminary assessments? Is it
using a Delphi interview technique? Who is chairing the session? Is it to be facilitated by the risk manager
or a third party facilitator? Who will keep notes? Are breakout rooms, flipcharts, and overhead projectors
available? Will the session use an online venue? All of these questions are critical to be answered so the
proper people can be invited, documents made available, and facilities reserved.

As detailed in the project's risk management plan, at a minimum, there will usually be at least one session (or
similar effort) per phase of the work as listed in Table 1. Deliverables and correspondence will be maintained in
accordance with document control procedures established in the risk management plan.

Risk identification is typically the first step in the risk management process that project team members directly
interact with. It may also be the first exposure to risk management for less experienced personnel.

It is critical that participants take ownership of risk management as it applies to them. Therefore, it is
recommended that sessions include an introduction where the risk management process is outlined, its purposes
explained, and its benefits defined.

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 5 of 12

May 11, 2012

Risk Identification

Tasks, Techniques and Tools

People new to risk management will likely ask “Where can I find risks?” or “How do I identify risks?”. The simple
answer is there is no single source. No one method or any one person can provide all of the risks on an asset
solution alternative or project regardless of its scope or size. Historical experience with similar assets or projects is
always a good starting point. In addition, one of the greatest benefits of the risk management process is simply
providing an opportunity for team-wide discussion, analysis, and review. A risk facilitator may provide prompt lists
(e.g. RBS or risk breakdown structure) that help stimulate or start this dialogue. It would be self-defeating to have
a predetermined, one-size-fits-all laundry list of risks that the facilitator hands over to the project team. However,
it would be prudent for the facilitator to maintain such a listing so he or she can help plug any possible stopgaps.

The identification of risk should take into account the relevant organizational procedures, the culture of the
organization, its values, goals and objectives. The following lists some tasks, techniques, and people that can help
identify risks on the project. These are not in any particular order of importance, nor are they all-inclusive:

• Value improving practices (e.g., constructability, life cycle value analysis, etc.).
• Estimators and schedulers responsible for key planning tasks (and basis documents)
• Project team member; owner's team; corporate (e.g. legal, financial representatives)
• Brainstorming
• Checklists of risks, issues, and concerns
• Audits
• Interviews
• Stakeholders
• Team members (business, technical)
• Subject matter experts (SME)
• Delphi interviews
• Third party experts
• Operators
• Lessons learned
• Flow charting
• Historical/similar work (which should include registers and risk event and impact experiences)
• Project turnover documents
• Company’s system for investigation safety incidents
• Scope (change) management records (e.g., trends, deviations, change orders, etc.)
• Maintenance records
• Safety meeting records
• Monthly
• Tool box talks
• Insurance requirements
• Process reviews - Does the process have the potential for an unplanned incident that can have an
appreciable or measurable impact?
• Process hazard analysis (PHAs)
• HazOps - hazard and operability studies
• FMEA - failure mode effects analysis
• FMECA - failure mode effects and criticality analysis
• SIL - safety integrity level
• SIS - safety instrumented system

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 6 of 12

May 11, 2012

• Decision analyses
• Fault tree analysis
• Event tree analysis
• Decision tree analysis
• What-if scenarios
• Cause-consequence analysis
• Human reliability analysis
• System failure analysis (typically using fault tree analysis process)

Risk Elicitation Methods

The most common ways to elicit information from stakeholders and teams are brainstorming and the Delphi
technique. These can be summarized as follows:

• Brainstorming: Gather a team in a workshop setting; clarify workshop objectives and review background
information; facilitator asks what the risks are in a structured way as appropriate (by type, by scope or
cost element, by function, etc.); discuss and clarify the risks; and test for understanding and ensure input
from all. Group interaction helps clarify the risk but group dynamics add challenges (e.g., managers may
dominate, groupthink, etc.)

• Delphi: Send background information and request written input from identified participants; compile the
information (keeping names confidential); reissue to the whole team for further comment; and then work
to develop consensus. This method is useful when you can’t get everyone in a room, but it takes time and
some people are better at verbalizing than writing.

Descriptions of other elicitation methods or sources is not part of this RP.

