PHANTOM RISKS: what to report in a risk register

Phantom risks are, technically, unproven or unprovable facts which, if true, would pose risks.  At the macro level they are an issue for Western societies as they generally arise from poorly made scientific inferences which are hijacked and used to legislate pet projects.  Think of the religious right in the US trying to use scientific quackery to get creationism taught in schools.  Dangerous stuff.

Equally so for the corporate world.  Phantom risks are poorly made inferences or assumptions which, when misapplied, have teams chasing them for the life of the project.  This is commercially dangerous for 5 key reasons:

  1. It is a dangerous absorption of executive time.
  2. It causes unnecessary management hysteria.
  3. Phantom risks fuel pet projects and hidden agendas.
  4. At best they increase drag on the project, and
  5. At worst they dangerously misappropriate essential liquidity by artificially inflating the need for contingency.

More importantly, without an accurate, precise and robust quantitative methodology for identifying, defining and quantifying risk it is most likely that the corporate risk register will be full of phantom risks.


The purpose of a risk register is to define the amount of liquidity needed to cover unexpected project risk.  This means:

  1. Risk register risks must have a probability below 50%.  If they are over 50% then they have a better than even chance of happening (i.e. they are expected) and therefore they should be managed in the baseline project cost model.
  2. Unexpected project risks – truly unexpected – should have liquidity assigned from outside the project budget.

The last point is a hugely contentious issue.  Logically, a project should not be saddled with the financial burden of improbable risks not of their making, i.e. if a project did not bake in its own risks by its own poor design and management then it should not have to pay for them when they occur.  The necessary contingency funds should come from Treasury.  This means that project teams are encouraged to sail as close to the wind as possible and are not penalised for doing so.


In most cases, however, savvy project teams will artificially inflate risks in order to create the greatest possible contingency.  These funds, held outside the project budget, then act as a black-budget slush fund for the project.  The nett result is a project which is more likely to hit its margin targets but an unhealthy corporate balance sheet.


A risk is not a risk when it is an issue.  Much of the difficulty in generating real risks is that most risk register risks contain elements of risk.  They allude to risk and there is usually a gold nugget in there somewhere.  However, until there is a quantifiable financial impact they cannot be used to determine liquidity requirements and they should not be included on a risk register.  They may be pressing issues for the business but they are not risks. The difference is key:  Risks require liquidity.  Issues require analysis.

Most risk registers contain risks which have no business relevance.  These things are, technically, risks but they are usually so remote or unprovable that they (i) are hard to argue with, and (ii) obfuscate the real risks often hidden within their confused semantics.  Most of these things are pressing business issues but issues require further analysis and planning.  They do not belong in a risk register.


  1. Firstly, to be a risk a thing must satisfy the following criteria:
    1. it must be derived from a structural weakness, i.e. a design flaw in the program plan, the technical architecture, a contract clause, a cost model imperfection.
    2. there must be a threat/disposition.  For instance, a chair with a broken leg might highlight a structural weakness but it does not represent a real risk until someone becomes disposed to sitting on it.
  2. Secondly, in order for risks to be commercially relevant they must satisfy the following criteria:
    1. they must be HOT:  They need to be part of an emerging or ongoing adverse variance in the costs.
    2. they must be VALUABLE:  These variances must show high volatility in the cost model, i.e. if the risk is realised there will be worrying financial implications.
    3. they must be WEAK:  They need to be part of (or dependent upon) something that the business often gets wrong.  This is critical because adverse variances and financial volatility might merely represent the natural trajectory of a cost variance in a project.  There is often little cause for concern unless these variances are part of a statistical problem within the company’s projects.

If all the criteria above are satisfied and a relatively accurate number can be used to quantify the financial impact of the risk, then it is a real risk.  If it has high probability and was found during the estimating process then it probably needs to be managed as part of the Baseline and not the risk register.  If, however, it’s a low probability risk and not something the project team should be held responsible for then it likely belongs on a risk register (the funds for which should come from Treasury).
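The criteria above can be written down as a triage routine that decides where each candidate entry belongs. The following is an added example, not code from the original post; the field names, the sample entries, and the handling of a low-probability risk of the project's own making are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    name: str
    weakness: bool            # structural weakness: flaw in plan, architecture, clause or cost model
    threat: bool              # a threat/disposition that would exercise the weakness
    hot: bool                 # part of an emerging or ongoing adverse cost variance
    valuable: bool            # high volatility in the cost model
    weak: bool                # depends on something the business often gets wrong
    impact: Optional[float]   # quantified financial impact, None if it cannot be quantified
    probability: float        # estimated chance of occurring, 0.0 to 1.0
    own_making: bool = False  # baked in by the project's own design or management

def triage(e: Entry) -> tuple[str, str]:
    """Return (destination, reason) for one candidate register entry."""
    if not (e.weakness and e.threat):
        return "issue", "no structural weakness with a threat acting on it"
    if not (e.hot and e.valuable and e.weak):
        return "issue", "not commercially relevant (HOT, VALUABLE, WEAK)"
    if e.impact is None:
        return "issue", "no quantifiable financial impact"
    if e.probability >= 0.5:
        # Register risks must be below 50%, so exactly 50% is treated as expected.
        return "baseline", "expected: manage in the baseline cost model"
    if e.own_making:
        # Assumption: the post does not route this case explicitly.
        return "baseline", "low probability but of the project's own making"
    return "register", "unexpected: liquidity assigned outside the project budget"

# Constructed sample entries, for illustration only.
SAMPLE = [
    Entry("Regulator may change the rules", False, False, False, True, False, None, 0.05),
    Entry("Broken chair nobody sits on", True, False, False, False, False, 200.0, 0.10),
    Entry("Integration effort underestimated", True, True, True, True, True, 400_000.0, 0.70, True),
    Entry("Subcontractor indemnity cap too low", True, True, True, True, True, 250_000.0, 0.15),
    Entry("Supplier delay, cost unknown", True, True, True, True, True, None, 0.30),
]

def summarise(entries: list[Entry]) -> dict[str, list[str]]:
    """Group entry names by destination."""
    out: dict[str, list[str]] = {"issue": [], "baseline": [], "register": []}
    for e in entries:
        out[triage(e)[0]].append(e.name)
    return out

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e.name:38s} -> {triage(e)}")
```

Of the five constructed entries only one reaches the register; three are issues that need analysis and one belongs in the baseline.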

When done right this method usually reduces risks by 80%.  What is left are real risks which point to real liquidity requirements and the need for real action plans in order to minimise real legal exposure.  A risk register of such quality is useful and practical not only to Operations but also to Legal and Finance as well.  Most importantly, no one is chasing phantom risks.

Measuring Legal Exposure

The function of a contract is to cover legal exposure.  It does not, by and large, govern the relations between parties.  Those are already established by the community and contracts merely document well established facts.  The way the parties will behave will already be an established reflection of their education, training and previous business experience.  It is naïve to think, for instance, that a contract will be used by engineers to help manage the construction of a building.  On the contrary, the contract will present a myriad of hurdles, obstacles, impasses and problems as the workers try to get on and do their job – build.  It is a truism to say then that almost all litigation is a function of poor contract management rather than poor contract design.  Indeed, I have never met a client who had either fully read OR fully understood the contracts they were in.

A contract, rather, seeks to cover the inevitable areas of risk when two parties necessarily compromise to enter into an agreement.  As my father used to say, ‘there are two parties to a contract – the screwor and the screwee.’  One party is always disadvantaged.  The lesser party needs to cover their legal exposure and the greater party needs to ensure that not so much risk flows down that the lesser party is overloaded with risk, making the contract unworkable.

Legal exposure is derived from financial risk.  Contracts will generally cover most financial exposure.  However, in Westminster-based systems much of the law of contract is still based in Equity.  Usually, there is still some degree of exposure that remains.  A party can only be forced to indemnify so much; can only warrant so much and not beyond the reality of the exposure.

Most contracts, however, do not measure the legal exposure a party faces.  Most contracts stick with the standard blanket coverage formula, i.e. zero exposure.  This approach is unhelpful and in many cases counter-productive, because:

  • Phantom Exposure.  Contract negotiations become unnecessarily bogged down over non-existent risk.  Arguing for 100% coverage when the risk is well covered already is just chasing phantom risk.
  • Lazy.  Quite frankly, the body of knowledge which exists in each sector, the sophistication of clients and the modern quantitative tools which exist to make contracting easier give no excuse for legal laziness.

Measuring legal exposure is both qualitative and quantitative.  Firstly, deriving financial risk is a mathematical function.  Secondly, as exposure is derived from the limitations of contractual coverage then legal exposure is a function of qualitative assessments.

My own method uses a threefold approach, namely:

  1. sensitivity analysis to measure financial risk, and then
  2. three separate qualitative measurements to define whether an element is a legal risk, then
  3. a legal assessment to determine if the remaining elements are covered (i.e. measure the exposure) and to what degree.

All of this is done as a collaborative process around a single bubble chart (shown below).  As is shown in the chart,

  • the bubble size (Z ‘axis’) relates directly to the mathematical analysis of financial sensitivity.
  • the X-axis is a qualitative scoring designed to assess the relative complexity of each item of volatility.
  • the Y-axis is another qualitative scoring to determine just how close the item is to the project team, i.e. can they actually do something about it?  The less a team can influence a risk the more such risk needs to be pushed upwards so that the corporate functions of a business (Legal, Finance) can act upon it with centralised authority.
  • the colouring, lastly, deals with the notion of immediacy, i.e. prioritisation.

In this way, if a risk is both very complex and not able to be influenced by the project team (i.e. cannot be mitigated) then it, most likely, needs to be dealt with by the Legal function as there will be no way to otherwise influence it when the risk is realised.

Risk-Based Bubble Chart to engender cross-functional collaboration

Once legal risk is conceptually isolated in the upper-right quadrant of the bubble chart then lawyers may make a qualitative determination as to the amount of legal exposure.  For instance, a builder may warrant the quality of workmanship on a specific structure and cover it with insurance.  Legal may determine that there is virtually no statistical evidence that such risk is likely to be realised.  Therefore, the existing premiums easily cover the risk highlighted in the chart.

Alternatively, the chart may have defined financial risk beyond, say, the indemnities provided by a firm’s subcontractors.  In such a case insurance or contractual renegotiation may be necessary.  It is important to know that in such circumstances it is precisely targeted cross-functional management energy that is being expended to determine, define and collaboratively deal with specific financial risks.  Indeed, there is little more any business could hope for.