Sustainable Risk Management

Sustainable Risk Management – Overview

This post introduces the foundational concepts of sustainable risk management and recommends adopting it as a core discipline within sustainable change delivery.  It is part of a series that provides the foundation for understanding sustainable change delivery.

“It is far better to grasp the universe as it really is than to persist in delusion, however satisfying and reassuring” – Carl Sagan (1997).

(Quote borrowed from Douglas Hubbard’s The Failure of Risk Management)

Risk management is a core discipline of sustainability, and its importance is magnified in change delivery initiatives, where uncertainty is greatest.

The classic Machiavelli quote from The Prince sets the stage:

“…it ought to be remembered that there is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things, because the innovator has for enemies all those who have done well under the old conditions, and lukewarm defenders in those who may do well under the new” (Machiavelli, Kindle Locations 477-479, 2015).

In short… a lot of risk.  From an organizational perspective, sustainable change delivery offers the following, with sustainable risk management as an essential and integrated component:

Exhibit 1: Sustainable Risk Management (Copyright Peter Milsom 2015)

Sustainable Risk Management Overview

Risk management is well documented elsewhere, so only a high-level overview is given here.  The following definitions represent the traditional Western view of the foundational concepts of risk management:

  • Risk
    • A risk is an uncertain event or set of events that, should they occur, will have an effect on the achievement of objectives. A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.
  • Threat
    • “A threat is used to describe an uncertain event that could have a negative impact on objectives” (OGC, p. 77, 2009).
    • “Because it has been raining heavily (risk cause), there is a threat that the river flowing through the farmer’s field might overflow (risk event), which would severely damage the farmer’s crop (risk effect)” (OGC, p. 82, 2009).
  • Opportunity
    • “An opportunity is used to describe an uncertain event that could have a favourable impact on objectives” (OGC, p. 77, 2009).
    • “Because the weather has been particularly mild this winter (risk cause), there is an opportunity that fewer people will be hospitalized with influenza (risk event), which will mean that there will be less disruption to planned routine operations (risk effect)” (OGC, p. 82, 2009).

There are different perspectives on whether risks should include opportunities.  This is discussed in a related post entitled “Current Challenges with Risk Management”.

A few more foundational risk management concepts are outlined below in exhibit 2 to provide context:

Exhibit 2: Risk cause, event and effect from Managing Successful Projects with PRINCE2 2009 Edition, Figure 8.4 (OGC PRINCE2, p. 82, 2009)
  • “Risk cause
    • It should describe the source of the risk, i.e. the event or situation that gives rise to the risk. These are often referred to as risk drivers. They are not risks in themselves, but the potential trigger points for risk. These may be either internal or external to the project
  • Risk event
    • This should describe the area of uncertainty in terms of the threat or the opportunity
  • Risk effect
    • This should describe the impact(s) that the risk would have on the project objectives should the risk materialize” (OGC, p. 81, 2009).

Exhibit 3 provides a table of scenarios and descriptions that clarifies what a risk event actually is and how risks should be described.

“In stating risks, care should be taken to avoid stating impacts which may arise as being the risks themselves, and to avoid stating risks which do not impact on objectives; equally care should be taken to avoid defining risks with statements which are simply the converse of the objectives. A statement of a risk should encompass the cause of the impact, and the impact to the objective (cause and consequence) which might arise” (UK HM Treasury, p. 14, 2004).

Exhibit 3: Understanding and Defining Risks (UK HM Treasury, p. 14, 2004).


Exhibit 4 provides a helpful model for categorizing events by their probability, their outcome and their context.

Exhibit 4: Event categories (Reuvid, Kindle Location 470, 2014)


There are a variety of risk management methods and processes.  Exhibit 5 is a reasonable representation:

Exhibit 5: Sample Risk Management Method (OGC, pp. 29-30, 2012).

The following list describes the steps in the risk management process:

  • “Identified
    • This includes risks being considered that could affect the achievement of the project’s objectives, and then described to ensure that there is a common understanding of these risks
  • Assessed
    • This includes ensuring that each risk can be ranked in terms of estimated likelihood, impact and immediacy, and understanding the overall level of risk associated with the project” (OGC, Kindle Locations 2570-2571, 2009).
  • Plan
    • The goal of planning is to prepare specific management responses to the identified threats and opportunities, ideally removing or reducing the threats and maximizing the opportunities. (4.8)
  • Implement
    • The goal of implementation is to ensure that the planned risk responses are carried out, that their effectiveness is monitored, and that corrective action is taken where responses do not match expectations.

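As an added illustration (not code from the post, nor from OGC or PRINCE2), the following Python risk register ties the definitions above together: each entry is held in the cause / event / effect shape of Exhibit 2, rendered in the OGC “because …, there is a …, which would …” form, checked against the HM Treasury guidance (a certain event is an issue rather than a risk, and every entry needs a cause and an impact on an objective), and then ranked by estimated likelihood, impact and immediacy as the Assess step requires. Threats and opportunities share one signed exposure axis so that both kinds can be ranked together. The sample entries, the “working days” impact unit and the reference date are constructed for this example.

```python
"""Tiny risk register in the cause / event / effect shape of Exhibit 2.

Added illustration, not code from the post or from OGC/PRINCE2.  The entries,
the 'working days' impact unit and the reference date are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Literal


@dataclass(frozen=True)
class Risk:
    risk_id: str
    cause: str          # risk driver: a fact or situation, not itself a risk
    event: str          # the uncertain event (a threat or an opportunity)
    effect: str         # impact on an objective if the event occurs
    kind: Literal["threat", "opportunity"]
    likelihood: float   # estimated probability, strictly between 0 and 1
    impact: float       # magnitude in one unit shared by every entry (here: working days)
    proximity: date     # earliest date the event could occur (immediacy)

    def statement(self) -> str:
        """Render the entry in the OGC 'because ..., there is a ..., which would ...' form."""
        article = "an" if self.kind[0] in "aeiou" else "a"
        return (f"Because {self.cause}, there is {article} {self.kind} that {self.event}, "
                f"which would {self.effect}.")

    def exposure(self) -> float:
        """Probability x magnitude, signed: negative for threats, positive for opportunities."""
        sign = -1.0 if self.kind == "threat" else 1.0
        return sign * self.likelihood * self.impact


def validate(risk: Risk, today: date) -> List[str]:
    """Return the reasons an entry is not a well-formed risk; an empty list means it is."""
    problems = []
    for field in ("cause", "event", "effect"):
        if not getattr(risk, field).strip():
            problems.append(f"{risk.risk_id}: {field} is missing")
    if not 0.0 < risk.likelihood < 1.0:
        # a certain event is an issue to manage now, not a risk; an impossible one is noise
        problems.append(f"{risk.risk_id}: likelihood {risk.likelihood} is not the "
                        "probability of an uncertain event")
    if risk.impact <= 0:
        problems.append(f"{risk.risk_id}: impact must be a positive magnitude")
    if risk.proximity < today:
        problems.append(f"{risk.risk_id}: proximity date has passed; close the entry or raise an issue")
    return problems


def rank(register: List[Risk], today: date) -> List[Risk]:
    """Order by size of expected impact, then by how soon the event could occur."""
    return sorted(register, key=lambda r: (-abs(r.exposure()), (r.proximity - today).days))


def net_exposure(register: List[Risk]) -> float:
    """Signed sum of exposures: threats pull it down, opportunities push it up."""
    return sum(r.exposure() for r in register)


# Constructed sample register for a hypothetical project (not from the post).
TODAY = date(2016, 3, 1)
REGISTER = [
    Risk("R1", "the payment service runs a library version past its vendor's end of support",
         "an attacker exploits a publicly known flaw in that library",
         "take the service offline for recovery and notification", "threat",
         0.3, 20, date(2016, 4, 15)),
    Risk("R2", "the integration environment is shared with another team",
         "a test deployment overwrites live configuration",
         "delay the release while it is rebuilt", "threat",
         0.5, 3, date(2016, 3, 10)),
    Risk("R3", "the vendor has promised the single sign-on connector ahead of schedule",
         "integration work finishes before the test window opens",
         "free time for additional security hardening", "opportunity",
         0.4, 5, date(2016, 3, 20)),
]
# A certain event is an issue, not a risk: validate() rejects this entry.
NOT_A_RISK = Risk("X1", "the licence expires on 1 April", "the licence lapses",
                  "block all builds", "threat", 1.0, 10, date(2016, 4, 1))

if __name__ == "__main__":
    for r in rank(REGISTER, TODAY):
        print(f"{r.risk_id} exposure={r.exposure():+.1f} days  {r.statement()}")
    print("net exposure:", net_exposure(REGISTER))
    print("rejected:", validate(NOT_A_RISK, TODAY))
```

Impacts are deliberately kept in one shared unit rather than an ordinal 1-5 score, because multiplying ordinal scores produces rankings that do not reflect expected loss; if a common unit is not available, the ranking should be treated as indicative only.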
Exhibit 6 provides another representation, taken from asset integrity management, which is itself a foundational concept for sustainable change delivery.

Exhibit 6: The overall risk management process for asset integrity management (Reuvid, p. 38, 2014)

Given the standing of ISO 31000 Risk Management, exhibit 7 summarizes its principles and framework, including the recommended process:

Exhibit 7: ISO 31000 Principles, Framework and Process (ISO 31000:2018)

Organizational Risk Management

Please refer to Sustainable Risk Management – 2 Organizational Risk Management.

Organizational Risk Management Competencies

Please refer to Sustainable Risk Management – 3 Organizational Risk Management Competencies.

Change Delivery Sustainable Risk Management Competencies

There are numerous ways to integrate sustainability into risk management. One straightforward approach is to employ the P5 Standard (outlined below), run a P5 impact analysis over the identified risks (threats and opportunities), incorporate the high-impact areas into a Sustainability Management Plan (SMP), and use the organizational Sustainability Management System (SMS) to mitigate the threats and enhance the opportunities.

Exhibit 8: GPM P5 Standard



A foundational understanding of risk management is critical for any project.  Numerous risk management programs provide guidance, including GPM Global’s sustainable risk management training program, which helps organizations evaluate their risk management systems, mature their risk management understanding and competency, and adopt new tools and techniques for incorporating sustainable risk management into their change delivery initiatives.


Series Objectives

This series is all about raising awareness of sustainable change delivery and the integral elements, disciplines and competencies associated with it. In the graphic below, each of these elements is identified in terms of its contribution to sustainability. These elements form the basis of the GPM® Global P5™ Standard for Sustainability in Project Management, the GPM® Global Training Programs and the GPM® Global Portfolio, Program and Project Sustainability Model (PSM3™) for organizational assessment.

Exhibit 9: Organizational Sustainable Change Delivery Competencies


Association for Project Management. (2014). Project Risk Analysis and Management Guide, Second Edition. Retrieved September 21, 2015, from

Atkinson, R., Crawford, L., & Ward, S. (2006). Fundamental uncertainties in projects and the scope of project management. International Journal of Project Management, 24(8), 687–698. doi:10.1016/j.ijproman.2006.09.011.

Bacon, R., & Hope, C. (2013). Conundrum: Why every government gets things wrong and what we can do about it. Retrieved October 18, 2015, from

Baxter, Keith (2012). Risk Management: Fast Track to Success. Financial Times/ Prentice Hall Limited.

Jones, C. (1994). Assessment and Control of Software Risks. Yourdon Press, Upper Saddle River, NJ, USA.

Chapman, C. (2006). Key points of contention in framing assumptions for risk and uncertainty management. International Journal of Project Management, 24(4), 303–313. doi:10.1016/j.ijproman.2006.01.006.

Chapman, C., & Ward, S. (2004). Why risk efficiency is a key aspect of best practice projects. International Journal of Project Management, 22(8), 619–632. doi:10.1016/j.ijproman.2004.05.001.

Connolly, T. & Arkes, H.R. & Hammond K.R. (1999).  Judgment and Decision Making: An Interdisciplinary Reader (2nd ed.).  Cambridge Series on Judgment and Decision Making. Cambridge University Press.

Dallas, M. F. (2008). Value and Risk Management: A Guide to Best Practice. Retrieved September 21, 2015, from

Down, A., Coleman, M., & Absolon, P. (1994). Risk Management for Software Projects. Retrieved September 21, 2015, from

Hamzah, S. Z. (2012). Use Bow Tie Tool for Easy Hazard Identification. Retrieved December 22, 2015, from

Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management, 20(3), 235–240. doi:10.1016/S0263-7863(01)00074-6.

Hillson, D. (2007). Understanding and Managing Risk Attitude, Second Edition. Retrieved September 21, 2015, from

Hillson, D., & Simon, P. (2012). Practical Risk Management: The ATOM Methodology, Second Edition. Retrieved September 21, 2015, from

Hubbard, Douglas W. (2009). The Failure of Risk Management: Why It’s Broken and How to Fix It. Wiley.

Hubbard, Douglas W. (2014). How to Measure Anything: Finding the Value of Intangibles in Business, Third Edition. Wiley.

International Organization for Standardization. ISO 31000:2018, Second Edition: Risk Management – Guidelines. 2018.

Jaafari, A. (2001). Management of risks, uncertainties and opportunities on projects: time for a fundamental shift. International Journal of Project Management, 19(2), 89–101. doi:10.1016/S0263-7863(99)00047-2.

Kahneman, Daniel (2011). Thinking, Fast and Slow. Random House, Inc..

Kendrick, T. (2015). Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project, Third Edition. Retrieved September 21, 2015, from

Koletar, J. W. (2010). Rethinking Risk: How Companies Sabotage Themselves and What They Must Do Differently. Retrieved September 21, 2015, from

Kutsch, E., & Hall, M. (2010). Deliberate ignorance in project risk management. International Journal of Project Management, 28(3), 245–255. doi:10.1016/j.ijproman.2009.05.003.

Machiavelli, Niccolo (2015). The Prince (Xist Classics). Dover Publications.

OGC – Office of Government Commerce (2012). Management of Risk: Guidance for Practitioners 2010 Edition, Third Edition. The Stationery Office (TSO).

OGC – Office of Government Commerce (2009). Managing Successful Projects with PRINCE2™ 2009 Edition.

Olsson, R. (2007). In search of opportunity management: Is the risk management process enough? International Journal of Project Management, 25(8), 745–752. doi:10.1016/j.ijproman.2007.03.005.

Pender, S. (2001). Managing incomplete knowledge: Why risk management is not sufficient. International Journal of Project Management, 19(2), 79–87. doi:10.1016/S0263-7863(99)00052-6.

Perminova, O., Gustafsson, M., & Wikström, K. (2008). Defining uncertainty in projects – a new perspective. International Journal of Project Management, 26(1), 73–79. doi:10.1016/j.ijproman.2007.08.005.

Ramsden, M. (2013). Ten rules for smart bowtie analysis. Retrieved December 22, 2015, from

Reuvid, J. (2014). Managing Business Risk: A Practical Guide to Protecting Your Business, Tenth Edition. Retrieved September 21, 2015, from

Savage, Sam L. (2012). The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty. Wiley.

Taleb, Nassim Nicholas (2010). The Black Swan: The Impact of the Highly Improbable, Second Edition, with a new section “On Robustness and Fragility” (Incerto). Random House Publishing Group.

Thibault, Marc (2010). An Enhanced Toolkit for Plans and Projections.

Thibault, M. (2013). Calculating Uncertainty. John Marc Thibault. Retrieved from

UK HM Treasury. (2004). Orange Book: Management of risk – Principles and Concepts. Retrieved November 3, 2015, from

Ward, S., & Chapman, C. (2003). Transforming project risk management into project uncertainty management. International Journal of Project Management, 21(2), 97–105. doi:10.1016/S0263-7863(01)00080-1.

Westerman, G., & Hunter, R. (2007). IT Risk: Turning Business Threats into Competitive Advantage. Retrieved September 21, 2015, from

Zwilling, M. (2014). How To Balance Business Risk Versus Opportunity. Retrieved March 6, 2016, from




Peter Milsom

Peter Milsom is an entrepreneurial advocate for sensible, sustainable change delivery practice. Peter has come to realize that sustainability is the perfect catalyst for Project / Programme / Portfolio / Risk / Value / Business Case and Benefits Management improvement. As an entrepreneurial methodologist Peter's unique value proposition is the vast array of tools and techniques that he brings to every engagement using the most cost effective and efficient methods based on the situation and tailored to meet your needs. This is based on his unique combination of experience and extensive training / certifications in change delivery, value / risk / benefits management business case, and business architecture.
