If a sponsor asks you how much to set aside for risk and you answer "ten percent of the base cost," you are guessing. If you answer "$184,000, with eighty percent confidence, based on a Monte Carlo over our risk register," you are doing your job. The difference is not the rigour of the maths; it is the rigour of the record you leave behind.
What Monte Carlo simulation is
Monte Carlo simulation is a numerical method, not a forecast. It takes your assumptions about risk and runs the project through them many thousands of times in software, sampling a different outcome for each risk on each run. The result is not a single number. It is a distribution showing how often each total cost came up. From that distribution, you can read the reserve at any confidence level you choose.
The name comes from the casino district in Monaco, after the method was used in the 1940s by physicists working on nuclear-weapons design who needed to estimate quantities that were too complex to solve analytically. The same logic applies to a project. The total cost of risk is a function of many uncertain events, each with its own probability and impact. Solving that by formula is hard. Sampling it by simulation is easy and gives you everything you need.
Why it beats a percentage
A flat percentage applied to base cost is the most common approach in practice. It is also the most defensive thing to do, because nobody asks how you arrived at the percentage. The trouble is that it conveys neither a level of confidence nor a shape of risk, and it does not respond when your register actually changes.
Monte Carlo does three things a percentage cannot. It expresses your uncertainty as a probability distribution, so a sponsor can choose how much coverage to buy. It surfaces the joint effect of many risks occurring together, which is where most overruns actually come from. And it leaves a defensible record of the assumptions, which means the next time someone challenges the number you can answer with the inputs, not with your reputation.
The inputs it needs
The technique sounds intimidating, but the inputs are simple. Each entry in your risk register needs four numbers and one strategy.
- Probability. The likelihood the risk occurs, as a percentage. A rough estimate is fine; precision is unimportant relative to having a number at all.
- Optimistic impact (O). The best plausible cost if it does occur. Not the impossible-best, the realistic-best.
- Most likely impact (L). The single most likely cost if it occurs.
- Pessimistic impact (P). The worst plausible cost if it occurs. Again, realistic, not catastrophic.
The three-point estimate is the heart of the method. It captures the spread of uncertainty, which is what a single estimate throws away. The simulation samples from a Beta-PERT distribution shaped by your three points, so the most likely outcome is the most common in the sample, but the long tails are represented in proportion to your pessimistic estimate.
How the simulation works, in plain language
For each simulated run of the project, the software walks the register. For each risk, it rolls a die against the probability: if the risk occurs in this run, it draws a cost from the Beta-PERT distribution between your O and P. It adds those costs to a running total for the run. When it has walked the entire register, that run is one observation. Repeat ten or twenty thousand times.
The output is a list of total costs, one per run. Sort them. The lowest one is the best case across all simulated worlds; the highest is the worst. The middle value, the median, is the P50. The point below which eighty percent of the runs sit is the P80, and so on. The full sorted list is the distribution, and you can plot it as a histogram to see the shape.
How to read P50, P80, and P90
The percentile reads the same way a school grade would. P80 means: in 80 percent of the simulated project runs, the total cost stayed within this number. In 20 percent it did not. P50 is the median, meaning half the runs were under and half were over. P90 means you were inside the reserve in 90 percent of runs, which buys more coverage at the cost of holding back more capital.
Two notes are worth making to a sponsor. First, the percentile is a measure of confidence inside the model, not of certainty in the world. A risk you did not identify cannot be sampled, so the model can only be as good as the register. Second, a higher percentile is not always better. P95 may sound prudent, but if it ties up capital you could deploy elsewhere, the carry cost is real.
Run the simulation yourself
The SocraticFlow Risk Analyzer runs a real Beta-PERT Monte Carlo on your register, in your browser, in seconds. Free to use, with a one-time paid report.
Choosing the confidence level
There is no single right answer; only a fit between the confidence level and the appetite of the people whose capital is at stake. A few practical anchors:
- P50 matches the case where the organisation is comfortable being right roughly half the time and rebudgeting otherwise. Rarely the right choice for capital projects.
- P70 to P80 is the typical sponsor range for projects with normal risk appetite. P80 is a common default.
- P90 to P95 suits projects where overrun is politically or operationally catastrophic, or where access to additional funding is constrained.
Whichever you choose, brief it that way. "We are running at P80 confidence" is a sentence a sponsor can act on. "Twelve percent" is a sentence they cannot.
Common objections, answered
"The numbers are made up."
The probabilities and impacts are estimates, yes. So is every alternative, including the flat percentage. The difference is that Monte Carlo forces the estimates into the open, where they can be challenged and improved. A method that hides its assumptions is not more accurate; it is less auditable.
"It is overkill for our size of project."
The arithmetic is independent of project size, and a modern tool runs twenty thousand simulations in under a second. The barrier to use is not compute; it is the discipline of estimating three points instead of one. That discipline pays for itself on any project with material risk.
"The sponsor will not understand it."
The sponsor does not need to understand the sampler. They need to understand "we are eighty percent confident the total cost will not exceed this number, and ninety percent confident it will not exceed that one." That is plainer than a percentage with no confidence attached.
Try it on your project
Build your register, run the simulation, and read the reserve at the confidence you choose. Pay only when you want the report.
Frequently asked questions
What is Monte Carlo simulation in project risk?
Monte Carlo simulation runs a project many thousands of times in software, drawing each risk's cost from its estimated probability distribution. The output is a probability curve over total cost, from which you can read a contingency reserve at any chosen confidence level.
How many simulation runs are enough?
Ten thousand runs is typically enough for a stable distribution on a register of up to fifty risks. Twenty thousand runs is a safe default. Running more rarely changes the answer but slows the tool.
What does P80 mean for a contingency reserve?
P80 means that, across all simulated project runs, the total cost stayed within the reserve in 80 percent of them. It is a common choice because it balances coverage against the cost of holding capital aside that may not be needed.
Is Monte Carlo simulation only for large projects?
No. The arithmetic is independent of project size. A small project with five to ten risks benefits from a Monte Carlo run because the alternative is a single percentage applied to the base cost, which conveys no confidence and no shape of risk.
What is the difference between PERT and Monte Carlo?
PERT gives a single expected value from three-point estimates by formula. Monte Carlo samples from those three points many times to produce a full distribution. PERT tells you the average; Monte Carlo tells you the average and the spread.