Key principles of risk management
Definition of risk
There are different definitions of risk that vary in scope and completeness; popular definitions are set out below:
‘Risk is a possible future event combining the probability or frequency of occurrence of a defined threat or opportunity and the magnitude of the consequences of that occurrence.’
British standard, IEC guide 73:2002
‘An uncertain event or set of circumstances that should they occur would have an effect on the achievement of one or more of the project objectives.’
APM Body of Knowledge
‘Uncertainty of outcome (whether positive opportunity or negative threat). It is the combination of the chance of an event and its consequences.’
Management of Risk: Guidance for Practitioners
Perhaps the simplest definition is contained in ISO 31000, which has the advantage of being applicable to most situations: risk is the effect of uncertainty on objectives. Note that uncertainty can be either positive or negative, and objectives are what one is trying to achieve.
Adherence to a recognised definition of risk is not essential, but it can help, and it is advised that some definition is adopted early to avoid confusion.
Risk is considered exclusively as a future phenomenon, and risk management as a way to control the future that can have a direct impact on the success of the project.
The ‘effect’ in the above definition can occur as an event or can simply be an expression of our lack of knowledge about the outcome.
The essential point is that there is some variability in the future that will affect the outcome, and that risk management helps to understand that uncertainty, what can be done about it (if anything) and whether it is significant.
Risk refers to both positive and negative uncertainty and risk management is concerned with both threats and opportunities.
Risk management in context
Risk management operates in projects, programmes and businesses as one of many processes and techniques designed to help control outcomes. It should not operate in isolation; it is part of a wider effort to control change and promote stability. As such, there are a number of terms that are used in conjunction with risk management, as follows:
- Uncertainty: either a risk with a 100% probability of occurring or a general description of a variable.
- Change: usually an item that affects the budget, although it is often used generically to describe anything that varies. It is important that change is used prescriptively, otherwise it creates a lot of confusion.
- Trend: an emerging risk that has a demonstrable impact on the baseline, either time or cost.
- Early warning: a contract term that describes the notification of a risk (derived from the NEC contract).
- Issue: sometimes used to describe a risk that has occurred, but more recently used for a management issue that needs to be resolved but does not necessarily have a direct impact on the baseline.
Be aware that there are no consistently used standard definitions. Different organisations have a tendency, for all the right reasons, to define the terms to suit themselves. This shouldn’t be seen as a problem, but it is wise to be clear about definitions as early as possible.
Other definitions of an issue are given below:
‘A relevant event that has happened, was not planned and requires management action. It could be a problem, query, concern, change request or risk that has occurred.’
Management of Risk: Guidance for Practitioners
‘A term used to cover any concern, query, Request for Change, suggestion or Off-Specification raised during the project. They can be about anything to do with the project.’
Prince2
There are many other terms associated with risk, and while this can be a source of disagreement, so long as a definition is agreed and consistently applied within a domain it does not really matter what it is. The most crucial point is recognising things that are certain and things that are less so.