Risks versus Issues, Concerns and Other Terms

Most of the above identifications sources and practices will surface potential risks, but will not define the risk in a
way that can be analyzed, managed, and later quantified. They identify a hazard, an issue, a concern, or possibly a
risk driver, that could lead to a risk. The following terms may be helpful to gain an understanding of this concept:

• Risk: In TCM, an uncertain event or condition that could affect a project objective or business goal.
• Concern: In TCM risk management, something that worries stakeholders because it may give rise to a risk
event or condition (e.g., general fear of weather or an execution approach).
• Issue: In TCM risk management, a risk that has occurred or an unplanned question or decision that needs
to be addressed by a process other than risk management (e.g., government changes a regulation for
which the company implications have not been analyzed).
• Assumption: Something that everyone knows and usually takes for granted (e.g. correctness of the
owner’s design criteria).
• Constraint: In decision and risk management, something that limits the potential achievement of
objectives (e.g., management publishes costs before the estimate is complete).
• Action Item: An unplanned task that needs to be done.

The risk manager or facilitator needs to encourage participants to get all these things out on the table for
consideration – for both threats and opportunities. Understanding the differences between these types of inputs
will facilitate later description and analysis. When seeking to elicit risk ideas, some practitioners consider that

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 7 of 12

May 11, 2012

“quantity breeds quality” and that there are no bad ideas so care should be made not to constrain this process
with hard and fast rules and definitions. There is a point of caution to be made though – considering everything
may delay focusing on the important things.

Risk Description

The risk manager will gather the potential risks then help filter out the non-risk items into a separate log (e.g. an
issues/concern log) so they can be tracked and recorded. The remaining risks are entered into the risk register.

The risk manager will facilitate team interaction and communication to help ensure that everyone understands the
risk and its relevance to the project objectives. In order to set the stage for proper analysis and treatment the team
should insure that there is a complete description of each risk, with all its realistic and significant consequences
identified and referenced. The description should follow a common “meta-language”. E.g. if “X” action happens, it
could generate a “Y” risk event, resulting in ”Z” consequences. If the risk initially identified cannot be described in
such a cause-risk-effect context, then it is likely not a risk and should not be in the risk register. An example of a
risk description is:

“The site has been designed for a 1:10 year rain storm. If a more severe rain event occurs (the X
cause/action/circumstance) the site may flood (the Y risk) resulting in lost production, potential damage to
materials and equipment, and/or an uncontrolled release of water off-site contrary to the environmental
permit (the Z consequences).”

It is important to list all of the significant consequences in the description. Depending on the software or tool used
to manage the data in the risk register, this may actually require multiple entries to be made for what may, on face
value, be considered the same risk. As is explained later in this RP, this is necessary to allow proper assessment and
subsequent management.

Other Risk Identification Outputs

After establishing clear, unambiguous, and concise risk descriptions, the risk identification session should be used
as an opportunity to pinpoint additional information that can be used to support other risk management process
steps. This information includes:

• Trigger Event – This is a measurable or observable event or condition that is a precursor to, or an
indicator of, a risk’s occurrence. It will typically lead to initiation of a planned risk response. This is the
event (or final step in a chain of events) that will cause the risk to actually happen. It is not necessarily,
nor likely to be, the actual root cause of the risk event. It not only gives a “heads-up” that a risk may
happen, but it also provides a target for having the treatment(s) or risk response developed and
implemented. There is usually little or no value in having a mitigation plan developed after the risk event
has happened.

• Characterizing the Risk – Characterizing or classifying a risk can be done in many ways. The main benefit
is for efficient data management, reporting, and future analysis. The following are example suggestions
for potential classification and/or categorization, but the final methods will depend on the company,
project, and method requirements:
• By general source:
• Inherited — derived from preceding stages of a project.
• Economic — associated with availability and costs of resources.

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 8 of 12

May 11, 2012

• Commercial — associated with customers’ needs and desires, competition, etc.

