Contracting Excellence Journal


Since the dawn of time, mankind has used myths to make sense of the uncertainty that surrounds us. More recently, myths have crept into risk management and business projects. Although risk myths have some basis in truth, they fail to accurately represent reality. Here are the top ten risk myths, each with a counterpoint showing how to counter it.

Myth 1: All risk is bad

“Risk? No thanks!” All risks are potential problems, and if they happen then we’re in trouble. For projects, risks mean threats to the budget and schedule, and the result of an impacted risk means overspend or delay. Even where we consider other objectives such as performance, safety or regulatory compliance, risk is bad news for the project.

On the other hand, starting from the idea that risk is uncertainty that matters, we arrive at a different conclusion. Some uncertainties might have helpful outcomes if they happen, saving time or money, enhancing performance or safety, helping us to achieve project objectives. Best-practice risk management recognises that risk includes both threats and opportunities, and both need to be managed proactively through the risk process.

Myth 2: Risk management is a waste of time

“Qué será, será” or “whatever will be, will be.” Most risks are outside our control, and we shouldn’t waste time trying to address them in advance. Instead we should rely on firefighting, dealing with issues as they arise. The good project manager is a hero who can handle any crisis as and when it happens.

But don’t forget. Risk management provides a forward-looking radar, scanning the uncertain future to reveal things that could affect us, giving us time to prepare in advance. We can develop contingency plans even for so-called uncontrollable risks and be ready to deal with likely threats or significant opportunities.

Myth 3: What you don’t know won’t hurt you

“Ignorance is bliss.” We’re so busy dealing with what we do know that we don’t have time to think about anything else.

That’s unrealistic. Hope is not a strategy! Uncertainties exist out there that can hurt us and our projects very badly. Unforeseen events can cause major delays, result in significant additional cost, or even cause accidents. Failing to spot risks will result in avoidable problems happening or benefits that could have been captured being missed. Not knowing about the risks that we face can be very costly indeed.

Myth 4: The risk manager manages risk

“The clue is in the job title!” Just as the project manager manages the project or the quality manager manages quality, so the risk manager manages risk. That means the rest of the project team don’t have to worry about risk if they have a risk manager (or risk champion or risk coordinator).

Not true. The title of risk manager is hugely misleading and should be banned! In no way can one person understand or manage all the risks on a project, even if they are super-competent. Instead risks need to be managed by the people who understand them and can deal with them effectively. Every member of the project team should be a risk manager, tackling the risks that affect their area of responsibility, leaving the risk manager to facilitate the risk process and ensure that it is working properly.

Myth 5: All risk can and should be avoided

“The only good risk is a dead risk.” Whenever a risk is encountered on our project, only one response is possible: avoidance. We need to do whatever it takes to ensure that the risk cannot happen, no matter what cost or effort is involved.

That’s short-sighted. Not all risks can be avoided. We have a full range of risk response strategies available to us, of which avoidance is only one. Sometimes it would be too expensive or take too long to avoid a risk completely, so another strategy is required. Options for downside risks (threats) include risk transfer, risk reduction or risk acceptance, each of which might be appropriate for any particular risk. And clearly, we don’t want to avoid upside risks (opportunities) – these should be exploited, shared, or enhanced.

Myth 6: Our projects aren't risky

“No risk please – we’re project managers!” The absence of risk is a sign of a successful project manager and a well-run project. Where risk rears its ugly head, it needs to be killed off as quickly as possible, so that we can return to our zero-risk nirvana (perfect bliss).

Such a naive dream! Risk is built into all projects, as we seek to create a unique service, product or outcome with limited resources, conflicting constraints and competing stakeholders. Risk is also linked to reward, as we take risk to create value. So, the zero-risk project is neither possible nor desirable. And when we bring opportunities into the frame, then taking risk is a way to enhance performance even further.

Myth 7: Risk management requires statistics

“You can’t manage risk without understanding statistics, probability theory and Monte Carlo simulation.” It’s pointless to record risks in a risk register [1], assess their probability and impact as high/medium/low and develop appropriate responses for each one. Only quantitative risk analysis (QRA) using hard numbers can reveal the true level of risk exposure in our project.

QRA is a powerful technique for analyzing the overall effect of risk on project outcomes, but it requires time, effort, specialist tools and expertise. On projects which are smaller, less complex or less innovative, it simply isn't cost effective. Many risks cannot be easily quantified either, so a qualitative approach is needed. Even on very risky projects, the data used in QRA are based on the risk register, so qualitative assessment is always required, while QRA is optional.

Myth 8: Risks are covered by routine processes

“We manage risk all the time – it’s part of the day job.” We know all the risks faced by our project and we have processes in place to deal with them, so we don’t need to do separate risk management.

Project processes are indeed developed to handle routine risks that arise regularly in our projects. And maybe such “business-as-usual risks” don’t belong in the risk register because they’ll be handled by existing processes. But what about risks that we’ve never seen before? Risks that are particular to this project, this environment, this client? Risks that aren't covered by our standard processes? We need a focused risk process that identifies these novel risks, assesses their importance, and develops targeted responses.

Myth 9: Contingency is for wimps

“We’ve agreed the project plan and we’re sticking to it.” A strong project manager stays within the budget and timeline, meets all targets, and doesn’t need slush funds or spare-time cushions. Setting aside time or money for things that might never happen is pointless.

Not even the best project manager can foresee the future with perfect accuracy. Unexpected things happen to good people. And all projects are risky, being unique and complex undertakings based on assumptions and dependencies, delivering change through people. We should always expect the unexpected. So, including a specific risk budget for known risks as well as a contingency amount for unforeseen risks is a sign of wisdom, not weakness.

Myth 10: Risk management doesn’t work

“We tried risk management once...” The risks we identified never happened, and the things that did happen weren’t in the risk register. Our responses made no discernible difference to project outcomes, so we gave up.

The risk process often fails to identify the real risks to the project or business, focusing instead on the “usual suspects”. Instead we need to explore what keeps people awake at night, either worrying about what might go wrong (threats), or excited about what good things might happen (opportunities). We also need to develop targeted actions that really change our risk exposure, and then implement those actions. When we identify the real risks and implement effective responses, then risk management will maximize our chances of project success. Done properly, risk management always works.

The truth revealed

In our rationalist world where we value most what we can measure easily, it’s not surprising that unhelpful myths have grown up around risk management. In providing a structured way to address uncertainty, risk management offers important insights to project managers and their teams. Effective management of risk is positively correlated with project success, as we discover in advance the things that might drive us off track, and we implement proactive measures to avoid threats and capture opportunities.

Discover the real truth about risk management, and let it work for you and your projects! You won’t regret it!


  1. A risk register is a document the risk management team develops during the early stages of a risk management project. It tracks issues and assesses problems as they arise.

Copyright © 2019, David Hillson

Dr. David Hillson, Founder and Director of The Risk Doctor Partnership, UK
