Categories: risk identification
The last blog entry addressed the need to distinguish risk from uncertainty. There are an infinite number of uncertainties, but these are only risks if they would affect objectives if they occurred. A risk is “an uncertainty that matters”.
Another common challenge in risk identification is to avoid confusion between causes of risk, genuine risks, and the effects of risks. The PMI® PMBoK® Guide says that “A risk may have one or more causes and, if it occurs, one or more impacts”. In the simplest case, one cause leads to a single risk which in turn could have just one effect, though of course reality is considerably more complex. How do these three differ?
- Causes are definite events or sets of circumstances which exist in the project or its environment, and which give rise to uncertainty. Examples include the requirement to implement the project in a developing country, the need to use an unproven new technology, the lack of skilled personnel, or the fact that the organisation has never done a similar project before. Causes themselves are not uncertain since they are facts or requirements, so they are not the main focus of the risk management process.
- Risks are uncertainties which, if they occur, would affect the project objectives either negatively (threats) or positively (opportunities). Examples include the possibility that planned productivity targets might not be met, that interest or exchange rates might fluctuate, that client expectations may be misunderstood, or that a contractor might deliver earlier than planned. These uncertainties should be managed proactively through the risk management process.
- Effects are unplanned variations from project objectives, either positive or negative, which would arise as a result of risks occurring. Examples include being early for a milestone, exceeding the authorised budget, or failing to meet contractually agreed performance targets. Effects are contingent events, unplanned potential future variations which will not occur unless risks happen. As effects do not yet exist, and indeed they may never exist, they cannot be managed directly through the risk management process.
Including causes or effects in the list of identified risks obscures genuine risks, which may then not receive the attention they deserve. So how can we clearly separate risks from their causes and effects? One way is to use risk metalanguage (a formal description with required elements) to provide a three-part structured “risk statement”, as follows: “As a result of <one or more definite causes>, <uncertain event or condition> may occur, which would lead to <one or more effects on objective(s)>.”
Examples include the following:
- “As a result of using novel hardware (a definite requirement), unexpected system integration errors may occur (an uncertain risk), which would lead to overspend on the project (a negative effect on the budget objective).”
- “Because our organisation has never done a project like this before (fact = cause), we might misunderstand the customer's requirement (uncertainty = risk), and our solution would not meet the performance criteria (contingent possibility = effect on objective).”
- “We have to outsource production (cause); we may be able to learn new practices from our selected partner (risk), leading to increased productivity and profitability (effect).”
The use of risk metalanguage should ensure that risk identification actually identifies risks, distinct from causes or effects. Without this discipline, risk identification can produce a mixed list containing risks and non-risks, leading to confusion and distraction later in the risk process.