• Technological — associated with the ability to achieve desired results, produce products, etc. and
the life of current or new technology and the compatibility of new technologies.
• Implementation — the ability to meet the project plan and commitments due to human behavior
or organizational factors.
• By project disciplines: E.g., engineering, construction, supply chain, safety, commissioning.
• By type of impact to the company: E.g., health and safety, environmental, news coverage, company’s
reputation, share prices.
• By type of risk impact: Threat or opportunity.
• By risk breakdown structure (RBS): This is any form of coded risk characterization. Organized
chronologically, this can be a very effective tool to virtually lead the team through the project and
prompt or inform the risk identification dialog. It is also useful for historical analysis of risks and
tracking of key risk indicators (KRIs) and subsequent key performance indicators (KPIs).
• By work breakdown structure (WBS): This is especially important if the risks are going to be used as
part of a quantification analysis. By comparing the most common causes or sources of risk by RBS,
against the most commonly affected areas by WBS, it is possible to identify hot spots which may help
influence the overall management of the project.
• By impacted objective(s): The analysis is influenced by whether the risk affects finance, health, safety,
environmental, operability or other company requirements and objectives (e.g., safety risk may be
paramount regardless of financial impact).
• By person or organization who identified the risk: If there are questions about the risk (e.g.
clarification on the description, likelihood, or consequences), by those doing the assessment or
treatment plan, then the team will have an idea who can provide further insight.
• By date risk identified: May help in summary reports, lesson learned, or even prioritizing risks. (E.g. a
construction risk is identified in early engineering but the trigger event won’t be for two more years.
Even though it may be a high risk, the treatment plan may be deferred to allow people to work on
treatment plans for those risks that could happen much sooner.)
• Comments: Providing a comment field allows the person making revisions to the risk register to
explain what and/or why a revision is made. These help explain or clarify the risk for those that need
to assess it or develop a treatment plan, particularly if the information does not fit in the risk
description and/or the categories do not adequately identify the risk type. By clearly indicating the
date the comment is made (e.g. MMM, dd, yyyy) along with the name of the person making the
comment, it provides a solid record of revisions to the risk information. The more information
presented, the clearer the risk is. This will then make qualitative analysis and risk treatment planning
easier.

Qualitative Risk Analysis

Once risks have been identified, qualitative analysis is done to prioritize or rank the risks so that the team can
focus its efforts to define treatments, action plans, and recommendations on the most significant risks that matter.
Risks that matter are those that can influence project objectives, irrespective of their probability of occurrence or
severity of impact. However, to determine this, each risk identified must have the inherent or initial status
analyzed in terms of probability or likelihood of occurrence and consequence or impact.

Qualitative Analysis (Risk Ranking) Sessions

Qualitative analysis is often conducted during the risk identification session with the same team of participants to
help prioritize the risks for treatment. However, this can take several days and it may not be possible to have all

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 9 of 12

May 11, 2012

team members present the whole time. In that case, a sub-group of team members (e.g., the risk management
team) may be designated to develop the full analysis. The subgroup should be representative of the team
population. It should include more than one or two individuals so there is no “perception bias”. The sub-group’s
findings should be reviewed by those team members who attended the identification session who identified the
risks because they may have better understanding of the risks, their likelihood, and impacts. All risks that exceed
the team’s established threshold of acceptability help prioritize the risks for treatment.

Risk Matrix

Qualitative analysis of the likelihood and impact of identified risks is typically based on a risk matrix. The matrix
lists the verbal measures and/or verbal descriptions of impacts to key project objectives (cost, schedule,
environmental, etc.) against measures of probability of occurrence providing defined qualitative descriptions of
result(s) of their interaction(s). Appendix A provides an example of such a matrix. The worst ranking category for
impact will generally reflect failure to achieve the project objective. Typically, three to five categories are
established for the matrix. The category ratings will reflect the risk appetite and/or tolerance of the business
sponsor and management. There needs to be a word of caution on developing a risk matrix greater than 5 x 5. In
general, the risk practitioner is advised against, devising impact scores beyond five (5) levels which can result in an
overwhelming amount of information that may hinder the risk analysis.

