The Tower of Risk Management Babel

Why are many project managers confused about project risk management?

Why do some project managers include positive risks in risk management and others do not?

Why do project managers talk about risk management in different terms, as though they are speaking in different languages?

Let’s take a look at how risk is defined and why project managers need to clarify the definition and concepts of risk management with their project teams.

Risk is a Choice

Merriam-Webster defines risk as “the possibility of loss or injury: peril.” Most people think of risk as pure risk, as a possibility of loss. However, risk management has evolved to include a more holistic view that includes the potential for positive outcomes.

In his book Against the Gods: The Remarkable Story of Risk, author Peter Bernstein says, “The word ‘risk’ derives from the early Italian risicare, which means ‘to dare.’ In this sense, risk is a choice rather than a fate.” A modern definition of risk sees risk as “uncertainty about outcomes that can be negative or positive.”

The project manager’s job is to meet the project’s objectives through the management of risks, both positive and negative. The project manager’s choices drive their success or failure.

“When we take a risk, we are betting on an outcome that will result from a decision we have made, though we do not know for certain what the outcome will be.” -Peter Bernstein

Why So Much Confusion?

Ever wonder why there is so much confusion on the definitions of risk and risk management? There are several risk management standards that differ in purpose, definitions, and process. Within the world of project management, we also have different definitions and processes.

Sample of Risk and Risk Management Definitions 

| Source | Definition of Risk | Definition of Risk Management |
| --- | --- | --- |
| COSO Integrated Framework (Standard) | The possibility that an event will occur and adversely affect the achievement of objectives. | The identification, assessment, and response to risk to a specific objective. |
| RIMS | An uncertain future outcome that can either improve or worsen your position. | Strategic risk management is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution. |
| PMBOK (ANSI Standard) | An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality. | |
| PRINCE2 (Methodology) | An uncertain event or set of events, that if they occur, will have an effect on the project objectives. | |

Cutting Through the Babel of Voices

With so many definitions, how can a project manager eliminate the noise and provide a practical foundation for managing risks?

PMs should determine whether their organization has standard definitions for risk and risk management. If so, adopt the definitions to ensure integration with the management principles of the governing organization.

If your organization lacks standard definitions, work to establish definitions for your organization that align with the organizational objectives.

Include your definitions in the glossary of your Risk Management Plan. Also include your risk response categories (e.g., accept, avoid, mitigate, transfer) that align with your definitions.

Review the definitions with your project team. Provide examples. As you identify and monitor risks, review the definitions. Repetition reinforces the principles.

Question: In your experience, what are the most common misunderstandings about risk and risk management?

4 thoughts on “The Tower of Risk Management Babel”

  1. In my experience in discussion forums, the most common misunderstanding about risk and risk management consists of the low valuation placed on the skill. The skill does not come via osmosis. You have to study it, and managers need to teach it.

    In my experience, the most common misunderstanding about risk and risk management is that the practice is only performed at the beginning of the project and at the beginning of engineering. A risk could be addressed by both the PM and by Engineering, and nobody would know because organizations don’t integrate the practices. One cause of this is that project offices practice “risk management” whereas engineering addresses “failure… analysis” and “reliability.” Another cause is that project risk management does not include all areas, such as configuration management, HR management, and many functions do not consider risk management. Risk management needs to be practiced throughout the project vertically at all levels, horizontally across all functions, and latitudinally across time.

  2. I think risk has only evolved in theory to include uncertainty of positive outcomes. I used to think that maybe we just need to better explain the theory. Now I am more focussing on good communication. Let’s discuss risk management for the negative outcomes, and opportunity management for the positive outcome. It makes the whole communication and process easier and much more value added.

    Why do we insist on confusing both?

  3. When designing risk management for any given project, we talk about project and opportunities. Having many non-English natives makes the term “positive risk” incomprehensible. So here, I agree with Michael.

    Personally, I dislike the RIMS definition, which essentially talks about the outcome rather than the root causes that impact the outcome. One example, your profit is not a risk, but it may be at risk due to a number of things that may happen … and these are the issues, you have to address.

    Then looking at projects – we explicitly define and address (negative) risks as well as (positive) opportunities. We have found that the option to look at opportunities drives a lot of energy into the project besides creating value.

    We also explicitly use a holistic approach, and identify issues based on what can happen to the project as well as what impact this project invokes on the rest of the organization. This “forces” us to involve all stakeholders in the risk management, and we do that. An example … If we change a process in production to something faster/more agile, we look at how this may impact products development (upstream) as well as customers (downstream) and e.g. finance (supporting process) … and also address potential risks/opportunities from technology, legislation or the like.

    We have found that this “spots” a significant number of uncertainties, which we can (and do) benefit from addressing proactively, and yes – some projects may run 10% over budget in pursuit of an opportunity, which then may enhance the value of the project significantly.
