When is a risk not a risk? Part 1
Published: 08 September 2015
One of the most common failings in the risk management process is for the risk identification step to identify things that are not risks. In the first of a two-part article series, David Hillson explains how to tell the difference between risk and uncertainty.
One of the most common failings in the risk management process is for the risk identification step to identify things which are not risks. Clearly if this early stage of the risk process fails, subsequent steps will be doomed and risk management cannot be effective. It is therefore essential to ensure that risk identification identifies risks.
Many people when they try to identify risks get confused between risk and uncertainty. Risk is not the same as uncertainty, so how are the two related? The key is to realise that risk can only be defined in relation to objectives. The simplest definition of risk is ‘uncertainty that matters’, and it matters because it can affect one or more objectives. Risk cannot exist in a vacuum, and we need to define what is ‘at risk’, i.e. what objectives would be affected if the risk occurred.
A more complete definition of risk would therefore be ‘an uncertainty that if it occurs could affect one or more objectives’. This recognises the fact that there are other uncertainties that are irrelevant in terms of objectives, and these should be excluded from the risk process. For example if we are conducting an IT project in India, the uncertainty about whether it might be raining in London is irrelevant – who cares? But if our project involves redeveloping the Queen’s gardens at Buckingham Palace, the possibility of rain in London is not just an uncertainty – it matters. In one case the rain is merely an irrelevant uncertainty, but in the other it is a risk.
Linking risk with objectives makes it clear that every facet of life is risky. Everything we do aims to achieve objectives of some sort, including personal objectives (for example to be happy and healthy), project objectives (including delivering on time and within budget), and corporate business objectives (such as to increase profit and market share). Wherever objectives are defined, there will be risks to their successful achievement.
The link also helps us to identify risks at different levels, based on the hierarchy of objectives that exists in an organisation. For example strategic risks are uncertainties that could affect strategic objectives, technical risks might affect technical objectives, reputation risks would affect reputation, and so on.
One other question arises from the concept of risk as ‘uncertainty that could affect objectives’ – what sort of effect might occur? In addition to those uncertainties which if they occur would make it more difficult to achieve objectives (also known as threats), there are also uncertain events which if they occur would help us achieve our objectives (i.e. opportunities). When identifying risks, we need to look for uncertainties with upside as well as those with downside.
Effective risk management requires identification of real risks, which are ‘uncertainties which if they occur will have a positive or negative effect on one or more objectives’. Linking risks with objectives will ensure that the risk identification process focuses on those uncertainties that matter, rather than being distracted and diverted by irrelevant uncertainties.
The next Briefing will clarify another common confusion in risk identification: the difference between risks, their causes and their effects. See When is a risk not a risk? Part 2.
First published by David Hillson at www.risk-doctor.com 2004.