How to interpret a Risk Distribution Curve – particular points of interest for promoting risk informed decision making
In Risk Management, distribution curves are used extensively for understanding the behavioural impacts of specific risk events or scenarios. The curve typically represents a recorded account of events that have either already happened (a historical record), or future scenarios which could potentially happen (a probabilistic view).
In its simplest form, distribution curves convert raw numeric data into helpful graphics for easier stakeholder visualisation, evaluation and decision making. This method is most commonly referred to as "descriptive statistics" and at heart, is a form of Complex Problem Solving. That is, the method turns a broad set of random variables (complex data) into a more digestible graphic (simple visual). Distribution curves are thus an invaluable risk management tool, as the method allows entire spreadsheets of rough risk data to be summarised into useful graphics, à la "a picture is worth a thousand words".
Surprisingly however, it would seem that comparatively few appointed risk officers fully understand how to use these data driven curves to best effect and thus often don't. In turn, the full value of a particular risk data set is often left undiagnosed, thereby resulting in an incomplete understanding of the risk circumstance, when attempting to make informed decisions.
There is a certain tragedy in having access to rich, informative risk data but not knowing how to fully evaluate it.
In project risk management specifically, distribution curves are the most common method for evaluating the impact of known risks on project cost & schedule. However, even within projects distribution curves are often misunderstood, misapplied or just ignored. The tragedy of such a situation is that appointed risk officers are missing out on one of the most informative means of evaluating a particular risk circumstance.
So, with improved risk management in mind, this paper aims to help invested stakeholders better understand how to evaluate a risk based, distribution curve for the purposes of informed decision making, and endeavours to do so without engaging in an overly intensive academic description. More specifically, the paper serves as a user-friendly guide as to the most material aspects of a risk distribution curve, which every invested risk management stakeholder should know.
So with stakeholder usefulness in mind, let us first start by explaining the "Why".
Purpose
The purpose of a distribution curve (in risk management) is to demonstrate the probabilistic impacts of a specific risk circumstance, on a particular objective. In general statistics, a distribution is described as a mathematical function that demonstrates the probabilities of occurrence of various possible outcomes, within a defined experiment or problem.
A distribution is most commonly achieved by mapping out on an X-Y axis, the number of times a particular risk event occurs (Y-Axis) and at what level of impact the event materialised at (X-Axis). Each individual vertical bar in the distribution then represents the number of times a particular impact value has occurred at a particular impact level. Provided is a graphic example which demonstrates the number of times a specific risk circumstance has occurred, and its associated cost impact ($). Such an example is common in Project Risk Management and will serve as the basis for further discussion within this paper.
Shape
The overall shape of the curve represents the demonstrable behaviour of the selected risk/s when repeated a large number of times. A distribution curve thus doesn't merely record a set of numeric results, it explains how a risk behaves. This is a particularly important premise.
In the provided example, the skewed nature of the curve tells us that the majority of the risk incidences are expected to materialise on the low/left side of the distribution range. The rapidly declining nature of the curve, from left to right after the peak, suggests that high impact events are less probable than low impact events. However the presence of a prolonged right hand side tail, suggests there is some potential for an extreme outcome e.g. a cost blow out. In brief, what the example shape tells us, is that in most cases the risk should behave in a rational, low impact manner, however we should remain aware that there is still some demonstrable potential for a high impact outcome.
There are many different recognised distribution shapes in general statistics, the most common being the bell curve, aka a normal distribution aka histogram aka Gaussian distribution. In project risk management specifically, the PERT or Triangular shapes are most common. The Triangular shape is more appropriate for risks which display mostly consistent or rational behaviours and are not expected to manifest in an abnormal or extreme manner. Whereas the PERT shape is more appropriate for those risks which retain a greater uncertainty or irrationality and thus could possibly manifest as an abnormal or extreme event. In both shapes, the contributing risk scenarios are mostly expected to manifest on the low impact, left hand side of the distribution curve, not the high impact right.
When reviewing a specific shape for the purposes of historical risk/incident analysis, invested stakeholders need to be able to describe what displayed behaviours are being suggested by the shape. This act should then ultimately lead to more informed decision making when selecting controls & treatments. Equally, when reviewing a specific shape for the purposes of probabilistic risk analysis, invested stakeholders need to ensure the selected distribution shape offers a reasonable representation of the expected future behaviour of the risk circumstance.
Historical vs Probabilistic
Historical Risk Distributions are normally developed by recording the outcomes of events which have occurred. For example, recording the lost time impacts of safety incidents or recording the cost impacts of realised risks. If sufficient historical data is collected, then a behavioural profile can be mapped out in the form of a recorded distribution curve.
If the recorded distribution is consistent and convincing enough, it can then be used as the basis for conducting a projection (forecast) of possible future risk events which are expected to behave in a similar manner (à la predictive analysis). Logically, if a particular risk event behaves in a manner that is sufficiently repeated, then any similar future risk is potentially predictable. Thus, the historically recorded distribution curves of rational risks can be used to forecast future distributions of similar risk types. This logic is the basic premise which underpins most probabilistic distributions found in risk management.
Building on this logic, future distribution curves are normally constructed through a probabilistic method such as a Monte Carlo simulation. In its simplest form, the Monte Carlo simulation attempts to fit a high number of possible scenarios of a particular risk problem (10,000+), into a pre-selected historical distribution shape (e.g. a PERT), under the guidance of a number of pre-determined guiding rules (a model). The simulation then returns a probabilistic distribution, based on a "best fit" comparison of the particular risk problem, measured against the pre-selected distribution shape and the defined guiding rules.
SPECIAL NOTE: Forward looking, simulated comparisons of future risk outcomes are rarely perfect and so for this reason, probabilistic distributions are meant to serve as a point-in-time indicator only, not as an indisputable, divine prophecy.
P-Values
P-values are indicators of various probabilistic points of confidence on a distribution curve, ranging from the P-0 (the lowest value on a curve) to the P-100 (the highest value). In its simplest description, the P-value represents the probability, certainty or confidence of a particular value on the distribution being exceeded. Such values are thus more relevant to forward looking, probabilistic distributions than to historical distributions, but can be used in historical distributions as indicative values of possible future events.
When describing a P-value, the P-75 (as an example) suggests that there is no more than a 25% probability this particular value will be exceeded and thus there is a 75% probability the value will not be exceeded. It is important to note that the P-75 does not specifically indicate there is a 75% probability of this impact value occurring, rather that there is a 75% probability of the value not being exceeded. This is an important distinction, one which is often confused when describing P-values. Regardless, the lower the P-value, the higher the confidence that particular value will be exceeded (and vice versa).
In project risk management, the P10, P50 & P90 are the most frequently emphasised points of confidence. As the P10 represents the point at which there is 90% certainty that the related impact value will be exceeded, it is often referred to as the "Optimistic Case". Similarly, the P90 represents the point whereby there is a 10% confidence that the related impact value will be exceeded and is thus most often referred to as the "Pessimistic Case". The P50 in turn represents the exact middle point, on the distribution curve, where there is an equal (50/50) chance of the risk impact value either being exceeded or subceeded.
It is particularly important to note that the P50 value is not the "Most Likely Case", rather it is just the mid point of the distribution range. The most likely/highest probability is actually the value represented by the highest bar (peak) in the distribution. To better understand why this difference exists we will need to discuss the Mode, Mean & Median points.
Mode, Mean & Median
The Mode (aka the Peak) is the most frequently returned value in the distribution. It is therefore generally considered the most likely outcome. The higher the peak when compared to the distribution range, the more confidence (determinism) there is in the displayed values. A low peak accompanied with a particularly wide range, suggests a relatively low confidence/certainty in the contributing data. The immediate area around the Peak is considered the highest probability range as it is where the "bulk" of the data returns are gathered.
The Mean is the arithmetic average when considering the total summed values of all results divided by the number of qualifying samples/scenarios. The value is based on the simple, but universally understood equation of Average = Total Sum / Number of Samples. Statistically, 68% of all distribution values fall within one standard deviation of the Mean. This means that in a reasonably normal distribution, there is roughly a 70% probability of a particular risk impact materialising closer to the Mean value than to either extreme end (P0 or P100).
The Median (aka the P50) is the value point where there are exactly the same number of returned scenarios on either side of that particular value. It is the exact middle value which splits the total number of scenarios in half. There is thus an equal chance (50/50) of the risk impact coming in under or over this value. It is particularly important not to confuse the P50 (aka the Median) with the "Most Likely Case" (aka the Mode) as they are not technically the same value. Invested project risk stakeholders are often caught out by misquoting the P50 as the most likely impact value; this is only true in a normal bell shape distribution, but rarely true in a project risk distribution.
Note: In a symmetrical bell curve shape (aka normal distribution), the Mode, Mean & Median values are the same. However in a skewed shape such as a PERT or Triangular, they are three distinctly different values.
Distribution Range
The spread between the minimum and the maximum values on a distribution, is commonly referred to as the Range. The Range denotes the full span of possible impacts of the evaluated risk circumstance. That is, the risk is expected to materialise between these two limits.
A narrow range suggests the final outcome of an evaluated risk is limited to a more defined spread of possible outcomes. Thus the narrower the range, the more certainty and general determinism which is implied to exist in the evaluated numbers.
Equally, a wider range, suggests the evaluated risk could materialise between a much broader spread of values. Wide ranges can at times be problematic as they suggest there is too much uncertainty in the supporting data, to limit the range of possible outcomes. For this reason, quantitative risk analysis is normally discouraged when the supporting data is noticeably immature or not yet trusted.
Ideally, invested stakeholders need to work their risk data to a reasonable level of maturity and confidence, so as to promote a reasonably narrower distribution range with a higher peak.
Inherent Risk Range
In Quantitative Risk Analysis, Inherent Risk is the title given to those higher probability risks that are expected to occur under normal operating circumstances. That is, they are considered naturally inherent to the particular circumstance.
The basic planning logic which underpins an Inherent Risk is that if invested stakeholders are expecting the risk to occur, then the impact of the risk needs to be accounted for within standard planning and practice. In project risk management specifically, Inherent Risk allowances which are commonly included within the base cost & schedule include, the potential for planning inaccuracies, price increases, schedule slippages, delivery delays, common weather impacts and so on. All are considered high probability risks and thus are included (in some part) within the base planning.
When evaluating the full impact distribution of a particular project risk for the purposes of base planning, the P0-P20 is generally considered the inherent impact range as it has the highest probability (80-100% confidence) of being exceeded. Such high certainty thus suggests that decision makers need to evaluate the related values in light of "how much" to cater for in their budget & schedule.
It should however be noted that there appears to be no universally agreed, non-debated method for selecting an appropriate P-value to cover the expected impacts of Inherent Risks. For example, due to the fatalistic nature of many safety risks, the safety profession has a much lower tolerance and a much higher duty of care, when planning for risk. Thus the profession tends to plan for inherent risk impacts upwards of the P90 for many risk classes, even though the probability of occurrence is low.
Regardless, if a particular risk impact has a high probability of materialising, it is closer to certainty than uncertainty and thus should be planned for as a normal operating circumstance. In this regard, the P0-P20 impact range provides a good reference for discussing "just how much" should be inherently planned for. Once a suitable inherent risk allowance has been included in the base plans, all risk impacts over and above this amount are then considered to be Contingent.
Contingent Risk Range
Contingent Risks are those risks of varying probabilities which have not already been accounted for as an Inherent allowance in the standard operations or base plans. Typically, Contingent risks are those with a lower than 80% probability of occurrence and include all unplanned events, shocks, bad luck and disasters.
In project planning, the optimal Contingent Risk range normally sits between the P60–P90 and represents the additional amounts ($/days) that need to be made available to account for all the remaining, unplanned risk possibilities which could materialise during the life of the project. The specific contingency P-value that is selected tends to represent the invested stakeholder's appetite for risk taking. That is, those stakeholders who are generally intolerant of risk taking may choose a higher contingency (P90?) so that they are able to bear a greater range of potential risk impacts. Equally, those who are more tolerant of risk taking may choose a lower amount (P60?) so as to bear only a moderate range of risk impacts.
Regardless of the contingency P-value selected, all impact values beyond this chosen value are then considered to be "uncovered risk". That is, if the agreed Contingent value is exceeded, then additional funding (or time) will need to be sought out, as there is no planned allowance (cover) for the excess. Seeking additional funding (or time) from investors/owners normally comes with all sorts of reputational and performance questions and is thus best avoided.
Simply put, contingency serves as a buffer for absorbing/bearing the impacts of unplanned risks which may materialise above the selected Inherent P-value and below the Contingent P-value limit. However, in order for any selected contingency amount to be considered valid, invested stakeholders will need to determine the "right" amount based on their personal tolerances, contextual circumstances and access to resources.
Determining the "right" amount of Contingency
Determining risk based contingency values is a notoriously contentious exercise. There are numerous books, guidelines, standards & certified courses which claim to help in this regard, but in the end the method is still highly subjective (sorry but it is true).
Argue it any way you wish, but allocating adequate contingency to cover potential risks which may or may not happen, requires a valid understanding of how future events will play out, it also requires a fair amount of assumption and fortune. For these reasons, allocating the "right" contingency is almost always based on a particular stakeholder group's personal levels of comfort.
Again, there are no universally accepted rules for selecting a specific contingent amount, but the general rule in project management is to aim for the P75, as this amount is comfortable enough to provide a demonstrable risk buffer for unplanned risks, but not so luxurious that appointed risk officers can completely ignore their risk management obligations. Regardless of method, the "right" contingency value is actually fairly personalised, and thus is case specific.
Note: to avoid double accounting in contingency allocations, invested stakeholders need to ensure that Inherent Risk Impacts and Contingent Risk Impacts are clearly delineated in their planning. Specifically, if a particular risk impact allowance has been agreed in the base budget or schedule, this value can not then also be included in the agreed contingency, as it is a duplication.
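The Monte Carlo construction, the P-values, the Mode/Mean/Median distinction and the inherent/contingent split described in the sections above can be reproduced in a few lines of Python. This is an added example, not the author's own model; it assumes a constructed three-point estimate of $100k / $150k / $600k, a beta-PERT shape with weight 4, the P20 as the inherent allowance and the P75 as the contingency limit.

```python
import random
import statistics


def sample_pert(rng, low, likely, high, weight=4.0):
    """One draw from a beta-PERT shape fitted to a three-point estimate."""
    span = high - low
    alpha = 1 + weight * (likely - low) / span
    beta = 1 + weight * (high - likely) / span
    return low + span * rng.betavariate(alpha, beta)


def simulate(low, likely, high, iterations=20_000, seed=2025):
    """Monte Carlo run: return the simulated cost impacts, sorted ascending."""
    rng = random.Random(seed)
    return sorted(sample_pert(rng, low, likely, high) for _ in range(iterations))


def p_value(sorted_impacts, p):
    """Impact that p% of the simulated scenarios do not exceed (nearest rank)."""
    return sorted_impacts[round(p / 100 * (len(sorted_impacts) - 1))]


def histogram_mode(sorted_impacts, bins=20):
    """Centre of the tallest histogram bar, i.e. the peak of the curve."""
    lowest, highest = sorted_impacts[0], sorted_impacts[-1]
    width = (highest - lowest) / bins
    counts = [0] * bins
    for value in sorted_impacts:
        counts[min(bins - 1, int((value - lowest) / width))] += 1
    return lowest + (counts.index(max(counts)) + 0.5) * width


def summarise(sorted_impacts, inherent_p=20, contingency_p=75):
    """Key reading points of the curve, plus the inherent/contingent split."""
    points = {f"P{p}": p_value(sorted_impacts, p) for p in (10, 20, 50, 75, 90)}
    inherent = p_value(sorted_impacts, inherent_p)   # planned for in the base budget
    limit = p_value(sorted_impacts, contingency_p)   # top of the contingency buffer
    uncovered = sum(v > limit for v in sorted_impacts) / len(sorted_impacts)
    return {
        **points,                                    # P50 is the Median
        "mode": histogram_mode(sorted_impacts),      # the "Most Likely Case"
        "mean": statistics.fmean(sorted_impacts),
        "inherent_allowance": inherent,
        # Contingency sits above the inherent allowance, so nothing is counted twice.
        "contingency": limit - inherent,
        "uncovered_share": uncovered,                # scenarios beyond the buffer
    }


if __name__ == "__main__":
    # Constructed three-point estimate in $k: minimum, most likely, maximum.
    for name, value in summarise(simulate(100, 150, 600)).items():
        print(f"{name:>20}: {value:8.2f}")
```

On this right-skewed shape the peak sits below the P50, which in turn sits below the Mean, so quoting the P50 as the most likely value overstates it.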
Beware the Tail
The tail end of a risk distribution curve is a particularly fascinating area fraught with mystery and concern. Most commonly "the Tail" represents the extreme right side of a distribution wherein the lowest probability, but highest impact risks, occur. It is a particularly contentious area to manage as it has the highest levels of uncertainty and irrationality, à la "Here be Dragons".
In its simplest description, the Tail is where unknowns, disasters, disruption, outliers, abnormalities and black swans occur. The longer the tail, the greater the potential for an extreme outcome which is exponentially disproportional to the Mean. Statistically, long tail risks are those which materialise at an impact greater than 3 standard deviations from the mean (>P95).
In project risk management, long tail cost & time risks are notorious for exceeding the original estimation by a few hundred percent. During the post Covid period (2022-2024) unforeseeable cost escalations in excess of 30% were rampant across the project delivery industry. Fuel, steel, cement and labour experienced heavy escalations, as much as 90%. In turn, cost blow outs became the most common "long tail" threat to major projects, globally.
Invested stakeholders thus need to pay particular attention to whether a distribution curve has a notable tail or not. The longer the tail, the more care that is required to ensure that a particular risk does not escalate or trend towards an extreme outcome. Admittedly, much industry debate exists as to how the Tail can be most effectively planned for. Regardless, invested stakeholders do have a responsibility to ensure that the Tail is given its due attention when planning for risk - it can not just be ignored.
Note: Most project risks which materialise within the Tail, are not considered to be Contingent Risks, as they are mostly unquantifiable abnormalities (e.g. disasters). For this reason, Tail end risks are more commonly considered to be "re-baselining events" whereby the project has to be re-evaluated and re-planned due to the catastrophic impact of an unforeseeable event.
Consider the impacts of Covid disruption on global infrastructure projects during 2020/21. In most cases these projects were not expected to cover the impacts of the Global Lockdown Restrictions with their allocated Contingency, as this was an unforeseeable/abnormal risk event. Rather these projects revised their budgets, schedules and related contingencies (aka re-baselined) to account for the unforeseen impacts of an emergent global disaster.
Irregular Distributions
If a particular distribution does not demonstrate a clearly distinguishable or complete shape, this is normally a signal that the contributing data is either incomplete or insufficient.
For example, in project risk management a risk register that only contains a few risks with significantly differing probabilities, or with highly diverse impact ranges, may yield a distribution curve with multiple identifiable peaks or with some gaps in the distribution. Equally if the Monte Carlo simulation considers too few scenario iterations of the risk/s (<100?), similar levels of shape irregularity may be returned.
To prevent such unwanted distribution shape irregularities, invested stakeholders should ideally aim to consider a sufficient range of risk scenarios (10+) as well as a sufficient number of simulation iterations (1,000+).
Advanced Complexity, Uncertainty & Irrationality
It is important that invested stakeholders understand that conventional quantitative models and probabilistic methods are known to struggle in environments that offer advanced complexity, uncertainty or irrationality. Argue it any way you wish, but risk distribution models have a contentious reputation when used to forecast the impacts of natural disasters, stock market crashes, rapidly unfolding crises, mega-projects and various other advanced risk circumstances. There is just too much dynamism, variation and inconsistency within such environments for defined distribution models to be consistently reliable.
In project risk management specifically there is more than 70 years of data demonstrating that conventional forecasting models are not consistently reliable within highly complex, Mega Programs (ref Bent Flyvbjerg/Ed Merrow). Yet over and over again the profession will continue to try to quantify the cost & schedule impacts of abnormal risk circumstances based on conventional models and historical case references... go figure.
Imagine being asked to quantify the costs, schedule and risk of building the first human colony on Mars - what historical reference classes or distributions would fit best? Such a complex-uncertain, abnormal project will not fit into any historical reference class, thus using a pre-defined distribution is a questionable method.
Again, there is much industry debate regarding what the best methods to plan for abnormal risk circumstances might be. Most do however appear to support the premise that planning for abnormal risk circumstances requires a much more contextually sensitive and fit-for-purpose approach, than that which is offered by the conventional, standardised methods.
Summary & Conclusion
Risk based distribution curves are an invaluable tool within the modern risk officer's decision making kit. Yet for whatever reason, they are often misused or ignored. There is in turn, a certain tragedy in having access to rich, informative risk data but not knowing how to fully evaluate it.
Regardless, there are 5 primary lessons which invested stakeholders need to remember when approaching risk distribution curves.
1. A distribution curve offers a visual descriptive of the relevant probabilities and impacts of a defined risk circumstance. Such information is invaluable for understanding whether a risk is more likely to manifest at a higher or lower level of impact.
2. Distribution curves don’t just display recorded data, they also display the expected behaviours of a specific risk circumstance. Such information is invaluable for understanding how a risk will potentially materialise and how it should be better controlled.
3. The full impact range & distribution of a particular risk circumstance demonstrates both the inherent and contingent risk impacts. Such information is invaluable for determining "just how much" investment in risk is required in standard operating practices and how much can be allocated as optional/additional contingencies.
4. The Tail of a distribution curve represents the highest impact-lowest probability risk outcomes. The longer the Tail the more care that is required to ensure a risk is controlled in such a manner that it does not escalate, as the Tail can represent an exponentially higher (even irrational) outcome.
5. Operating environments which offer an advanced degree of complexity, uncertainty or irrationality do not readily conform to conventional risk distributions. Invested risk officers thus need to be particularly cautious of conventional case histories and standardised methods, when planning for risk in abnormal environments. Rather they should aim for contextually sensitive and fit-for-purpose approaches.
There you have it folks, I hope this helps...
If you want to learn more about quantitative risk methods check out https://www.dhirubhai.net/pulse/invested-project-stakeholders-guide-understanding-risk-black-kzupc/
This original piece was authored by Dr. Warren Black (2025) as part of the development of a training & education series into how Quantitative Risk Analysis should be budgeted for, resourced and engaged within Major to Mega Projects.
Warren holds a PhD. in Risk Engineering and serves as a Risk & Resilience specialist for a Global Engineering Firm.
Experienced leader in regenerative projects, governance, SDG & ESG guidance, informed risk taking: Purpose-driven Founder & Serial-Entrepreneur, Author, Advisor, Standards, Volunteer Engagement - born 322ppm
3 days ago
Dr. Warren Black... Thank you for your post! One of the trends we have seen in the Americas over the past few years in professional project management competency assessments is a general weakness in project risk management. Posts like these are important for the project management community to raise ongoing awareness and understanding of this critical discipline in our profession. Project Management Association of Canada, IPMA-USA, GPM (Green Project Management), IPMA: International Project Management Association, Project Management Institute.
Experienced Risk, ERM, and Operational Risk leader Specialized experience in Open FAIR, TPRM, model risk, BC/DR, and strategic risk management
3 days ago
Very useful post. I would recommend taking out the word “uniform” when you are describing a normal distribution and its equality of mean, median and mode, as it could be confused with a statistical term of uniform distribution.
Independent Risk Manager with broad experience who increases the degree of success in achieving your objectives.
5 days ago
Dr. Warren Black I agree that a graphic representation of the content of a risk register helps to understand where management attention should be directed, to enhance probability of successful realization of objectives - I do it all the time. Unfortunately, the content of risk registers often provides not enough information to use it for that purpose. Firstly, the risk descriptions fail to identify actual risks. They are broadly worded, containing many and often conflicting aspects, making it impossible to determine effective mitigation. Also, risk descriptions often relate to aspects of regular work, people are hired to perform in the first place - begging the question whether those “risks” should be in the risk register in the first place. Secondly, because of the way they are put together, valuing them becomes a nightmare, whether semi-numerically or actually. Even if a semi-numerical valuation is in line with the project value or budget, the resulting “risk budget” is often regarded as financially insufficient in the eyes of management, and top-ups are introduced. In those situations I don’t even bother with trying to introduce risk distribution calculations or graphs, or probabilistic analysis - there is just no point.
System Safety Engineering and Management of Complex Systems; Risk Management Advisor...Complex System Risks
5 days ago
It is not about curves...It is about risk acceptability constructs...