Contracting Excellence Journal

Articles, news and insights from World Commerce & Contracting staffers and over 70,000 Members.

Subscribe and never miss out. There's always something going on here!

Contracts are a mechanism for transferring risk between contracting parties. And yet many people wrongly think that transferring the risk is nothing more than choosing the right form of contract. It's puzzling. Worse, it's really problematic!

There is a better way to understand the relationship between risk and contracts. Clearly, the balance of risk ownership differs significantly between different types of contracts: time and materials, cost-reimbursable, target-cost incentivized, lump sum, fixed price, firm-fixed price and so on. 

By recognizing the true nature of risk, we can ensure that our contracts address it intelligently and appropriately.  We need to share the risk challenge equitably among contracting parties so we can manage that risk effectively and achieve the contract purpose.

Risk is uncertainty that matters

A risk can be defined as “…any uncertainty that if it occurs would affect achievement of one or more objectives...” Variants on this wording are found in international risk standards, including ISO 31000:20091 and the Institute of Risk Management (IRM), as well as risk guidelines from the Project Management Institute (PMI) and the Association for Project Management (APM).

If risk is “uncertainty that matters,” then we need to ask ourselves two questions:

  1. What types of uncertainty?
  2. What types of mattering?

Types of uncertainty

One common misconception about risk is that it refers only to uncertain events that might occur in the future. But this is a very limited view of the types of uncertainty that might affect our businesses or projects.

Of course risk does include uncertain future events, but the risk process must also address other kinds of risk. A proper understanding of risk must account for all forms of uncertainty, including uncertain future events, potential variability in planned activities, sources of ambiguity, and the possibility of the unexpected.

Three main non-event types of uncertainty:

  1. Variability involves uncertainty about some key characteristics of a planned event or activity or decision. For example we plan to conduct a test of some new equipment but we are uncertain about how long the test will take. A range of outcomes is possible but we're not sure which of these might happen.
  2. Ambiguity often exists where we are uncertain about what might happen, if anything. For example, we intend to launch a new product into a competitive marketplace – how will competitors and potential customers react?
  3. Emergence describes uncertainties that are unknowable -- risks we can't see because we don't know we should be looking for them.

Types of mattering

Another common misconception is that all risk is bad. We measure success of most projects by their time and cost performance, so usually we're only concerned about risks that could trigger delays or overspending. So typically when people think about risk, they are focusing on threats to the schedule or budget. Two weaknesses exist in this view of risk:

  1. Most businesses and projects are concerned about more than just time and cost. We need to identify and manage any uncertainties that could affect other objectives, including performance, safety, reputation, market share, competitive positioning, share price etc.
  2. Not all risk is bad. Some, if they occur, would help us achieve our objectives. Negative risks are threats.  Positive risks are opportunities.

Instead of thinking about threats as being limited to schedule or budget, we should look for uncertainties that might impact any of our objectives, and include those negative risks that could cause delay, overspend, performance shortfall or reputation damage, etc. As well, we need to look for positive risks that might result in shorter timescales, reduced cost, enhanced performance or improved reputation etc.

Risk is any uncertainty that matters

As mentioned, the commonly-adopted interpretation of risk as being limited to “uncertain future events that, if they occurred, would have a negative effect on the project budget and/or schedule” limits risk management to a mere subset of all the uncertainties that matter. Clearly any uncertainty that could affect our ability to achieve our goals must be better managed.

Figure 1 below illustrates this more complete understanding of risk, expanding both the “uncertainty” side and the “mattering” dimension.

 David's figure

Figure 1: “Uncertainty that matters” expanded

Risk and contracts

You likely know that contracts are the primary means for transferring risk between the contracting parties, with the aim that risk should be owned by the party best able to manage it.

Unfortunately the prevailing negative view of risk spawns a combative approach to contracting, because owning risk is always seen as “a bad thing.” Here's what often happens. The buyer passes as much risk as possible to the seller, always at the minimum price of course, while the seller is naturally defensive and reluctant to accept risk, and responds by loading the price with a “risk premium.”

The use of “standard terms” worsens this situation, because these entrench the perception of risk as unwelcome, and seek to protect positions with onerous terms. Boilerplate text locks negative views of risk into contracts, making it hard to take a more enlightened approach. What if we discarded this negative view and adopted the wider view of risk? How might we deal with risk differently in contracts?

