This is the second article of our series on Project Risk Management
In this article we will discuss key definitions related to a common debate on risk management, which is: are risks always threats or we can consider opportunities as risks as well?
Two School of Thoughts
When we discuss risk management or project risk management, there are two main school of thoughts.
The first school of thoughts view risks as threats; always. Human nature lead people to think of a “risk event” as “threat”, “danger”, “hazard”, or any other word that reflect negative or bad situation.
Another school of thoughts; mostly reflecting a business perspective, view “risk events” as uncertain events that could have negative or positive consequences on the objective of the task, project, or mission that we are undertaking.
Regardless of which school one follows, we need to shift our paradigm to think of positive and negative consequences to events on our projects and our lives.
If you subscribe to the second school of thought, then you already “understand” or “accept” that risks could be a threat or an opportunity.
On the other hand, if you are from the first school, then you can continue to think of risk as bad but you also need to think of opportunities.
Current Reality of Practices
Based on our observations from numerous project management and project risk management classes that we have led, the focus is mostly limited to risk being threats … and therefore risk management is about the threats to the projects. Even in situations where people accept that risk management is about the threats and opportunities they maintain a focus on the threats and ignore the opportunities. This is what we call the “wishful thinking syndrome”, meaning since it is an opportunity so it is OK if it happened … forgetting that a risk is uncertain and may or may not happen.
If we accept the concept that risks are threats and opportunities; then we can discuss risk and opportunity management. Here again, the vast majority of participants struggle with this concept and could not relate to what would be an opportunity.
Missing Out on Opportunities
If an organization focuses on the threats only – then we could be missing out on great opportunities.
For example, (simplistic example) if there is an opportunity that would allow us to save three weeks on a project and a threat that could cause us to lose a week. Where would you focus?
- If the threat happen but not the opportunity – we lose a week (bad)
- If they both happen – OK we gain two weeks (gain three, lose one – net gain of two)
- If we can eliminate the threat and ensure that the opportunity happen – then we gain three weeks
In this case, do you think you can still afford to miss out on the opportunities?
How do we change the mindset?
Take a look at the next image, is the shark a threat or an opportunity? If you are afraid of sharks then you view them as threats. On the other hand, there are people who makes a living from diving and swimming with shark. So once again, is this a threat or an opportunity?
We will be touching on project risk management (threats and opportunities) in future articles.
Please share your thoughts.
It is a case of is the glass half full or half empty. Our school systems have fallen short in providing the mind set you prescribe to. I believe we have to continually remind ourselves that no matter how bad (threatening / risk) it may seem there is always a positive to every situation.
In what appears to be a threat (risk) one needs to see that there is an opportunity to succeed if you manage that threat in a positive open and creative mind set. All risk even those that appear to be negative provide an opportunity to turn it around. There is always a choice and alternate method we just need to be open to the option / opportunity to see it.
Agree but we need to be careful with one thing — opportunities are not ONLY about turning a threat into a positive by dealing with it. There are positive things (independent of threats) that we should exploit – pursue in order for us to capture such opportunities
It is unfortunate that opportunities are most often not considered as part of the project risk management process as these can no doubt be beneficial to the outcome of any project. Risk management is one of these areas of Project management which is not well understood and is often confused with other aspects of the engineering process such as the hazop study. I have found that the leaner the project management team becomes the greater the tendency is to overlook processes such as risk management. Has anyone done a study on this? Does anyone really know what the real cost of making processes such as Planning and control, risk management communication and stakeholder management lean is?
This comment was posted on LinkedIn ISO 21500 Project Management group
by Marc Gewertz
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
It is about both and is better called “Risk and Opportunity Management”. This article means well but it is misleading. Risks are threats. Opportunities are not risks, they
are opportunities. Opportunities are situations for further advancement than
normal situations provide. Taking advantage of opportunities is used to offset
managed risks which turn out to be events regardless of the mitigation applied.
