When is a Risk Not a Risk?
Risk identification identifies risks. It sounds simple, right? David Hillson explains why it's fundamental to get it correct first time...
Many people, when they try to identify risks, get confused between risk and uncertainty. Risk is not the same as uncertainty, so how are the two related? The key is to realise that risk can only be defined in relation to objectives. The simplest definition of risk is "uncertainty that matters", and it matters because it can affect one or more objectives. Risk cannot exist in a vacuum, and we need to define what is "at risk", i.e. what objectives would be affected if the risk occurred.
A more complete definition of risk would therefore be "an uncertainty that if it occurs could affect one or more objectives". This recognises the fact that there are other uncertainties that are irrelevant in terms of objectives, and these should be excluded from the risk process. For example, if we are conducting an IT project in India, the uncertainty about whether it might be raining in London is irrelevant - who cares? But if our project involves redeveloping the Queen's gardens at Buckingham Palace, the possibility of rain in London is not just an uncertainty - it matters. In one case the rain is merely an irrelevant uncertainty, but in the other it is a risk.
Linking risk with objectives makes it clear that every facet of life is risky. Everything we do aims to achieve objectives of some sort, including personal objectives (for example to be happy and healthy), project objectives (including delivering on time and within budget), and corporate business objectives (such as to increase profit and market share). Wherever objectives are defined, there will be risks to their successful achievement.
The link also helps us to identify risks at different levels, based on the hierarchy of objectives that exists in an organisation. For example, strategic risks are uncertainties that could affect strategic objectives, technical risks might affect technical objectives, reputation risks would affect reputation, and so on.
One other question arises from the concept of risk as "uncertainty that could affect objectives" - what sort of effect might occur? In addition to those uncertainties which, if they occur, would make it more difficult to achieve objectives (also known as threats), there are also uncertain events which, if they occur, would help us achieve our objectives (i.e. opportunities). When identifying risks, we need to look for uncertainties with an upside as well as those with a downside.
Effective risk management requires identification of real risks, which are "uncertainties which if they occur will have a positive or negative effect on one or more objectives". Linking risks with objectives will ensure that the risk identification process focuses on those uncertainties that matter, rather than being distracted and diverted by irrelevant uncertainties.
Dr David Hillson PMP FAPM FIRM MCMI is an international risk management consultant, and Director of Risk Doctor & Partners (www.risk-doctor.com). He is a popular conference speaker and award-winning author on risk. He is recognised internationally as a leading thinker and practitioner in the risk field, and has made several innovative contributions to improving risk management. His recent emphasis has been the inclusion of proactive opportunity management within the risk process, which is the topic of his latest book.
David is an active member of the global Project Management Institute (PMI) and was a founder member of its Risk Management Specific Interest Group. He received the 2002 PMI Distinguished Contribution Award for his work in developing risk management over many years. He is a Fellow of the UK Association for Project Management (APM) and a Fellow of the UK Institute of Risk Management (IRM), as well as being a member of the Chartered Management Institute. David can be contacted at david@risk-doctor.com