Managing Uncertainty and Risk on the Project


Developed by Daniel Agervig Krogh

One of the most challenging aspects of projects is managing risk and uncertainty. Yet even with the knowledge we possess, it is a topic that many find difficult to handle. Many stakeholders are involved in projects and may therefore have different opinions about what the best solution approach is. The majority of people tend to think in deterministic terms of an optimal solution instead of probabilistic terms of a robust solution. This article highlights the main differences between risks and uncertainties as they relate to project management. The risk management process is explained in its four stages: identification of the problem, assessment of the risks, how to respond to the risks, and lastly how to control the risks. To assess the risks, a risk-management process tool is used and explained further, and a management tool, the impact/probability matrix, is applied as part of the process.



Figure 1: The relationship between risk, uncertainty and the opportunities [1]

Risk and uncertainty have many different definitions, and it can be hard to settle on a single one. Risk management had its origins in the insurance industry in the USA in the 1940s. Project management can be explained as the discipline of projecting or planning, organizing, motivating and controlling resources to achieve specific goals and meet specific criteria. When talking about risk, people often link it with uncertainty, while others refer to it as opportunity. Risk can also be defined as a combination of the probability of an event and its consequences. There is a relationship between risk, uncertainty and opportunities, which is illustrated in Figure 1. [1]

The definition of uncertainty is:

“An unexpected event, if it occurs, may have either no effect or a good or bad effect on at least one of the project’s objectives and success.” [1]

And risk is defined as:

“An uncertain event or situation, if it occurs, may have threat(s) or bad effect(s) to at least one of the project’s objectives and success”[1]

Figure 2: Uncertainty over time [2]

Risks and uncertainties play a big role in projects. Uncertainty is by definition the lack of information available to take a decision at a given time. Figure 2 illustrates the difference between the information required and the information actually available. Uncertainty has two sources. The first is complexity, where the information is available but is too costly to collect and analyse. The second is predictability, where you are able to predict uncertainties based on previous experience.

Figure 3: Risk sources and risk events and how to approach them [2]

At the beginning of a project the uncertainty is very high, depending on the size of the project. To decrease the mission uncertainty, standardised components and solutions, for example, can be used to some extent. As a project moves forward, more information becomes available and the dynamic uncertainty therefore decreases, since some parts of the project will be finished and thus have less impact on the actual uncertainties. To show the relation between risk and uncertainty, Figure 3 illustrates the risk sources; a risk source is an element that, alone or in combination with others, can give rise to risk. [3] The management team can respond to the risk source and can plan how to respond when or if the risk event occurs. The risk event is an occurrence or change of circumstances. An event can be one or more occurrences, can have several causes, and can be referred to as an incident or accident, but it can also be without consequences; that can be a near miss, an incident, a near hit or a close call. The model explains in short terms how you can deal with the risk sources and events.

Figure 4: Four stages of knowledge [2]

The relationship thus covers the dimensions of the risk source, the impact of the risk, and the extent to which the management team can respond to the risk source and events. The understanding of risk in relation to probability is divided into four terms:

  • The objectivist believes that a sample of previous observations can be used for predicting future risk sources. The predictions therefore rely on statistics inferred from experience.
  • The logical could be an engineer who is solving problems with an engineered system. Through their understanding of the design and its scientific properties, engineers might be able to identify risk sources and therefore possible risk events. It relies closely on the basis of Failure mode and effects analysis.
  • The subjectivist relies mostly on subjective decisions. That means that, regardless of the information available, the observer might consider factors other than just historical facts. Two different subjectivists in the same situation might therefore not reach the same clear result unless the decision is obvious.
  • The behavioural focuses on actual behaviour in decision-making under uncertainty. It therefore relies on how decisions are made in practice.

When managing risks and uncertainties, these four terms are important when looking at decision-making. There is a difference between the definitions of uncertainty and risk, where there is a probability that a risk event could occur. The reason is the subjective term, where the decision-maker has an impact on the outcome because the decision does not rely on historical events and statistics. The underlying understanding of risk and uncertainty can be divided into four different stages of knowledge, which are defined as the cognitive standpoint. They are as follows:

  • Known knowns is the condition where the risk source has been identified and a probability can be assigned to a certain risk event. This is the standpoint that receives the most attention, because many advocate the use of subjective probabilities.
  • Known unknowns is where uncertainty plays its role: a risk source has been identified, but a probability cannot be assigned to the risk event.
  • Unknown knowns is a condition where the uncertainty arises because somebody knows about the risk source and its chance of appearing, but the information is kept private instead of being shared.
  • Unknown unknowns is the uncertainty where the risk source has not been identified, and the risk event therefore cannot be known. That phenomenon has been called the ‘black swan’.

