Managing overall project risk
The Risk Doctor Partnership
Leading Project Risk Management guidelines include a definition of a higher level of risk in projects, called “overall project risk”, which is different from individual risks. For example, the PMI A Guide to the Project Management Body of Knowledge (PMBOK® Guide )— Fifth Edition (PMI, 2013) defines individual risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives,” whereas overall project risk is defined as “the effect of uncertainty on the project as a whole … more than the sum of individual risks within a project, since it includes all sources of project uncertainty … represents the exposure of stakeholders to the implications of variations in project outcome, both positive and negative.”
Unfortunately, the concept of overall project risk is usually overlooked in the Project Risk Management approach adopted by most organisations. This means that our risk processes focus exclusively on individual risks and we fail to identify or proactively manage the overall risk exposure associated with our projects.
Little assistance or support is offered by current Project Risk Management guidelines, which do not elaborate on how overall project risk should be addressed during the Project Risk Management process; they merely define the concept, then say little more.
This paper clarifies the concept of overall project risk, explains its importance, and outlines how it can be identified, assessed, and managed. Only by broadening our risk approach to include this aspect can we answer two key questions from project sponsors, stakeholders, and customers: “How risky is this project? And what are you doing about it?”
Defining “Overall Project Risk”
Current Risk Standards
When considering risk in projects, there are two levels of interest, typified by the scope of responsibility and authority of the project manager and the project sponsor.
- The project manager is accountable for the delivery of project objectives, and therefore needs to be aware of any risks that could affect that delivery, either positively or negatively. His or her scope of interest is focused on specific sources of uncertainty within the project. These sources are likely to be particular future events or sets of circumstances or conditions that are uncertain to a greater or lesser extent, and that would have some degree of impact on the project if they occurred. The project manager asks, “What are the risks in my project?” and the answer is usually recorded in a risk register or similar document.
- The project sponsor, on the other hand, is interested in risk at a different level. He or she is less interested in specific risks within the project, and more in the overall picture. The question is, “How risky is my project?” and the answer does not usually come from a risk register. Instead of wanting to know about specific risks, the project sponsor is concerned about the overall riskiness of the project. This represents his or her exposure to the effects of uncertainty across the project as a whole.
These two different perspectives reveal an important dichotomy in the nature of risk in the context of projects. A project manager is interested in “risks,” while the sponsor wants to know about “risk.” While the project manager looks at the detail of specific risks in the project, the project sponsor is interested in the riskiness of the project. The risk register lists all identified risks, prioritised for attention and action, with responses and owners allocated to each risk. But a list of risks cannot answer the sponsor's “How risky?” question. A different concept is needed to describe the overall risk exposure of a project, which is different from the individual risks that need to be managed.
“Risks” Versus “Risk”
The Project Management Institute (PMI) has addressed this dual perspective of overall risk and individual risks in the Practice Standard for Project Risk Management (PMI, 2009, p. 10), and also in the PMBOK® Guide - Fifth Edition (PMI, 2013, p. 310), both of which have two distinct definitions of risk:
- “Individual risk” is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives.”
- “Overall project risk” is defined as “the effect of uncertainty on the project as a whole.”
The UK Association for Project Management (APM) also has two similar definitions of risk in its Project Risk Analysis & Management (PRAM) Guide (Association for Project Management, 2004, p. 17), as well as in the most recent edition of the APM Body of Knowledge (Association for Project Management, 2012, p. 178):
- “Risk event” is defined as “an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more of the project's objectives.”
- “Project risk” is defined as “the exposure of stakeholders to the consequences of variations in outcome.”
Both professional associations give further details on the distinction between these two levels, as shown in Exhibit 1.
Exhibit 1: Risks versus risk in Project Risk Management guidelines
This dual concept of risk is important and useful when considering how to manage risk in projects. At one level, the project manager is responsible for identifying, assessing, and managing the individual risks that are recorded in the risk register. At another higher level, the project manager is also required to account to the project sponsor, the project owner, and other stakeholders for the overall risk exposure of the project.
