Myth busting Project Risk Management

Written by Infrastructure SIG Committee member Chantelle Morrisette, Project Risk Mgmt & Risk Intelligence and Corporate Infrastructure Manager at Bechtel 

‘The great enemy of the truth is very often not the lie, deliberate, contrived and dishonest, but the myth, persistent, persuasive and unrealistic.’ - John F. Kennedy 

The discipline of risk management and managing risks has evolved significantly over the past 60-70 years. This evolution has resulted in different frameworks, standards, and methodologies for managing risk. Enterprise Risk Management (ERM) and governance frameworks addressing compliance and risk have become popular and widespread; however, these frameworks are not wholly effective in managing project risks, and they have the potential to cause confusion about how to take and manage risk on projects.

More recently, in the nineties, Australia and New Zealand developed risk management guidelines and standards which became the foundation for the first release of ISO 31000 in 2009 and the subsequent 2018 update which, in my view, is suitable to manage risks on projects.

The various risk management approaches and frameworks have led to some confusion and some myths about what project risk management is and how it is applied to infrastructure projects. This article attempts to dispel some of the main myths.


Myth #1:  Risk management only looks at threats (is pessimistic). 

ISO 31000 is clear in defining risk as the ‘effect of uncertainty on objectives’ and that ‘an effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.’ Hence, the aim of project risk management is to help projects maximise opportunities while minimising threats. Most infrastructure project risk registers at present have more threats than opportunities. If opportunities are ignored, projects could be missing out on activities which could help improve their delivery and performance, and their achievement of objectives. The earlier in the project opportunities are identified, the higher the chances to successfully implement them and for the project to benefit. Ideally, opportunities should not be limited to the project delivery timeframe but should cover the overall asset lifetime. This is logical, yet it does not always happen this way.

Regarding threats, all projects are exposed to them. Even when initial conditions are understood, “things” happen, and a project needs to be prepared ahead of time to reduce the impacts of negative risks that turn into events. It is not about being pessimistic; it is about being prepared and building resilience. For example, think about weather-related risks. When projects consider weather, they typically allow for a certain number of days for delays and costs and may take out insurance to cover the accounted-for potential loss consequences. However, when a risk management process is employed against these scenarios, a more thorough understanding of potential weather events can be gained and, more importantly, a robust response plan developed should those events occur. Having a well-established plan can help a project prevent possible personnel and property issues and recover from such events more quickly. The response plan could also include business continuity strategies to optimise the time and resources required to get back to business as usual, decreasing the impact of the threat considerably. This is a core aspect of organisational (and project) resilience. It protects the project objectives and the reputation of the parties involved.


Myth #2: If the project has a risk register it has a project risk programme. 

Definition of a programme: A plan or system under which action may be taken toward a goal - Merriam-Webster online dictionary

Risk management is a programme where the steps proposed by ISO 31000 (identify, assess, prioritise, treat, and manage) are continuously executed in an iterative process. This is the key to an effective project risk management programme: continuous, active iteration of the process, stitched into how the team works on a daily basis. Within the process, the Manage step is integral if everything else is to be effective. Managing the process includes verbal and written communication, following up with risk and treatment (response) plan owners, engaging with the project team, and so much more. The ultimate objective of risk management is to help improve and increase project performance, enhancing the chances of delivering the agreed objectives.

The risk register is not the objective, it is a tool to keep track of:

-     Status of the identified risks

-     Status of the implementation and effectiveness of the risk treatment plans

-     Changes in identified risk likelihood and consequences


A risk register is only effective if the project risk programme (or schedule) includes:

-     A clear division of responsibilities

-     Someone in charge of and actively communicating the status of project risk, not only in reports but most importantly through timely verbal communication

-     Timely implementation of risk treatment actions, controls, and fallbacks

-     Active monitoring of risk treatment plan effectiveness


Myth #3: Project risk programmes are purely a cost and schedule control tool. 

It is clear that risk management on a project can be used to help calculate the contingency and management reserve for time and cost. This is just one small part of what it can support.  