Dear Marc
Thanks for the feedback and we agree with what you said. The only difference is whether opportunities are risks.
On this point there are two leading schools of thoughts one that says risks are always threats and opportunities are opportunities (the way you described it) and the other says risks are ANY uncertain events, if they happen could have negative or positive impact (hence threat and opportunity).
This comment was posted on LinkedIn Leadership in Project Management Group by David MacLeod
https://www.linkedin.com/groupItem?view=&gid=3737709&item=5947983459019411457&type=member&commentID=discussion%3A5947983459019411457%3Agroup%3A3737709&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983459019411457%3Agroup%3A3737709
Mounir,
My experience matches yours – project managers who attend my project management training courses consider risks only as threats … and I completely agree with them. I think it is nonsense to use the risk management process to manage opportunities. The word ‘risk’ according to my dictionary has no positive connotations at all.One day, the PMI and the APM will realise that their decision to make the risk definition neutral was wrong.
Regards, David
This comment was posted on LinkedIn ISO 21500 Project Management group
by Marc Gewertz,
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
I understand that as that is what your article is about. The definition of risk is negative, a loss, not a positive, not a gain. The second school should not use risk in a manner that contradicts its definition. Plain and simple. It is better called “Risk
and Opportunity Management”.
This comment was posted on LinkedIn ISO 21500 Project Management group by Max Wideman,
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
@Mounir and Marc — As usual our lexicon of
project management terms and their understanding are thoroughly screwed up. Of course
“risk” has negative connotations and “opportunity” has
positive connotations. Both terms stem
from “uncertainty” or, to be exact “an uncertain
environment” Therefore we might
better be talking about “uncertainty management”, but we don’t,
probably because that would be meaningless to most people. However, project
risk management does encompass both risk events and opportunities by virtue of
the fact that the objective of the management of risk *should be* to find ways
to turn a risk event, should it occur, into an opportunity. Unfortunately, that
possibility does not often appear in the standard literature.
This comment was posted on LinkedIn ISO 21500 Project Management group by Marc Gewertz
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
@ Max – I agree with you. To call it exactly what it is, it is “uncertainty management” which borders meaningless in conveying what that is, and why all the industry standards refer to it as “Risk and Opportunity Management”. Although
there is a “probability” that what is thought of as a “risk” can turn into an”opportunity” when the event occurs, the “probability of occurrence” of that happening is so minuscule, it is not worth thinking about and is almost alchemy.
The problem is, of those that understand “Risk and Opportunity Management” they often abbreviate it as just “Risk Management” but that is understood by those that understand to include “opportunities” also, and hence the confusion by those that do not understand it, such as the “2nd school of thought.”
There is so much confusion and malpractice in “Risk and Opportunity Management” that we don’t need to confuse the confused anymore than they are by stating things like “risks can be a threat or an opportunity.” There are possible
occurrences of events that may happen and these events can be risks or
opportunities.”
The issue in what is being said by the 2nd school of thought beside violating the definition of a risk, is in the action that one takes based on the type of possible occurrence of an event there can be. Because risks are negative, are bad, can result in trouble, loss, degradation, the action is “to mitigate” them. Because
opportunities are positive, are good, can result in bliss, gain, appreciation, the action is “to take advantage of” them.
Does the 2nd school of thought think “there is a risk that we may live so let’s mitigate it” or “there is an opportunity we can die so let’s take advantage of it”? Or can mitigate also mean make more severe, serious, and painful? Or can a
advantage also mean non-beneficial or loss; lose?
Secondly, the “risk” comes along with a “severity of occurrence”. So if an opportunity is a risk, is the “severity of occurrence” a negative number or can “severity” also be a positive thing like a risk can be a positive thing?
I’m sorry if I’m offending somebody out there, but the thought of the second school is just ridiculous, nonsense, is wrong, is dangerous, and should be ignored.SUKAD
needs to know the article needs to be corrected, the debate is over and stop
promoting the problem.
