The IIL Blog

Focusing on the Right Risk – Risk Magic

I have visited many companies over my 20 plus years of project and program management training and consulting.  Time and time again, I see organizations are not dealing with risk appropriately.  Sure, they have a list of five to ten risks on their projects, but they are not managing their risk and are falling into risk management pitfalls. In this article, let’s look at a few ways we can change from risk managing us to us managing the risk. Some people would call this risk magic.

Let me refresh your memory on the definition of risk. “Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost and quality.”   “A risk may have one or more causes and, if it occurs, it may have one or more impacts.” [PMBOK 5th Edition, PMI. ©2012, Chapter 11, page 310]. So, uncertain events from various causes can have impacts or effects on your project. If we want to avoid the negative impacts and take advantage of the positive impacts, wouldn’t it make sense to be proactive about these events or causes?

Dr. David Hillson, an international thought leader in risk management, says that the risk we need to be concerned with is the uncertainty that matters. We need to examine the two key terms, “uncertainty” and “matters”, and figure out what uncertainty brings risk to something we care about and what kind of mattering we care about. Let’s first look at what matters.

What Matters

For a vast majority of project managers, when something happens on their projects that they didn’t expect, they call it “unknown risk”. Take a minute and think about what “unknown risk” is before you continue reading.

In the real world, we tend to think of “unforeseen” events as being unknown risk. We didn’t think it could happen and we never identified it as a problem. Well, if we are trying to be proactive, having “unforeseen” events means we are being more reactive, waiting for them to happen, rather than being proactive. If we were more proactive, it would give the project team time to think through the risks and responses to those risks, providing a better focus on project success.

If we look at why we run into problems that are “unforeseen”, there are a few recurring themes. The three most prevalent are:

  • Looking at risk wrong,
  • Poor risk definition, and
  • Limited thinking.

Let’s dive into these three for a few minutes.

Looking at Risk Wrong

How many of you have “lack of resources” as a risk on your projects?  Most often the resources we are talking about are human resources. How often do you have too few people to do all the required work on your project as planned?  When I ask this question in class or at a presentation, the answer I get is it happens “all the time”.  Well wait a minute. If you never have enough resources to do the required work according to the plan, is that a risk?

Or is that just poor project management? Who built an unrealistic plan as the baseline for the project? It is NOT a risk; it is a fact (if it happens all the time) that you will have too few resources. So, build a realistic plan, utilize resources as they are available, NOT like you would like them to be available. Facts are not risks.

Poor Risk Definition

In defining risks, we also define them inadequately. Is the weather a risk on your project? By defining “rain” as a threat to your project, what courses of action come to mind to avoid or mitigate it? Exactly, we shrug our shoulders. We don’t have any idea.

One way to define risks is to use a format that is called many names, but essentially it is Cause-Consequence.  We define what the root cause of the risk is and then define what the consequence is.  Let me give you an example.  Instead of just saying the rain would be a threat to our project, be more specific. Cause: “During the laying of the foundation, if it rains more than .25” per hour, it will overwhelm the temporary drainage system, flooding the construction site”. Be more specific about the consequence as well.  Consequence: “There will be a two-week delay to the project at $100K per day.”

Now, think about what could be done in this situation to deal with this threat more effectively.  Go ahead before you read on and come up with 2-3 options. I’ll wait.

Some have said that we should install a more capable drainage system now before it rains, others say to have portable pumps and hoses on-site to redirect any excess water, others still might say to grade the construction site so the rain will drain away from the area. These are great ideas. They come from defining the risks in more detail, using the Cause-Consequence format. Try it out!

Limited Thinking

In defining risks, we limit our thinking and focus on the negative aspects. We do this so much that many people find it difficult to think of anything besides threats when someone mentions risks. When we defined risk earlier, we said there could be either a POSITIVE or negative impact. You are leaving many opportunities unreviewed, just hoping and praying that they happen while you focus on the threat side.

Spend some time thinking about what opportunities exist (use the same Cause-Consequence format).  Consider as many opportunities as possible. Here is an example. Situation: We are buying 5 computers for the project team; the contractor gives a 10% discount for the first 10 computers and a 30% discount for 11 or more computers. We get a 10% discount. Cause: Can we find another project buying 6 or more computers at the same time we are? Consequence: Both projects will get an additional 20% discount.

So “what matters” are those risks (opportunities and threats) that can have a significant consequence on our project.  We now know how to better define these risks so we can be more proactive.

The other aspect Dr. Hillson mentioned was uncertainty.  Let’s look more at uncertainty.


Dr. Hillson lists four types of uncertainty:

  • Stochastic uncertainty
  • Aleatoric uncertainty
  • Epistemic uncertainty
  • Ontological uncertainty

For each type I would like to define it, give an example of it, and identify an action we might take.

Stochastic Uncertainty

Definition: These are random events; each has a chance of happening or not. Think of events, or our normal definition of risk. A risk event either happens or it doesn’t, yes or no.

Example: Parts delivery could be on time or late.

Action: Here we use our normal risk responses (Threats: Avoid, Mitigate, Transfer or Accept; Opportunities: Exploit, Enhance, Share or Accept)

Aleatoric Uncertainty

Definition: A chance of multiple outcomes. Think of variability, coming from our lack of knowledge. We don’t know which of the possible results will happen.

Example: Rolling a die, you could get 1 of 6 possible results.

Action: Reduce the variability, understand it better with 3-point estimates or tornado diagrams.

Epistemic Uncertainty

Definition: Relating to knowledge or knowing about the risk. Think of ambiguity from our lack of understanding the situation.

Example: We do not know how the competition will react to a new enhancement we are releasing next month.

Action: Knowing that you lack understanding allows you to try to uncover more information to help fill the gap.

Ontological Uncertainty

Definition: Related to or based upon being or existence. Think emergent or from out of the blue.

Example: If I had an example, it wouldn’t be Ontological, Haha.

Action: Identify vulnerable parts of your project and set up triggers, build resiliency or management reserves.

If we think back to what we considered an “Unknown risk” at the beginning, the examples we came up with could have fit into any of these four types.  As we can see, the only one that is truly unknown is the last, Ontological risk.

I started the article by saying that some people believe there is risk magic. If you have ever seen a good magician, it looks like magic. To someone outside our project, good risk management may look like magic.  But just as the magician knows exactly what they are doing, project managers who follow the risk management process and take time to avoid the risk management pitfalls, can make it look like magic.  I hope you can take something from this article and put it to use on your projects, making risk magic.

Jeffrey is a Program and Project Manager Professional, Trainer, Coach, Facilitator, Speaker and Mentor in project management and agile. With over 20 years of extensive experience working with all levels of an organization, Jeffrey is an energetic and dynamic leader who thrives on developing people and organizations, with great verbal and written communication, exceptional problem solving, supportive management skills and a positive work ethic.

If you have questions or comments, please contact me, and mention the article.

Jeffrey S. Nielsen (Jeff)

Disclaimer: The ideas, views, and opinions expressed in this article are those of the author and do not necessarily reflect the views of International Institute for Learning or any entities they represent.