Threats and opportunities

Our first change would be to recognize that some risks are good. Positive risk helps us create value, enhance performance and deliver more benefits through the contract. When opportunities are identified in the contract, parties will be encouraged to embrace risk more willingly, taking ownership of positive risks and seeking to manage them proactively to optimize performance. Innovation and continuous improvement would be supported and contractors would actively seek to exploit or enhance opportunities.

In this broader context, risk transfer would become completely different.  Contracting parties could conduct a mature discussion about who could best tackle threats, where opportunities could be most effectively managed, and what consideration should be applied to reflect the balance of risk.

The new approach would allow contract negotiation to start with a joint assessment of the major threats and opportunities, followed by an honest debate about where each risk should sit between the contracting parties. After an open and transparent costing of the risks owned by each party, the set of risks covered by the contract could then be explicitly included in an annex as a record of the agreement of the parties. The contractual consideration would then formally include a risk element based on a shared understanding of the major risks in the undertaking.

Non-event risks

If we understand that the concept of risk includes more than just future uncertain events, then the contract would need to deal with other types of risk explicitly. Taking the three classes of non-event risk mentioned above in turn, we might expect to see the following:

  1. Variability - contract terms can use approaches based on target-cost incentives to encourage contractors to manage to the upside and discourage underperformance. Explicit description of variability risks in the contract will ensure that everyone is clear about the range of possible outcomes and contract terms can motivate the effective management of such variability.
  2. Ambiguity can wreak havoc in executing the contract, like unclear terms or requirements that can be interpreted many ways. Identifying specific ambiguity risks during contract negotiation can minimize the effect of these uncertainties and lead to a more robust contract.
  3. Emergent (unknowable) risks will nearly always arise and surprise us. We can't identify unknowable-unknowns in advance, so the contract must provide appropriate contingency to account for these should they occur. Setting the right level for this contingency is not easy and should be based on previous experience of similar projects, and industry norms where available.

By including this full range of risks in our contracts, we can be more confident that we will consider and address all uncertainties that matter, and give ourselves the best chance to succeed in delivering the contract objectives.


We know that business and projects are risky, but one way to control the amount of risk contracting parties take is to make proactive use of formal contracts. Traditional views – those that see risk as negative uncertain events that cause delays or overspend -- have resulted in suboptimal contracts.  In this context it is natural for contracting parties to protect themselves against any undue risk exposure and pass as much risk as possible over the contractual fence.

We must recognize that we can handle risk through the contract in a more detailed and targeted way than simply selecting a particular form of contract. By expanding our view of risk to include any uncertainties that matter, and reflecting these risks properly in our contracts, the contract will finally become an effective tool to ensure that risk is owned by the party best able to manage it. 

Be sure to watch the author's previously recorded IACCM Ask the Expert discussion on Bringing a Risk Perspective to Contract Management

To contact Dr. David Hillson   


Known globally as The Risk Doctor, Dr David Hillson is an international thought-leader and expert practitioner who consults, speaks and writes widely on risk.  His ground-breaking work in risk management over three decades has been recognized by multiple awards, including honorary fellowships from both the Project Management Institute (PMI®) and the Association for Project Management (APM). The Institute of Risk Management (IRM) also named him inaugural “Risk Personality of the Year” in 2010-11.

© Copyright 2015, The Risk Doctor Partnership 


  1. ISO 31000:2009 – Risk management

Become an IACCM member today

Dr. David Hillson, Founder and Director of The Risk Doctor Partnership, UK

View All Articles

About Globality

Globality’s stated mission is to “give all companies an opportunity to compete and win based on the merits of proven performance, expertise, and passion.”

> Back to all posts
    Download our
    Ten Pitfalls Report

    Download the Pitfalls Report

    See the February Edition of the Contracting Excellence Newsletter
    See the December Edition  of our Contracting  Excellence Newsletter

    Posts by Topic

    see all

    Recent Posts

    World Commerce & Contracting Membership Types & Pricing

    Take a look at the various membership types, or take a better look by becoming a FREE Trial Member

    Membership Types & Pricing