These two levels might be distinguished as the risks in the project and the risk of the project. This is more than mere semantics or a question of singular and plural. These two terms refer to entirely different (though related) concepts of risk, arising from and affecting the project at different levels, and requiring radically different approaches to their management.
Limitations of Current Practice
Given these two levels of risk exposure, any approach to risk management in projects needs to be able to answer the questions of both project manager and project sponsor. An effective Project Risk Management process should identify individual risk events within the project and enable them to be managed appropriately, and it should also provide an indication of overall project risk exposure. This second aspect is less well developed in current thinking and practice, although it is the subject of active development by leading practitioners (for example, Hillson & Simon, 2012) and professional bodies.
Managing risk effectively requires action at both levels. But the typical Project Risk Management process only addresses the lower level of individual risks within the project, which are recorded in the risk register. It is far less common to consider the overall risk exposure of the project as a whole, or to have any structured approach to managing risk at that higher level.
So how can overall project risk be identified, assessed, and managed? The simplest way to address overall project risk is during the pre-project or concept phase, when the scope and objectives of the project are being clarified and agreed. Here the project sponsor or owner defines the benefits that the project is expected to deliver, together with the degree of risk that can be tolerated within the overall project. Each decision about the risk-reward balance involves an assessment of overall project risk, representing the inherent risk associated with a particular project scope and its expected benefits. At this level, overall project risk is managed implicitly through the decisions made about the scope, structure, content, and context of the project.
Once these decisions have been made and the project is initiated, then the traditional Project Risk Management process can be used to address explicitly the individual risks that lie within the project. At key points within the project, it will be necessary to revisit the assessment of overall project risk to ensure that the defined risk thresholds have not been breached before returning to the ongoing task of managing individual risks within the project.
So, two levels of risk management are important for projects, as illustrated in Exhibit 2:
- Implicit risk management addresses overall project risk through decisions made about the structure, scope, content, and context of the project, particularly (though not exclusively) in the pre-project phase;
- Explicit risk management deals with individual project risks through the standard risk management process to identify, analyse, respond to, and control risks, mostly during the remainder of the project lifecycle.
Exhibit 2: Implicit and explicit risk management
There are, however, more detailed approaches to managing overall project risk throughout the project life cycle than just addressing it implicitly through decisions about project scope. The remainder of this paper explores these more detailed approaches further.
Managing “Overall Project Risk”
Identifying Sources of Overall Project Risk
Taking the PMI definition of “overall project risk” as “the effect of uncertainty on the project as a whole” (PMI, 2009, 2013); it is clear that identifying overall project risk requires a different perspective from the typical risk identification process.
In standard risk identification, it is common to use one or more structured techniques to address the interface between potential sources of risk (often defined in a hierarchical risk breakdown structure) and potential areas of impact on the project (defined in the work breakdown structure, cost breakdown structure, project breakdown structure, etc.). This approach necessarily produces a focus on the detailed risks that arise from specific sources and that affect particular project elements (Hillson, Rafele, & Grimaldi, 2006). These detailed individual risks are of course important because they could significantly affect the ability of the project to meet its objectives.
However, a higher view is required in order to identify risk at the overall project level. Indeed, while a project will have multiple individual risks associated with it, overall project risk is a unitary concept: each project has a single given level of overall risk at any point in time. This means that the focus of the identification phase for overall project risk is actually not on the risk itself, but on its causes and effects.
Like individual risks, overall project risk arises from one or more causes and has one or more effects, but both the causes and the effects of overall project risk exist at a higher level than for individual risks.
