How risky is your project — And what are you doing about it?
The Risk Doctor Partnership, firstname.lastname@example.org
How do you answer if your project sponsor or customer asks you “How risky is your project?” Even more important, what do you say if they ask “And what are you doing about it?” The answers to these two vital questions will not be found in your project risk register or routine risk reports. The overall riskiness of your project is more than the sum of individual threats and opportunities.
Standards from the Project Management Institute (PMI®) answer the first of these two questions with a concept called “overall project risk,” which is different from “individual project risks.” Individual risk is “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.” Overall project risk, on the other hand, is defined as “the effect of uncertainty on the project as a whole … more than the sum of individual risks within a project, since it includes all sources of project uncertainty … represents the exposure of stakeholders to the implications of variations in project outcome, both positive and negative.”
Unfortunately the concept of overall project risk is usually overlooked in the project risk management approach adopted by most organizations. Risk processes focus exclusively on individual risks and fail to identify, assess, or proactively manage the overall risk exposure associated with projects.
This paper clarifies the concept of overall project risk, explains its importance, and outlines how it can be identified, assessed, managed, and reported. Only by broadening our risk approach to include this aspect can we answer the two key questions from project sponsors, stakeholders, and customers: “How risky is your project? And what are you doing about it?”
Defining Overall Project Risk
Current Risk Standards
When considering risk in projects, there are two levels of interest, typified by the scope of responsibility and authority of the project manager and the project sponsor.
- The project manager is accountable for the delivery of project objectives, and therefore needs to be aware of any risks that could affect that delivery, either positively or negatively. Their scope of interest is focused on specific sources of uncertainty within the project. The project manager asks “What are the risks in my project?”—and the answer is usually recorded in a risk register or similar document.
- The project sponsor, on the other hand, is interested in risk at a different level. Project sponsors are interested in the big picture. Their question is “How risky is my project?”—and the answer does not usually come from a risk register. Instead, the project sponsor is concerned about the overall riskiness of the project. This represents their exposure to the effects of uncertainty across the project as a whole.
These two different perspectives reveal an important dichotomy in the nature of risk in the context of projects. The project manager uses a risk register to list identified risks, prioritize them for attention and action, and plan responses and owners for each risk. But a list of risks cannot answer the sponsor’s “How risky” question. A different concept is needed to describe the overall risk exposure of a project.
“Risks” versus “Risk”
The Project Management Institute (PMI®) has addressed this dual perspective of overall risk and individual risks in the Practice Standard for Project Risk Management (Project Management Institute, 2009, p. 10), and also in A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Fifth Edition (Project Management Institute, 2013, p. 310), both of which have two distinct definitions of risk:
- “Individual risk” is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives.”
- “Overall project risk” is defined as “the effect of uncertainty on the project as a whole.”
The U.K. Association for Project Management (APM) also has two similar definitions of risk in its Project Risk Analysis & Management (PRAM) Guide (Association for Project Management, 2004, p. 17), as well as in the most recent edition of the APM Body of Knowledge (Association for Project Management, 2012, p. 178):
- “Risk event” is defined as “an uncertain event or set of circumstances that, should it occur, will have an effect on achievement of one or more of the project’s objectives.”
- “Project risk” is defined as “the exposure of stakeholders to the consequences of variations in outcome.”
These two levels might be distinguished as the risks in the project and the risk of the project. This is more than mere semantics or a question of singular and plural. These two terms refer to entirely different (though related) concepts of risk, arising from and affecting the project at different levels, and requiring radically different approaches to their management. Both professional associations give further details on the distinction between these two levels, as shown in Exhibit 1.
Exhibit 1– Risks versus risk in project risk management guidelines
This dual concept of risk is important and useful when considering how to manage risk in projects. At one level the project manager is responsible for identifying, assessing, and managing the individual risks that are recorded in the risk register. At another higher level the project manager is also required to account to the project sponsor, the project owner, and other stakeholders for the overall risk exposure of the project.
Limitations of Current Practice
Given these two levels of risk exposure, any approach to risk management in projects needs to be able to answer the risk-related questions of both project manager and project sponsor. An effective project risk management process should identify individual risks within the project and enable them to be managed appropriately, and it should also provide an indication of overall project risk exposure. This second aspect is less well-developed in current thinking and practice, although it is the subject of active development by leading practitioners (for example Hillson & Simon, 2012) and professional bodies.
