Risk analysis is the second step of risk management. In risk analysis you study the risks identified in the identification phase and assign a level of risk to each item. You first categorize the risks, then determine the level of each risk by specifying its likelihood and its impact.

Likelihood is the probability that the risk occurs, and it arises from technical factors. Some of the technical factors to consider when assessing likelihood are:

  1. Complexity of the technology
  2. Technical skills of the test team
  3. Team conflicts
  4. Geographically distributed teams
  5. Poor quality of the tools used in the project
  6. Complex integration, etc.

Impact is the effect of the risk if it happens. Impact arises from business considerations. Consider the following business factors when assessing impact:

  1. Loss of customers
  2. Loss of business
  3. Loss or harm to society
  4. Financial loss
  5. Criminal proceedings against company
  6. Loss of license to continue business

You can apply quantitative or qualitative risk analysis to determine the level of risk. In quantitative risk analysis you assign numerical ratings to likelihood and impact. Likelihood can be expressed as a percentage and impact in monetary terms. Multiplying these two values gives the expected loss for that risk.

Qualitative analysis is performed when you do not have statistically valid data on which to base a quantitative analysis. In qualitative analysis you rate the likelihood of the risk as very high, high, medium, low or very low. In software engineering, a quantitative approach is inappropriate in most projects, because stating likelihood as percentages such as 90%, 50%, 25% or 10% does not make much sense and is misleading.