Causes of Overall Project Risk
Where causes of individual risks can be described in a hierarchical risk breakdown structure in increasing degrees of detail (Hillson, 2002), overall project risk arises from wider influences in the environment and context of the project. Risk identification techniques can use a variety of frameworks to structure the search for overall project risk, including:
- PESTLE – Political, Economic, Social, Technological, Legal, Environmental
- PESTLIED – as PESTLE, with the addition of International (or Informational) and Demographic
- STEEPLE – as PESTLE, with the addition of Ethics
- InSPECT – Innovation, Social, Political, Economic, Communications, Technology
- SPECTRUM – Socio-cultural, Political, Economic, Competitive, Technology, Regulatory/legal, Uncertainty/risk, Market
- TECOP – Technical, Environmental, Commercial, Operational, Political
- VUCA – Volatility, Uncertainty, Complexity, Ambiguity
Each of these frameworks can act as a prompt list, suggesting potential causes of overall project risk. They can be used as inputs for a structured brainstorm or risk workshop, or as part of a SWOT analysis or Ishikawa analysis, or to form the agenda for risk interviews or Delphi groups.
Effects of Overall Project Risk
Like individual risks, overall project risk can be positive or negative, presenting either an opportunity or a threat for the project as a whole. However, unlike individual risks, the impact of overall project risk is not on the objectives of the project, but on the project itself. In other words, where individual risks might result in delay or acceleration in meeting milestones or end-dates, or they might cause budget overrun or underspend; unacceptably high levels of negative overall project risk might result in project cancellation or significant de- scoping, or the scope of a project with a high exposure to positive overall risk might be extended or additional benefits may be identified.
Assessing Overall Project Risk – Qualitative
Overall, project risk is defined as “the effect of uncertainty on the project as a whole” (PMI, 2009, 2013), or as “the exposure of stakeholders to the consequences of variations in outcome” (Association for Project Management, 2004, 2012). These two complementary definitions show that overall project risk has the same two dimensions as individual risks, namely uncertainty and significance. Indeed, overall project risk is just another manifestation of the proto-definition of risk as “uncertainty that matters” (Hillson, 2009).
The “uncertainty” dimension can be described using terms such as probability, frequency, or likelihood; and the “mattering” dimension is usually labelled effect, impact, or consequence. Assessment scales (high, medium, low) for overall project risk can be defined so as to reflect the risk appetite and risk thresholds of the project sponsor or owner as well as the risk capacity of the wider organisation, in the same way that is common for assessment of individual risks. However, the impact scales will be defined in terms of the whole project rather than against particular project objectives, such as time, cost, or performance.
This two-dimensionality of overall project risk allows the same qualitative assessment approach as is commonly used for individual risks, namely via some sort of matrix plotting uncertainty against significance. This is typically called a “probability-impact matrix” when used for individual risks, but this name excludes other types of uncertainty; a more generic name might be “likelihood-consequence matrix.” The principle is the same for assessment of overall project risk, with zones defined within the matrix for high/medium/low risk (or red/yellow/green, or top/moderate/low priority). However, the unitary nature of overall project risk means that each project will occupy only one position in the matrix at a given time. While this might seem to be of limited use, it does allow trends in overall project risk to be plotted over time, indicating whether the project as a whole is becoming more or less risky.
Despite the attraction of this simple matrix approach, its use for assessing overall project risk is subject to the same flaws and drawbacks as with individual risks, and alternatives should be considered by organisations with a more mature approach to managing risk (Association for Project Management, 2008).
Assessing Overall Project Risk – Quantitative
Returning to the definitions of overall project risk as “the effect of uncertainty on the project as a whole” (PMI, 2009, 2013), or “the exposure of stakeholders to the consequences of variations in outcome” (Association for Project Management, 2004, 2012), it is clear that questions can be asked about overall project risk that have quantitative answers. For example, “What is the potential range of variation in outcome?” or “How likely is this project to succeed (or fail)?” Answering these questions requires use of quantitative risk analysis methods to model the effect of uncertainty on the project as a whole and to determine the potential magnitude of variation in outcome (Vose, 2008).