This comment was posted on LinkedIn ISO 21500 Project Management group by Marc Gewertz
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
@ SUKAD – Tell the 2nd School of thought opportunities are not risks or threats. Risks are threats. Opportunities are the opposite of risks and threats. Risks and threats are bad. Opportunities are good. Risks and threats can never be good. Opportunities can never be bad.
If an Opportunity turns out to be bad, it wasn’t an opportunity, it was misjudged as being an Opportunity. Opportunities can turn out not be good, but that does not make them bad. Risks and threats can turn out to not be bad, but that does not make them good. In both cases they just did not turn out they way they were expected.
Risks are any uncertain events that are threats and if they happen they will have negative impact. Opportunities are any uncertain events that are not threats and not risks and if they happen they will have positive impact.
Losing or missing an opportunity is bad but it does not mean the opportunity was bad. Likewise, finding a risk or opportunity is good but it does not mean the risk or threat was good.
I hope this explanation helps to straighten out their misconceptions about risks, threats and opportunities. They can also look in the dictionaries and the industry
standards, as that is what those documents are for.
A follow up article 2: http://blog.sukad.com/20141211/is-risk-management-about-threats-and-opportunities-a-debate/
This comment was posted
on LinkedIn group by Shawn
Akrawi, https://www.linkedin.com/groupItemview=&gid=1788861&item=5947983870933610497&type=member&commentID=discussion%3A5947983870933610497%3Agroup%3A1788861&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983870933610497%3Agroup%3A1788861
Risk management in a project should be about
both! Threats and
opportunities are different sides of the same coin. What determines
whether there will be an inhibiting or stimulating output is our vision,
understanding and our actions. For is it not true
that threats creates opportunities as well as opportunities may create threats? In any case, it is
absolutely right to claim that threats creates the necessity for innovations
and change that is full of opportunities. I think it is
enriching for a project to look at the threats as opportunities, but after some
efforts.
Shawn Akrawi
A follow up article: http://blog.sukad.com/20141211/is-risk-management-about-threats-and-opportunities-a-debate/
Thank you Marc and Max for your contribution and exciting debate. I tried to post an answer here but turned out to be too long – so i put it into a blog post. http://blog.sukad.com/20141211/is-risk-management-about-threats-and-opportunities-a-debate/
This comment was posted on LinkedIn ISO 21500 Project Management group by Marc Gewertz
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
@SUKAD/Mounir – Business is
no different from Programs/Projects when it comes to Risk and Opportunity
Management. In both cases there is a condition of uncertainty that has to be
addressed.
Your business
example eludes to the problem in the way some businesses respond to it. The
error is in thinking there are only risks that can have positive or negative
impact. That type of thinking is inadequate at properly addressing risks and
opportunities.
In reality there
are conditions of uncertainty that can be a risk or an opportunity. The risks
and opportunities are expressed as events which may possibly occur and each has
(1) a probability
of occurrence,
(2) a potential
impact, which for risks are expressed in severity if they occur, and for
opportunities are expressed as benefits if they occur, and
(3) an associated
action plan to address them, which for risks are expressed as a mitigation, and
for opportunities are expressed as advantage.
The point to made
is each event that has a possibility to occur has to be addressed as an
individual event. You cannot take a risk event and an opportunity event and
combine them into one event that can go one way or the other. Nor should you
combine two different risk events into one risk event. It is important to drive
each condition of uncertainty into fundamental events so they can be properly
addressed by fundamental actions based on the probably of occurrence and the
potential impact if they occur.
Although once they
are addressed as individual events, with different potential impacts and
different action plans, this does not preclude them from not being associated
to the same conditions of uncertainty or to other events. In other words, if a
business sees a condition of uncertainty, if it does not separate the risks
from the opportunities, and drive each to a fundamental event, it has not fully
analyzed the condition of uncertainty, and their risk management thereafter
will be flawed, as it does not have sufficient granularity to distinguish how
to properly address and assess the condition of uncertainty as a whole.
