The Differences Between Internal and External Risks in Projects

I recently read a report on internal and external project risks. The author wrote that the project team has no control over the external risks. Is that really true? It is an interesting question that is worth a closer look. In this article you will read what internal and external risks are and how you can influence them. I can tell you already: it is not as bad as this author wrote. Curious? Then read on!

Risks Threaten Projects from Inside and Outside

Risks threaten projects from many sides. In the above-mentioned report, the author distinguishes between risks that affect the project from within the project (internal risks) and risks that affect the project from outside the project (external risks).

As internal risks, the following risks were listed:

  • Cost Risks: Risks of project costs being exceeded due to inaccurate estimates of costs or creeping scope changes.
  • Schedule Changes: Risks that activities take longer than expected, which in turn usually leads to cost increases, later benefits and a possible loss of competitiveness.
  • Performance or Quality risks: Risks that the project fails to deliver the planned results with the promised performance and quality.

All these risks arise from project execution.

As external risks, the following examples were cited:

  • Governance risks: These are related to business management, project support, leadership and corporate reputation.
  • Strategic risks: These result from errors in the strategy definition, e.g. in using a technology that does not bring the desired success.
  • Operational risks: These result from poor implementation and process problems, e.g. in purchasing, production and sales, but also in protection against theft and fraud.
  • Market risks: These include competition risks, currency risks, commodity and interest rate risks as well as liquidity and credit risks.
  • Legal risks: These arise from changes in regulatory requirements, contract risks or patent risks.
  • Environmental risks: Risks related to earthquakes, storms, flooding, vandalism, sabotage, civil unrest or strikes.

The report states that project risks include both types of risk, the internal risks associated with the successful completion of each project phase (project execution risks) and the external risks over which the project team has no control. That statement seemed a little suspicious to me. Let’s take a closer look.

Does the Project Team Only Have an Influence on Internal Risks?

Does the project team really only have influence on risks that lie within the range of time, costs, quality and project scope, and therefore on internal risks?

In principle, measures can only be taken for known risks (the known unknowns) in order to reduce the probability of occurrence or impact of the risk or to completely avoid the risk. For example, you can hold more status meetings with the project team as an action in order to be able to react more quickly to project execution problems. So, the project team can always influence the known internal risks. But what about the external risks?

Are we Simply at the Mercy of External Risks?

So, what about external risks? Are we really at their mercy? No, it’s not like that! External risks can be handled in much the same way as internal risks.

For example, as a measure you can inform the sponsor and management (an external risk) more often and better about the project and get their feedback, so that they do not decide something that is harmful to the project.

There is a special type of external risk for which you cannot reduce the probability of occurrence with measures. These are usually environmental risks, such as hurricanes, tsunamis or earthquakes. But are you simply at the mercy of these risks? No, here you can take measures to reduce the impact of the risk, even though it is not possible to reduce the probability of occurrence.

So we are only at the mercy of risks that we do not know about but which still exist (the unknown unknowns). So make sure that you identify as many risks as possible in your project and take appropriate measures for them. With the unknown unknowns, praying does not help, so it makes more sense to have a Contingency Reserve to cover such (emergency) cases!

We are only exposed to risks that we do not know.

I hope in this article you have learned something new about Project Risk Management.