The standard Monte Carlo simulation approach is ideal for this type of analysis, since the main output presents the range of possible outcomes against the probability of each value being achieved. This is usually shown as a cumulative probability density plot, or S-curve, and an example cost analysis is shown in Exhibit 3.
Exhibit 3: Example S-curve for total project cost
This example shows that the potential variation in total project cost is $0.5 million against a target budget of $2.2 million, with a range of possible values from $2.1 million (5th percentile) to $2.6 million (95th percentile). This tells the project sponsor that the overall variability in project cost is $0.5 million (i.e. 22% of the expected project value), that in the best case they might expect to beat the budget by $0.1 million (representing a 4% underspend), but at worst the project might exceed its budget by $0.4 million (18% overrun). The S-curve in Exhibit 3 also shows that the probability of meeting the project cost target of $2.2 million is 23%, with a 77% of exceeding the budget. The analysis predicts an expected outcome of $2.35 million, which is an overspend of $0.15 million or 7%. Finally, the project sponsor can determine values of total project cost that correspond to chosen confidence levels; for example there would be an 85% chance of meeting a revised budget of $2.45 million. This allows the project sponsor to make risk-informed decisions trading off increased cost (+ $0.25 million) against increased probability of success (from 23% to 85%).
This type of analysis allows the “How risky is this project?” question to be answered quantitatively. So for the example in Exhibit 3, the two subsidiary questions could be answered in detail as follows:
- What is the potential range of variation in outcome?
- Total potential range = $0.5 million (= 22% of project value)
- Realistic best case = $2.1 million (– 4%)
- Realistic worst case = $2.6 million (+18%)
- How likely is this project to succeed?
- Probability of meeting $2.2 million target = 23%
- Expected value = $2.35 million (+7%)
The results from this quantitative risk analysis of overall project risk can be shown on a heat map, plotting the probability of failure against the potential variation in outcome, similar in nature to the qualitative likelihood- consequence matrix. As for qualitative assessment, using a heat map to plot changes in overall project risk with time will indicate the trend in risk exposure, allowing the project sponsor and other stakeholders to make appropriate decisions on the future of the project.
The example in Exhibit 3 discussed above focuses only on the project budget, describing overall project risk solely in cost terms. It is of course possible to undertake similar quantitative risk analyses on other project outcomes, such as time, performance, return on investment (ROI), etc. Indeed, current best practice is to analyse overall project risk in terms of both cost and time together in an integrated risk model (Hulett, 2011). In this case, variations in both outcomes can be shown in a single output, as in Exhibit 4, allowing project stakeholders to visualise overall project risk in terms of both cost and time.
Exhibit 4: Example output from integrated cost-time quantitative risk analysis
Since quantitative risk analysis is the main means of determining the extent of overall project risk exposure, it is vital that risk modelling is done well. Some guidance is given in the PMI Practice Standard for Project Risk Management (PMI, 2009, Chapter 7).
The quality of output from any risk model depends critically on two factors: the quality of the input data, and the structure of the underlying model. While the need for good-quality input data is well understood, the ability to produce robust and realistic risk models remains rare. Basic requirements are often missed, such as:
- Use of appropriate distributions to reflect different types of risk (not just three-point triangular distributions);
- Modelling of both variability in planned tasks (via distributions) as well as discrete risk events (via stochastic branching);
- “Many:many” mapping of risks to tasks;
- Inclusion of correlation and dependency to model links between related elements, etc.
The absence of these fundamental modelling techniques will render the model outputs meaningless and misleading.
Responding to Overall Project Risk
Once the level of overall project risk is understood, the project sponsor and other stakeholders can make appropriate and proactive risk-based decisions about the future of the project. In most cases, risk responses use information on the causes of overall project risk gained during the identification phase. Having identified root causes of overall project risk, these can be targeted specifically during the response phase in order to remove or reduce potential negative outcomes for the project and to capture or enhance potential upside.