For example, if
there is a (one) condition of uncertainty, there could be two events that pose
risk-a, risk-b and risk-c that may have negative impact if they occur and
opportunity-x, opportunity-y and opportunity-z that may have positive impact if
they occur.
Risks-a&b are
associated with the first event.
Risk-a has a
mitigation plan and as part of the mitigation plan may involve taking advantage
of opportunities-x&y.
Risk-b has a
mitigation plan and as part of the mitigation plan may involve taking advantage
of opportunity-z.
Risk-c is
associated with the second event and
has a mitigation
plan which may also take advantage of opportunity-z,
but not
opportunities-x&y.
This comment was posted on LinkedIn ISO 21500 Project Management group by Max Wideman
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
Or on short, risk and opportunity management are speculative exercises wherein both may have degrees of multiple associated events. This can lead management down a cobweb of paths and the problem becomes a determination of how far to go and along which paths. It would be nice to find a practical case study that illustrates this dilemma.
This comment was posted on LinkedIn ISO 21500 Project Management group by Dennis Little
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
I really enjoy reading this
debate and agree with the points being made. One perspective I’d like to share
is that the term “Risk Management” has progressed beyond its original
value as a separate entity in Business Management and has creeped into the
lexicon of cliche’; everyone uses it now as a way to demonstrate that they know
something needs to be addressed.
For me, I have
always looked at “Risk Management” as an enhancement tool in
business/project management. Risk is inherent in any process (business,
production, etc.) Risk Management addresses all of the items (events – seen and
unseen) that will/can/may have an impact. I view the handling of these matters
as calculating Risk/Reward payoffs. In other words, every “Risk” has
a component of outcome that must be determined by “value”, or
desirability to the process. This is where we come up with the “Positive
or Negative” notion regarding risks. The focus for me is that I am
identifying EVERY risk, assessing its potential impact and creating a plan to
address its contingency. In the end, I am “Taking a Calculated Risk”,
meaning, I have considered the potential risk (Risk – by definition) and have
determined that my course of action will allow me to navigate that risk
successfully through mitigation. (Reward – Opportunity). This thinking probably
fits into the First school of thought described by @SUKAD/Mounir
I agree with Marc’s
assessment above regarding how Risk and Opportunity are intertwined in the
process of identifying and mitigating “Risk”. What works for me is
this:
My first
description is how I view “Risk Management” as a STRATEGIC process
for business or project management. The process by which I mitigate Risks in my
assessments would be similar to that described by Marc and I view it as a
TACTICAL process that is more dynamic and adaptable to any given scenario or
circumstance.
One thing I can say
with certainty. EVERY Business/Project is faced with risk. “Risk
Management” was borne of this fact. Risk, by definition, implies negative
impact on your process. To ask if “Risk Management is about Threats or
Opportunities”, for me the answer is both – We identify, assess, and
mitigate threats so that we may increase our ability to identify, assess, and
capitalize on opportunities. This is a STRATEGIC Process. The way I achieve my
goals in this realm is through the TACTICAL process as described. Even in that,
I utilize both threats and opportunities.
This comment was posted on LinkedIn ISO 21500 Project Management group by Tim Sephton
https://www.linkedin.com/groupItem?view=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
interesting
This comment was posted on LinkedIn Leadership in Project
Management group by David MacLeod
https://www.linkedin.com/groupItem?view=&gid=3737709&item=5947983459019411457&type=member&commentID=discussion%3A5947983459019411457%3Agroup%3A3737709&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983459019411457%3Agroup%3A3737709
Mounir,
My experience matches yours – project managers who attend my project management training courses consider risks only as threats … and I completely agree with them. I think it is nonsense to use the risk management process to manage opportunities. The word ‘risk’ according to my dictionary has no positive connotations at all. One day, the PMI and the APM will realise that their decision to make the risk definition neutral was wrong.
