One common definition of risk is “a potential problem that might delay project, increase its cost, or otherwise harm the project”. But some say this focus on negative risk or threats means that doom, gloom, anxiety and poor morale can prevail and potential opportunities are missed.
Thus, contemporary definition is that risk is “an uncertain event that has positive or negative (upside or downside) effect on at least one of the project parameters”. The PMBOK®, perhaps not wishing to be trumped by PRINCE2, also now defines risk as “a discrete occurrence that may affect the project for better or worse”, but doesn’t really address the concept much further as yet.
In recent years, project risk management has deservedly been given much greater attention. Where once we might have invited some stakeholders to check out our pristine plan before its execution – sort of one-off risk management event designed mainly to identify and nullify the cynics and pessimists before they undermined our project, risk management is now proactive, essential and integral part of the whole project life cycle.
This heightened interest is due in part to our increasingly uncertain future as exponential rates of change cause unexpected things and seem to quickly render our estimates, forecasts and predictions pretty much useless, except perhaps as baseline against which to assess some hapless project manager’s performance.
Given that the further out we attempt to look, the more fuzzy the future, it’s little wonder that project duration is now major risk factor (especially when our organisation’s strategic plan is of even shorter duration), aggravated by project complexity, novelty, and size characteristics.
But there has always been uncertainty with projects. This uncertainty generally diminishes as our project proceeds and reality is revealed. It’s not until the project is finished that we have complete certainty. We then know for sure that we have disaster or something better. At that point, it’s all facts. Up until then it’s been estimates – statistical probabilities. And an “exact estimate”, even the most optimistic project owners now recognise, is an oxymoron.
Traditionally, we have thought of risk in terms of negative consequences. Risks were seen as bad guys – threats to our project’s success. What’s at stake, how much could we lose, and how bad will it hurt us?
But risks also contain opportunities. That’s the side of the ledger we often forget. So, not all risk is negative. Risk can also have positive impact on our project. When risk occurs, be it good or bad, it’s an issue, which also could be good or bad and needs to be addressed.
For example, say Company announces that it is most likely to launch its new product on 1 October. Company B is also undertaking project to produce similar product, and realises that every day it launches earlier than Company A, the bigger will be its initial market share and profit. However, it also realises that every day it launches later than Company A, the smaller will be its market share and profit. Thus, positive outcome of this risk is that if fear of late release causes Company B to accelerate its schedule and complete the project even one week earlier than does Company A, then risk management should provide positive outcome. Although, Company A’s launch date could have been porky to lull Company B into false sense of security!
Our risk logs or registers should now cater for both opportunities and threats, with responses and contingency plans, complete with budgets, which aim to exploit, share or enhance opportunities or positive risk. And owners will need to be assigned as we do for negative risks.
Also, we should address opportunities from the start of the project. Capture strategies for major opportunities should be included in our baseline plan, medium opportunities need contingency plans for exploitation when triggers happen, and minor opportunities, like minor threats, generally need no immediate action. New opportunities will likely be identified as the project proceeds and existing opportunities need to be reassessed periodically, including business case benefits.
Risk management is now dynamic and ongoing business, which like quality and safety should involve us all.
Incidentally, the risk probability curve is not bell-shaped. The skewed appearance recognises Murphy’s Law that tells us there is always more that might go accidentally wrong (threats), than might go accidentally right (opportunities). In our example, there is limit to how early the launch might occur, but perhaps no limit to how late the launch might be.
Sometimes, in the interests of getting there first, some extra expenditure might be incurred and some quality and functionality might be sacrificed or at risk, at least with Version 1.0, in order to secure the market. Version 2, our enhancement project, should rectify these issues. The only certainty for users is that at launch the product will already be obsolete! Our example is time-driven project in which risk is therefore particularly significant if it impacts the schedule, which in turn may impact project benefits for better or for worse.
Risk can impact any of the project parameters (objectives or constraints) and project benefits – those positive outcomes typically identified in the project business case that justify the initial and ongoing investment. Accordingly, for the project sponsor and client or owner at least, interest in risk management should continue into the operational life of the deliverable when benefits are realised, not realised, or exceeded, which arguably is when the real success of the project can be determined. Just as our threat responses might cause secondary threats, which if untreated may mean disbenefits, opportunity responses, even after product launch, might create secondary opportunities, which if exploited, may mean further project benefits not originally identified.
Benefits might be of the first-to-market variety as per our example, or not come to fruition for some time when they will be at much greater risk. No benefits are assured, especially those that take time to materialise, and even then we can’t always attribute actual benefits to our project. Some other projects might also claim our benefits – especially those longer-term, indirect and qualitative type benefits. Benefit realisation is also subject to mostly uncontrollable and unpredictable situational factors, which very occasionally conspire to make our projects and their products more successful than they deserve to be.
Hey, you took risk reading this article. You invested some of your precious time – and thanks for that – but it’s time you can’t regain. Also, you might have done something better – opportunity cost. However, you may now know something useful that you didn’t know before. In which case, you took risk and hopefully benefited from doing so.
In summary, risks usually have negative connotation – they are the bad guys that can harm our project, whereas modern risk approaches recognise positive risks or opportunities. These good guys make our projects faster, better or cheaper (or more profitable). That said, I suspect most time and focus will still be spent handling negative risks or threats, despite our changing definition of risk. M
Dr Jim Young FNZIM is certificated PMP and PRINCE2 practitioner and project management consultant and trainer.