Impacts or Consequences

Each project has unique objectives. Most have profitability as a key measure. In early phases (strategic asset
management in TCM), the objectives evaluated in the risk analysis will tend to be strategically focused (e.g.,
profitability, company reputation, etc). In later phases, as more strategic risks are mitigated, the focus tends to
shift to project cost and schedule. The following are some examples of company and project objectives to consider
in risk ranking:
• Environmental
• Economic - Include all potential impacts to profitability of the project, but also the overall business (i.e., a
holistic view). Examples include:
• Revenue
• Capital expenditures (CAPEX) direct costs
• CAPEX indirect costs
• Operational (production and/or maintenance costs) expenditures (OPEX)
• Business interruption
• Impact on related work
• Regulatory penalties
• Fines
• Schedule, which could be converted to a financial impact (the owner’s profitability is often strongly
tied to getting revenue streams going early and not performing as per the design beyond the
completion date)
• Health, safety and security
• Social
• Community
• Press
• Investors

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 10 of 12

May 11, 2012

Initially, the maximum impact without regard to treatment actions or safeguards should be considered in the initial
rating. This can be refined later through recycle with the treatment process which will consider if any existing
controls are in place that might change the risk or mitigate its likelihood or impact.
Probability or Likelihood

Based on the matrix, the risks are rated by the analysis team according to their relative magnitude on the project
objective as measured by probability and impact. The resulting ratings are summarized into a risk register database
for the development of a treatment or response plan. Probability or likelihood are terms used interchangeably,
however, probability implies a statistical assessment while likelihood fits better to a descriptive approach. In the
end, the ranking is a narrative term or rank value, but the matrix may equate this to a descriptive rating (e.g., “rare
or very unlikely”) or a statistical rating (“<2 percent”) as demonstrated in Appendix A. The descriptive term is often
easier for the people to comprehend. In qualitative analysis, excessive focus on statistical probabilities is not
warranted. Later in the risk management process, quantitative risk analysis associated with contingency estimating
is justifiably statistical in nature.

Risk
Identification
Health & Safety

Social

Evaluate Each
Determine Risk Rating or
Type of Environmental Maximum Impact
Likelihood Rank
Consequence

Economic

Other Objectives

Is Risk Acceptable Is Money Return to Project

YES NO Planning
without Further Action? Available?

YES
NO
To Treatment or
Response Monitor & Review
Planning

Figure 2 – Example Qualitative Risk Analysis Process Flowchart

Risk Scoring and Screening

Corporate management needs to decide upon thresholds of acceptability or risk appetite and these should be
stated in the project's risk management plan, the project charter, and/or the project execution plan. Based on the
company's risk appetite, the project team can now determine the priority of treatment for each risk. The
combination of likelihood and impact may be presented as a score (e.g., on a scale of 1 to 5, if likelihood is rated 5
and impact is also 5, the “score” would be 5x5=25). With various heuristics established in the risk management
plan (e.g., treat risks for which the combined score exceeds X and impact exceeds Y, etc.) the team can quickly

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 11 of 12

May 11, 2012

prioritize which risks need to be treated first. If the risk is under the threshold scope or other heuristic, it is usually
accepted and no further analysis needs to be performed other than periodic monitoring or review.

Additional Parameters

The parameters listed below (and those described in Appendix A) are not typical for every qualitative risk analysis
but it is good practice to consider them:
• Relatedness - Is this risk related to other risks? A risk with complex links or dependencies with other risks
should be given higher priority than an independent risk because of potential compounding or cascading
impacts that are hard to envision.

• Urgency - How much time is available in order to implement an effective response to the risk? If action is
required immediately to address the risk, it should be given a higher priority than one who's trigger is
further out in the schedule.

Outputs

At the end of the identification and qualitative analysis process step, the risk register will be compiled or updated
to reflect all of the findings and ratings commonly held by the project team as indicative of the project risk profile
for the given period under review. The team should include all relevant notes to capture explanatory information
and to describe special situations for later consideration. In particular, if the team identified potential treatment
ideas, these need to be captured so that they can be used during the follow-on treatment planning process. Any
backup documents, analysis, and correspondence should be retained pending further analysis. Other than the risk
register, no other formal report is usually prepared at this stage.

REFERENCES

1. AACE International, Recommended Practice No. 10S-90 “Cost Engineering Terminology”, AACE International,
Morgantown, WV, (latest revision)
2. Hollmann, John K., Editor. Total Cost Management Framework: An Integrated Approach to Portfolio, Program
and Project Management, Morgantown, WV: AACE International, (latest revision)
3. AACE International, Skills and Knowledge of Cost Engineering, 5th Edition; Chapter 31 Risk Management, AACE
International, Morgantown, WV, 2004.
4. Mulcahy, Rita, Risk Management; Tricks of the Trade for Project Managers, RMC Publications, 2003.

