Managing risk in an IT project – what can be done with a risk?

Risk type and response strategy

Risk identification usually brings to mind one specific response: you have to do something thanks to which the threat will not realize, something that will mitigate it. However, you need to remember that it is not the only possibility. There are other methods of managing risk. They even can seem quite simple when we read about them, and maybe that is why we forget them surprisingly often.

In the first article of the series about managing risk, I mentioned that a risk is not always negative. Sometimes, it relates to benefits, and such a case is commonly called an opportunity. However, the word ‘opportunity’ is associated with dependence on external events or luck. It is important to remember that in the case of positive risks, we may respond differently than in the case of threats.

How to respond to negative risks?

• Mitigation. It is the reduction of the probability of risk by performing additional work. For example, if there is a risk that bots will clutter the database of our newsletter, we add captcha verification to reduce the probability.
  However, mitigation can be significantly more expensive than in the example given above, that is why it is worth counting its cost in terms of expenditure related to the potential risk. Sometimes, it turns out that the damage is cheaper than the mitigation.
• Avoidance. It is the elimination of potential reasons for risk. We do that by instinct very often, for example, if there is a risk that creating a given functionality will take us not three days, but three weeks, we decide not to do it all. In such a case, we take into account its business value, the deadlines, etc. Avoidance is the least expensive method, but it may be associated with hidden costs (such as lowered product value for the customer.)
• Transfer. It means transferring responsibility to someone else, and it is not about corporate passing the buck. For instance, risk transfer may consist of buying insurance against specific damages. It may also be renting an external supplier who will be obliged to deliver a solution and will bear all the risks associated with it. And yet, if the transfer is done, we still can be affected with negative effects of risks such as delays. On the markets where the most important thing is time-to-market, the usual contractual penalty does not compensate the loss against the competitors if they overtake us in delivering the solution.

How to respond to positive risks?

• Exploitation (the opposite of avoidance.) It is making sure that the positive risk will be realized. We may assign the brightest developer to the project, and thanks to that — be the first to provide the market with the solution.
• Enhancement. The opposite of mitigation that is adding specific operations in order to increase the effect or the probability of positive results. For example, the we can expand the team to increase the productivity.

The differences between leverage and enhancement are, in my opinion, purely theoretical. They are worth mentioning, but in practice, both solutions are associated with a quest for taking advantage of the opportunity.

• Sharing. It means combining forces to reap the benefits together, for example, buying a device, hiring an expert, using infrastructure, sharing costs, lobby, and many more.

What are other options? For both types of risks, there is a simple additional option — acceptance.

• Acceptance. In everyday life, it is the fifth stage of dealing with grief, usually preceded by denial and anger. In a project, you may avoid the previous stages because commonly well-carried-out risk analysis shows that we can live with it. Sometimes, a question arises why we would even analyze it if we did nothing about it. I compare it to crossing a road: there is always a risk that something can happen to us. But when we are not aware of the threat, we step onto the road blindfolded. Risk acceptance is often a test of manager’s maturity. Especially in the corporate environment, managers will strive for expensive mitigation instead of acceptance. Why? Because they are afraid of holding the responsibility for failure in the case of risk acceptance. It is a much broader problem of organizational culture, and often it comes down to a situation in which acceptance really means “it better not explode because we will have a problem.”

Summary

The presented division is quite theoretical, and for some, it may seem like another artificial, textbook distinction of something that is commonly understood. However, I believe that classification brings with it more significant value as well as it is an important part of the risk management process.

The awareness that we do not always have to mitigate a risk so it would not occur is crucial. Surprisingly often, we forget about simple ways, and we follow well-trodden paths. Besides, it is worth remembering that risk acceptance is not capitulation or a waste of time — it is a conscious decision, one of the stages of risk management. Readiness to take such a decision may help in differentiating good managers from the bad.