So how can overall project risk be identified, assessed and managed? This should be considered during the pre-project or concept phase, when the scope and objectives of the project are being clarified and agreed to. Here the project sponsor or owner defines the benefits that the project is expected to deliver, together with the degree of risk that can be tolerated within the overall project. Each decision about the risk-reward balance involves an assessment of overall project risk, representing the inherent risk associated with a particular project scope and its expected benefits. At this level, overall project risk is managed implicitly through the decisions made about the scope, structure, content, and context of the project.
Once these decisions have been made and the project is initiated, then the traditional project risk management process can be used to address explicitly the individual risks that lie within the project. At key points within the project, it will be necessary to revisit the assessment of overall project risk to ensure that the defined risk thresholds have not been breached, before returning to the ongoing task of managing individual risks within the project.
So two levels of risk management are important for projects:
- Implicit risk management addresses overall project risk through decisions made about the structure, scope, content, and context of the project, particularly (though not exclusively) in the pre-project phase;
- Explicit risk management deals with individual project risks through the standard risk management process to identify, analyze, respond to, and control risks, mostly during the remainder of the project life cycle.
There are, however, more detailed approaches to managing overall project risk throughout the project life cycle than just addressing it implicitly through decisions about project scope. The remainder of this paper explores these further.
Identifying and Assessing Overall Project Risk
Identifying Sources of Overall Project Risk
“Overall project risk” is “the effect of uncertainty on the project as a whole” (Project Management Institute, 2009, 2013), so identifying overall project risk requires a high-level whole-project perspective.
Standard project risk identification uses structured techniques to address the interface between potential sources of risk (often defined in a hierarchical risk breakdown structure) and potential areas of impact on the project (defined in the risk impact breakdown structure, work breakdown structure, cost breakdown structure, project breakdown structure, etc.). This naturally produces a focus on the detailed risks that arise from specific sources and that affect particular project elements (Hillson, Rafele, & Grimaldi, 2006). These individual risks are of course important because they could significantly affect the ability of the project to meet its objectives.
However, a higher view is required in order to identify risk at the overall project level. Indeed while a project will have multiple individual risks associated with it, overall project risk is a unitary concept: each project has a single given level of overall risk at any point in time. This means that the focus of the identification phase for overall project risk is actually not on the risk itself, but on its causes and effects.
Like individual risks, overall project risk arises from one or more causes and has one or more effects (see Exhibit 2), but both the causes and the effects of overall project risk exist at a higher level than for individual risks.
Exhibit 2 – Bow tie diagram for overall project risk
Causes of Overall Project Risk
Where causes of individual risks can be described in a hierarchical risk breakdown structure in increasing degrees of detail (Hillson, 2002), overall project risk arises from wider influences in the environment and context of the project. Risk identification techniques can use a variety of frameworks to structure the search for overall project risk, including:
- PESTLE – political, economic, social, technological, legal, environmental
- PESTLIED – as PESTLE, with the addition of international (or informational) and demographic
- STEEPLE – as PESTLE, with the addition of ethics
- InSPECT – innovation, social, political, economic, communications, technology
- SPECTRUM – socio-cultural, political, economic, competitive, technology, regulatory/legal, uncertainty/risk, market
- TECOP – technical, environmental, commercial, operational, political
- VUCA – volatility, uncertainty, complexity, ambiguity
Each of these frameworks can act as a prompt list, suggesting potential causes of overall project risk. They can be used as inputs for a structured brainstorm or risk workshop, or as part of a SWOT (strengths, weaknesses, opportunities, threats) analysis or Ishikawa analysis, or to form the agenda for risk interviews or Delphi groups.
Effects of Overall Project Risk
Like individual risks, overall project risk can be positive or negative, presenting either an opportunity or a threat for the project as a whole. However, unlike individual risks, the impact of overall project risk is not on the objectives of the project, but on the project itself. In other words, where individual risks might result in delay or acceleration in meeting milestones or end dates, or they might cause budget overrun or underspend, unacceptably high levels of negative overall project risk might result in project cancellation or significant de-scoping, or the scope of a project with a high exposure to positive overall risk might be extended or additional benefits may be identified.
Assessing Overall Project Risk—Qualitative Analysis Not Applicable
Overall project risk is defined as “the effect of uncertainty on the project as a whole” (Project Management Institute, 2009, 2013), or as “the exposure of stakeholders to the consequences of variations in outcome” (Association for Project Management, 2004, 2012). These two complementary definitions show that overall project risk has the same two dimensions as individual risks, namely uncertainty and significance. Indeed, overall project risk is just another manifestation of the proto-definition of risk as “uncertainty that matters” (Hillson, 2009).
