What is a risk in project management?
Before we start discussing and defining risk management and its importance, it’s essential that we first understand what a risk is and how that word is defined. Most people will feel they have a good understanding of it but when applying the term “risk” to project management there has been a common misconception for years.
The Oxford and Cambridge dictionaries both provide similar definitions for the word "risk":
The possibility of something bad happening at some time in the future; a situation that could be dangerous or have a bad result.
The common theme prevalent in this definition is that a risk is something perceived as negative, as being bad, as being dangerous. Technically that is an accurate description – but there is a more modern translation of the word “risk” that will give us a broader understanding of this word.
Examine the definition of a "risk" as described in the Management of Risk M_o_R® guide:
"An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives…"
Within this definition, we do not see the word "bad", any words that suggest danger or anything alluding to negativity. You can think of it as a neutral definition. The key word within this definition is the word "uncertainty". Both definitions suggest uncertainty, and the reason why risks are uncertain is that they are set in the future, but not all future uncertainties will have a bad result.
We also see that it focuses on events that will have an effect on the achievement of objectives. This portion of the definition is vital. When you're managing risk in a world that is full of time and cost constraints and limited resources, it’s important to focus on only uncertainties that will affect what I am trying to achieve. This gives me a focus.
Threats and opportunities
In recent years, organisations have been accepting that the word "risk" simply means an uncertain event, and in this understanding, there can be two different categories: threats and opportunities.
An uncertain future event that, should it happen, would have a negative impact on the goals you are trying to achieve.
An uncertain future event that, should it happen, would have positive impact on the goals you are trying to achieve.
In this day and age, all organisations should make calculated efforts to capitalise on existing opportunities – failure to do so can be very costly in some competitive industries. If you have set yourself a goal, then risk-taking is inevitable; along the road lies uncertainty, but the good news is that it doesn’t always have to be something negative.
Risk assessment: document it clearly
Coordinated activities to direct and control an organisation with regard to risk (ISO31000:2018).
Risk is inherent in everything we do to achieve our objectives. Whether or not it's visible or deliberate, all organisations manage risk in some way, as do we as individuals. Sometimes it comes naturally as a part of our thought process.
For example, you're deciding when to cross a road. You're away from a designated crossing area and a car can be seen in the distance. Your eyes have identified the risk: the fast-approaching car. You have already established your goal: you want to cross the road. You could wait for the car to go by but you can see there are more cars behind it and you may have to wait a while, so your brain starts making assessments. How far away is the car? How fast is it travelling? Will it decelerate when I step into the road? Am I fast enough to cross the road before it arrives without putting myself in any necessary danger? Once these assessments have been made, you make an informed decision on what you're going to do… wait or run.
What if I told you the risk management process for project work is identical?
For project teams it’s important that this process is well understood by everybody and it does need to be visible – it cannot exist in someone’s mind. Documenting the process ensures visibility and our plans to manage risk bring everyone onto the same page. It also ensures that a consistent approach can be taken across the team and the organisation. Having documented processes and plans allows for standards to be achieved, lessons to be learned and improvements to be implemented based on past performance.
Why is good risk management important?
Projects that fail to proactively manage risk are subject to more issues occurring – issues being events that are happening now that require attention. Dealing with undesirable issues can be time-consuming and costly. It’s often clear when a project has no formalised approach to managing risk as much more time is spent firefighting. In more extreme cases, projects fail to meet their stated objectives and are prematurely cancelled.
Undesirable issues can often be prevented by applying proactive measures during risk management. It's crucial for any project team to identify and understand the risks that exist at any given time. Without such information, without the big picture, you'll be making important decisions without full insight. One of the main aims of risk management is that it helps to support better decision-making by giving insight to the risk that exists – with this knowledge, proactive decisions and sound judgements can be made as to the best way to proceed.
Effective risk management
Organisations manage risk in different shapes, forms and sizes. But in order to get the full benefit of risk management, it’s important that risk are:
- Identified – acknowledging the key uncertainties that could have an impact on what you are trying to achieve. These should be captured and communicated in a consistent way.
- Assessed – previously identified risks need to be further understood by estimating the likelihood of them occurring and the potential impact they could have on objectives. This understanding helps to prioritise your management efforts on the more urgent risks.
- Controlled – urgent risk will need to be responded to. An appropriate response to each risk needs to be chosen, executed and then monitored to ensure a desired outcome is reached.
None of these core steps can be missed when you're managing risk.
For more information about risk management best practice, consider visiting the AXELOS page for insights about the Management of Risk (M_o_R) certification, framework, case studies, qualification guidance and sample questions.