Project Management Institute

The meaning of risk in an uncertain world


Risk Is Not Real!

Describing something as a “risk” is a convenient way of describing an unknown state that may occur in the future (and, consequently, may not). If something has occurred, it is a fact or an issue. If something will occur (e.g., the setting of the sun), there is no uncertainty and therefore no “risk.”

The mathematical processes and understandings that led to our current perceptions of risk have evolved since the mid-seventeenth century. These developments are the absolute underpinning of modern civilisation. It would be impossible to buy insurance or calculate a reasonable return on an investment if the “insurer” or “investor” were unable to calculate the risk involved in the transaction. The story of the transition from belief to calculated probability is elegantly told in the book Against the Gods, The Remarkable Story of Risk (Bernstein, 1996) and underpins much of the thinking in this paper.

However, even from the earliest developments in understanding and calculating risk, the inherent uncertainty of the process was clearly understood by some. As Leibniz wrote in a letter to Bernoulli in 1703, “Nature has established patterns originating in the return of events, but only for the most part.”

Complexity theory recognises the absolute impossibility of accurately predicting the future, particularly at the detail level. Couple this phenomenon with the problem that the decisions/reactions of people creating the future are only partially predictable and are linked to their current set of relationships through the “Complex Responsive Processes of Relating,” or CRPR (Weaver, 2007b), and the uncertainty associated with predicting future outcomes is obvious.

The challenge addressed in this paper is to deal effectively with risk based on current understandings of “how the world works” in today's business environment, whilst always recognising the impossibility of actually predicting the future to eliminate all risk.

Understanding Risk

PMBOK® Definitions

The definition of “risk” used by the authors of A Guide to the Project Management Body of Knowledge (PMBOK® Guide) is consistent with most modern risk management standards. The PMBOK® Guide describes risk as “An uncertain event or condition, that if it occurs, has a positive or negative effect on a project's objective.” The key element of this definition is that the effect of the uncertainty, if it occurs, may be positive or negative on the objectives of the planned endeavour. Many things are uncertain; risks are by definition only those uncertainties that will impact the project should they occur.

Understanding the Building Blocks of Risk: Uncertainty, Probability, etc.

Some of the key “building blocks” in developing a pragmatic risk attitude include understanding the following.

Uncertainty vs. Variability

Uncertainty refers to a situation that may, or may not, occur; whereas every process has an intrinsic level of variability—the existence of variability in a process is not a risk; it is a guaranteed fact. Where the two elements come together is that typically there may be uncertainty about the degree of variability in a process and/or uncertainty about the actual variability in the process remaining within acceptable limits. Quality processes, such as Six Sigma, do not attempt to eliminate variability, they seek to minimise unexplained variability and to achieve outcomes that are consistently acceptable.

Accuracy vs. Precision

Accuracy typically focuses on how close, “on average,” a series of outcomes is compared to the “target.” Precision focuses on the consistency of the outcomes. (See Exhibit 1.) Arguably, “Group 1” in Exhibit 1 is more accurate and potentially more useful in the short term than “Group 2”; at least one of the five “Xs” is in the target area, and the average of all five “Xs” is close to the centre. “Group 2” is more precise; its results are consistent and have a lower variability (measured in terms of the average distance each “X” is from the centre), but “Group 2” has no acceptable outcomes and, on average, is less accurate! All of these factors need to be considered when specifying acceptable levels of variability.

Exhibit 1 – Accuracy vs. Precision

Understanding the Difference between Chance and Probability

The next theoretical element we need to introduce in this paper is understanding the difference between the “chance” of an event occurring and the “probability” of it occurring.

Everyone knows that the chance of a coin, when it is tossed, landing on “heads” is 50%; the coin will either land on “heads” or “tails.” The first vital consideration is that each throw of the coin is independent. Therefore, for any single toss of the coin, there is always a 50% chance of “heads” being the outcome, even if the coin has landed on “heads” in 10 or even 100 previous throws. However, whilst the “odds” in favour of any single toss landing on “heads” is one to one (or even), the probability of 10 consecutive throws landing on “heads” is extremely low. The probability of “heads” being tossed 10 times in a row is 1/2 to the power of 10 = 0.00048828125 (or roughly 1/2000). But remember whilst the probability of tossing 10 “heads” in a row is very low, the chance of any single toss of the coin coming up “heads” remains 50/50.

Understanding the Importance of Normal Distribution Curves and Standard Deviations

Exhibit 2 – A Normal Distribution

Some of the issues raised by Probability Theory when applied to partial sets of data were solved by demonstrating that a set of random tests would distribute themselves around their average value. Today this is known as a “normal distribution,” and the degree of variation (shown by the width of the bell; see Exhibit 2) is measured by a “Standard Deviation.”

In a Normal Distribution, approximately 68% of the tests will fall within one Standard Deviation (SD) of the Mean and 95% within two SDs (see Exhibit 2). An important thing to remember is that this process is designed to identify the degree of error in a set of data, not to prove its accuracy. The ratios for 1SD, 2SD, etc., are constants; variations in the shape of the actual distribution of a set of measurements to the “normal curve” and the size of the average error defined by the “Standard Deviation,” or σ (sigma), indicate how reliable the information is.

The Case Studies

Given that the basic structures of risk management, or at least the mathematical elements, were firmly established whilst Napoleon ruled large tracts of Europe, observing the very different outcomes on two major projects completed in the last year, with very similar issues to manage, in a very similar environment suggests that project risk management is not a mathematical/actuarial process. The art of the actuary is essential to insurance businesses, major investors, etc.—the mathematics drive decisions. Effective project risk management seems to be far more closely aligned with developing the right attitudes, expectations and relationships in and around the project team and with the key stakeholders.

Project #1: Wembley Stadium

Exhibit 3 – The Completed Stadium

Australian builder Multiplex won the “Guaranteed Maximum Price” (GMP) contract to design and construct a new, world-class 90,000-seat Wembley football stadium. Work commenced in September 2002, with completion planned well ahead of the FA Cup Final in May 2006. The stadium was eventually finished just in time for the 2007 FA Cup Final (see Exhibit 3.)

Some of the key points include the following:

  • In March 2006 Multiplex announced a loss of £106 million and the work was estimated at one month behind schedule. In the final accounting, Multiplex lost AU$355 million on the project (£150 million) and is the subject of shareholder litigation in Australia over the adequacy of its disclosure of the loss.
  • Wembley National Stadium Limited (WNSL) withheld £38 million from Multiplex as a penalty for the late finish, which was less than 10% of the £431 million cost overrun.
  • Multiplex issued a £350 million claim against Wembley National Stadium Limited (WNSL), the venue's owner, to cover loss of earnings and were prepared for litigation to last several years, blaming WNSL for many of the project's problems.
  • After negotiations, everyone walked away from the disputes accepting their losses and declining to add to their respective financial pain with the additional costs associated with years of expensive litigation.

The confidential nature of the final settlement precludes a proper analysis of the issues in dispute, but it is safe to assume that both parties believed they faced a significant probability of losing any court action (or certainly did not feel sufficiently confident of success to justify court action). The GMP contract was the real problem; by attempting to contract out of any price risk, WNSL ended up paying an additional £431 million whilst Multiplex's shareholders “donated” another £150 million to the project.

The fact that Wembley is seen as a success now that it is finished is a testament to the construction workers and management who were focused on creating a great national monument despite the pressures, not the system that generated the “failure.”

Terminal 5, Heathrow

At £4.3 billion, T5 is the biggest construction project currently under way in Europe (see Exhibit 4), yet it appears to be running like clockwork, reportedly on schedule to open on 27 March 2008 and “under budget.” Its success is attributed to the commitment made by the client, BAA Limited (BAA), to an entirely different way of working focused on proactive collaboration with its contractors.

Exhibit 4 – T5 under Construction, September 2005

Under the unique procurement strategy developed for T5, BAA retains all the financial risks of the project; it also created an incentivisation strategy that rewards “best practice” suppliers and invested heavily in the “soft” skills of communication and leadership that have made this innovative approach work so well. These two strands of formal contracts and measurements, supported by a strong emphasis on developing relationships, are mutually dependent. They both contribute to the process of team building and help ensure that the ethos of collaboration extends to every link in the supply chain.

An outstanding example of this approach was the construction of the terminal roof. Completed sections of the roof, including the box girders, purlins and cladding, were planned to be erected in six 2,000 tonne lifts. To minimise any chance of mishaps, BAA funded the “roof team” to conduct a £2.4m “dummy run” in Yorkshire to see whether the concept was feasible. This trial is credited with saving three months' work on the Heathrow site and significant costs. This type of initiative would have been impossible under a GMP Contract similar to the one used at Wembley.

Before starting the project, BAA's management had realised that conventional contracts do not really work because ultimately any major risk falls back on the client, so rather than taking the conventional approach of trying to “avoid all risk” by passing it on to their contractors, they made the key decision to accept and manage the risks inherent in this massive project directly.

Case Study Conclusions

When the initial flights arrive and depart Terminal 5 after 4 a.m. on 31 March 2008, the final success of BAA's approach will be known; however, the approach used on Terminal 5 to proactively embrace risk appears to have saved a fortune. In contrast, the attempts by the clients on the Wembley project to avoid “all risk” by contracting out of any involvement in the project simply did not work. The difference between the projects lies in the clients' risk attitudes.

Managing Variability

A key management attitude that works against achieving a successful project outcome is the expectation of unrealistic levels of accuracy in many project management processes. Variability is inevitable in every process; demanding assurances that unrealistic levels of accuracy and precision have been, or will be, achieved simply creates failure.

Variability in Cost Estimating

Whilst it is theoretically possible to identify and price all of the elements of a project and then to accurately compile the “estimated prices” into an arithmetically accurate “estimated project cost,” this answer is never going to be the actual project cost at completion. The factor many management teams forget is that the process of “writing prices” into a project-estimating system cannot influence the actual cost the project will have to pay for the item in the future—all the system can tell you is how different the two prices are!

Cost estimating processes establish the expected cost parameters for the project and then provide a framework that can be used to guide the project team as they expend “budgets” and for recording the actual costs spent on the work. Variances from the plan can be measured using a variety of techniques, and management action can be taken to lock in gains and mitigate cost overruns.

As soon as a management team accepts that cost estimating cannot control future costs, but that comparing actual costs with the estimate can show how wrong the estimating process was, the real benefit of a good cost estimate becomes apparent. The estimate provides the framework for managing the project's costs and predicting trends based on performance to date using techniques such as Earned Value Analysis. Using this knowledge wisely allows management to proactively engage in the running of the project to optimise future outcomes.

Deciding on the “appropriate” level of detail to include in a cost estimate is not a scientific or mathematical process; it is governed by intuitive decisions on what is optimal, acceptable or traditional. However, demanding unachievable levels of accuracy and then requiring the project estimators to agree that they have been achieved simply creates unrealistic expectations, and unrealistic expectations are unlikely to be fulfilled! The challenge is to know when “enough” estimating has been done.

Variability in Scheduling (Time Estimating)

All of the above discussion on variability in cost estimating applies to time estimating with several additional layers of uncertainty. These issues have been discussed at length in other papers published by the author and will only be highlighted below:

The purposes of a “good cost estimate” and a “good schedule” are different. The purpose of the cost estimate is to establish the likely total cost of the project by incorporating as nearly as is possible every element of cost. The purpose of a “good schedule” is to “provide a useful road map that can be used by the project manager and the project team” (PMI, 2007). This means that a “good schedule” highlights the key elements of work that summarise the overall flow of the project without an unnecessary clutter of detail.

The net effect of this valuable simplification is to make precise measurements of actual “float,” the “critical path,” etc., impossible. The schedule is there as a guide and an aid to effective coordination and management, not as some precise statement of the future.

A well-developed schedule is an invaluable management tool for developing an understanding of the work involved in a project, coordinating the efforts of resources and optimising the overall time management of the project. However, no schedule is correct in every detail, and attempts to make a schedule fully detailed and totally accurate destroy its usefulness as a communication and motivational tool without increasing its accuracy.

Identifying the Likely Range of Outcomes

It is only after the inevitability of variability in cost and time estimating is accepted by management that determining a likely range of outcomes and focusing on reducing inappropriate variability becomes possible.

Monte Carlo Simulation

The most effective tool for dealing with the residual variability and uncertainty in project estimates is simulation. The project team assesses optimistic, pessimistic, and most likely cost and time outcomes for each element of the project and evaluates the likely distribution of outcomes within the range. The model is then analysed many times, each analysis randomly selecting values from within the distribution nominated for each activity. A typical set of results for an assessment of “time” is shown in Exhibit 5.

Exhibit 5 – A Monte Carlo Simulation of a Project Created by PertMaster

The blue bars on the chart in Exhibit 5 show the number of times out of 1,000 each date was the result of an analysis. The twenty-sixth of February is the most likely date for the project to finish (i.e., it is the Mode, or the most frequently achieved answer during this set of simulations), but overall 26 February only has a 21% chance of being achieved. The Mean is 2 March—this date has a 50% chance of being achieved. If management wants a date that has a 90% probability of being achieved, then 9 March should be selected as the projected completion date. To achieve this, a “reserve” of eleven days needs to be created and added to the “most likely” result.
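The simulation process described above, as an added example that is not from the paper and is not PertMaster output: a small constructed task network is analysed 1,000 times and the results are summarised the way Exhibit 5 is read (mode, chance of the mode, mean, 50% and 90% dates, and the reserve over the mode). The task names, the three-point estimates, the triangular distribution and the seed are all assumptions.

```python
import math
import random
from collections import Counter

# Constructed sample project (not from the paper). Each task maps to
# ((optimistic, most_likely, pessimistic) duration in days, [predecessors]).
# Tasks are listed in dependency order.
TASKS = {
    "design":    ((8, 10, 16), []),
    "procure":   ((12, 15, 30), ["design"]),
    "build":     ((18, 20, 32), ["design"]),
    "integrate": ((5, 6, 12), ["procure", "build"]),
    "test":      ((4, 5, 10), ["integrate"]),
}


def project_duration(tasks, pick):
    """Forward pass: a task starts when its last predecessor finishes."""
    finish = {}
    for name, (estimate, preds) in tasks.items():
        start = max((finish[p] for p in preds), default=0.0)
        finish[name] = start + pick(estimate)
    return max(finish.values())


def most_likely_duration(tasks=TASKS):
    """Single-point plan built only from the 'most likely' estimates."""
    return project_duration(tasks, lambda est: est[1])


def run_simulation(iterations=1000, seed=2008, tasks=TASKS):
    """Analyse the model many times, sampling each task from its range.

    Assumption: a triangular distribution per task; the seed only makes
    the run repeatable.
    """
    rng = random.Random(seed)
    sample = lambda est: rng.triangular(est[0], est[2], est[1])
    return sorted(round(project_duration(tasks, sample)) for _ in range(iterations))


def chance_of_meeting(results, duration):
    """Fraction of simulated runs that finished within `duration` days."""
    return sum(1 for r in results if r <= duration) / len(results)


def duration_at_confidence(results, confidence):
    """Smallest simulated duration met by at least `confidence` of runs."""
    index = max(0, math.ceil(confidence * len(results)) - 1)
    return results[index]


def summarise(results, tasks=TASKS):
    """Mode, mean, 50%/90% durations and the reserve needed over the mode."""
    mode = Counter(results).most_common(1)[0][0]
    p90 = duration_at_confidence(results, 0.90)
    return {
        "single_point_plan": most_likely_duration(tasks),
        "mode": mode,
        "chance_of_mode": chance_of_meeting(results, mode),
        "mean": sum(results) / len(results),
        "p50": duration_at_confidence(results, 0.50),
        "p90": p90,
        "reserve_over_mode": p90 - mode,
    }


if __name__ == "__main__":
    for key, value in summarise(run_simulation()).items():
        print(f"{key:>18}: {value}")
```

On this constructed network the plan built from the “most likely” values alone is met in only a small fraction of runs, because the estimates are skewed towards overrun and two parallel paths merge before integration.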

Managing Variability Conclusion

Variability in time and cost estimates cannot be managed if management does not accept that variability is inevitable. The key to success is accepting variability and then focusing on two strategies. The first is to design processes that minimise excessive variability (narrowing in on the “mean”), but only to the extent this is feasible and cost effective. The second is monitoring actual variability against the plan to understand trends and appreciate “what is real” and use this information to modify the project delivery strategy to maximise gains and minimise losses.

Getting the Focus “Right”

Different levels of the organisational and project structure need different focuses on risks, variability and targets to generate successful outcomes. Some of the key differences follow:

  • The project team should focus on achieving an “optimistic” outcome (stretch targets). The best outcomes are achieved by a motivated team striving to achieve the best possible outcome. They almost certainly will not be 100% successful but in trying will have achieved the optimum result.
  • The project manager or contracting organisation should be more conservative and develop contingencies within its estimates. Each project should have at least a 50% chance of being achieved (i.e., the target is focused on the Mean) or possibly a more conservative outcome (maybe 80% certainty).
  • The client and/or senior management need to focus on achieving an overall “safe outcome”; this includes adding appropriate “reserves” to protect the organisation from project overruns. It also involves balancing gains and losses. If an organisation in a competitive market can achieve an 80% probability of not losing money on all of its projects, the four out of five that achieve or better their cost targets should generate sufficient “profits” to offset the predictable loss on the remaining one out of five projects that can be expected to lose money. The balance is between remaining competitive and remaining profitable overall.

All of these focuses should exist in a risk-aware culture. Mature, risk-aware organisations deal with the different focuses in an open and communicative (trusting) relationship.

Managing Uncertain Events (the Risk Register)

The core document in the risk management process is the risk register. The register lists all of the known risks together with any planned responses. The primary element of the register is a description of the risk, usually in a standard format, such as the following:

“If <cause>, <event> may occur, leading to <effect>.”

“If a compression test fails, the rejection of the whole batch may occur, leading to a three week delay.”

Additional information—including risk categories, the person responsible for managing the particular risk, qualitative and quantitative analysis data, trigger events, prioritisation, etc.—should be included as appropriate. Importantly, the “action items” in the risk register—to avoid, mitigate, transfer and/or exploit risks—need to be linked to items in the plan (schedule tasks, budgets, etc.) and actioned. The “risk register” is frequently combined with the project's “issues register”; this practice has much to recommend it. The only practical difference between a “risk” and an “issue” is that risks are “uncertain events that may occur in the future” and issues are “events” that have occurred. Both require managing, and risks become issues when they occur.

The PMBOK® Guide's risk processes follow:

  • Plan the risk management.
  • Identify risks.
  • Analyse risks (Qualitative and Quantitative) and, by implication, prioritise risks.
  • Plan risk responses.
  • Monitor and control risks (including implement planned risk responses).

These follow the generally accepted pattern of all risk management standards: “Identify,” “Analyse,” “Evaluate,” and then “Treat” the risks, within an appropriate context and with ongoing monitoring and controlling.

The key to successful risk management is the routine “ongoing” process of “monitoring and control” required by all of the recognised standards. Another critical factor in managing risk is the effective administration of contingencies and reserves. Here are some key guidelines for managing reserves:

  • Reserves are released for defined risk events as they actually occur, not to compensate for poor performance.
  • The amount of reserve released should be based on an assessment of what is needed to safely manage the project through to its conclusion, not the cost of the occurrence.
  • The trends in the use of reserves should be monitored and used to forecast likely outcomes.

One interesting development in 2007 was the publication of the Interfacing Risk & Earned Value Management draft guide by the UK EV-Risk Working Group (UK, 2007). This guide suggests a range of practical processes for integrating the rigour of the “Performance Management Baseline” (PMB) developed by the application of earned value principles with the “specific risk provisions” (contingencies) established for defined risk events and the “non specific risk provisions” (reserves) needed by management. The final version of the guide is awaited with interest.

The Human Dimensions of Risk

The major area of potential enhancement in most project-focused risk standards (including the PMBOK® Guide) is to more closely align risk management with stakeholder management. It is people who must work the risk management process; it is people who are often the source of risk and people who decide what are “acceptable risks.” Even the best way to manage risk is uncertain; it depends on how each risk is perceived both by those administering the risk management practices and those who run the organisation, their “risk attitude” (Hillson & Murray-Webster, 2005). The human element is central to the problem and also central to the solution. There are no right answers here, only “acceptable” ones, and what is acceptable is very much driven by people's risk attitudes and the organisation's culture.

Understanding Stakeholders

Based on the above, people (or stakeholders) are the source of many risks and the solution to the management of all risks. However, no project has the time and resources to communicate fully with every stakeholder. The project team needs to identify the best stakeholders to invest their communication effort in, focusing on the “right stakeholders” at the “right time.” Achieving this objective needs a structured process to identify and map the stakeholder community and then understand and manage the expectations of the key stakeholders.

The Stakeholder Circle® methodology offers one tool for this purpose (Bourne, 2006); it involves a five-step process, as follows:

  • Identification (including understanding expectations and “mutuality”)
  • Prioritisation (to determine the level of influence of each stakeholder)
  • Visualisation (to understand the overall community and who are the “key stakeholders”)
  • Engagement (communicating for effect)
  • Monitoring and reviewing the stakeholder community on a regular basis

From a project's risk management perspective, it is impossible to manage the expectations of stakeholders if they have not been identified and understood. The expectations then need managing in an ethical way to reinforce positive expectations and perceptions (as long as they are realistic) and to properly address negative expectations and perceptions if the final project outcome is to be perceived as successful.

Managing Stakeholder Expectations and Perceptions

One of the underpinning concepts within the Stakeholder Circle® methodology is that a project is only successful if its stakeholders perceive it to be a success. The concepts of “on time” and “on budget” are important measures of value but are only part of a successful outcome (Bourne, 2007). There is a need to balance between maintaining relationships, acceptable levels of risk, and the delivery of value to the stakeholders for the project to be considered successful. All of these parameters can be influenced by effective communication.

Effective Communications

There are three steps involved in managing stakeholder expectations:

  • You need to identify the expectations by listening effectively to the right people. If you don't know an expectation exists, then it is impossible to manage it.
  • Communicate effectively to manage expectations (Weaver, 2007a).
  • Monitor the situation—expectations aren't fixed. Efficient two-way communications are the basis for an effective relationship that allows trust to develop, which in turn gives the stakeholders confidence that their expectations are being properly considered.

Communications are the key to understanding current expectations and managing those expectations, either by fulfilling them or adjusting them to a point where they can be satisfied. Unrealistic expectations cannot be fulfilled, and the disappointed stakeholder is likely to view the project outcome as a failure.


The conclusions to be drawn from this paper are relatively simple:

  • All projects are “risky,” i.e., the outcome is uncertain.
  • Variability is inherent in every process and must be acknowledged in order to be managed.
  • Adding unnecessary detail does not improve accuracy or reduce variability.
  • Managing risk is safer than ignoring risk; attempting to avoid “all risk” is impossible and doomed to fail.
  • Expectations must be identified in order to be managed; unrealistic expectations are unlikely to be fulfilled.
  • Organisations need to aim to win overall; attempting to win every time is impossible.
  • The primary commercial advantage of any organisation is its ability to manage the risks inherent in its environment better than its competitors. Changing environments changes the risks.
  • A mature risk attitude at all levels of management is critical to the success of both the organisation and its projects (but must be appropriate to the organisation).


Bernstein, P.L. (1996). Against the gods, the remarkable story of risk. New York: John Wiley & Sons Inc.

Bourne, L.M. (2006, July). Project relationships and the stakeholder circle. PMI Research Conference. Montreal, Canada. Retrieved on February 11, 2008, from

Bourne, L.M. (2007, Jan.). Avoiding the successful failure! PMI Global Congress, Asia Pacific, Hong Kong. Retrieved on February 11, 2008, from

Hillson, D., & Murray-Webster, R. (2005). Understanding and managing risk attitude. Gower Publishing Ltd, Aldershot.

Project Management Institute. (2007). The practice standard for scheduling. Newtown Square, PA: Project Management Institute.

Weaver, P. (2007a). Getting the “soft stuff” right: Effective communication is the key to successful project outcomes! PMI Global Congress North America. Atlanta, USA. Retrieved on January 9, 2008, from

Weaver, P. (2007b). A simple view of “complexity” in project management. World Project Management Week #4. Singapore. Retrieved on January 9, 2008, from

UK EV-Risk Working Group. (2007). Interfacing risk & earned value management: working group draft. The Association for Project Management, High Wycombe. (Final Publication due April 2008.)

© 2008, Patrick Weaver
Originally published as a part of 2008 PMI Global Congress Proceedings – Malta


