You have probably all had to describe assumptions and risks,
but did you realize that the two concepts are closely related? In fact, they
could be thought of as two sides of the same coin. Let me describe the
relationship simply at first.

  • Let’s say you recognize an event or condition that may exist in the
    future. There is a probability that the event or condition will occur,
    but it is less than 100%.
  • Let’s also say that you don’t want this event to happen. If it does,
    there will be a negative impact on your project.
  • The question now is how comfortable you are that the event or condition
    will not occur. If you are comfortable, you could state this event or
    condition as an assumption. That is, you are “assuming” the event or
    condition will not occur. On the other hand, if you’re concerned that the
    event or condition will occur, you could identify it as a risk.
    Identifying it as a risk allows you to put a plan into place to ensure
    that the event or condition does not occur.

Let’s take an example of a common statement that is included
in many Project Definitions — “The resources needed for this project will
be available when needed.” What kind of a statement is this? Most people
would say it is an assumption. After all, when a project starts, you always
assume you will get the resources you need.

However, is it always an assumption? Can you imagine
starting a project where the people and equipment were not available and there
was a realistic possibility that they would not be ready when you need them —
perhaps because another project needed to finish first? It’s not too difficult
to imagine that scenario. In that case, the same statement would definitely be
a risk — not an assumption.

The key thing to remember is that the same statement might
be an assumption or a risk depending on the circumstances of your particular
project. In fact, assumptions can be simply viewed as low-level risks.

Now let’s get a little more sophisticated with our
definitions of assumptions and risks. Let’s say again that we have a future
event that will have an adverse impact on our project. In other words, if the
event occurs, it will cause some difficulty for our project. If the
combination of the probability of the event occurring and the impact on our
project is unacceptable, we can identify it as a risk. If the combination of
the probability of the event occurring and the impact on our project is acceptable,
then we can call it an assumption. If it is an assumption, we can “assume”
that it will not happen, or we can “assume” that if it does happen
the impact on our project will be acceptable.

Identifying a future event or condition as a risk allows you
to put a proactive plan in place to manage the risk. Identifying it as an
assumption lets everyone know that you did foresee the event, but you think
that it will not be a factor. All of your risks and assumptions should be
monitored and validated throughout the project to ensure that you continue to
understand their nature.

Remember — you can live with your assumptions. You must
manage your risks.
