The terms used to describe the various aspects of risk
management are bewildering, even to an experienced project manager. At least I
find them bewildering. I'm going to examine some of the terms used to describe
risks and the way they are managed and hopefully shed some light on what they
refer to and what they mean. I hope to clear some common misconceptions up at
the same time.
The first misconception I'd like to address is the meaning
of the word "risk". We tend to view that word, especially in the project
world, as having a negative connotation. Frequently it does imply a negative
consequence, but not always. Actually a risk can have a positive outcome such
as when we risk money on a lottery ticket and our ticket wins. Risks that have
a positive outcome are called opportunities and risks that have a negative
outcome, such as when we refer to the risk of a car accident, are called
threats. We take action to encourage our opportunities, such as buying lots of
lottery tickets, and we discourage our threats, such as when we get inoculated
against the threat of a flu virus. Both opportunities and threats are forms of
risk, the key difference is our approach to managing them.
There is a great deal of confusion around the terms used for
our difference approaches to managing risks. We commonly refer to our
management of risk as "mitigation". The dictionary definition of this
verb is "to make less severe: to mitigate a punishment",
or "to lessen in force or intensity, as wrath, grief, harshness, or pain; moderate". While it is true that we mitigate
some of the risks to our projects, mitigation is just one strategy used to
address potential risk. Sometimes we choose to avoid a risk altogether, such as
when we respond to the risk of encountering a traffic jam on an expressway by
choosing an alternate route (we may still risk encountering a traffic jam, just
not the traffic jam on that
expressway).
Transference is another term used to describe our response
to risk. The classic example is when we buy insurance on our car to deal with
the risk of an accident. We aren't necessarily reducing the chance of an
accident, or even reducing the impact of the accident, we are simply reducing
the impact on us should the risk event (the accident) happen by sharing the
financial burden with the insurance company. There are other types of
transference. Outsourcing work to an organization with more skill and
experience in performing the work than we have is another example. In that
case, our intent is to reduce the likelihood of the event happening by having
someone more skilled and experienced do the work. We may also be reducing the
impact on ourselves, depending on the type of contract we choose.
Mitigation is the strategy we use when we can't avoid the
risk altogether and we can't transfer the risk, or don't want to. Mitigating
the risk requires us to take some action that will reduce the severity of the
impact of the risk event if it should happen. Another way of looking at our
traffic jam scenario is the relative likelihood of a traffic jam occurring on
the expressway as opposed to the alternate route. If the alternate route has
never experienced a traffic jam we could view that response as avoidance. If
traffic jams happen on the alternate route less frequently, we've simply
reduced the likelihood of being caught in one, or we've mitigated our risk. This
is where common usage departs from the dictionary. We commonly refer to any
strategy that either reduces the impact of the risk event, or the likelihood of it happening.
Contingency plans are a specific type of mitigation. The
contingency plan differs from a other mitigation strategies in that no action
is taken until the risk event happens, unlike other strategies that require the
action to be taken before the risk event can happen. Taking the alternate route
is only effective if we plan our trip that way. It isn't much use when we find
ourselves in a traffic jam on the expressway. A contingency plan to deal with
our expressway traffic jam might be bring along a flask of hot coffee or cold
drinks to refresh ourselves while we wait for the traffic jam to clear. A term
that should always be associated with a contingency is trigger. Trigger refers
to the circumstances, or set of circumstances that will cause us to deploy our
contingency plan. Pouring ourselves a cup of hot coffee from our flask while
we're cruising down the expressway at 60 mph is not a good idea, it is likely
to cause a crash and involve us in a traffic jam, the very event we seek to
avoid! We shouldn't indulge in the hot coffee until our car is stopped and we
can see from the traffic ahead that it isn't likely to start moving again
anytime soon. This set of circumstances is referred to as the trigger.
Another common response to a risk is to simply accept it. We
usually do this when the probability of a threat happening or its impact if it
does happen make it impractical to spend any money or effort on a response.
I've planned to walk to the bus stop to catch a bus and the weather forecast
calls for a 50% chance of showers. It's summer, I'm wearing jeans and a tee
shirt - do I want to buy an umbrella to avoid getting a wetting? Probably not,
I'll probably be hot by the time I get to the bus stop and a rain shower may be
refreshing! In this case I'm simply accepting the risk. Another term sometimes
used to describe this response is "assume", as in I assume the risk.
Assume means to take on or to appropriate. I'm doing neither when I walk to the
bus stop without the umbrella. The risk is already there, I don't have to
appropriate it. When I hire an insurance company to protect me against a
collision, they assume the risk, or at least the financial impact of the risk.
When I choose not to respond to a risk, I'm accepting it.
"For every action there is an equal and opposite
reaction". The actions we use to respond to opportunities are just about
the direct opposite of those used to respond to threats. Instead of avoiding
the opportunity, we exploit it. Exploit is not the grammatical opposite of
avoid, strictly speaking. Seek or confront are probably closer to opposite.
Exploit is used in reference to risk management because it more accurately describes
the action we take. Whenever a poker player sits down to play the game for
money there is an opportunity to make money. A cheat, or card
"mechanic" will exploit this opportunity by fixing the cards so they
can't lose. Potential victims of the cheat can avoid falling prey to their
exploitation by avoiding playing in a game with the cheat. If there is a chance
that a telecommunications company can capture a large market share by being the
first to market with some new technology, they will exploit that opportunity by
shortening the time to market.
Rather than transfer a risk to someone else, we share an
opportunity. Usually we share the opportunity with someone, or some
organization, whose strengths are uniquely compatible with our own and our
partnership will improve the chances of realizing the opportunity. This is
corporations enter into joint ventures. Each corporation can contribute
something to the venture that their partner cannot. Singly they cannot deliver
what the project calls for but collectively they can. The opportunity in this
case is may be a contract they bid on together, or the capture of a market share
for a product they jointly produce.
Instead of mitigating a threat we enhance an opportunity.
Enhancement takes a very similar approach to mitigation. We may do something
that will increase the impact of the opportunity if it occurs. For example, we
will prepare an ad campaign that boasts of our being first to market with our
new technology. This does nothing to improve our chances of getting to market
first, but will increase our market share even more if we do get there first. Alternatively,
we may choose to improve our chances of getting to market first by shortening
our development time, or we may do both.
The term accept has the same meaning for both threats and
opportunities. In both cases acceptance of the risk means that we do nothing to
avoid it, exploit it, transfer it, share it, mitigate it, or enhance it. If it
happens, great, if it doesn't, that's OK too. We may be able to enhance our
chances of winning the lottery by buying many tickets (although not much), but
most of us are willing to accept the opportunity presented with a single
ticket.
I hope this clears up any misconceptions you held about
risks, threats, and opportunities. Just remember two things: risks include both
opportunities and threats, and mitigation is only one response to dealing with
threats.