The purpose of risk management is obviously to manage risks. But one of the most common failings in the risk management process is for the risk identification step to identify things that are not risks. If this early stage of the risk process fails, subsequent steps will be doomed, and risk management will not be effective. It is therefore essential to ensure that the risk identification process correctly identifies risks.
Many people are confused between risk and uncertainty. Risk is a type of uncertainty, and it’s important to define what qualifies an uncertainty as a risk. The key is that risk is defined in relation to objectives. The simplest definition of risk is “uncertainty that matters,” and it matters because it can affect one or more objectives. Risk does not exist in a vacuum, and we need to define what is “at risk,” i.e. what objectives would be affected if the risk occurred.
A more complete definition of risk would therefore be “an uncertainty that, if it occurs, could affect one or more objectives.” There are other uncertainties that are irrelevant in terms of objectives, and these should be excluded from the risk process. For example, if we are conducting an IT project in India, the uncertainty about whether it might be raining in London is irrelevant – who cares? But if our project involves redeveloping the Queen’s gardens at Buckingham Palace, the possibility of rain in London is not just an uncertainty – it matters. In one case the rain is merely an irrelevant uncertainty, but in the other it is a risk.
UNCERTAINTY THAT CAN AFFECT OBJECTIVES
Linking risk with objectives makes it clear that every facet of life is risky. Everything we do aims to achieve objectives of some sort, including personal objectives (to be happy and healthy), project objectives (delivering on-time and within budget), and corporate business objectives (increasing profit and market share). Wherever objectives are defined, there will be risks to their successful achievement.
The link also helps us to identify risks at different levels, based on the hierarchy of objectives that exists in an organization. For example, strategic risks are uncertainties that could affect strategic objectives, technical risks might affect technical objectives, reputation risks would affect reputation, and so on.
One other question arises from the concept of risk as “uncertainty that could affect objectives” – what sort of effect might occur? There are uncertainties that, if they occur, would make it more difficult to achieve objectives (threats), and there are also uncertain events that, if they occur, would help us achieve our objectives (opportunities). When identifying risks, we need to look for uncertainties with upside as well as those with downside.
Effective risk management requires identification of real risks, which are “uncertainties that, if they occur, will have a positive or negative effect on one or more objectives.” Linking risks with objectives will ensure that the risk identification process focuses on uncertainties that matter, rather than being distracted and diverted by irrelevant uncertainties.
RISKS: CAUSES AND EFFECTS
Another common challenge in the risk identification process is confusion between causes of risk, the risks themselves, and the effects of risks. The PMI® PMBoK® Guide (Sixth Edition) says that “A risk may have one or more causes and, if it occurs, one or more impacts.” In the simplest case, one cause leads to a single risk, which in turn could have just one effect. Reality, of course, is considerably more complex. How do causes, risks, and effects differ?
- Causes are events or sets of circumstances which exist in the project or its environment, and which give rise to uncertainty. Examples include the requirement to implement the project in a developing country, the need to use an unproven new technology, the lack of skilled personnel, or the fact that the organization has never done a similar project before. Causes themselves are not uncertain. They are facts or requirements, so they should not be managed through the risk management process.
- Risks are uncertainties which, if they occur, would affect the project objectives either negatively (threats) or positively (opportunities). Examples include the possibility that planned productivity targets might not be met, interest or exchange rates that might fluctuate, the chance that client expectations may be misunderstood, or whether a contractor might deliver earlier than planned. These uncertainties should be managed proactively through the risk management process.
- Effects are unplanned variations from project objectives, either positive or negative, which would arise as a result of risks occurring. Examples include being early for a milestone, exceeding the authorised budget, or failing to meet contractually agreed performance targets. Effects are contingent events, unplanned potential future variations which will not occur unless risks happen. As effects do not yet exist, and indeed they may never exist, they cannot be managed through the risk management process.
Including causes or effects in the list of identified risks obscures genuine risks, which may not receive the appropriate degree of attention they deserve. So how can we clearly separate risks from their causes and effects? One way is to use risk metalanguage (a formal description with required elements) to provide a three-part structured “risk statement” as follows:
“As a result of <definite cause>, <uncertain event> may occur, which would lead to <effect on objective(s)>.”
Examples include the following:
- “As a result of using novel hardware (a definite requirement), unexpected system integration errors may occur (an uncertain risk), which would lead to overspend on the project (an effect on the budget objective).”
- “Because our organization has never done a project like this before (fact = cause), we might misunderstand the customer’s requirement (uncertainty = risk), and our solution would not meet the performance criteria (contingent possibility = effect on objective).”
- “We have to outsource production (cause); we may be able to learn new practices from our selected partner (risk), leading to increased productivity and profitability (effect).”
The use of risk metalanguage should ensure that risk identification actually identifies risks, distinct from causes or effects. Without this discipline, risk identification can produce a mixed list containing risks and non-risks, leading to confusion and distraction later in the risk process.
Risks must be identified if they are to be successfully managed. But risk is not the same as uncertainty, and risks must be separated from their causes and their effects. We must be clear about what we are trying to identify. Only then can we be sure that the risk management process is addressing those uncertainties that can affect our projects and businesses.