The four different standpoints are illustrated in Figure 4.

In the figure, the y-axis illustrates whether the occurrence of any future event is certain, impossible, or somewhere in between. It is rare that a proper data set is available, and it is not possible to make any changes to the data set, so the objectivist only has a point between certainty and impossibility. [2]


Practice of managing risk and uncertainty

Figure 5: A stakeholder matrix, mapping stakeholders by their power and interest, towards a project. [2]

When you have knowledge of and insight into the potential uncertainties and risks in a project, there are several protocols for managing them properly. Known unknowns can be managed proactively without problem, and it is also possible to mitigate the impact of unknown unknowns. One of the basic models describing the risk management process is illustrated in Figure 5 and has four main elements. It is not a tool in itself, but a process describing the procedure for handling risks.

  • Identify and classify the risk sources that have to be managed.
  • Assess the risks so that you have a full understanding of the risks and how they can affect each other.
  • Respond to the risk sources and decide what to do about them if they occur.
  • Control the risks throughout the whole project, so that they have minimum impact on the project.

The process is like a loop learning model: a process that runs through time. [2]



Figure 6: A stakeholder matrix, mapping stakeholders by their power and interest, towards a project. [2]

This section guides the reader through the stages of using the impact/probability matrix tool. The tool is used every day, whether consciously or unconsciously. The purpose of the impact/probability matrix is to rank the risk sources, risk events and treatments based on the level of risk. [4] It is a common tool for screening a project with many risks, which makes it easier for the management team to plan how and when to handle the risk sources and risk events. The tool is illustrated in Figure 6. The tool is also great for communication: it helps the organization decide on the risk appetite for the specific project. The impact/probability matrix also serves a bigger purpose: it is used for criticality analysis in Failure mode, effects, and criticality analysis (FMECA) or to set priorities in a Hazard and operability study (HAZOP). The tool is also an effective way to handle risks when the available data is not good enough or when the available resources cannot fulfil a qualitative analysis. [4] Many of the risks have different outcomes and different levels of consequence. For some projects it is therefore important to distinguish between unlikely catastrophic risk events and the common problems, which have a more serious impact and are therefore a threat. [4]

Identify and classify the risk sources

Risk identification involves the identification of risk sources, events, their causes and their potential consequences. [3] The identification stage is one of the crucial elements in the model for actually succeeding in discovering the risk sources. However, it is one of the less formalized elements in risk management, which in itself can have consequences. Normally this work is done by employees experienced in the field in question, which can be a problem when thinking of e.g. knowledge sharing. It can also be done through workshops etc. When the information gathering is done, a risk register is made with all the knowns; this is a document or log where all the available information is accessible. It is important that risk sources are identified even when the risks are evident. [5] The identification must include the knock-on effects of a possible consequence, including cascade and cumulative effects. [4]

Assess the risk sources

When the risk sources have been identified, the next task is to assess and analyse the identified risks. The tool can be shown in different forms, but it illustrates the impact of the risk and the likelihood [5] of occurrence of the risk. [4] In this case the tool has four different groups in which risk is evaluated. [4]

The different risk sources are identified and classified in terms of their probability of occurrence and the magnitude of their impact on the project. The model can be used for assessing whether known unknowns have a high impact or probability when they occur. Hence, managers can prioritize and schedule the risk sources. The decision on the risk level and its sensitivity to predictions and assumptions should be included in the analysis and communicated to the decision makers and stakeholders. [5] The level of risk can vary from project to project and depends on the purpose of the analysis and the information, data and resources available. An analysis is either qualitative, semi-quantitative or quantitative, or a combination of these. [5]

Respond to the risk sources

When the risk sources have been identified and analysed, the next task is to decide what to do with each of them. To be able to place the risk sources in the right area of the impact/probability matrix illustrated in Figure 6, the areas are explained further as follows:

  • Accept the risk as it is, and plan to respond to the risk. Since it is bad luck, there is not much to do.
  • Externalise the risk down the supply chain by subcontracting. This is only done when the subcontractor is in a better position than the principal. When externalising the risk, the subcontractor has to have better managerial capability; otherwise it can have fatal consequences, in extreme cases the subcontractor going bankrupt because of a risk event. The general rule is to communicate with the actors who are closest to the risk source and motivate them to manage it effectively so that it has as small an impact as possible.
  • Mitigate the risk by changing the project mission or scope to minimise the probability of the risk occurring. Mitigation is a systematic reduction of the risk and is also called risk reduction. This kind of risk can also be associated with e.g. the choice of technology, and, as mentioned earlier, using a technique like Failure mode and effects analysis (FMEA) would make the solution more robust.
  • Rare catastrophes, such as fire on construction projects, cannot be controlled by the actors, and insurance is therefore a normal way to deal with them. By mitigating the risk, it will almost be possible to avoid the risk event. A classic way is indemnity insurance, and if that is not an option, then mitigation is preferable. The last option will only be suitable if the magnitude of the risk event would not bring the company down.
  • Delay the decision until the needed information is available. As mentioned earlier, this makes the decision more secure and the risks better known. This is crucial for high-impact risks.

