Three essential elements of risk - Business Works
BW brief

Three essential elements of risk

by Crispin Piney, Risk Expert

All risk management standards agree that the goal of risk management is to enhance the chances of success of the relevant endeavour. However, each of them provides a different definition of risk, and this matters because, until we know what we are dealing with, we cannot manage it in the best way possible, says Crispin ('Kik') Piney, who specialises in managing risk in projects and programmes and is part of the Risk Doctor network.

The ISO31000:2009 definition calls it 'effect of uncertainty on objectives', the PMI PMBOK® Guide has 'an uncertain event or condition that, if it occurs, has a positive or negative effect on the project's objectives' and the preferred Risk Doctor definition is 'uncertainty that matters'. Each description is true, but only partly so:

  • If we use the ISO definition, then our first thought will be to focus on the effect;

  • If we follow PMI, then we will start from the potential occurrence;

  • With the Risk Doctor definition, we start from uncertainty.

Each of these, the effect, the event and the uncertainty, is a component of risk, but on its own it is not a risk. Even taken in pairs, they do not provide the full picture:

  • an effect plus an event is an issue;

  • an event plus an uncertainty is a prediction;

  • an uncertainty plus an effect is a concern.

It is only when you put all three together that you can see what a risk is made of, and use this information to decide on what, if anything, to do about it. Of course, this then requires a longer definition, but the goal, enhancing the chances of success, is worth the effort. But what is 'success'? It is more than simply 'meeting objectives'; it must also include the condition of 'complying with project constraints' in order for the final result to remain within scope.

Given this clarification, a more complete definition is 'Risk consists of three parts: an uncertain situation, the likelihood of occurrence of the situation and the effect (positive or negative) that the occurrence would have on project success'.

The three-part definition helps with three important stages of the risk management process:

  • in risk identification, it supports the structured description of a risk ('risk metalanguage') in the form: 'Because of <one or more causes>, <uncertain situation> may occur, leading to <one or more effects>';

  • in risk evaluation, knowledge of potential causes allows you to evaluate the likelihood; identification of effects provides a basis for quantifying the impact;

  • in risk response planning, the different parts of the definition suggest different response approaches:

    • for threat avoidance, understanding the situation may allow you to stop it happening or protect against its results;

    • understanding the situation can also be used to help us exploit opportunities;

    • in risk transfer or sharing, we seek a partner better equipped to address the effect;

    • for threat reduction or opportunity enhancement, we focus on the effect and / or the likelihood;

    • in risk acceptance, any contingency plan has to address the effect.

Including these three components when you describe risks (the uncertainty, the event and the effect) will help everyone involved in risk management to take account of these three important aspects of risk and act on them to enhance the chances of success.

Crispin ('Kik') Piney is part of the Risk Doctor network. For more information or to contact Kik, please visit:
