Risk Management | By Dave Nielsen | Read time minutes
The terms used to describe the various aspects of risk management are bewildering, even to an experienced project manager. At least I find them bewildering. I'm going to examine some of the terms used to describe risks and the way they are managed and hopefully shed some light on what they refer to and what they mean. I hope to clear some common misconceptions up at the same time.
The first misconception I'd like to address is the meaning of the word "risk." We tend to view that word, especially in the project world, as having a negative connotation. Frequently it does imply a negative consequence, but not always. Actually a risk can have a positive outcome such as when we risk money on a lottery ticket and our ticket wins. Risks that have a positive outcome are called opportunities and risks that have a negative outcome, such as when we refer to the risk of a car accident, are called threats. We take action to encourage our opportunities, such as buying lots of lottery tickets, and we discourage our threats, such as when we get inoculated against the threat of a flu virus. Both opportunities and threats are forms of risk, the key difference is our approach to managing them.
There is a great deal of confusion around the terms used for our difference approaches to managing risks. We commonly refer to our management of risk as "mitigation." The dictionary definition of this verb is "to make less severe: to mitigate a punishment", or "to lessen in force or intensity, as wrath, grief, harshness, or pain; moderate." While it is true that we mitigate some of the risks to our projects, mitigation is just one strategy used to address potential risk. Sometimes we choose to avoid a risk altogether, such as when we respond to the risk of encountering a traffic jam on an expressway by choosing an alternate route (we may still risk encountering a traffic jam, just not the traffic jam on that expressway).
Transference is another term used to describe our response to risk. The classic example is when we buy insurance on our car to deal with the risk of an accident. We aren't necessarily reducing the chance of an accident, or even reducing the impact of the accident, we are simply reducing the impact on us should the risk event (the accident) happen by sharing the financial burden with the insurance company. There are other types of transference. Outsourcing work to an organisation with more skill and experience in performing the work than we have is another example. In that case, our intent is to reduce the likelihood of the event happening by having someone more skilled and experienced do the work. We may also be reducing the impact on ourselves, depending on the type of contract we choose.
Mitigation is the strategy we use when we can't avoid the risk altogether and we can't transfer the risk, or don't want to. Mitigating the risk requires us to take some action that will reduce the severity of the impact of the risk event if it should happen. Another way of looking at our traffic jam scenario is the relative likelihood of a traffic jam occurring on the expressway as opposed to the alternate route. If the alternate route has never experienced a traffic jam we could view that response as avoidance. If traffic jams happen on the alternate route less frequently, we've simply reduced the likelihood of being caught in one, or we've mitigated our risk. This is where common usage departs from the dictionary. We commonly refer to any strategy that either reduces the impact of the risk event, or the likelihood of it happening.
Contingency plans are a specific type of mitigation. The contingency plan differs from a other mitigation strategies in that no action is taken until the risk event happens, unlike other strategies that require the action to be taken before the risk event can happen. Taking the alternate route is only effective if we plan our trip that way. It isn't much use when we find ourselves in a traffic jam on the expressway. A contingency plan to deal with our expressway traffic jam might be bring along a flask of hot coffee or cold drinks to refresh ourselves while we wait for the traffic jam to clear. A term that should always be associated with a contingency is trigger. Trigger refers to the circumstances, or set of circumstances that will cause us to deploy our contingency plan. Pouring ourselves a cup of hot coffee from our flask while we're cruising down the expressway at 60 mph is not a good idea, it is likely to cause a crash and involve us in a traffic jam, the very event we seek to avoid! We shouldn't indulge in the hot coffee until our car is stopped and we can see from the traffic ahead that it isn't likely to start moving again anytime soon. This set of circumstances is referred to as the trigger.
Another common response to a risk is to simply accept it. We usually do this when the probability of a threat happening or its impact if it does happen make it impractical to spend any money or effort on a response. I've planned to walk to the bus stop to catch a bus and the weather forecast calls for a 50% chance of showers. It's summer, I'm wearing jeans and a tee shirt - do I want to buy an umbrella to avoid getting a wetting? Probably not, I'll probably be hot by the time I get to the bus stop and a rain shower may be refreshing! In this case I'm simply accepting the risk. Another term sometimes used to describe this response is "assume", as in I assume the risk. Assume means to take on or to appropriate. I'm doing neither when I walk to the bus stop without the umbrella. The risk is already there, I don't have to appropriate it. When I hire an insurance company to protect me against a collision, they assume the risk, or at least the financial impact of the risk. When I choose not to respond to a risk, I'm accepting it.
"For every action there is an equal and opposite reaction." The actions we use to respond to opportunities are just about the direct opposite of those used to respond to threats. Instead of avoiding the opportunity, we exploit it. Exploit is not the grammatical opposite of avoid, strictly speaking. Seek or confront are probably closer to opposite. Exploit is used in reference to risk management because it more accurately describes the action we take. Whenever a poker player sits down to play the game for money there is an opportunity to make money. A cheat, or card "mechanic" will exploit this opportunity by fixing the cards so they can't lose. Potential victims of the cheat can avoid falling prey to their exploitation by avoiding playing in a game with the cheat. If there is a chance that a telecommunications company can capture a large market share by being the first to market with some new technology, they will exploit that opportunity by shortening the time to market.
Rather than transfer a risk to someone else, we share an opportunity. Usually we share the opportunity with someone, or some organisation, whose strengths are uniquely compatible with our own and our partnership will improve the chances of realising the opportunity. This is corporations enter into joint ventures. Each corporation can contribute something to the venture that their partner cannot. Singly they cannot deliver what the project calls for but collectively they can. The opportunity in this case is may be a contract they bid on together, or the capture of a market share for a product they jointly produce.
Instead of mitigating a threat we enhance an opportunity. Enhancement takes a very similar approach to mitigation. We may do something that will increase the impact of the opportunity if it occurs. For example, we will prepare an ad campaign that boasts of our being first to market with our new technology. This does nothing to improve our chances of getting to market first, but will increase our market share even more if we do get there first. Alternatively, we may choose to improve our chances of getting to market first by shortening our development time, or we may do both.
The term accept has the same meaning for both threats and opportunities. In both cases acceptance of the risk means that we do nothing to avoid it, exploit it, transfer it, share it, mitigate it, or enhance it. If it happens, great, if it doesn't, that's OK too. We may be able to enhance our chances of winning the lottery by buying many tickets (although not much), but most of us are willing to accept the opportunity presented with a single ticket.
I hope this clears up any misconceptions you held about risks, threats, and opportunities. Just remember two things: risks include both opportunities and threats, and mitigation is only one response to dealing with threats.
Dave Nielsen is a principal with three O Project Solutions, the vendors of AceIt. Dave was also the key architect responsible for the creation of the product. AceIt has prepared Project Managers from around the world to pass their PMP exams. You can find endorsements from some of his customers on three O's web site https://threeo.ca