The treatment of risk sources varies from risk to risk. Sometimes it will involve selecting one or more options to modify the risks. Choosing the treatment involves balancing the costs and effort of implementation against the benefits. But the decisions are not bounded only by economic grounds, e.g. for risks with highly negative consequences but low likelihood. When treating the risks, secondary risks could occur, and those should be treated together with the original risk, since the link between the two risks should be identified and maintained. [5]

Monitoring and Controlling

The final phase is to monitor the risk sources throughout the whole project life cycle, so that the probability and impact can be reassessed as information becomes available. Once the point at which a risk event could have occurred has passed, the risk can be removed from the risk document. To monitor risk sources, a risk owner has to be selected to do the supervision. Monitoring involves regular checking or surveillance and can be periodic and ad hoc. [4] The rest of the management team has to be fully engaged, since this is the phase where the unknown unknowns will grow. The job encompasses all aspects of the risk management process, and the following points are highly relevant:

  • The management team has to be visible on site, noticing what is going on, to be able to identify threats to schedule and budget but also to see opportunities to do things better if possible.
  • Hold routine informal meetings to freely exchange views without taking any minutes or recordings. This can e.g. help reveal potential problems that are there to be discovered, which can potentially benefit the progress of the project.
  • Spotting behaviour that might be improper and interpreting it correctly.
  • Ensuring that controls are effective and efficient in the design and operation.
  • Gathering information to improve the risk assessment.
  • Analysing and learning from events, including the near-misses, changes, trends, success and failures.
  • Observing external and internal changes, and changes in the current risk criteria and the risk itself.
  • Identifying upcoming risks.

All observations during the project should be recorded so that what went well and what went badly can be evaluated. This could help the organization in future projects and also improve the management culture. [5]

Strengths and Limitations


The tool is easy to use, and users do not need training to use it in practice. It gives a good overview of the risks and therefore makes it easier to scrutinise the project to a desired level. Moreover, it is a good tool for communicating when it comes to decision making about what to do regarding the different risk sources that might occur. [4]


A matrix can be designed for different purposes, which is why the same tool exists in different forms depending on the kind of project. It is hard to make a common matrix that fits every project, and the tool can therefore have limitations if it is used wrongly. The scales can be understood differently, so the ratings/decisions can vary depending on who is rating the consequences and impact on the project. Another limitation of the tool is that if a low-impact risk is repeated, the level of impact can become medium, but the tool does not consider such elements on a project. The results differ depending on how detailed the analysis is. The more detailed the scenarios are, the less likely the risk event is to actually occur. It is therefore important for the raters to define the risk and which factors apply. [4]

Annotated bibliography

Yu Shiwang, Guo Na (2013) Lecture Notes in Electrical Engineering, Vol.218 PP.815-822 - This book has a very interesting section, which explains the differences between the uncertainty and risks.

Winch Graham M. (2010) Managing Construction Projects: An Information Processing Approach, Second edition, pp. 3-8 and pp. 346-366 - This book explains how risks can be handled on advanced projects and how to manage them.

(2009) “ISO Guide 73” – Risk management Vocabulary - This standard has clear definitions of the different aspects in risk management, which is great when understanding the different articles and books.

(2009) “ISO 31010” – Risk Assessment Techniques, Edition 1.0 - This standard explains how to approach a given project. In this case the usage of the tool Impact and Probability matrix.

(2009) “ISO 31000” – Risk management Vocabulary, Edition 1.0 - This standard supported ISO 31010 very well with further explanation.


  1. Yu Shiwang, Guo Na (2013) Lecture Notes in Electrical Engineering, Vol. 218, pp. 815-822
  2. Winch Graham M. (2010) Managing Construction Projects: An Information Processing Approach, Second edition, pp. 3-8 and pp. 346-366
  3. (2009) “ISO Guide 73” – Risk management Vocabulary
  4. (2009) “ISO 31010” – Risk Assessment Techniques, Edition 1.0
  5. (2009) “ISO 31000” – Risk management Vocabulary, Edition 1.0