Risky Business

In the world of Project Management, the topic of risk is HUGE. Massive. Behemoth, even. Ok, I might be getting a little carried away. The reality, though, is that the amount of risk – and hence the level of rigor applied to managing it – will vary with the type, size and complexity of your project.

If you have a small project with a well-defined set of requirements, a familiar technology, a long-time customer, the proper equipment and resources, your project is probably low risk, so an informal process to manage your risk may be ok. If, however, you’re staring down a project with basically the opposite of any of the above-noted items, you will likely want a more robust process for managing your project risk.

Before we go any further, we should probably take a quick step back to define what a risk actually is. The Project Management Body of Knowledge (PMBOK) – Fourth Edition, defines risk as: “Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Objectives can include scope, schedule, cost and quality.”

Two things jump out at me with this definition: (1) it’s something that is uncertain, that may or may not happen, and (2) it has an ‘effect’ on the project – though it doesn’t state specifically that it will be a negative effect. We’ll come back to these a bit later.

As there are so many facets of risk management, I suspect this will be a topic that I’ll post about often – rather than trying to cover it all in one ridiculously long, excruciatingly boring (hey, who said that?) post. For this post I thought I would touch on the topic of risk responses. Basically, what are you going to do about these pesky risks that you have identified?

Before I get into the various available responses, I’ll note that the impetus for this post – in addition to providing some exciting reading – is how the term ‘mitigate’ has become something of a ‘catch-all’ term when it comes to talking about risk. Mitigating risk is great, but it’s not the only thing you can do with it.

See below for a few additional strategies, as well as some notes on risk mitigation, based on the teachings of the Project Management Body of Knowledge (PMBOK) – Fourth Edition, and the world according to Evan.

Risk responses for negative risks (threats)


Avoid

Why mitigate a risk when you can avoid it altogether? One strategy to avoid risks is to shut down the project; but that’s a bit drastic. Other strategies to avoid risks are to make adjustments to the project plans, be it schedule changes, requirements clarifications, updates to assumptions or what have you so that the threat can be eliminated altogether. These options aren’t always available, but when they are, keep risk avoidance on your radar as a tactic for managing your risks.


Transfer

That’s not my risk; that’s your risk. Another strategy is to look at options for transferring the risk to a 3rd party. The example often given for this is in the insurance industry, where for the cost of an insurance premium, you transfer the risk to this 3rd party. Another way to handle this in a project-related context might be from a contract types and terms perspective – e.g. Fixed price billing versus Time & Materials billing, as each billing type has different levels of risk for the buyer and seller. (A topic for another day.)


Mitigate

Risks tend to be evaluated on (1) probability – how likely each risk event is to occur and (2) impact – if a risk does occur, how big the impact will be. Risk mitigation is about reducing one or the other, or both. Tools are available, such as the aptly named ‘Probability/Impact’ matrix, where risks can be evaluated on the basis of their probability and impact, and mitigation strategies can be developed for each risk. Pro-tip: Risks that are high probability AND high impact; deal with these ones first!


Accept

For the risks you aren’t able to identify a suitable strategy for, or for ones where the cost of the mitigation strategy is higher than the cost of its potential impact, the strategy here is acceptance. Acceptance can be ‘passive’ – do nothing and deal with them if they occur – or ‘active’ – establish a contingency reserve (money, time, resources etc.) to be better equipped to deal with them if they arrive.

Risk responses for positive risks (opportunities)

Intuitively, most of us think of risks as being threats, but this isn’t always the case, since where there are risks, there are opportunities (said some optimist somewhere). Here are a few strategies for turning risks on their head for the good of your project.


Enhance

The enhance strategy is one whereby project teams take actions to try and realize an opportunity by taking measures to increase the probability, impact or both. A common example is where project scheduling techniques such as crashing (adding resources) or fast-tracking (performing tasks in parallel) are used in order to finish a project ahead of schedule.


Exploit

Exploiting a risk turned opportunity is a bit like the enhance strategy, except – as Yoda would say – “there is no try; only do!” Exploiting is all about making SURE that you are taking advantage of an opportunity that has presented itself. Using a similar scheduling example, some projects will have financial incentives for finishing early, so project teams give top priority to exploiting this sort of opportunity any way they can.


Share

Similar to how project teams will want to transfer the negative risks, they will sometimes want to share the positive ones. An example might include joining with another team or organization to deliver a project, each agreeing on their respective scope of work and how risks and rewards can be allocated.


Accept

Again, much like with negative risks, sometimes the best strategy is to accept the risk. Related to opportunities, this strategy simply means being ready to take advantage of an opportunity if it comes along, but not taking steps to actively pursue it.

Well, so much for this NOT being a ridiculously long, excruciatingly boring (hey – it wasn’t that bad!) post. If you made it this far, I commend and thank you.

Be careful out there.