This two-dimensionality of overall project risk might suggest that we can use the same qualitative assessment approach as is commonly used to prioritize individual risks, namely a matrix plotting uncertainty against significance (the “Probability-Impact Matrix”). However the unitary nature of overall project risk means that each project would occupy only one position in the matrix at a given time. As a result, qualitative assessment of overall project risk is of limited use, although plotting trends over time could indicate whether the project as a whole is becoming more or less risky.
Assessing Overall Project Risk—Quantitative Analysis
The definitions of overall project risk as “the effect of uncertainty on the project as a whole” (Project Management Institute, 2009, 2013), or “the exposure of stakeholders to the consequences of variations in outcome” (Association for Project Management, 2004, 2012), raises questions about the riskiness of the whole project that have quantitative answers. For example:
- How likely is this project to succeed (or fail)?, and
- What is the potential range of variation in outcome?
Answering these questions requires use of quantitative risk analysis methods to model the effect of uncertainty on the project as a whole and to determine the potential magnitude of variation in outcome (Vose, 2008).
The standard Monte Carlo simulation approach is ideal for this type of analysis, since the main output presents the range of possible outcomes against the probability of each value being achieved. This is usually shown as a cumulative probability density plot, or S-curve, and an example of cost risk analysis is shown in Exhibit 3.
Exhibit 3 – Example S-curve for total project cost
We can answer the two key quantitative questions directly using the results in the S-curve.
Addressing the first question (How likely is this project to succeed (or fail)?), the S-curve in Exhibit 3 shows that the probability of meeting the project cost target of US$2.2M is 23%, with a 77% chance of exceeding the budget. The analysis predicts an expected outcome of US$2.35M, which is an overspend of US$0.15M or 7%. The project sponsor can determine values of total project cost that correspond to chosen confidence levels; for example, there would be an 85% chance of meeting a revised budget of US$2.45M. This allows the project sponsor to make risk-informed decisions trading off increased cost (+ US$0.25M) against increased probability of success (from 23% to 85%).
On the second question (What is the potential range of variation in outcome?), this example shows that the potential variation in total project cost is US$0.5M against a target budget of US$2.2M (i.e. 22% of the expected project value), with a range of possible values from US$2.1M (5th percentile) to US$2.6M (95th percentile). This tells the project sponsors that in the best case they might expect to beat the budget by US$0.1M (representing a 4% underspend), but at worst the project might exceed its budget by US$0.4M (18% overrun).
This type of analysis allows the “How risky is this project?” question to be answered quantitatively. So for the example in Exhibit 3, the two subsidiary questions could be answered in detail as follows:
- How likely is this project to succeed?
- Probability of meeting US$2.2M target = 23%
- Expected value = US$2.35M (+7%)
- What is the potential range of variation in outcome?
- Total potential range = US$0.5M (= 22% of project value)
- Realistic best case = US$2.1M (− 4%)
- Realistic worst case = US$2.6M (+18%)
The example in Exhibit 3 discussed above focuses only on the project budget, describing overall project risk solely in cost terms. It is of course possible to undertake similar quantitative risk analyses on other project outcomes such as time, performance, return on investment (ROI), etc. Indeed current best practice is to analyze overall project risk in terms of both cost and time together in an integrated risk model (Hulett, 2011). In this case variations in both outcomes can be shown in a single output, as in Exhibit 4 (the so-called “eyeball plot” or “football plot”), allowing project stakeholders to visualize overall project risk in terms of both cost and time.
Exhibit 4 – Example output from integrated cost-time quantitative risk analysis
Since quantitative risk analysis is the main means of determining the extent of overall project risk exposure, it is vital that risk modelling is done well. Some guidance is given in Chapter 7 of the PMI Practice Standard for Project Risk Management (Project Management Institute, 2009) and standard risk textbooks (Vose, 2008; Hulett, 2011; Hillson & Simon, 2012).
The quality of output from any risk model depends critically on two factors: the quality of the input data, and the structure of the underlying model. While the need for good-quality input data is well understood, the ability to produce robust and realistic risk models remains rare. Basic requirements are often missed, such as:
- use of appropriate distributions to reflect different types of risk (not just three-point triangular distributions);
- modelling of both variability in planned tasks (via distributions) as well as discrete risk events (via stochastic branching);
- “many:many” mapping of risks to tasks;
- inclusion of correlation and dependency to model links between related elements, etc.
The absence of these fundamental modelling techniques will render the model outputs meaningless and misleading.
