Project Management Institute

Analyzing risks


Question: What are the underlying principles of risk assessment and how does it differ from risk management?

In his insightful and entertaining book, Against the Gods: The Remarkable Story of Risk, Peter Bernstein identifies the management of risk as the dividing line between the old world and the new. Before we understood risk, mankind was only reactive: Floods, famines, plagues and catastrophes were seen just as the retribution of the gods, events that man could only suffer and endure. Maybe the victims deserved their punishment, maybe they didn't, but all agreed there was nothing to be done about it.

But the rise of commercial ventures and large public projects caused people to think about taking their futures into their own hands. Later, the development of mathematics, statistics and probability gave people the tools to assess risk first and then deal with it. Project-based organizations, like shipping and trading companies, involved high levels of investment and risk and were among the first to approach risk management in a formal way: “If half our ships on the Spice Island route are lost to storms and pirates, let's send two ships, by different routes, to maximize our chances of success.”

Then and now, before risk can be managed, it must be understood. We can plan our responses to risks only after we have identified what those risks are, and what their impacts are likely to be. While the precise techniques of risk assessment develop over time, the underlying principles remain the same.

Memory/Imagination. Risk assessment begins with memory. This is true both personally (you remember what happened when you last drove too fast on an icy road) and professionally (Boeing began the design of its 777 jetliner by poring over the lessons learned from its predecessor 767). Either way, memory lets us use the lessons from our past to suggest what risks we'll face in the future.

The future has a way of developing in ways reminiscent of the past, but different from it too. We can count on our memory of past events as a general guide, but never as infallible truth.

All this brings us to that great complement of memory, imagination. If memory reflects our past, it is imagination that allows us to foretell our future. Without imagination, we are imprisoned by our past like the World War I generals, who kept hurling waves of young British men at Germany's new machine guns, and in so doing, wasted a generation of English youth.

Probability/Impact. The other major principle of risk assessment dates back to 1668 when Antoine Arnauld wrote, “Fear of harm ought to be proportional, not merely to the gravity of the harm, but also to the probability of the event.”

This simple but revolutionary idea is reflected today in the construct in which we multiply probability of occurrence by impact to learn the expected value of a risk event. From this grow our current techniques, such as failure modes and effects analysis, systems redundancies and even insurance, as tools to manage risk.

Risk assessment is a little like buying life insurance: No one likes going through the process, but everyone agrees it's necessary. Thinking about risks—about all the ways our project can go astray—is always difficult. And since we can't be certain what awaits us tomorrow, careful risk assessment remains an essential tool to save us from the maelstrom of the unknown and the unknowable.

Answer: Risk management remains essential to good project management. But before risks can be managed, they have to be thoroughly understood—which is the essence of risk assessment.


Bud Baker, Ph.D., teaches at Wright State University, Dayton, Ohio, USA, where he heads the MBA concentration in project management. He is a regular contributor to PM Network and Project Management Journal and is a member of the PMJ Editorial Review Board.



This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI.



