sign in sign up
<<
Home , Risk

7468/IPM Newsletter No.1/Ire 3/14/05 11:40 AM Page 6 Keith's G4:Desktop Folder:7468/IPMA Newsletter No.1/Ire:

THE WORLD LEADER IN CERTIFICATION

When is a Risk not a Risk? by Dr David Hillson One of the most common healthy), project objectives (including delivering Distinguishing risks failings in the on time and within budget), and corporate from non-risks process is for the risk objectives (such as to increase Another common challenge in risk identification identification step to identify and market share). Wherever objectives are is to avoid confusion between causes of risk, things which are not risks. defined, there will be risks to their successful genuine risks, and the effects of risks. The PMI® Clearly if this early stage of the achievement. This is illustrated for projects in PMBoK® Guide says that “A risk may have one risk process fails, subsequent Figure 1. or more causes and, if it occurs, one or more steps will be doomed and risk impacts”. In the most simple case, one cause management cannot be The link also helps us to identify risks at different leads to a single risk which in turn could have just effective. It is therefore levels, based on the hierarchy of objectives that one effect (see Figure 2), though of course reality essential to ensure that risk exists in an organisation. For example strategic is considerably more complex. How do these identification identifies risks. risks are that could affect strategic three differ? This paper addresses two key objectives, technical risks might affect technical requirements for effective risk objectives, risks would affect • Causes are definite events or sets of identification. The first is a clear reputation, and so on. circumstances which exist in the project or understanding of what is meant by the term “risk”. The second is to be able to distinguish risks FIGURE 1: Risk arises from the effect of on objectives from non-risks, particularly from their causes and effects. All projects contain risk, arising from interactions between • OBJECTIVES ... What must happen • UNCERTAINTY ... What might happen Clearly defining risk Many people when they try to identify risks get TIME confused between risk and uncertainty. Risk is not the same as uncertainty, so how are the two related? The key is to realise that risk can only be uncertainty uncertainty defined in relation to objectives. The simplest definition of risk is “uncertainty that matters”, and it matters because it can affect one or more objectives. Risk cannot exist in a vacuum, and we uncertainty QUALITY/ need to define what is “at risk”, i.e. what COST PERFORMANCE objectives would be affected if the risk occurred. A more complete definition of risk would therefore be “an uncertainty that if it occurs could One other question arises from the concept of its environment, and which give rise to affect one or more objectives”. This recognises risk as “uncertainty that could affect objectives” : uncertainty. Examples include the the fact that there are other uncertainties that are what sort of effect might occur? In addition to requirement to implement a project in a irrelevant in terms of objectives, and these should those uncertainties which if they occur would developing country, the need to use an be excluded from the risk process. For example if make it more difficult to achieve objectives (also unproven new technology, the lack of skilled we are conducting an IT project in India, the known as threats), there are also uncertain personnel, or the fact that the organisation uncertainty about whether it might be raining events which if they occur would help us achieve has never done a similar project before. tomorrow in London is irrelevant – who cares? our objectives (i.e. opportunities). When Causes themselves are not uncertain since But if our project involves redeveloping the identifying risks, we need to look for uncertainties they are facts or requirements, so they Queen’s gardens at Buckingham Palace, the with upside as well as those with downside. should not be managed through the risk possibility of rain in London is not just an management process. uncertainty – it matters. In one case the rain is Effective risk management requires identification • Risks are uncertainties which, if they occur, merely an irrelevant uncertainty, but in the other of real risks, which are “uncertainties which if would affect achievement of the objectives it is a risk. they occur will have a positive or negative effect either negatively (threats) or positively on one or more objectives”. Linking risks with (opportunities). Examples include the Linking risk with objectives makes it clear that objectives will ensure that the risk identification possibility that planned productivity targets every facet of life is risky. Everything we do aims process focuses on those uncertainties that might not be met, or exchange rates to achieve objectives of some sort, including matter, rather than being distracted and diverted might fluctuate, the chance that client personal objectives (for example to be happy and by irrelevant uncertainties. expectations may be misunderstood, or

6 7468/IPM Newsletter No.1/Ire 3/14/05 11:40 AM Page 7 Keith's G4:Desktop Folder:7468/IPMA Newsletter No.1/Ire:

THE WORLD LEADER IN PROJECT MANAGEMENT CERTIFICATION

whether a contractor might deliver earlier criteria (contingent possibility = effect on than planned. These uncertainties should be objective).” References and managed proactively through the risk • “We have to outsource production (cause); we further reading management process. may be able to learn new practices from our Association for Project Management. 2004 • Effects are unplanned variations from selected partner (risk), leading to increased “Project Risk Analysis & Management objectives, either positive or negative, which productivity and profitability (effect).” (PRAM) Guide” (second edition). Published would arise as a result of risks occurring. by APM Publishing, High Wycombe, Bucks Examples include being early for a milestone, The use of risk metalanguage should ensure that UK. ISBN 1-903494-12-5 exceeding the authorised budget, or failing to risk identification actually identifies risks, distinct meet contractually agreed performance from causes or effects. Without this discipline, risk Hillson D. A. 2000. “Project risks – targets. Effects are contingent events, identification can produce a mixed list containing identifying causes, risks and effects”. PM unplanned potential future variations which risks and non-risks, leading to confusion and Network, Volume 14 Number 9, pages will not occur unless risks happen. As effects distraction later in the risk process. 48-51 do not yet exist, and indeed they may never exist, they cannot be managed through the Conclusion Hillson D. A. 2002. “What is risk? Towards risk management process. Risks must be identified if they are to be a common definition”. InfoRM, journal of Including causes or effects in the list of identified successfully managed. But risk is not the same as the UK Institute of Risk Management, April risks obscures genuine risks, which may not uncertainty, and risks must be separated from their 2002, pages 11-12 receive the appropriate degree of attention they causes and their effects. We must be clear about deserve. So how can we clearly separate risks what we are trying to identify. Hillson D. A. 2003. “Effective opportunity from their causes and effects? One way is to use management for projects : Exploiting risk metalanguage (a formal description with Effective risk identification is an essential positive risk.” Published by Marcel Dekker, required elements) to provide a three-part prerequisite for a successful risk process, and this New York, US. ISBN 0-8247-4808-5 structured “risk statement”, as follows : “As a requires both a clear understanding of what “risk” Project Management Institute. 2004. “A Guide to the Project Management Body of FIGURE 2: Cause, Risk and Effect Knowledge (PMBoK®)”, Third Edition. Project Management Institute, CAUSE Definite fact about project or its environment Philadelphia, US.

RISK Uncertainty that could affect project if it occurs About the author Dr David Hillson PMP FAPM is an international risk EFFECT Contingent effect of risk on project objective(s) management consultant, and Director of Risk Doctor & Partners result of , means as well as what is does not mean. This (www.risk- may occur, which would lead to .” clarifying the fundamental link between risk and and award-winning author on risk. He is objectives (a risk is “any uncertainty which if it recognised internationally as a leading thinker Examples include the following : occurs would have a positive or negative effect on and practitioner in the risk field, and has made • “As a result of using novel hardware (a one or more objectives”), and by describing how several innovative contributions to improving risk definite requirement), unexpected system risk metalanguage can distinguish between cause, management. integration errors may occur (an uncertain risk and effect (“Because of a cause, a risk might risk), which would lead to overspend on the occur, which would lead to an effect”). Applying David is an active member of the global Project project (an effect on the budget objective).” these simple approaches will ensure that risk Management Institute (PMI®) and received the • “Because our organisation has never done a identification identifies risks, allowing the rest of 2002 PMI Distinguished Contribution Award for his project like this before (fact = cause), we the risk process to proceed on a sound basis. Only work in developing risk management over many might misunderstand the customer's then can we be sure that the risk management years. He is also a Fellow of the UK Association for requirement (uncertainty = risk), and our process is addressing those uncertainties that can Project Management (APM) and a Fellow of the UK solution would not meet the performance affect our projects and . Institute of Risk Management (IRM).

7