CONTRIBUTORS

David C. Brady, P.Eng. (Author)

James E. Arrow
Chris Beale
Leonard Enger, CCE
Chantale Germain
Dennis Read Hanks, PE CCE
Rob Hartley, PSP
John K. Hollmann, PE CCE CEP
Sami M. Jaroudi, CCC

Copyright © AACE® International AACE® International Recommended Practices

62R-11: Risk Assessment: Identification and Qualitative Analysis 12 of 12

May 11, 2012

APPENDIX A: EXAMPLES OF GUIDELINES FOR PROBABILITIES, CONSEQUENCES, AND OTHER POTENTIAL

PARAMETERS

The following table is based on a 5 x 5 risk matrix. It is an example of what could be used and should be easily
modified to match other matrix build-ups. The objectives and measures will vary with each company.

1 2 3 4 5
Very Low Low Medium High Very High
Probability of Qualitative Rare, very unlikely
Unlikely, but not Possible Moderately likely Almost certain, will
Occurrence Description impossible probably arise
Event Description Remote chance of May happen less than Expected to occur in Expected to occur Occurs once or more
happening once during the the BU/facility/project several times in the per year in
BU/facility/project lifetime BU/facility/project BU/facility/project
lifetime lifetime
% Description Less than 10% chance 10% - 40% chance 40% - 70% chance 70% - 90% chance Higher than 90%
chance
Frequency of <1/100 1/100-1/10 1/10-1/1 1/1-10/1 >10/1
Occurrence
(times/year)
Consequences Qualitative Negligible Minor, easily Moderate, some Major, most Most objectives will
Description remedied objectives affected objectives threatened not be met
People First aid Medical aid Lost Time Disabling injury Fatality
Capital Cost (% of <0.01 0.01-0.1 0.1-1.0 1-10 >10
capital cost)
Schedule (% of <0.01 0.01-0.1 0.1-1.0 1-10 >10
project duration)
Operations (% of <0.01 0.01-0.1 0.1-1.0 1-10 >10
yearly budget)
Environment Fugitive emissions Controlled release Emissions exceed Some damage Widespread damage
limits
Public Image Individual Local Provincial Industry-wide National/
international
Technology Existing "off-the-shelf" Minor redesign of Major change to Technology available, State of the art, some
technology existing technology existing technology complex design research complete
feasible
Other Risk Risk Reduction Virtually no risk Unacceptable degree Acceptable degree of Relatively high degree Extremely high degree
Analysis Index reduction with option of risk reduction with risk reduction with of risk reduction with of risk reduction with
Parameters option option option option
Precision with Virtually nothing Poor knowledge of Average knowledge of Good knowledge of Excellent knowledge
which risk known about risk risk event risk event risk event of risk event
understood event
+50% / -25% +25% / -20% +20% to -10% +10% to -5% +2.5% to 0%
Admissibility Option almost totally Option inconsistent Option moderately Option consistent with Option almost
inconsistent with most with majority of consistent with majority of project completely consistent
project objectives project objectives majority of project objectives with most project
objectives objectives
Achievability Option virtually Option relatively Option of average Option relatively easy Option extremely easy
impossible to difficult to implement difficulty to to implement to implement
implement implement
Acceptability Virtually impossible to Relatively difficult to Option moderately Relatively easy to Virtually certain to
accept option accept option acceptable accept option accept option
Controllability Virtually impossible to Relatively difficult to Average ease of Relatively easy to Virtually certain to
control risk event control risk event controlling risk event control risk event control risk event
response response response response response
Risk Cost Index Option risk-cost Option risk-cost Option risk-cost Option risk-cost Option risk-cost
profile makes it option profile makes it profile moderately profile makes it profile makes it
extremely easy to relatively easy to attractive relatively difficult to virtually impossible to
select option select option select option select option
Controllability Extremely poor Below average Average Above average Extremely good
Index

Copyright © AACE® International AACE® International Recommended Practices