When a risk is not thought of as a risk?

How would you respond if a question asked you to define the term "risk"? Maybe something along the lines of "terrible things that could happen"? Could it be something about "risk and reward"? Perhaps you could say that some choices carry higher risk than others? Practitioners of risk will probably mention both the likelihood of favorable and unfavorable events. Simply put, there isn't a single definition that applies to all situations, which could lead to misunderstandings and contradictory messages. In general, people think that risk is something that should be avoided (or at the very least minimized) and that having "too much" risk is bad.

Although there are actually far more effective ways to provide this information, we'll save that discussion for another time. Many organizations regularly produce risk reports, perhaps once a month or once every three months. It will typically make an effort to list a number of potential "bad things" that could occur and negatively impact a certain part of the organization's operations. Most of the time, no meaningful attempt will be made to calculate these impacts, with the possible exception of assigning a color based on some arbitrary and subjective technique that has never been explicitly stated or contested by those making the judgments.

If the persons choosing what should be included in the risk report are the same people who believe risk is bad and if they are asked to identify risks within their sections of the organization, they are unlikely to be impartial about what is included in the report. Instead of offering objective information that would paint them in a negative light, it is in their natural nature to highlight the positive aspects of their own areas.

Risk in the real world involves more than just the possibility of negative outcomes. You take risks every time you decide something, like choosing a strategy. Large risks come with big decisions. There will always be a degree of uncertainty surrounding the delivery date and overall cost of the projects you are managing. Making an assumption involves risk; if you push it too far, the results could be disastrous. An example of this would be relying on a specific source, system, or person.

If you want risk reporting to be useful, it needs to include more than just terrible things. For example, it needs to include important decisions that are currently being considered and significant assumptions. Without this data, there is a chance that those reading these reports won't have the complete picture and may be misled into believing that everything is being properly managed and under control when, in fact, things may be very different.

If you're a senior risk consultant who solely includes lists of potential negative things in your risk reports, you may be unintentionally withholding crucial information from your senior management.

If you're in a senior position reading risk reports and you don't think they provide you with enough assurance and clarity regarding significant areas of uncertainty, such as important upcoming decisions, key assumptions, and an understanding of when key projects will be delivered, you should be asking for more information.

So When a risk is not thought of as a risk? When it’s an assumption, decision, dependency or uncertainty that may be important to the organization,  but which isn’t being communicated effectively.