The sixth edition of ‘A Guide to the Project Management Body of Knowledge’ (PMBOK6) takes a major step forward in its treatment of risk, not only addressing a wider range of ‘uncertainty’ than the simple event (it happens or it doesn’t) risk, but also acknowledging the necessity to integrate project risk management with enterprise-wide risk management, the latter aimed at addressing risks to benefit delivery and achievement of strategic objectives.
Risk and Uncertainty
But what is meant by risk and uncertainty?
If they are to be effectively managed, then not only is it important to differentiate between the different types of uncertainty, but also to understand the different ways in which they behave.
These differences are not simply theoretical. At a simple level, many project risk registers suffer because they are populated with entries that are not actually ‘event risks’. At a more important level, the failure to understand and consolidate uncertainties across projects means that organisations face poorly understood and poorly managed risks to the delivery of projected benefits.
At a consolidated strategic level, poor risk management means that threats and opportunities are neither understood, nor optimised, and might mean that there is poor understanding of worst case scenarios.
Good Risk Management
Good risk management starts with the basics, however: understanding the different types of risk and uncertainty. Unfortunately, differences in terminology between professional bodies do not help, although PMI bodies of knowledge are internally consistent.
PMBOK6’s risk knowledge area ‘aims to identify and manage risks that are not addressed by the other project management processes’. But where else is risk addressed within the PMBOK?
At one level, it might be stated that other processes ‘manage risk’ simply by their nature, for example, the creation of a communication plan might manage some communication risk. However, more specifically, ‘uncertainty’ in its general sense (you might say ‘estimating’ uncertainty) is managed primarily within cost and schedule knowledge areas. It is worth considering this in more detail, as, in practice, it forms a common source of misunderstanding.
Uncertainty in Estimating
Let’s imagine that I decide to drive from Paris to Frankfurt. A colleague tells me that this will take 5 hours on the Saturday that I intend to travel. Of course, we don’t like single point estimates in projects, and I would like to know whether this represents the best case, the worst case, the most likely case, or some other measure.
Looking up various sources of data (expert opinion, corporate database, benchmarking), I determine that the fastest time achieved between the cities by car was 5 hours, the most likely 6 hours, and the slowest 25 hours (admittedly caused by a car breakdown). Our estimate range of 5 to 25 hours certainly needs some refinement if we are to have any confidence in our travel arrangements. Of course, we hope that project estimates do not vary by +/- 400% but let’s bear with the example!
In refining our estimate, it must be understood that the range 5 to 25 hours comprises two completely distinct forms of uncertainty. The range 5 hours to (let’s say) 8 hours comprises what we may call ‘estimating’ uncertainty, that is, we only have enough information at the moment to say that the duration will be, say, 6 hours +/- a certain percentage. This equates to accuracy levels addressed in the PMBOK cost and schedule knowledge areas.
If accuracy is to be tightened within this range then we must produce a refined estimate as more information becomes available. For example, Google Maps tells me that this journey will take me 5h 23m at the precise time of writing this article, under actual traffic conditions.
The range 8 hours to 25 hours comprises ‘event’ risk as understood traditionally by the PMBOK. In order to refine this estimate we must take a conventional risk approach: identify risks, analyse, prioritise, and develop responses to the high priority risks. If car breakdown remained the biggest risk, then perhaps we can tighten our range to between 8 hours and 10 hours by making sure the car is serviced.
Uncertainty or Risk?
The risk register is the place to document these types of risks, but not the ‘estimating’ uncertainties mentioned previously. Confusing these two types of uncertainty is a common problem with risk registers. ‘Because of inconsistent standards, there is a risk that the customer supplies us with the wrong specifications for the power supply’ is a risk – it may or may not happen, and has a likelihood and impact. ‘We do not know how experienced the client project manager is’ is a statement of uncertainty and does not belong on the risk register (go and find out!).
Turning to the PMBOK6 Risk Knowledge area, the PMBOK has of course always defined risk as ‘an uncertain event or condition that, if it occurs, has a negative effect on one or more project objectives…’. Traditionally, however, PMBOK risk has concentrated on event risks. These were identified and qualified, and, although quantification might take place, this was simply to put some numbers on the event risks, with a particular objective of decision-making (for example, was it cost-effective to build a prototype, given a high likelihood of the customer acceptance test failing without one?).
PMBOK6 states that a trend and emerging practice is the consideration of non-event risks (presumably the ‘condition’ mentioned within the risk definition), including variability and ambiguity risks. These are different from the estimating uncertainties described above: even with the tightest accuracy in estimates, there will be normal variation, for example in productivity. Similarly, depending on the development approach, ambiguities may exist in the solution to be developed.
So how does PMBOK6 address the total of these uncertainties?
The answer is within the expanded role of the quantification process.
Perform Quantitative Risk Analysis (performed using computer simulation) now consolidates all areas of uncertainty within the project with a view to understanding overall project exposure, and assisting the planning of risk responses. Significantly, therefore, as inputs it takes not only the outputs of earlier risk management steps, but also project estimates and forecasts and the basis upon which these were generated.
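The following added example (not part of the original article or of PMBOK6) runs a small Monte Carlo simulation of the Paris to Frankfurt journey, combining the 5/6/8-hour estimating range with a single event risk, before and after the car is serviced. The 10% event probability, the uniform delay distribution, the run count and all function names are assumptions chosen for illustration.

```python
import random

# Figures from the article: fastest 5 h, most likely 6 h, and about 8 h as the
# top of the 'estimating' range; the 25 h worst case came from a breakdown.
LOW, LIKELY, HIGH = 5.0, 6.0, 8.0


def simulate_trip(n, p_event, max_delay, seed=1):
    """Return n simulated journey durations (hours), sorted ascending."""
    rng = random.Random(seed)
    durations = []
    for _ in range(n):
        # Estimating uncertainty: a three-point (triangular) estimate.
        hours = rng.triangular(LOW, HIGH, LIKELY)
        # Event risk: it happens or it doesn't; if it does, it adds delay.
        if rng.random() < p_event:
            hours += rng.uniform(0.0, max_delay)
        durations.append(hours)
    return sorted(durations)


def percentile(sorted_values, q):
    """Value below which a fraction q of the simulated journeys fall."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


# Assumed inputs (not from the article): 10% chance of the event, 20,000 runs.
# Unserviced car: delay of up to 17 h (8 h + 17 h = the 25 h worst case).
# Serviced car: delay of up to 2 h (8 h + 2 h = the 10 h upper bound).
UNSERVICED = simulate_trip(20_000, p_event=0.10, max_delay=17.0)
SERVICED = simulate_trip(20_000, p_event=0.10, max_delay=2.0)

if __name__ == "__main__":
    for name, runs in (("unserviced", UNSERVICED), ("serviced", SERVICED)):
        print(f"{name:>10}: P50={percentile(runs, 0.50):.1f} h  "
              f"P80={percentile(runs, 0.80):.1f} h  "
              f"P95={percentile(runs, 0.95):.1f} h  max={runs[-1]:.1f} h")
```

The median barely moves between the two scenarios because it is driven by estimating uncertainty, while the upper percentiles are driven by the event risk and respond to the risk response.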
Importantly, PMBOK6 places a much greater emphasis on the organisational context of every project. A project can only be successful if it plays its planned part in delivering business benefits, and the organisation can only be successful if projects and programs are delivered in alignment with strategic direction.
The PMI’s practice guide to the Governance of Portfolios, Programs and Projects provides a framework aligning organisational project management with the individual management of portfolios, programs and projects, and includes as one of its four domains the governance of risk. On that basis, a successful risk management strategy ensures that risks at project level are aligned with enterprise-wide risk management.
Overall responsibility for alignment lies with the project sponsor and business management. However, if the project manager is to deliver a successful project, then they must work with the sponsor and higher management to ensure that projects remain aligned with the benefit management plan and the governing framework of organisational strategic direction.