Managing Overall Project Risk
Responding to Overall Project Risk
Once the level of overall project risk is understood, the project sponsor and other stakeholders can make appropriate and proactive risk-based decisions about the future of the project. In most cases, risk responses use information on the causes of overall project risk gained during the identification phase. Having identified root causes of overall project risk, these can be targeted specifically during the response phase in order to remove or reduce potential negative outcomes for the project and to capture or enhance potential upside.
Various response strategies can be applied to address overall project risk, analogous to the standard responses for individual risks (avoid/exploit, transfer/share, reduce/enhance, accept), but applied at the level of the whole project.
- Avoid. This response strategy to negative overall project risk exposure involves removing high-risk elements of scope from the project, recognizing that this is likely to reduce the available value or benefit that the project can deliver. The ultimate risk avoidance response at the overall project level is to cancel the project. While this may be a last resort, it is often the right course of action if overall project risk exposure remains unacceptably and persistently high.
- Exploit. The aggressive response to high levels of upside risk at the overall project level is to increase project scope to take advantage of areas where additional value or benefit is available. Done in an intentional and controlled way, this does not equate to “scope creep,” but instead represents a rational and chosen management response to significant opportunity.
- Transfer/Share. These two response types match their counterparts in the individual risk space, involving third parties to manage overall project risk where they are more competent than the current project team. Transfer requires someone to bear the potential downside of the project and take responsibility for minimizing overall project risk. Share invites a partner to take responsibility for capturing the potential upside in return for a proportion of the additional value created. At the whole project level, these two strategies often involve setting up collaborative business structures such as joint ventures, special purpose vehicles or mergers, or possibly subcontracting or selling the project entirely.
- Reduce/Enhance. The reduce strategy seeks to minimize downside risk exposure, while enhance aims to maximize upside. This often involves re-planning the project, changing scope, modifying project priority levels, changing resource allocations, etc. The goal of both reduce and enhance is to improve the answers to the two key questions, namely: “How likely is this project to succeed?” and “What is the potential range of variation in outcome?”—as follows:
- Probability of project success. Here the purpose is to increase the chances of success as predicted from the quantitative risk analysis model.
- Variation in outcome. Responses to overall project risk should aim to reduce uncertainty by narrowing the overall range of potential variation. Where possible, responses should also aim to shift the distribution of variation towards the upside. Taking the example in Exhibit 4, where the overall variation in total project cost was 22% (−4% / +18%), effective reduce responses might seek to reduce overall variation to say 15%, and use of enhance responses might shift the spread to −10% / +5%, thus increasing the potential for cost savings.
- Accept. As for individual risks, accepting the existing level of overall project risk means continuing with the project as currently defined, aware of how much risk is being carried, monitoring changes in overall project risk as the project proceeds, and ensuring appropriate levels of contingency at the whole project level.
Most risk responses are not cost-free, and it is important to ensure that selected responses are both cost effective (the potential saving exceeds the cost of the response) and risk effective (the response changes overall project risk exposure significantly and proportionately). This is likely to require consideration of more than one candidate risk response strategy before selecting the most suitable response for implementation.
One way to determine where responses might be most effective is to use a bow tie diagram mapping causes and effects of overall project risk, as shown in Exhibit 2. Preventative responses can be focused on the main cause-risk drivers on the left-hand side of the bow tie, while protective responses address the risk-effect links on the right-hand side.
Reporting and Monitoring Overall Project Risk
It is important to communicate the status of overall project risk to key stakeholders throughout the lifetime of the project, including:
- Current level of overall project risk
- Major causes of overall project risk
- Key responses underway or planned
- Trend in overall project risk since the project started
- Predicted level of overall project risk at next reporting point
Overall project risk is dynamic, changing constantly as the project progresses, due to effective implementation of risk responses, internal developments within the project over time, and changes in the organizational and external environments. As a result, it is essential to monitor overall project risk levels regularly, to determine the effectiveness of chosen responses, to track the trend in overall project risk exposure, and to ensure that the project remains on course for success.
Since the concept of overall project risk does not feature prominently in the risk approach of most organizations, there is little guidance on appropriate reporting formats. Exhibits 5–8 present suggested formats for reporting overall project risk, including current level and trends over time, which could be built into an overall project risk dashboard.
One option is to reflect the risk tolerance of the project sponsor and other key stakeholders for overall project risk using a Red/Yellow/Green “barometer” format. For the example in Exhibit 5, a probability of success <50% is deemed unacceptable (red) requiring urgent and radical action; where probabilities are in the range 50-80% (yellow), continued and focused attention is required; and any chance of success >80% is acceptable (green). The probability of project success is then plotted on the “Overall Project Risk Barometer,” either using markers to indicate current and previous levels of exposure, or as a graph showing changes over time (Exhibit 5).
