Top Ten Risk Myths

February 20, 2019 | Dr. David Hillson

Since the dawn of time, mankind has used myths to make sense of the uncertainty that surrounds us. More recently, in the world of business and projects, risk management has performed the same role. Unfortunately, myths have also grown up around risk management. Like many myths, risk myths have some basis in truth, but they are far from an accurate representation of reality. Here are the top ten risk myths, and how to counter them.


“Risk? No thanks!” Risks are potential problems, and if they happen then we’re in trouble. For projects, risks mean threats to the budget and schedule, and when a risk materializes the result is overspend or delay. Even where we consider other objectives such as performance, safety or regulatory compliance, risk is bad news for the project.

Starting from the idea that risk is “uncertainty that matters”, we arrive at a different conclusion. Some uncertainties might have helpful outcomes if they happen, saving time or money, enhancing performance or safety, helping us to achieve project objectives. Best-practice risk management recognizes that risk includes both threats and opportunities, and both need to be managed proactively through the risk process.


“Qué será, será.” Most risks are outside our control, and we shouldn’t waste time trying to address them in advance. Instead we should rely on fire-fighting, dealing with issues as they arise. The good project manager is a hero who can handle any crisis as and when it happens.

Risk management provides a forward-looking radar, scanning the uncertain future to reveal things that could affect us, giving us time to prepare in advance. We can develop contingency plans even for so-called uncontrollable risks, and be ready to deal with likely threats or significant opportunities.


“Ignorance is bliss.” We’re so busy dealing with what we do know that we don’t have time to think about anything else.

Hope is not a strategy! Uncertainties exist out there that can hurt us and our projects very badly. Unforeseen events can cause major delays, result in significant additional cost, or even cause accidents. Failing to spot risks will result in avoidable problems happening or benefits that could have been captured being missed. Not knowing about the risks that we face can be very costly indeed.


“The clue is in the job title!” Just as the Project Manager manages the project or the Quality Manager manages quality, so the Risk Manager manages risk. That means the rest of the project team don’t have to worry about risk if they have a Risk Manager (or Risk Champion or Risk Coordinator).

The title of Risk Manager is hugely misleading and should be banned! There’s no way that one person can understand or manage all the risks on a project, even if they are super-competent. Instead risks need to be managed by the people who understand them and can deal with them effectively. Every member of the project team should be a “risk manager”, tackling the risks that affect their area of responsibility, leaving the Risk Manager to facilitate the risk process and ensure that it is working properly.


“The only good risk is a dead risk.” Whenever a risk is encountered on our project, only one response is possible: avoidance. We need to do whatever it takes to ensure that the risk cannot happen, no matter what cost or effort is involved.

Of course, not all risks can be avoided. We have a full range of risk response strategies available to us, of which avoidance is only one. Sometimes it would be too expensive or take too long to avoid a risk completely, so another strategy is required. Options for downside risks (threats) include risk transfer, risk reduction or risk acceptance, each of which might be appropriate for any particular risk. And clearly, we don’t want to avoid upside risks (opportunities) – these should be exploited, shared, or enhanced.


“No risk please – we’re project managers!” The absence of risk is a sign of a successful project manager and a well-run project. Where risk rears its ugly head, it needs to be killed off as quickly as possible, so that we can return to our zero-risk nirvana.

Risk is built into all projects, as we seek to create a unique service, product or outcome with limited resources, conflicting constraints and competing stakeholders. Risk is also linked to reward, as we take risk to create value. So the zero-risk project is neither possible nor desirable. And when we bring opportunities into the frame, then taking risk is a way to enhance performance even further.


“You can’t manage risk without understanding statistics, probability theory and Monte Carlo simulation.” It’s pointless to record risks in a Risk Register, assess their probability and impact as High/Medium/Low, and develop appropriate responses for each one. Only quantitative risk analysis (QRA) using hard numbers can reveal the true level of risk exposure in our project.

QRA is a powerful technique for analysing the overall effect of risk on project outcomes, but it requires time, effort, specialist tools and expertise. On projects which are smaller, less complex or less innovative, it simply isn’t cost effective. Many risks cannot be easily quantified either, so a qualitative approach is needed. Even on very risky projects, the data used in QRA are based on the Risk Register, so qualitative assessment is always required, while QRA is optional.
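To make the last point concrete, here is an added example (not from the original article) of how a Risk Register with High/Medium/Low probability and impact ratings feeds both the qualitative prioritisation and an optional Monte Carlo roll-up of overall cost exposure. The numeric ranges behind each band, the four sample risks, and the treatment of opportunities as negative cost are all assumptions made for the illustration.

```python
"""Added example: qualitative Risk Register scoring plus a Monte Carlo roll-up
drawn from the same register. Band calibration and sample risks are constructed
for illustration; nothing here comes from the original article."""
import random
from dataclasses import dataclass

# Assumed calibration of the qualitative bands (the article gives none).
RANK = {"Low": 1, "Medium": 2, "High": 3}
PROB_BANDS = {"Low": (0.05, 0.20), "Medium": (0.20, 0.50), "High": (0.50, 0.90)}
IMPACT_BANDS = {"Low": (5_000, 20_000), "Medium": (20_000, 100_000), "High": (100_000, 500_000)}


@dataclass(frozen=True)
class Risk:
    description: str
    kind: str          # "threat" (adds cost) or "opportunity" (saves cost)
    probability: str   # Low / Medium / High
    impact: str        # Low / Medium / High


def qualitative_score(risk: Risk) -> int:
    """Probability rank x impact rank (1..9): the Register's High/Medium/Low view."""
    return RANK[risk.probability] * RANK[risk.impact]


def prioritise(register):
    """Highest-scoring risks first; threats ahead of opportunities on a tie."""
    return sorted(register, key=lambda r: (-qualitative_score(r), r.kind != "threat", r.description))


def simulate(register, iterations=10_000, seed=0):
    """Monte Carlo roll-up of net cost exposure, built from the same Register.

    Each iteration samples a probability and an impact from every risk's band,
    rolls whether the risk occurs, and sums the outcome (threats add cost,
    opportunities subtract it). Returns the P50/P80/P95 of that distribution.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    rng = random.Random(seed)  # seeded so runs are reproducible
    totals = []
    for _ in range(iterations):
        net = 0.0
        for r in register:
            p = rng.uniform(*PROB_BANDS[r.probability])
            if rng.random() < p:
                cost = rng.uniform(*IMPACT_BANDS[r.impact])
                net += cost if r.kind == "threat" else -cost
        totals.append(net)
    totals.sort()

    def pct(q):
        return totals[min(len(totals) - 1, int(q * len(totals)))]

    return {"p50": pct(0.50), "p80": pct(0.80), "p95": pct(0.95)}


# Constructed sample Register (assumed, not from the article).
REGISTER = [
    Risk("Key supplier delivers late", "threat", "Medium", "High"),
    Risk("Regulatory approval slips a quarter", "threat", "Low", "High"),
    Risk("Test environment unavailable", "threat", "High", "Low"),
    Risk("Reuse of a component from a sister project", "opportunity", "Medium", "Medium"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"score {qualitative_score(r)}  {r.kind:11s} {r.description}")
    print(simulate(REGISTER))
```

The qualitative score alone is enough to rank and respond to the register; the simulation adds the overall exposure figures that a contingency decision needs, but it consumes nothing that the register did not already hold.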


“We manage risk all the time – it’s part of the day job.” We know all the risks faced by our project and we have processes in place to deal with them, so we don’t need to do separate risk management.

Project processes are indeed developed to handle routine risks that arise regularly in our projects. And maybe such “business-as-usual risks” don’t belong in the Risk Register because they’ll be handled by existing processes. But what about risks that we’ve never seen before? Risks that are particular to this project, this environment, this client? Risks that aren’t covered by our standard processes? We need a focused risk process that identifies these novel risks, assesses their importance, and develops targeted responses.


“We’ve agreed the project plan and we’re sticking to it.” A strong project manager stays within the budget and timeline, meets all targets, and doesn’t need slush funds or schedule cushions. Setting aside time or money for things that might never happen is pointless.

Not even the best project manager can foresee the future with perfect accuracy. Unexpected things happen to good people. And all projects are risky, being unique and complex undertakings based on assumptions and dependencies, delivering change through people. We should always expect the unexpected. So including a specific risk budget for known risks as well as a contingency amount for unforeseen risks is a sign of wisdom not weakness.


“We tried risk management once…” The risks we identified never happened, and the things that did happen weren’t in the Risk Register. Our responses made no discernible difference to project outcomes, so we gave up.

The risk process often fails to identify the real risks to the project or business, focusing instead on the “usual suspects”. Instead we need to explore what keeps people awake at night, either worrying about what might go wrong (threats), or excited about what good things might happen (opportunities). We also need to develop targeted actions that really change our risk exposure, and then implement those actions. When we identify the real risks and implement effective responses, then risk management will maximize our chances of project success. Done properly, risk management always works!


In our rationalist world where we value most what we can measure easily, it’s not surprising that unhelpful myths have grown up around risk management. In providing a structured way to address uncertainty, risk management offers important insights to project managers and their teams. Effective management of risk is positively correlated with project success, as we discover in advance the things that might drive us off track, and we implement proactive measures to avoid threats and capture opportunities.

Discover the real truth about risk management, and let it work for you and your projects! You won’t regret it!

About The Author
  • Dr David Hillson HonFAPM PMI-Fellow FIRM CMgr FCMI

    Known globally as The Risk Doctor, David Hillson leads The Risk Doctor Partnership, a global consultancy offering specialist risk services across the world.

    David has a reputation as an excellent speaker and presenter on risk. His talks blend thought-leadership with practical application, presented in an accessible style that combines clarity with humor, guided by the Risk Doctor motto: “Understand profoundly so you can explain simply”.

    He also writes widely on risk, with twelve major books and over 100 professional papers. He publishes a regular Risk Doctor Briefing blog in seven languages to 10,000 followers, and has over 7,000 subscribers to the RiskDoctorVideo YouTube channel.

    David has advised leaders and organizations in over fifty countries around the world on how to create value from risk based on a mature approach to risk management, and his wisdom and insights are in high demand. He has also received many awards for his ground-breaking work in risk management over several decades.