Various response strategies can be applied to address overall project risk, analogous to the standard responses for individual risks (avoid/exploit, transfer/share, reduce/enhance, accept), but applied at the level of the whole project.
Avoid. This response strategy to negative overall project risk exposure involves removing high-risk elements of scope from the project, recognising that this is likely to reduce the available value or benefit that the project can deliver. The ultimate risk avoidance response at overall project level is to cancel the project. While this may be a last resort, it is often the right course of action if overall project risk exposure remains unacceptably and persistently high.
Exploit. The aggressive response to high levels of upside risk at the overall project level is to increase project scope to take advantage of areas where additional value or benefit is available. Done in an intentional and controlled way, this does not equate to “scope creep,” but instead represents a rational and chosen management response to significant opportunity.
Transfer/Share. These two response types match their counterparts in the individual risk space, involving third parties to manage overall project risk where they are more competent than the current project team. Transfer requires someone to bear the potential downside of the project and take responsibility for minimising overall project risk; share invites a partner to take responsibility for capturing potential upside in return for a proportion of the additional value created. At the whole project level, these two strategies often involve setting up collaborative business structures such as joint ventures, special purpose vehicles or mergers, or possibly subcontracting or selling the project entirely.
Reduce/Enhance. The reduce strategy seeks to minimise downside risk exposure, while enhance aims to maximise upside. This often involves re-planning the project, changing scope, modifying project priority levels, changing resource allocations, etc. The goal of both reduce and enhance is to improve the answers to the two key questions, namely: “What is the potential range of variation in outcome?” and “How likely is this project to succeed (or fail)?” as follows:
- Variation in outcome. Responses to overall project risk should aim to reduce uncertainty by narrowing the overall range of potential variation. Where possible, responses should also aim to shift the distribution of variation toward the upside. Taking the example in Exhibit 3, where the overall variation in total project cost was 22% (– 4% / +18%), effective reduce responses might seek to reduce overall variation to, say, 15%, and use of enhance responses might shift the spread to – 10% / + 5%, thus increasing the potential for cost savings.
- Probability of project success. Here the purpose is clearly to increase the chances of success as predicted from the quantitative risk analysis model.
Accept. As for individual risks, accepting the existing level of overall project risk means continuing with the project as currently defined, aware of how much risk is being carried, monitoring changes in overall project risk as the project proceeds, and ensuring appropriate levels of contingency at the whole project level.
Most risk responses are not cost-free, and it is important to ensure that selected responses are both cost-effective (the potential saving exceeds the cost of the response) and risk-effective (the response changes overall project risk exposure significantly and proportionately). This is likely to require consideration of more than one candidate risk response strategy before selecting the most suitable response for implementation.
Reporting and Monitoring Overall Project Risk
It is important to communicate the status of overall project risk to key stakeholders throughout the lifetime of the project, including:
- Current level of overall project risk
- Major causes of overall project risk
- Key responses underway or planned
- Trend in overall project risk since the project started
- Predicted level of overall project risk at next reporting point
Overall project risk is dynamic—changing constantly as the project progresses—due to effective implementation of risk responses, internal developments within the project over time, and changes in the organisational and external environments. As a result, it is essential to monitor overall project risk levels regularly, to determine the effectiveness of chosen responses, to track the trend in overall project risk exposure, and to ensure that the project remains on course for success.
Responsibility for Managing Overall Project Risk
A key principle of risk management is that ownership of a particular risk should lie with the person or party who owns the objective that would be affected if the risk occurred, known as the risk owner. (This is of course different from an action owner, who is responsible to the risk owner for implementing agreed actions to address a risk; the action owner is the person or party best able to manage the risk effectively.) This principle then raises the question of who is responsible for managing overall project risk.
