This means that they’re trying to manage non-risks through the risk management process, which is a waste of time and effort. Perhaps your risk register also contains non-risks? Do any of these “risks” sound familiar?
- We haven’t signed the contract yet and work has already started.
- The timeframe for this job is really too short and we don’t have enough resources.
- This is a highly innovative project and none of the bidders have any relevant experience.
None of these are risks! How about these:
- The contractor may fail to deliver a product that meets the requirement.
- There could be an accident leading to a fatality.
- We might be late or over budget.
Would it surprise you to learn that these aren’t risks either? To understand what’s wrong with these two lists of non-risks, we need to get back to basics and remember two key facts about risk.
First, all risks are uncertain. They have not yet happened and they may never happen. This means that a risk is not the same as a problem, an issue, a constraint or a requirement, although these things might give rise to risks. All of the three items in the first list above are actual facts that are true today: the contract is unsigned, the timeframe is short and the project is innovative. None of these is uncertain, so none of them can be a risk. However, each of them could result in a number risks as we move forward, so they are potential causes of risk. It is common to confuse the causes of risk with the risks themselves.
Second, all risks matter. Although all risks are uncertain, not all uncertainties are risks. There are billions of uncertainties in the world, but not all of them are recorded in our risk registers. Somehow, we need to filter the huge mass of uncertainties to decide which ones are risks.
The key is to recognize that risk is uncertainty that matters. Most uncertainties don’t matter to us (although they may matter to someone else). The ones that matter
How can we address these two common failings: confusing risks with their causes or their effects? One way is
As a result of <definite cause(s)>,
<uncertain event> may occur,
which would lead to <effect on objective(s)>.
Examples include the following:
- “As a result of using novel hardware (this is a definite requirement, so it is a cause), unexpected system integration errors may occur (this is uncertain, so this is the risk), which would lead to overspend on the project (this effect on the budget objective will only occur if the risk happens).”
- “Because our organization has never done a project like this before (fact = cause), we might misunderstand the customer’s requirement (uncertainty = risk), and our solution would not meet the performance criteria (contingent possibility = effect on objective).”
- “We have to outsource production (cause); we may be able to learn new practices from our selected partner (risk), leading to increased productivity and profitability (effect).”
The use of risk metalanguage helps us to identify real risks, distinct from causes or effects.
What is contained in your risk register? Does it list real risks, or are these mixed with causes of risk or potential risk effects? It’s worth reviewing your risk register to check! Remember:
- Causes are definite events or sets of circumstances which exist in the project or its environment, and which give rise to uncertainty. Examples include:
- the requirement to implement the project in a developing country;
- the need to use an unproven new technology;
- the lack of skilled personnel; or
- your organization has never done a similar project before.
- Causes themselves are not uncertain, so they cannot be managed through the risk management process.
- Risks are uncertainties which, if they occur, would affect the project objectives either negatively (threats) or positively (opportunities). Examples include:
- the possibility that planned productivity targets might not be met;
- interest or exchange rates might fluctuate;
- the chance that client expectations may be misunderstood; or
- whether a contractor might deliver earlier than planned.
These uncertainties should be managed proactively through the risk management process.
- Effects are unplanned variations from project objectives, either positive or negative, which would arise as a result of risks occurring. Examples include:
- being early for a milestone;
- exceeding the authorized
budget; or failingto meet contractually agreed performance targets.
Effects are contingent events, unplanned potential future variations that will not occur unless risks happen. As effects do not yet exist, and indeed they may never exist, they cannot be managed through the risk management process.
By ensuring that each risk description contains all three elements of cause, risk
ABOUT THE AUTHOR