Qualitative Risk Analysis: definition, methods, examples

Risk management is a critical component of any organisation and a fundamental requirement for businesses pursuing management system certification, including ISO 9001 (Quality Management), ISO/IEC 27001 (Information Security), and ISO 45001 (Occupational Health and Safety).

Organisations use a broad range of tools and methodologies to identify, assess and control risk. As each approach offers distinct advantages and limitations, most businesses adopt a combination of methods to meet their specific objectives. Common risk assessment techniques include qualitative, quantitative, semi-quantitative, asset-based, vulnerability-based and threat-based approaches.

Within this spectrum, qualitative risk analysis (QRA) plays a vital role. It provides a strategic, high-level perspective of risks, enabling organisations to prioritise threats and make informed decisions without relying solely on numerical data.

What is qualitative risk analysis?

Qualitative risk analysis evaluates risks by considering their likelihood of occurrence and potential impact using clearly defined relative scales. Likelihood is typically measured on an ascending scale, ranging from rare and unlikely to possible, likely and almost certain. Similarly, the severity of consequences is assessed on a scale from negligible and minor to moderate, major and catastrophic.

Assigning a position on these scales relies on expert judgement, supported by historical data and known incidents. One of the key strengths of QRA is its inclusivity, enabling contributions from employees at all levels as well as external stakeholders. While some structure is necessary, incorporating a wider range of perspectives generally results in a more robust and accurate qualitative risk assessment.

QRA is frequently used as an initial step in comprehensive risk management processes, providing a broad overview before more detailed, data-driven techniques are applied.

Qualitative risk analysis: methods & techniques

Qualitative risk analysis is a subjective yet structured process that relies on expert judgement and stakeholder input to assess risks without depending on numerical data. The outcomes are typically displayed using a risk matrix, where risks are visually mapped from low levels in the bottom-left corner through moderate and high, up to extreme in the top-right. The overall risk rating is commonly derived by combining the likelihood of occurrence with the potential impact. This visual representation enables organisations to quickly identify priorities and implement appropriate risk mitigation strategies. As an intuitive and widely used tool, QRA supports effective decision-making by clearly highlighting which risks require immediate attention.

For smaller or narrowly defined projects, a Keep It Super Simple (KISS) approach is often adopted to minimise unnecessary complexity. This method allows even less experienced teams to carry out assessments efficiently using a simple, one-dimensional scale such as very low, low, medium, high and very high.

In contrast, more complex scenarios typically require a probability-impact approach. This two-dimensional method evaluates both the likelihood and severity of risks and is best conducted by multidisciplinary teams with relevant experience. To improve accuracy and reduce bias, it is important that the QRA process includes input from a broad range of stakeholders across different departments or specialisms. A well-balanced team helps prevent the underestimation or overestimation of risks, ensuring a more reliable and comprehensive qualitative risk assessment.

Other qualitative risk analysis techniques include:

  • Bow-Tie Analysis: Using a bow-tie shaped diagram, a risk’s possible causes are shown on the left and the consequences on the right. This method treats each cause and consequence separately, allowing an overview of multiple plausible scenarios in a single picture.
  • Delphi Technique: Involves experts answering multiple questionnaires. Experts provide their opinion on the likelihood and consequence of risk, and their responses are shared with the group after each round. A consensus is reached after reviewing their responses.
  • Risk Workshops: Internal and external stakeholders meet in a collaborative setting to produce a matrix and may also use an element of quantitative risk analysis to determine the severity of the risk.
  • SWIFT Analysis: SWIFT is an acronym for Structured What-If Technique and is a team-based approach to risk analysis that applies a systematic approach in a workshop setting. It involves investigating potential changes to an approved plan and assessing their impact on a project through a series of “What if” considerations. This technique is beneficial for evaluating the feasibility of opportunity risks.

How to perform qualitative risk analysis?

A structured qualitative risk management process typically includes the following steps:

  1. Risk Identification: The initial step involves identifying potential risks that could affect a project, process or organisation. This can be achieved through a variety of techniques, including workshops, interviews, brainstorming sessions and the use of checklists.
  2. Risk Analysis: Once risks have been identified, they are analysed to gain a deeper understanding of their nature and potential impact. This stage generally includes:
    • Root cause analysis: Identifying the underlying drivers of risk using techniques such as the 5 Whys or cause-and-effect analysis.
    • Assessment of existing controls: Evaluating the effectiveness and reliability of current mitigation measures and identifying any gaps.
    • Estimation of likelihood: Determining the probability of the risk occurring, typically ranging from rare to almost certain.
    • Assessment of impact or severity: Evaluating possible consequences across different areas such as financial, operational, legal and reputational impact.
    • Risk rating: Combining likelihood and impact using structured approaches such as a 5×5 risk matrix, scoring models, Bow-Tie analysis, FMEA, SWOT or SWIFT.
    The outcome of this stage is a clearly defined risk level, which supports prioritisation and informed decision-making.
  3. Risk Evaluation: Following analysis, risks are evaluated to determine their significance. This involves comparing the assessed risk level against predefined organisational criteria, such as risk appetite, regulatory requirements and internal policies. Risks are typically classified as acceptable, tolerable under specific conditions, or unacceptable and requiring mitigation. This phase is primarily managerial, focusing on aligning risks with organisational thresholds and priorities.
  4. Risk Mitigation: For risks deemed significant, appropriate mitigation strategies must be developed and implemented. These may include reducing the likelihood of occurrence, minimising potential impact, transferring the risk, or avoiding it altogether. All actions should align with the organisation’s overall risk management framework.
  5. Risk Monitoring and Review: QRA is an ongoing process rather than a one-time exercise. Regular monitoring and review ensure that emerging risks are identified and that existing risks are reassessed as circumstances change. Continuous learning from previous assessments also helps to improve future risk management practices and outcomes.
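The following is an added example, not part of the original article, that turns the 5×5 likelihood-impact matrix described above and the evaluation step (acceptable, tolerable under specific conditions, unacceptable) into a small scoring model. The likelihood and impact labels are the article's scales; the score bands, the evaluation criteria, and the sample risk register are assumptions constructed for the illustration, since each organisation sets its own risk appetite.

```python
"""Qualitative risk scoring on a 5x5 likelihood-impact matrix.

Added example; not the article's own material. Scale labels follow the
article, while RATING_BANDS, EVALUATION and SAMPLE_RISKS are assumptions
that an organisation would replace with its own criteria and register.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordinal scales from the article, lowest to highest (1..5).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed rating bands on the product score (1..25): inclusive upper bound -> rating.
RATING_BANDS = [(4, "low"), (9, "moderate"), (16, "high"), (25, "extreme")]

# Assumed evaluation criteria (risk appetite) mapping a rating to the article's classes.
EVALUATION = {
    "low": "acceptable",
    "moderate": "tolerable under specific conditions",
    "high": "unacceptable, requires mitigation",
    "extreme": "unacceptable, requires mitigation",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # one of LIKELIHOOD's keys
    impact: str      # one of IMPACT's keys


def _lookup(scale: dict[str, int], label: str, scale_name: str) -> int:
    """Resolve a scale label to its ordinal, rejecting labels outside the scale."""
    try:
        return scale[label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown {scale_name} label {label!r}; expected one of {list(scale)}") from None


def score(risk: Risk) -> int:
    """Likelihood x impact on the 5x5 matrix, giving a score from 1 to 25."""
    return _lookup(LIKELIHOOD, risk.likelihood, "likelihood") * _lookup(IMPACT, risk.impact, "impact")


def rate(score_value: int) -> str:
    """Map a score to the band it falls in (low, moderate, high or extreme)."""
    for upper, rating in RATING_BANDS:
        if score_value <= upper:
            return rating
    raise ValueError(f"score {score_value} outside matrix range 1..25")


def evaluate(rating: str) -> str:
    """Compare a rating against the (assumed) organisational acceptance criteria."""
    return EVALUATION[rating]


def prioritise(risks: list[Risk]) -> list[tuple[Risk, int, str, str]]:
    """Order risks for treatment: highest score first, ties broken by higher impact."""
    rows = [(r, score(r), rate(score(r)), evaluate(rate(score(r)))) for r in risks]
    rows.sort(key=lambda row: (row[1], _lookup(IMPACT, row[0].impact, "impact")), reverse=True)
    return rows


def render_matrix(risks: list[Risk]) -> str:
    """Draw the matrix as text: rows are likelihood (top = almost certain), columns are impact.

    Each cell shows the band initial (L/M/H/E) and, if any, the number of risks placed there.
    """
    occupied: dict[tuple[int, int], int] = {}
    for r in risks:
        key = (_lookup(LIKELIHOOD, r.likelihood, "likelihood"), _lookup(IMPACT, r.impact, "impact"))
        occupied[key] = occupied.get(key, 0) + 1
    lines = []
    for lik_label, lik in sorted(LIKELIHOOD.items(), key=lambda kv: -kv[1]):
        cells = [f"{rate(lik * imp)[0].upper()}{occupied.get((lik, imp), 0) or ' '}" for imp in range(1, 6)]
        lines.append(f"{lik_label:>14} | " + " ".join(cells))
    lines.append(" " * 14 + " | " + " ".join(f"I{imp}" for imp in range(1, 6)) + "   (I1 = negligible .. I5 = catastrophic)")
    return "\n".join(lines)


# Constructed sample register for an ISO/IEC 27001-style assessment (illustrative only).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", "likely", "catastrophic"),        # 4 x 5 = 20 -> extreme
    Risk("Unpatched internet-facing web server", "possible", "major"),   # 3 x 4 = 12 -> high
    Risk("Phishing leading to credential theft", "likely", "moderate"),  # 4 x 3 = 12 -> high
    Risk("Loss of unencrypted laptop", "unlikely", "moderate"),          # 2 x 3 = 6  -> moderate
    Risk("Office printer outage", "possible", "negligible"),             # 3 x 1 = 3  -> low
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_RISKS), end="\n\n")
    for risk, s, rating, verdict in prioritise(SAMPLE_RISKS):
        print(f"{s:>2} {rating:<8} {verdict:<36} {risk.name}")
```

The tie-break on impact reflects a common convention that, at equal scores, a higher-consequence risk is treated first; the band boundaries are deliberately kept in one table so that changing the organisation's risk appetite changes every rating and verdict consistently.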

Examples of qualitative risk analysis

Qualitative risk analysis is widely applied across management systems aligned with ISO standards, as it provides a practical and structured way to assess risks even when precise data is not available. It also supports organisations in meeting ISO certification requirements, while its flexibility makes it particularly valuable for early-stage assessments, ongoing monitoring and cross-functional risk evaluations.

Some common applications include:

  • Environmental Risk Assessment (ISO 14001): organisations often apply qualitative methods to evaluate the potential environmental impact of their operations. For instance, the risk of chemical spills may be assessed by considering factors such as the toxicity of substances involved and their proximity to sensitive environments, including water sources.
  • Occupational Health and Safety (ISO 45001): qualitative analysis is frequently used to assess workplace hazards, such as slips, trips and falls, or exposure to hazardous materials. Risks are typically evaluated based on the likelihood of occurrence and the potential severity of harm, enabling organisations to prioritise preventative measures and enhance overall workplace safety.
  • Information security (ISO/IEC 27001): in cybersecurity risk management, organisations use qualitative approaches to assess threats such as data breaches or phishing attacks. By considering both likelihood and potential impact on confidentiality, integrity and availability, businesses can prioritise controls and strengthen their information security posture.
  • Quality management (ISO 9001): qualitative techniques are used to identify risks affecting product quality and process performance. Examples include supplier reliability issues or potential production errors, allowing organisations to implement effective preventative and corrective actions to maintain high standards.
