Project Risk Management: Do You Know the 5 Hidden Estimating Flaws?

The basic principles of project risk management will be familiar to project managers.  The steps are straightforward, the need is obvious, and the underlying concepts are familiar. But, beneath all of that is a lot of subtlety. And plenty of traps for the unwary PM. And the biggest of these is the belief that we can readily assign likelihoods to the risks we identify.

However, estimating likelihoods for project risks is problematic for a number of reasons – I will focus on five.

Less Work; Better Risk Management

For most projects, there is one very simple, easy-to-implement solution, which I will offer you.

This article will not take a lot of your time. But it will save you a lot of time – and probably improve your risk management as well.

Our Agenda

So, in this short article, I will overview:

• A Basic Introduction to the Topic of Project Risk Management
• Why Risk Likelihood is so Tricky to Estimate
• How to Solve the Probability Problem

If you are familiar with project risk management, you may want to skip the first section.

There’s not too much to get through, so we may as well get started!

Familiarity Brings Risk:
A Basic Introduction to the Topic of Project Risk Management

Let’s start with an overview of project risk management… in video form.

The Risks of Familiarity

Our familiarity with the risk management process poses its own, significant, risk.  If the basics are simple to grasp, here is another case of ‘simple is not the same as easy‘.  The four fundamental steps of risk management each need a lot of careful attention.  They are, in truth, rather tricky.

One part of the process has always seemed to me a particular challenge.  It rarely bothers people who are new to risk management, so I take pains, when speaking about risk, to emphasise it.  It is the problem of probability.

Or, to be more precise, the problems …

Let me start by going back to basics, briefly.  At the heart of Risk Management is the need to analyze your risks. It’s at the heart, not just because it in the middle of my four steps, but because it rounds off the first two steps and sets up the last two).  When we analyse risk, we look at a whole raft of information, but two things stand out as essential.

These two things define risk

Definition: Risk is uncertainty that can affect outcomes.

First, risk represents an uncertain event.  How uncertain or certain it is, is measured by the probability, or likelihood

Second, if the risk manifests, it will make a difference – usually for the worse. We call these adverse risks ‘threats’ and positive risks ‘opportunities’. How bad a threat is or how good an opportunity is, is measured by the consequences, severity, or impact.

There are lots of scales on which to estimate the potential impact of a risk, and many of them are robust and easy to apply.  What is far harder to work with is likelihood.

Why Risk Likelihood is so Tricky to Estimate

Quite simply, human beings are extremely poor at estimating the likelihood of uncertain events.  This is because:

1. Few of us have a sophisticated understanding of the math of probability and statistics, and
2. We are equipped with a set of biases that get in the way and rapidly lead us astray.  I will examine some of my favourites, and invite you to use the comments to add some of your own.

But first, is the problem of data…

1. Data set

Projects are, in the words of PMI, ‘unique endeavors’. As a minimum, each new project has some distinctive features from its context and timing. We often don’t have the data to assess real probabilities.

This will change, of course. As we increasingly recognize the capabilities of Artificial Intelligence systems, and start to maintain, collate, and standardize performance data, AI will have increasingly large and reliable data sets to work from. There will be a time (probably soon) when AI tools can make good estimates of risks, alongside their likelihoods as well as impacts.

But, until then, we have the problem of data, along with four other factors…

2. Control Bias

We tend to think bad things are less likely to occur, when we are in control – which makes sense.  The problem arises, when we are not in control, but somebody else is.  Our own ‘passenger’ status then leads us to over-estimate the risk, even when the person is in control is very capable. 

Most people feel safer when they are driving than when somebody else is – regardless of the other person’s safety record.  Many people feel safer driving than on public transport, despite the overwhelming weight of statistics and the simple fact that the person who is in control is a professional (driver, pilot, …).

3. Recency

‘But what’ some people say, ‘about the pilot who was drinking in the cockpit, or the bus driver who was using a mobile phone?‘ These are examples of how recent newsworthy events take over our consciousness and lead us towards new mistakes. 