Exhibit 5 – Overall project risk barometer
The “Overall Project Risk Barometer” indicates changes in the probability of project success over time, and a time series showing changes in variability can be combined with this, as in Exhibit 6. This can show potential ranges (minimum/expected/maximum) either for a single factor such as project budget/cost, or for a composite “project success factor,” which combines schedule, budget, performance, etc.
Exhibit 6 – Expanded overall project risk barometer showing variability
A final candidate graphic showing changes in variability draws on the integrated cost-time quantitative risk analysis shown in Exhibit 4. The ellipse in the top-right corner of the eyeball/football plot shows potential variations in project budget and schedule, plotting a best-fit curve around the majority of cost-time pairs. The size of the ellipse represents the total amount of uncertainty in project time-cost outcomes, so a plot overlaying ellipses from different time-points will show how overall project risk is changing, as shown in Exhibit 7. The orientation of the ellipse also indicates whether the primary effect of uncertainty is on budget or schedule (see Exhibit 8).
Exhibit 7 – Overlaid ellipses from integrated cost-time quantitative risk analyses
Exhibit 8 – Interpreting orientation of integrated cost-time quantitative risk analysis ellipses
Responsibility for Managing Overall Project Risk
A key principle of risk management is that ownership of a particular risk should lie with the person or party who owns the objective that would be affected if the risk occurred, known as the risk owner. This principle also applies to responsibility for managing overall project risk. The right owner for overall project risk is the person who owns the overall project objectives, namely the project sponsor (although in some cases this might be delegated to a program manager).
The project sponsor is ultimately accountable for ensuring that overall project risk is managed effectively and that it stays within the overall risk threshold set by key stakeholders for the project. This accountability of the project sponsor is however delegated to the project manager, who is responsible for managing overall project risk as part of their duty to deliver the objectives of the project.
As a result, management of overall project risk becomes a shared duty of both the project sponsor and the project manager, acting in partnership to ensure that the project has the optimal chance of achieving its objectives within the allowable risk threshold. Successful management of risk at this whole-project level therefore depends largely on the effectiveness of the working relationship between these two key players.
Conclusion: Next Steps
The concept of overall project risk has featured in project risk management guidelines for the past decade (Association for Project Management, 2004, 2012; Project Management Institute, 2009, 2013), but it is largely ignored by most project-based organizations. These typically concentrate on managing individual risks within their projects while not addressing the overall riskiness of those projects.
It is clearly important for project managers to be able to answer when their project sponsor asks “How risky is this project?” Equally important is the second question: “What are you doing about it?”
This paper explains how overall project risk can be identified, assessed, managed and reported. The question remains as to whether project-based organizations will take up the challenge to begin to address risk at the whole project level as well as considering individual risks. This has important implications not just for project success, but also for the management of risk at program, portfolio, and strategic levels.
In addition, project management professional bodies such as the Project Management Institute (PMI) and the Association for Project Management (APM) should ensure that future updates of their risk management guidance are extended to include overall project risk alongside individual project risks. Only then can we give our projects the best possible chance of succeeding, by managing both the risks in the project and the risk of the project.
Association for Project Management. (2004). Project risk analysis & management (PRAM) guide (2nd ed.). High Wycombe, Bucks, UK: APM Publishing.
Association for Project Management. (2012). Body of knowledge (6th ed.). High Wycombe, Bucks UK: APM Publishing.
Hillson, D.A. (2002, June) The Risk Breakdown Structure (RBS) As an Aid to Effective Risk Management. Fifth European Project Management Conference, PMI Europe 2002, Cannes, France.
Hillson, D.A. (2009). Managing risk in projects. Farnham, UK: Gower.
Hillson, D.A., Rafele, C., & Grimaldi, S. (2006). Managing risks using a cross risk breakdown matrix. Risk Management: An International Journal 8 (1), 61–76/
Hillson, D.A., & Simon, P.W. (2012). Practical project risk management: The ATOM methodology (2nd ed.). Vienna, VA: Management Concepts.
Hulett, D.T. (2011). Integrated cost-schedule risk analysis. Farnham, UK: Gower.
Project Management Institute. (2009). Practice standard for project risk management. Newtown Square, PA: Project Management Institute.
Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK® guide) – Fifth edition. Newtown Square, PA: Project Management Institute.
Vose, D. (2008) Risk analysis: A quantitative guide (3rd ed.). Chichester, UK: Wiley.
© 2014, David Hillson
Originally published as a part of the 2014 PMI Global Congress Proceedings – Phoenix, Arizona, USA