Contracting Excellence Journal

Articles, news and insights from World Commerce & Contracting staffers and over 70,000 Members.


Obviously risk management is supposed to manage risk. But in over thirty years of working in the field, and having seen thousands of risk registers, I’ve found that about half of the things people identify as risks are actually not risks at all.

This means that they’re trying to manage non-risks through the risk management process, which is a waste of time and effort. Perhaps your risk register also contains non-risks? Do any of these “risks” sound familiar?

  • We haven’t signed the contract yet and work has already started.
  • The timeframe for this job is really too short and we don’t have enough resources.
  • This is a highly innovative project and none of the bidders have any relevant experience.

None of these are risks! How about these:

  • The contractor may fail to deliver a product that meets the requirement.
  • There could be an accident leading to a fatality.
  • We might be late or over budget.

Would it surprise you to learn that these aren’t risks either? To understand what’s wrong with these two lists of non-risks, we need to get back to basics and remember two key facts about risk.

First, all risks are uncertain. They have not yet happened and they may never happen. This means that a risk is not the same as a problem, an issue, a constraint or a requirement, although these things might give rise to risks. All three items in the first list above are actual facts that are true today: the contract is unsigned, the timeframe is short and the project is innovative. None of these is uncertain, so none of them can be a risk. However, each of them could result in a number of risks as we move forward, so they are potential causes of risk. It is common to confuse the causes of risk with the risks themselves.

Second, all risks matter. Although all risks are uncertain, not all uncertainties are risks. There are billions of uncertainties in the world, but not all of them are recorded in our risk registers. Somehow, we need to filter the huge mass of uncertainties to decide which ones are risks.

The key is to recognize that risk is uncertainty that matters. Most uncertainties don’t matter to us (although they may matter to someone else). The ones that matter are those that would affect our ability to achieve our objectives, if they happened. However, the risk is not the same as the potential impact it might have on our objectives. Each of the three items in the second list is a statement of effect that would arise if some uncertainty occurred: failure to meet the requirement, fatal accident, or being late/overspent. None of these statements describes the uncertainty that might lead to these effects, so none of them is a risk. It is common to confuse the effects of risk with the risks themselves.

How can we address these two common failings, confusing risks with their causes or with their effects? One way is to use a structured risk description that separates risk, cause and effect. This is sometimes called risk metalanguage, and it looks like this:

As a result of <definite cause(s)>,

<uncertain event> may occur,

which would lead to <effect on objective(s)>.

Examples include the following:

  • “As a result of using novel hardware (this is a definite requirement, so it is a cause), unexpected system integration errors may occur (this is uncertain, so this is the risk), which would lead to overspend on the project (this effect on the budget objective will only occur if the risk happens).”
  • “Because our organization has never done a project like this before (fact = cause), we might misunderstand the customer’s requirement (uncertainty = risk), and our solution would not meet the performance criteria (contingent possibility = effect on objective).”
  • “We have to outsource production (cause); we may be able to learn new practices from our selected partner (risk), leading to increased productivity and profitability (effect).”

The use of risk metalanguage helps us to identify real risks, distinct from causes or effects.

What is contained in your risk register? Does it list real risks, or are these mixed with causes of risk or potential risk effects? It’s worth reviewing your risk register to check! Remember:

  • Causes are definite events or sets of circumstances which exist in the project or its environment, and which give rise to uncertainty. Examples include:
    • the requirement to implement the project in a developing country;
    • the need to use an unproven new technology;
    • the lack of skilled personnel; or
    • your organization has never done a similar project before.

Causes themselves are not uncertain, so they cannot be managed through the risk management process.

  • Risks are uncertainties which, if they occur, would affect the project objectives either negatively (threats) or positively (opportunities). Examples include:
    • the possibility that planned productivity targets might not be met;
    • interest or exchange rates might fluctuate;
    • the chance that client expectations may be misunderstood; or
    • whether a contractor might deliver earlier than planned.

These uncertainties should be managed proactively through the risk management process.

  • Effects are unplanned variations from project objectives, either positive or negative, which would arise as a result of risks occurring. Examples include:
    • being early for a milestone;
    • exceeding the authorized budget; or
    • failing to meet contractually agreed performance targets.

Effects are contingent events, unplanned potential future variations that will not occur unless risks happen. As effects do not yet exist, and indeed they may never exist, they cannot be managed through the risk management process.

By ensuring that each risk description contains all three elements of cause, risk and effect, we can clarify which uncertainties matter (the risks themselves), where they come from (their causes), and why they matter (their effects on objectives). This will help us to understand each risk in enough detail to prioritize it properly against other risks, and to develop appropriate risk responses to manage each risk effectively. Only then can we be sure that risk management is managing risk!
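The cause / risk / effect split above, and the checks it implies (every entry needs all three parts, and the cause must be a definite fact rather than something uncertain), can be applied mechanically to a risk register. The following Python linter is an added example and is not code from the article or from the Risk Doctor; the entry schema (an `ident` plus `cause`, `event` and `effect` strings, with `event` holding the uncertain risk statement as a noun phrase), the register contents and the list of uncertainty words are all constructed for illustration.

```python
"""Risk-register linter applying the cause / risk / effect split.

Added example (not from the article). Assumed schema: each entry has an ident
and optional "cause", "event" and "effect" strings; "event" is the uncertain
risk, phrased as a noun phrase so it can be rendered as "<event> may occur".
All register contents below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Words that signal uncertainty. A cause is a definite fact that exists today,
# so it should not need any of these. (Heuristic word list, assumed here.)
UNCERTAINTY = re.compile(
    r"\b(may|might|could|possibl[ey]|possibility|chance|whether|uncertain)\b",
    re.IGNORECASE,
)


@dataclass
class RiskEntry:
    ident: str
    cause: str = ""   # definite fact: where the uncertainty comes from
    event: str = ""   # the uncertainty that matters: the risk itself
    effect: str = ""  # contingent variation from an objective: why it matters

    def metalanguage(self) -> str:
        """Render the entry in the three-part structured description."""
        return (
            f"As a result of {self.cause}, {self.event} may occur, "
            f"which would lead to {self.effect}."
        )


def lint_entry(entry: RiskEntry) -> list[str]:
    """Return the problems that stop this entry being a usable risk description."""
    problems: list[str] = []
    if not entry.event:
        # No uncertain event at all: the entry is a cause or an effect in disguise.
        if entry.cause and not entry.effect:
            problems.append("cause recorded as a risk: no uncertain event given")
        elif entry.effect and not entry.cause:
            problems.append("effect recorded as a risk: no uncertain event given")
        else:
            problems.append("no uncertain event given")
    else:
        if not entry.cause:
            problems.append("cause missing: where does the uncertainty come from?")
        if not entry.effect:
            problems.append("effect missing: why does the uncertainty matter?")
    if entry.cause and UNCERTAINTY.search(entry.cause):
        problems.append("cause is phrased as uncertain; a cause must be a definite fact")
    return problems


def lint_register(register: list[RiskEntry]) -> dict[str, list[str]]:
    """Map each ident with problems to its list of problems; clean entries are omitted."""
    report: dict[str, list[str]] = {}
    for entry in register:
        problems = lint_entry(entry)
        if problems:
            report[entry.ident] = problems
    return report


# Constructed register: one well-formed entry (the article's first example),
# one fact from the first list, one effect from the second list, and one
# entry whose cause is wrongly phrased as an uncertainty.
SAMPLE_REGISTER = [
    RiskEntry("R1", cause="using novel hardware",
              event="unexpected system integration errors",
              effect="overspend on the project"),
    RiskEntry("R2", cause="the contract is unsigned and work has started"),
    RiskEntry("R3", effect="the project is late or over budget"),
    RiskEntry("R4", cause="we might not have enough resources",
              event="delays to critical-path tasks",
              effect="a missed milestone"),
]


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        if not lint_entry(entry):
            print(entry.ident, "OK:", entry.metalanguage())
    for ident, problems in lint_register(SAMPLE_REGISTER).items():
        for problem in problems:
            print(ident, "PROBLEM:", problem)
```

Only R1 passes and renders as the full metalanguage sentence; R2 is flagged as a cause recorded as a risk, R3 as an effect recorded as a risk, and R4 because its cause is written with "might". The word-list check is deliberately applied only to the cause field: an effect such as "the contractor may fail to deliver" also contains a modal verb, so the presence of "may" cannot by itself tell a risk from an effect, which is exactly why the linter relies on the three fields being filled in separately rather than on guessing from free text.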


Dr David Hillson, The Risk Doctor, is an international thought-leader in risk management, with a global reputation as an excellent speaker and award-winning author. Many have benefited from his blend of innovative insights with practical application, presented in an accessible style that combines clarity with humor. He also shares his insights regularly through books, papers and articles, as well as the regular series of Risk Doctor Briefings. David’s speaking and writing are guided by the Risk Doctor motto: “Understand profoundly so you can explain simply”.

Dr David Hillson, The Risk Doctor©

Dr. David Hillson, Founder and Director of The Risk Doctor Partnership, UK
