Rethink Your Project Risk Management Strategy

If I were to ask you what your project management risk strategy was, would you respond something like this? “Duh! We will deal with the problem when it comes.” In my experience, that is the most common approach to project risk management or response strategy. However, that doesn’t make it a good strategy. I believe risk management (otherwise known as “project management” in my book) should be proactive and preemptive rather than reactive.

In this article I offer guidance on how to develop a project risk strategy based on the different kinds of threats projects face and then explain how to evolve project risk response into opportunities.

The Four Risk Management Strategies

Why do most project managers follow a reactive risk response strategy? The answer is simple. If a PM identifies and reports project risks, it somehow characterizes that person as inefficient, feeble and incompetent.

It’s like any really tough endeavor — ice skating, bicycling up hill, writing novels. Professionals make it look easy. When a PM manages risks well by identifying, prioritizing, planning, responding and controlling projects and is therefore successful, there isn’t necessarily appreciation or rewards for a job well done. Other people may simply believe that the PM succeeded because the project was very simple. On top of that, if the PM overcomes innumerable problems against all odds (that may have been partially caused because he or she wasn’t being proactive), he or she is treated as a superhero or a miracle worker.

Project Management Institute (PMI)®’s PMBOK® Guide defines four risk management strategies that deal with project threats as well as concomitant opportunities:

Avoid and exploit;
Mitigate and enhance;
Transfer and share; and
Accept and accept…

There are two important components of any risk event — probability and impact. In order to deal with the project threats, you can act upon one or both of these components . Let’s examine each strategy in the context of probability and impact.

Avoidance and Exploitation

Adopt this strategy if you want to completely remove the possibility of a project threat. This absolute risk response strategy eliminates the uncertainty (probability) associated with the negative risk event. By adopting this strategy, you make sure that the threat event won’t occur because you take steps to reduce the probability of the negative risk event as low as it can go. How do you do this?

By extending the project schedule to ensure timely completion;
By reducing project scope to isolate the threat; or
As an extreme case by terminating the project.

Exploitation is the opportunity side of the coin. By removing all uncertainty, you’re also guaranteed a positive risk event by absolutely making sure the project opportunity is realized.

This is the approach you take when you buy an off-the-shelf product instead of developing one or use a new technology to reduce cost of development.

Mitigation and Enhancement

As the word suggests, this strategy is adopted when you want to reduce the probability (or uncertainty) or impact or both associated with a negative risk event. By employing this strategy one of three things might happen:

The probability of the negative risk event will decrease;
The impact of the negative risk event will decrease; or
Both will decrease.

You can accomplish this by:

Developing prototypes early to reduce rework;
Assigning work to more skilled people to reduce duration; and
Regularly taking feedback from customers to reduce chances of rejection.

If your risk response strategy is mitigation, use enhancement to increase the likelihood of a positive risk event. By employing this strategy one of the following three things might happen:

The probability of the positive risk event will increase;
The impact of the positive risk event will increase; or
Both will happen.

You can achieve this by adding more resources to reduce project time and training people to improve quality.

Transference and Sharing

This strategy is usually adopted if the project team lacks the capability or capacity to deal with a project threat. In this strategy part or all of the impact is shifted to an external organization. The responsibility and ownership of the response is transferred to the external organization. It’s important to note that the external organization just takes the management responsibility for the threat; the threat itself isn’t eliminated. In this strategy the project team may pay a premium to the external organization assuming the threat.

As a result of this strategy, the impact of the negative risk event is transferred but the probability might not change. One example of this is buying insurance and transferring the cost impact to the insurance company. Another example is hiring a sub-contractor.

The opportunity strategy that goes hand in hand with transference is sharing. In this strategy complete or part of the ownership of the project is shared with an external organization that has similar objectives. The project team and the external organization may share costs, resources and knowledge in order to pursue the opportunity. If the approach works, the benefits are also shared.

The forms it takes are typically:

A technology partnership;
A joint company; or
A jointly launched product.

Acceptance and Acceptance

This strategy is adopted if the project manager doesn’t want to deal with a project threat actively. This is really a “do nothing” strategy. The impact of the negative risk event is accepted and dealt with if and when it comes. By employing this strategy, the project plan is left unchanged, which means there’s no change to the probability or impact of the negative risk event.

The other side of the “do nothing” approach is to accept the benefits of the opportunity if and when they come. By employing this strategy the project plan doesn’t change and no change happens to either the probability or impact of the positive risk event.

My suggestion is to embrace the idea of developing project risk strategies and then examining what opportunities they also incorporate. You may find that the opportunities make the risks that much more palatable.

Photo by Graeme Maclean under CC 2.0