As we discussed earlier, risk management primarily focuses on identifying project risks (threats and opportunities) and then doing something about them. This is accomplished by designing effective, innovative, and creative treatment plans and then successfully implementing them. Taking preventive actions to improve the risk profile is much more important to improving project performance than just calculating the reserve or risk contingency. What is best: to have an “accurate” contingency for risks in case they happen, or for the threats not to occur? Risk management is a strategic tool. Used well, it can potentially increase productivity and teamwork.


Myth #4: Transferring risk to another party absolves you from it.

Transferring risk as a strategy to mitigate risk is not well understood. It provides the illusion of “diverting the risk.” Some professionals think they can forget about that risk as it is “contractually assigned” to another party. However, in the case of a principal contractor “transferring the risk” to subcontractors, the principal contractor is still responsible for delivering the overall scope. The same situation applies when an owner subcontracts part of the work. As an analogy, when you have a contractor working in your house, if the contractor starts the work and then gets delayed or simply stops the works and walks away, who ends up having to clean up the mess? The owner.

Of course, a contractor “walking away” is unlikely and becomes more unlikely when dealing with reputable contractors. However, we are seeing more and more contractors not being able to meet delivery milestones and, in some cases, declaring bankruptcy. Even if a risk is “transferred”, we should still remain engaged with the scope transferred and promote adequate conditions for our subcontractors to have greater chances to deliver as promised. Their success is our success. This can be achieved by, for example, making sure they have access, materials if these are provided by the main contractor or owner, etc. Successful subcontracting is based on mutual collaboration, where both parties gain something by doing business together. Hence, instead of transferring the risk, it should be called sharing the risk.


Myth #5: If the project cannot control the risks, there is no point in including them within the risk programme.

Some risk workshop participants believe that if the project doesn’t have direct control of a risk, then there is no point in including it as part of the risk programme. Risks such as change of regulation, political elections, or civil unrest could be left out. Changing the likelihood (or probability) of any of these types of risks is unlikely; however, the project could look to reduce its exposure or potential impact if the risk does occur, or at least be aware of the potential impact ahead of time to communicate the impacts to any interested parties. How good are its controls to manage these risks? Have any trigger points been identified? How is the project going to respond if it does happen?


Myth #6: “I have been doing these kinds of projects for more than 20 years, I don’t need risk management.”

Experience is definitely very valuable when it comes to managing risk, and we all manage risks to a certain extent in our daily lives, but is that robust enough to protect multibillion-dollar projects from uncertain events?

The world is constantly changing, now at a pace never experienced before, and there are so many novel dynamics which are hard to really understand.  We all need to be agile to adapt.  For example, projects are now facing technological obsolescence risk before they are even completed.

Internally, we are also experiencing changes.  Pressure to execute projects faster and cheaper means finding different and more efficient ways of executing projects.  Change is good but brings new uncertain events.  To add complexity, risks tend to be multifunctional in nature and frequently don’t reside in a single location.  Therefore, managing risk requires a multidiscipline approach.  Risk management should be the glue helping to orchestrate a coordinated approach with the collaboration of project experts.


Myth #7: Risk management is boring!

The cliché is that the risk management professional is a “numbers driven person” who doesn’t speak much, is reserved, isolated, and a “risk avoider”. This cliché doesn’t reflect the profile of most project risk personnel. Project risk personnel need to be change agents, devil’s advocates who challenge assumptions and preconceptions to facilitate a more creative and effective way of actively managing risks.


Myth #8: Risk management equates to having great risk management software.

As we all know, the software output is only valuable if its input is valuable. Risk management could be done without software, though in some cases the complexity is so great that it could be inefficient to do so. However, the software is useless without a clear commitment from the organisation to dedicate resources to risk management, performing risk identification workshops and having experienced risk personnel who go beyond recording information in the software. Risk personnel facilitate powerful conversations among individuals of different disciplines and backgrounds to maximise opportunities and mitigate threats.


In summary, there are a number of myths about project risk management, which need to be dispelled if we are to effectively perform our duties and communicate the value generated by taking and managing risk well.  The need for high quality risk management is more important than ever in today’s fast-changing and agile world.