Regards, David
This comment was posted on LinkedIn ISO 21500 Project Management group by SUKAD Group,
https://www.linkedin.com/groupItemview=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
Interesting in deed 🙂 thank you all
This comment was posted on LinkedIn ISO 21500 Project Management group by Roeland Uytdewilligen,
https://www.linkedin.com/groupItemview=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agrou%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATE#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
A beautiful discussion is on-going and I believe everyone is right in the way they explore RISK management. For me, RISK Management is an always an opportunity. With RISK Management you first make an inventory of all possible threads to the project, then categorize them into levels of impact and discipline. By doing this exercise, you have the opportunity to make possible threads visible. If you don’t take the proper action as project manager afterwards, then you become a THREAD yourself to the project and you lose your CHANCE to have the OPPORTUNITY to prevent a THREAD becomes REALITY. If this happens, we have another tool available, called LESSONS LEARNED. My experience is
that many project managers are capable to do RISK mitigation and afterwards
create a clear lessons learned. However, I wonder why I see the same items
coming back project after project inside many companies because nobody is
taking the real initiative or action to make changes to the process, the RISK
document remains a list of facts or possible threads but is not turned into a
list of actions…
This comment was posted on LinkedIn ISO 21500 Project Management group by Vignesh Manimuthu,
https://www.linkedin.com/groupItemview=&gid=96642&item=5947983782505111554&type=member&commentID=discussion%3A5947983782505111554%3Agroup%3A96642&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREAED#commentID_discussion%3A5947983782505111554%3Agroup%3A96642
@ Mounir and Marc. Correct
me if I am wrong! You two are having a healthy discussion and I am Project
Management graduate with a year experience in Projects. So please feel free to
teach me.
When we estimate a
project and we always anticipate risk and assign a monitory value to it. Right!
For example if I am anticipating a rain delay during outdoor project works I
will consider as a Risk and assign a value for delay in Project schedule. In
the mean time if I can assign the resources to do something indoor than I
should consider this risk as Risk Management Opportunity, because I am managing
the risk as best I can and increase the productivity of the project. Am I right
its rule number 2?
I consider Risk
Management is Something you manage to minimise or eliminate it by following
certain set of rules or established methods. So in any projects as a Project
Manager we will work on eliminating risk completely as in the event of risk we
need to pay a heavy price or loss of reputation. In this context I think @Marc
is absolutely right.
But if you are
looking for new business opportunity or exploring a new area as a entrepreneur
you will certainly take risk or well planned risk to give it a go! But its an
opportunity more than a Risk Management right. For this purpose we use models
like SWOT or FMEA. Have I got it right?
This comment was posted on LinkedIn PMI Lebanon Chapter group by Nelly
Khnaizer Sakr , PMP,
https://www.linkedin.com/groupItemview=&gid=1486547&item=5976962491651997699&type=member&commentID=discussion%3A5976962491651997699%3Agroup%3A1486547&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5976962491651997699%3Agroup%3A1486547
I believe it is both; a threat and an opportunity and you are totally right that we mainly consider it as a threat (negative event)
The article’s approach is very informative; thank you Mr. Mounir Ajam
This comment was posted on LinkedIn PMO group by Mercy Momah ITIL, OCA, OCP,
https://www.linkedin.com/groups/Is-Project-Risk-Management-About-106439.S.5973091633435070464view=&gid=106439&item=5973091633435070464&type=member&commentID=discussion%3A5973091633435070464%3Agroup%3A106439&trk=hb_ntf_COMMENTED_ON_GROUP_DISCUSSION_YOU_CREATED#commentID_discussion%3A5973091633435070464%3Agroup%3A106439
Project Risk Management is about both threats and opportunities. However, there seems to be more emphasis on threats than opportunities when it comes to risk management.