by Peter Martini
Office of Management and Budget Circular A-123 requires that federal agencies conduct risk assessments of their operational environments.
The Project Management Institute Project Management Body of Knowledge® (5th ed., p. 310) defines project risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives… A risk may have one or more causes and, if it occurs, it may have one or more impacts.”
The underlying goal of risk management is to identify and address risks. A common weakness in risk assessments is confusion among cause, risk and impact – which gets in the way of effective risk management.
Impacts versus Risks
Organizations often confuse impacts and risks. For example, they may talk about risks saying, “We may fail to deliver on schedule,” or “Our product may not be delivered with the required quality.” Yet both statements convey impacts on project objectives, not risks. In fact, mis-categorizing the potential impacts as risks makes them nearly impossible to manage.
Instead, organizations should ask themselves, “What would result if our schedule or quality targets are not met?” Schedule overruns, for instance, might result from unclear requirements or high staff turnover.
The proximate cause will dictate significantly different risk management strategies.
(Too) Broadly Defined Risks
Another risk assessment issue is defining risks too abstractly. A classic example is: “Funding may be insufficient.” Insufficient funding is a category and, as such, cannot be directly managed and is not a risk.
To identify risks, organizational leaders could ask, “What uncertain event or condition might cause a funding shortfall?” Two possibilities include organizational priority changes that redirect funding or uncontrolled operational costs that reduce available funding. Each of those risks would be managed differently.
Value of Identifying the Proximate Cause
Identifying the proximate cause of a given risk is essential on two levels:
For example, regarding failure to control operational costs, the cause might be increased travel expenditures due to rising energy costs. It could be managed through alternatives to physical travel.
David Hillson’s article titled “Project Risks: Identifying Causes, Risks, and Effects” offers additional perspectives on this topic. I recommend it highly.
Hillson, David (2000) | “Project Risks: Identifying Causes, Risks, and Effects” | PM Network, 14(9), 48-51 | https://www.pmi.org/learning/library/project-risks-causes-risks-effects-4663
Project Management Institute | A Guide to the Project Management Body of Knowledge (PMBOK® Guide) | 5th ed., p. 310
U.S. Office of Management and Budget | “OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control” | https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-17.pdf