
There are many definitions of risk, but my preferred ones are:
“the effect of uncertainty on objectives”
British Standard BS ISO 31000:2011. Risk management – Code of practice and guidance for the implementation of BS ISO 31000, British Standards Institution, London, 2011
“the potential of a situation or event to impact on the achievement of specific objectives”
APM Body of Knowledge Seventh Edition, The Association for Project Management, Princes Risborough, 2019
“an event which may occur in the future and which if it happens might impact on the ability of the organisation to achieve its objectives”
Anderson, R., in “The Risk Management Universe: A Guided Tour”, Hillson, D. (Ed), British Standards Institution, London, 2006
Risk vs Issue vs Problem
To many in and around the project management community (and, no doubt, elsewhere) there is often confusion about the distinctions between ‘risk’, ‘issue’ and ‘problem’
A ‘risk’ is an event that may, or may not, occur. It is a probabilistic happenstance that is outside of the control of project participants (although they may be able to influence the impact of the event should it mature)
An ‘issue’ is a breach of the agreed tolerances for work or a deliverable within a project or programme that must be resolved and will require support of the project sponsor to agree the chosen resolution. It is also the term often given to a risk event that has matured (i.e. occurred)
A ‘problem’ is a matter to be dealt with in day-to-day management
Characteristics of Risk
When considering risk and seeking to describe what it is, it may be helpful to reflect on the sequence: cause, event and effect. That is to say, ‘something’ (a cause) may result in the occurrence of a ‘risk event’, which may affect the objectives
Thus ‘risk cause’ is the source of the risk, i.e. a circumstance that may be either internal or external to the project that triggers the ‘risk event’. The ‘risk event’ should describe what might happen (the area of uncertainty) and determine if it is a threat or opportunity. ‘Risk effect’ describes the impact that the risk would have on the project objectives should the risk materialise
When discussing a risk event there are three things to be considered:
Likelihood
That is, what is the probability of the event occurring? Likelihood can be stated in either a general way on (say) a five-point scale:
- Very low
- Low
- Medium
- High and
- Very high
Impact
Impact considers the result of the risk event occurring on the achievement of the project’s objectives, again on (say) a five-point scale
Proximity
It is useful to consider how close to “time now” the risk event might actually occur, i.e. within one week, one month, three months, six months, or longer than six months. Proximity doesn’t, of course, have any effect on likelihood or impact, but it does inform management’s decision-making in terms of focus and importance, as it would be prudent to deal with those risks expected to mature sooner before those that occur later in time. (Although, equally, high-probability, high-impact risks merit consideration ahead of low-probability, low-impact ones)
Risk Attitude and Risk Appetite
Risk and uncertainty are ever-present in programme and project management and, moreover, consideration of the risk(s) involved is necessarily perception-based. Risk attitude is a perception-driven conclusion by an individual or group as to the “riskiness” of the project or endeavour. For example, an extreme sportsman’s view of how “risky” something is may be different from that of those who just spectate
Risk appetite is how much risk (i.e. the quantum of risk) individuals, sponsors or investors are prepared to tolerate in order to achieve their, or the project’s, objectives
Decision-makers may need to reflect upon the perception of risk at the individual and organisational level and recognise that investors and funders may have a range of views regarding how “risky” an enterprise or project may be
Upside and Downside
Risk can also be categorised into “upside” risk (sometimes referred to as opportunity) and “downside” risk. The former, should it occur, may be expected to enhance or improve the out-turn performance of the project; that is, it is a positive thing and, consequently, the management team should seek to ensure that the event does occur. The latter will have a detrimental or negative effect on the out-turn and management should seek to reduce or mitigate the likelihood of the event occurring and its impact
Risk Assessment
The purpose of risk assessment is to seek to determine the combined effect of the degree of uncertainty that a risk event may occur and the impact on objectives should it occur
Simple risk assessments are, generally, made by reference to a matrix analysis which plots likelihood and impact using the five-point scale referred to above. Thus, any individual risk event would be assigned a score in the range of 1 to 25, representing a very unlikely occurrence with a very low impact (1) to a very likely occurrence with a very high impact (25).
At the risk of stating the obvious, upside (opportunity) and downside risks need to be considered separately.

Risk Response
Classically, there is a range of responses available to decision-makers and managers, depending on whether the event is a threat or an opportunity, i.e. whether it is a downside or upside risk.
Threats or Downside Risks
Avoid
Change an aspect of the project i.e. scope, procurement route, supplier or sequence of activities, so that the threat can no longer have an impact or can no longer happen
Reduce (mitigate)
Take proactive action to reduce the likelihood of the event occurring by putting in place a control, or reduce the impact of the event should it occur
Fall-back
Put in place a fall-back plan to reduce the impact should the risk occur. This is a reactive response
Transfer (insure)
A third party takes responsibility for some of the financial impact of the threat, should it occur
Share
Risk sharing between two (or more) parties by agreement to share the consequences such as increased cost should the risk mature
Accept
A conscious and deliberate decision to retain the threat, as it is more economical to do so than to attempt a response action and/or because it falls within the risk appetite of sponsors. Nevertheless, the threat should continue to be monitored to ensure that it remains tolerable
Opportunities or Upside Risks
Exploit
Seize an opportunity and seek to ensure the cause will happen and the beneficial impact will be realised
Enhance
Take proactive action to enhance the probability of the cause occurring or the impact should the event occur
Share
Parties by agreement may share the beneficial gains such as cost savings or enhanced performance if the risk matures
Reject
Take a conscious and deliberate decision not to exploit or enhance the opportunity
Risk Register
The Risk Register is a tool that assists with the recording of potential risks and the response(s) to them decided upon by project sponsors and their professional management team
It is considered good practice for the register to record:
- Risk event
- Likelihood
- Impact
- Risk Score (product of likelihood and impact)
- Proximity
- Response
- Risk Owner
- Post response likelihood
- Post response impact
- Post response score
- Further actions
- Date for next review
- Is the risk “Open” or “Closed” (that is, is the risk still likely to occur, or has it either occurred and been dealt with or is it no longer a risk)
Action Plan
The project team should put in place an action plan to deal with agreed responses to risk events. Such plans should deal with two sets of circumstances
The first concerns downside risk and comprises two elements: (a) the plan to implement the risk response and (b) the plan should the risk event nevertheless occur
The second is the plan to be implemented to enhance the probability of upside risks maturing
Risk Management Framework
An organisation’s risk management framework comprises the over-arching protocols and methodologies for assessing, managing and responding to risk events
It should also set out the risk attitude and range of risk appetites that the organisation is prepared to accept and the mechanisms for assessment, review and decision-maker approvals and/or delegated authorities. Usefully, it could also include audit arrangements
Conclusions
Risk and uncertainty are ever-present. Organisations and temporary project organisations should adopt and implement a management framework that enables risks to be assessed, reviewed and managed, with appropriate mandates delegated to particular post-holders or individuals
Adopting such practices as discussed here provides a level of organisational preparedness to not only deal with identified risks and opportunities but, importantly, a methodology to deal with any unexpected risks that might be encountered (the unknown unknowns)
Despite such processes, however, it needs to be recognised that the practice of risk management is an iterative one that needs to be kept under review at all times
A downloadable copy of this paper, together with the references is available from Martin Stevens Academy