When is a risk not a risk (Part 1)
From the Risk Insights from The Risk Doctor Blog
by David Hillson
One of the most common failings in the risk management process is for the risk identification step to identify things which are not risks. Clearly if this early stage of the risk process fails, subsequent steps will be doomed and risk management cannot be effective. It is therefore essential to ensure that risk identification identifies risks.
Many people confuse risk with uncertainty when they try to identify risks. Risk is not the same as uncertainty, so how are the two related? The key is to realise that risk can only be defined in relation to objectives. The simplest definition of risk is “uncertainty that matters”, and it matters because it can affect one or more objectives. Risk cannot exist in a vacuum, and we need to define what is “at risk”, i.e. what objectives would be affected if the risk occurred.
A more complete definition of risk would therefore be “an uncertainty that if it occurs could affect one or more objectives”. This recognises the fact that there are other uncertainties that are irrelevant in terms of objectives, and these should be excluded from the risk process. For example if we are conducting an IT project in India, the uncertainty about whether it might be raining in London is irrelevant – who cares? But if our project involves redeveloping the Queen’s gardens at Buckingham Palace, the possibility of rain in London is not just an uncertainty – it matters. In one case the rain is merely an irrelevant uncertainty, but in the other it is a risk.
Linking risk with objectives makes it clear that every facet of life is risky. Everything we do aims to achieve objectives of some sort, including personal objectives (for example to be happy and healthy), project objectives (including delivering on time and within budget), and corporate business objectives (such as to increase profit and market share). Wherever objectives are defined, there will be risks to their successful achievement.
The link also helps us to identify risks at different levels, based on the hierarchy of objectives that exists in an organisation. For example strategic risks are uncertainties that could affect strategic objectives, technical risks might affect technical objectives, reputation risks would affect reputation, and so on.
One other question arises from the concept of risk as “uncertainty that could affect objectives” – what sort of effect might occur? In addition to those uncertainties which if they occur would make it more difficult to achieve objectives (also known as threats), there are also uncertain events which if they occur would help us achieve our objectives (i.e. opportunities). When identifying risks, we need to look for uncertainties with upside as well as those with downside.
Effective risk management requires identification of real risks, which are “uncertainties which if they occur will have a positive or negative effect on one or more objectives”. Linking risks with objectives will ensure that the risk identification process focuses on those uncertainties that matter, rather than being distracted and diverted by irrelevant uncertainties.
[The next blog will clarify another common confusion in risk identification: the difference between risks, their causes and their effects.]
Posted on: June 26, 2015 05:04 PM
Comments (9)
anil kukreti
Senior engineer | Mobiquity softech pvt ltd
Ghaziabad, Uttar Pradesh, India
Nice article. Thanks for sharing it. “an uncertainty that if it occurs could affect one or more objectives”. This recognizes the fact that there are other uncertainties that are irrelevant in terms of objectives, and these should be excluded from the risk process.
So as per the article I think it's identification of relevancy of risk that is more important than identifying a risk itself; otherwise effort used in risk identification would not fetch expected result. Right?
David Hillson
The Risk Doctor | The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks Anil. You're right that we only want/need to identify "real risks" that are relevant. But relevant to what? That's why we make the explicit link to objectives: Our objectives are how we determine whether a risk is relevant or not.
So we should review the entries in our risk register and ask two questions:
1. Is this an uncertainty?
2. Does it affect one or more objectives?
If the answer is not yes and yes, then it is not a risk for us, and it should not be in our risk register.
Of course, it might be something certain that affects an objective, but that is not a risk - it is an issue, which should be recorded separately, perhaps in an issue log.
Or it might be something uncertain that affected someone else's objective, in which case it is their risk and we should escalate it to them.
In my risk register, I should only have things that are uncertain and that matter to my objectives. Then I know they are truly relevant - as you say.
anil kukreti
Senior engineer | Mobiquity softech pvt ltd
Ghaziabad, Uttar Pradesh, India
Great advice ...
"In my risk register, I should only have things that are uncertain and that matter to my objectives." One more reason why I think it is good to start preparation for PMP Credential with ProjectManagement.com
Thanks
An uncertainty that matters might not affect the objectives directly. It might affect the objectives when one drills down and may be at level 4 of WBS.
Then one has to see the extent of impact and identify the causes and quantify the cost of managing the risk.
Basically, project team members must have the shared understanding of the definition of risk. Else, one can imagine wildly and claim such an issue as a risk.
As always, your article is lucid and makes it more interesting in knowing more about risk management.
David Hillson
The Risk Doctor | The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks Balaji. You're right that the effect on objectives may be indirect, possibly at a low level in the WBS. The point is that if a so-called "risk" has no effect on objectives, even indirectly, then why should we care about it?! It really does not matter.
I agree completely that the aim is to help project team members (and other stakeholders) to have an agreed understanding of the risk, so that they can then manage it effectively. The use of risk metalanguage helps to create that shared understanding, by focusing the risk description on the real risk.
Ashley Jones
ERM Consultant | ERM Insights by Carol
Tallahassee, Fl, United States
Great article! As a Risk Analyst, we are in the process of engaging our PMO to help identify risks to the organization - not just the project. Having a clear definition of "risk" is certainly the starting point, but identifying what area/objective the risk could impact is just as important. Well done!
David Hillson
The Risk Doctor | The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thanks Ashley, glad it was helpful. When you are identifying risks to the organization, you should use the same principle, and look for uncertainties that would affect organizational objectives. In fact, once you understand the essential connection between risk and objectives, it all becomes simple!
I wish you success in getting the PMO engaged - but don't forget also to engage the organizational leaders who own the affected objectives. They are likely to be the most appropriate owners for organizational risks, so they must be involved in identifying their risks - although the PMO can help to facilitate this.
Vincent Guerard
Coach - Trainer - Speaker - Advisor | Freelance
Mont-Royal, Quebec, Canada
Nice post, Should we look at identifying risk by objectives? Like, what are the risks that can impact reputation objectives?
David Hillson
The Risk Doctor | The Risk Doctor Partnership
Petersfield, Hampshire, United Kingdom
Thank you Vincent. Yes, all risks should be linked to at least one objective. This is clear from the definition of a risk as "an uncertain event or condition that, if it occurs, would affect one or more objectives", as discussed in this blog post.
This means that, as you suggest, we can take each objective in turn and ask "What uncertainties might affect achievement of this objective?"
We can also categorise risks by the affected objective. So a reputation risk is an uncertainty that affects reputation objectives. Environmental risks affect environmental objectives. Strategic risks affect strategic objectives. And so on...