Strangely, the millions of bus, train, and plane journeys in which no incident occurs are never reported.  Perhaps our attitudes may change if every road traffic accident were on the news.

4. Dread

The worse the outcome, the higher we will rate it on the Impact scale.  What also seems to occur is that we unconsciously adjust our estimation of likelihood, according to perceived impact.  Higher impact events seem more likely than they really are, because we notice them and focus our attention on mitigating them. They become more salient.

In the real world, most uncertain events cluster around a diagonal line on our familiar Impact versus Likelihood graph:  Highly likely events tend to be low impact; whilst high impact events tend to be rare.  What we often do is distort our estimates.

5. Contamination

Another distortion comes when we consider the context of the risk. We also consider a bad outcome is more likely when it is associated with something we consider to be, in itself, bad. So, we feel more likely to catch a dread disease in a foreign country, industrial accidents seem more likely in a ‘bad’ industry. 

What is important is not an objective assessment of the context (you can decide for yourself which countries or industries feel dangerous to you).  What matters is our subjective assessment.

How to Solve the Probability Problem

Unless you are an expert in something, and until AI starts to access huge (and accurate) data sets, you won’t have sufficient data and analytical tools to estimate probabilities accurately.  So the solution is simple:

Don’t try!

I told you it would be simple!

If you try to estimate likelihood with accuracy, you risk falling into another trap: The Precision Trap. This is where you mistake precision for accuracy; the more precise your estimate, the more convincing it seems. 

To avoid the Precision Trap, the safest route is to stick to low-precision estimates.  Avoid the temptation to use too many categories on the likelihood scale of your risk assessment.  Absolutely reject the use of probability-based likelihood estimates unless you have real data on which to base your probabilities and you also understand statistics and probability theory.

The ‘so what?’

Treat risk analysis with care, be aware of the risks of bias in your likelihood estimates, keep your estimates simple, avoid being too precise.

My favourite scale for likelihood:

High
The sort of things that seem to happen a lot – most of us have experienced them, and we all know people who have.

Medium
The sort of things that seem to happen from time to time – a few of us have experienced them and most of us know someone who has.

Low
The sort of things that do happen, although few of us know someone who has actually experienced them.

Estimating likelihood with a five-point scale

If you really do need a five-point scale for estimating likelihood, then I recommend:

1. Very Low
2. Low
3. Medium
4. High
5. Very High

If all this sounds imprecise, then it is supposed to. I don’t want project managers to believe their risk estimates:  I want them to act on the best evidence and good judgment.

If all this sounds imprecise, then it is supposed to. 

I don’t want project managers believing their risk estimates:  I want them acting on best evidence and good judgment. Rather than focus on coming up with numbers that have little merit and spurious precision, I want you to think carefully about what a risk means and how best to prepare.

What Do You Think?

As always, I’d love to hear your thoughts, experiences, and questions. And I will respond to every comment.

You Might Also Like…

Think You Know Risk? Top 15 Risk Management Myths Busted. If you are new to project management, or just starting to focus your attention on risk, you may come across some of the common misconceptions about risk, and not know how to respond. Here, then, are my top 15 risk management myths and fallacies.

More about Risk ManagementThere is a lot of material on this site about risk management. Here are some highlights:

How to Do Risk Management in Agile Projects | VideoHow to Create a Risk Management Plan | VideoUltimate Guide to Project Risk ManagementProject Risk Management – How to Manage Project Risk | Video10 Step Risk Management Kick-off for Your Project10 Things Project Managers Need to Know about Strategic Risk ManagementPMI-RMP: All you Need to Know about PMI’s Risk Management CertificationRisk Identification: How to Identify Project Risks | VideoUncertainty Performance Domain: How to Deal with Risk in a VUCA Context5 Ways to Remove a Risk Entirely | VideoWhat to Put in Your Risk Register (Risk Log) | VideoHow to Build a Robust Project Risk Culture [8 Steps]