Returning for the last time to the definitions used by the professional bodies, that overall project risk is “the effect of uncertainty on the project as a whole" (PMI, 2009, 2013), or “the exposure of stakeholders to the consequences of variations in outcome" (Association for Project Management, 2004, 2012), the question becomes “Who owns the overall project objectives?”
This makes it clear that the project sponsor is ultimately accountable for ensuring that overall project risk is managed effectively and that it stays within the overall risk threshold set by key stakeholders for this project. This accountability of the project sponsor is, however, delegated to the project manager, who is responsible for managing overall project risk as part of his or her duty to deliver the objectives of the project.
As a result, management of overall project risk becomes a shared duty of both project sponsor and project manager, acting in partnership to ensure that the project has the optimal chance of achieving its objectives within the allowable risk threshold. Successful management of risk at this whole-project level therefore depends largely on the effectiveness of the working relationship between these two key players.
Conclusion: Toward Holistic Risk Management for Projects
This paper has highlighted the concept of overall project risk that has featured in Project Risk Management guidelines for the past decade (Association for Project Management, 2004), but which is largely ignored by most project-based organisations. These seem to prefer to concentrate on managing individual risks within their projects while not addressing the overall riskiness of those projects. This is reinforced by the major project management associations, whose Project Risk Management processes do not explain how to manage overall project risk, even where they include the concept in their definitions (PMI, 2009, 2013; Association for Project Management, 2004, 2012).
It is clearly important for project managers to be able to answer the question, “How risky is this project?” Answers to date have been based on various aggregations and summaries of a list of individual risks, which do not provide a satisfactory indication of the overall riskiness of a project viewed as a whole.
This paper unpacks the concept of overall project risk, explaining how it can be identified, assessed, and managed. The question remains as to whether project-based organisations will take up the challenge to implement the guidance in this paper, and begin to address risk at the whole project level as well as considering individual risks. This dual integrated approach might be called holistic risk management, reflecting the fact that it deals equally with the risks in the project as well as the risk of the project.
In addition, project management professional bodies such as the Project Management Institute (PMI) and the Association for Project Management (APM) should ensure that future updates of their risk management guidance are extended to include overall project risk alongside individual project risks. Only then can we give our projects the best possible chance of succeeding, by managing both the risks in the project and the risk of the project.
Association for Project Management. (2004) Project risk analysis & management (PRAM) guide (2nd ed.). High Wycombe, Bucks, UK: APM Publishing.
Association for Project Management. (2008) Prioritising project risks. High Wycombe, Bucks, UK: APM Publishing.
Association for Project Management. (2012) Body of knowledge (6th ed.). High Wycombe, Bucks, UK: APM Publishing.
Hillson, D. A. (2002, June) The risk breakdown structure (RBS) as an aid to effective risk management. Fifth European Project Management Conference, PMI Europe, 2002, Cannes, France.
Hillson, D. A. (2009) Managing risk in projects. Farnham, UK: Gower.
Hillson, D. A., Rafele, C., & Grimaldi, S. (2006) Managing risks using a cross risk breakdown matrix. Risk Management: An International Journal, 8(1), 61–76
Hillson, D. A. & Simon, P. W. (2012) Practical project risk management: The ATOM methodology (2nd ed.). Vienna, VA: Management Concepts.
Hulett, D. T. (2011 ) Integrated cost-schedule risk analysis. Farnham, UK: Gower.
Project Management Institute. (2009). Practice standard for project risk management. Newtown Square, PA: Author.
Project Management Institute. (2013) A guide to the project management body of knowledge (PMBOK Guide) - Fifth edition. Newtown Square, PA: Author.
Vose, D. (2008) Risk analysis - A quantitative guide (3rd ed.). Chichester, UK: Wiley.
This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI or any listed author.
© 2014, David Hillson
Originally published as a part of 2014 PMI Global Congress Proceedings – Dubai, UAE
This standard focuses on the “what” of risk management, including: core principles; fundamentals; and life cycle.