My last article addressed the need to distinguish risk from uncertainty. There are an infinite number of uncertainties, but these are only risks if they would affect objectives if they occurred. A risk is "an uncertainty that matters".

Another common challenge in risk identification is to avoid confusion between causes of risk, genuine risks, and the effects of risks. The PMI� PMBoK� Guide (Third Edition Exposure Draft) says that "A risk may have one or more causes and, if it occurs, one or more impacts". In the most simple case, one cause leads to a single risk which in turn could have just one effect, though of course reality is considerably more complex. How do these three differ?

• Causes are definite events or sets of circumstances which exist in the project or its environment, and which give rise to uncertainty. Examples include the requirement to implement the project in a developing country, the need to use an unproven new technology, the lack of skilled personnel, or the fact that the organisation has never done a similar project before. Causes themselves are not uncertain since they are facts or requirements, so they should not be managed through the risk management process.
• Risks are uncertainties which, if they occur, would affect the project objectives either negatively (threats) or positively (opportunities). Examples include the possibility that planned productivity targets might not be met, interest or exchange rates might fluctuate, the chance that client expectations may be misunderstood, or whether a contractor might deliver earlier than planned. These uncertainties should be managed proactively through the risk management process.
• Effects are unplanned variations from project objectives, either positive or negative, which would arise as a result of risks occurring. Examples include being early for a milestone, exceeding the authorised budget, or failing to meet contractually agreed performance targets. Effects are contingent events, unplanned potential future variations which will not occur unless risks happen. As effects do not yet exist, and indeed they may never exist, they cannot be managed through the risk management process.

Including causes or effects in the list of identified risks obscures genuine risks, which may not receive the appropriate degree of attention they deserve. So how can we clearly separate risks from their causes and effects? One way is to use risk metalanguage (a formal description with required elements) to provide a three-part structured "risk statement", as follows: "As a result of [definite cause], [uncertain event] may occur, which would lead to [effect on objective(s)]."

Examples include the following :

• As a result of using novel hardware (a definite requirement), unexpected system integration errors may occur (an uncertain risk), which would lead to overspend on the project (an effect on the budget objective).
• Because our organisation has never done a project like this before (fact = cause), we might misunderstand the customer's requirement (uncertainty = risk), and our solution would not meet the performance criteria (contingent possibility = effect on objective).
• We have to outsource production (cause); we may be able to learn new practices from our selected partner (risk), leading to increased productivity and profitability (effect).

The use of risk metalanguage should ensure that risk identification actually identifies risks, distinct from causes or effects. Without this discipline, risk identification can produce a mixed list containing risks and non-risks, leading to confusion and distraction later in the risk process.

About the author:Dr David Hillson PMP FAPM FIRM MCMI is an international risk management consultant, and Director of Risk Doctor & Partners (www.risk-doctor.com). He is a popular conference speaker and award-winning author on risk. He is recognised internationally as a leading thinker and practitioner in the risk field, and has made several innovative contributions to improving risk management. His recent emphasis has been the inclusion of proactive opportunity management within the risk process, which is the topic of his latest book.

David is an active member of the global Project Management Institute (PMI) and was a founder member of its Risk Management Specific Interest Group. He received the 2002 PMI Distinguished Contribution Award for his work in developing risk management over many years. He is a Fellow of the UK Association for Project Management (APM) and a Fellow of the UK Institute of Risk Management (IRM), as well as being a member of the Chartered Management Institute. David can be contacted at david@risk-doctor.com