Introduction
The traditional view of risk is negative, characterizing risks as “threats” with adverse consequences on project objectives. But current risk thinking includes the possibility of “upside risk” or “opportunity,” which could have a beneficial effect on achieving objectives. Despite this theory, most applications of the risk process still concentrate on managing threats, and approaches to opportunity management remain patchy and reactive. The tools and techniques available to practitioners seem to focus attention only on the negative side of risk. This is particularly true of the Risk Response Planning phase, where the common strategies of avoid, transfer, mitigate, and accept are only appropriate for dealing with threats. New strategies are required for responding to opportunities.
This paper proposes approaches for responding to opportunities, which are based on the familiar threat response strategies. Each threat response strategy is generalized to determine the underlying principle, then the positive equivalent is developed, namely eliminating the uncertainty to exploit identified opportunities, sharing opportunities with a third party best able to manage them, enhancing probability and/or impact, and ignoring residual minor opportunities.
By modifying Risk Response Planning strategies as proposed, management of opportunities can become integral to risk management, giving them equal status with threats, and seeking to manage them proactively in order to achieve the benefits. Risk practitioners claim to believe that uncertainty has both a positive and a negative side—applying the approach outlined here will enable them to put those claims into practice.
What Is “Risk”—One Definition or Two?
It is clear from experience that all projects are subject to uncertainty, arising from a multiplicity of sources (including technical, management and commercial issues, both internal and external to the project). It is also widely recognized that successful management of uncertainty is a key contributor to project success. This has led to the current high profile of project risk management, which offers a structured approach to managing the inevitable uncertainty in projects.
It is also clear that if/when uncertainty strikes, it can have a range of effects on achievement of project objectives, from the total disaster to the unexpected welcome surprise. Despite this, the traditional risk management process as practiced by the majority of project managers tends to concentrate almost exclusively on the potential negative effects of uncertainty. As a result of this focus, considerable effort is spent on identifying and managing threats, while opportunities tend to be overlooked or at best addressed reactively (or “opportunistically”?).
Some risk management practitioners are beginning to promote an integrated common process for management of both threats and opportunities together, in order to ensure that unwelcome negative effects are minimized while at the same time maximizing the chances of exploiting unexpected positive effects (for example Hillson, 2001).
The suggestion that a common process can be used to manage both threats and opportunities has arisen from the inclusion of positive aspects in recent definitions of “risk.” This in turn has provoked vigorous debate among the community of risk practitioners, with individuals and groups taking and defending strong opposing positions. The issue is whether the term “risk” should encompass both opportunities and threats, or whether “risk” is exclusively negative with “opportunity” being qualitatively distinct. There appear to be two options:
1. “Risk” is an umbrella term, with two varieties:
• “Opportunity” which is a risk with positive effects
• “Threat,” which is a risk with negative effects.
2. “Uncertainty” is the overarching term, with two varieties:
• “Risk” referring exclusively to a threat, i.e., an uncertainty with negative effects
• “Opportunity,” which is an uncertainty with positive effects.
There is no doubt that common lay usage of the word “risk” sees only the downside. This is reflected in the traditional definitions of the word, both in standard dictionaries and in some technical definitions (see for example Collins, 1979; Norsk Standard NS5814, 1981; Godfrey, 1996; British Standard BS8444-3: 1996; National Standard of Canada CAN/CSA-Q850-97, 1997).
However, some professional bodies and standards organizations have gradually developed their definitions of “risk” to include both upside and downside. Several of these have definitions where the nature of the effect is undefined (for example Australian/New Zealand Standard AS/NZS 4360,1999; Simon et al., 1997) and which could therefore implicitly encompass both positive and negative effects. Others are explicit in naming both opportunities and threats within their definition of “risk” (for example Institution of Civil Engineers et al., 1998; British Standard BS6079-1: 2000; British Standard BS6079-3:2000).
The most recent of the standards to include both opportunity and threat within its definition of “risk” is the latest edition of the Guide to the Project Management Body of Knowledge (PMBOK® Guide) published by the Project Management Institute (PMI®) in December 2000, which states that “Project risk is an uncertain event or condition that, if it occurs, has a positive or a negative effect on a project objective … Project risk includes both threats to the project's objectives and opportunities to improve on those objectives.” (Project Management Institute, 2000,127).The PMBOK® Guide also defines risk management as “The systematic process of identifying, analyzing and responding to project risk. It includes maximizing … positive events and minimizing … adverse events.”
The decision to encompass both opportunities and threats within a single definition of risk is a clear statement of intent, recognizing that both are equally important influences over project success, and both need managing proactively. Opportunities and threats are not qualitatively different in nature, since both involve uncertainty, which has the potential to affect project objectives. As a result, both can be handled by the same process, although some modifications may be required to the standard risk management approach in order to deal effectively with opportunities (Hillson, 2001).
The Importance of Risk Response Planning
There is broad agreement on the elements of an effective risk process, although the scope and names of various phases may differ. The risk management process is not complex, and is simply a commonsense and structured approach to dealing with uncertainty, ensuring that proper account is taken of every foreseeable risk. The aim is to allow proactive management in advance, rather than waiting for risks to mature leading to situations requiring a reactive crisis response. A typical risk management process will include a preparation/set-up and scoping phase, followed by identification of risks. These are then assessed, evaluated, or analyzed, using qualitative and/or quantitative techniques. Next responses are developed to address or treat identified risks, and agreed responses are then implemented, after which the process concludes with a feedback and review loop to update the risk assessment.
However, one phase of the risk management process appears to be more important than the others in ensuring that risk is dealt with appropriately. Risk identification and analysis phases, including both qualitative and quantitative, merely describe and analyze the risks to which the project is exposed. It is the Risk Response Planning phase where strategies are determined and actions are developed, the implementation of which will have a direct effect on risk exposure.
If it is accepted that the definition of risk includes both threats and opportunities, and that the risk management process must deal equally effectively with both, then the question arises whether the Risk Response Planning phase as currently practiced meets this requirement.
Risk Response Planning—Current Practice
Most risk management guidelines recognize at least four types of strategy in responding to identified risks. Hillson (1999a, 1999b) defines risk response strategy types as:
• Avoid—seeking to eliminate uncertainty
• Transfer—passing ownership and/or liability to a third party
• Mitigate—reducing the probability and/or severity of the risk below a threshold of acceptability
• Accept—recognizing residual risks and devising responses to control and monitor them
The commonly used risk standards and guidelines adopt identical or similar sets of strategies, with minor variations in terminology (APM-BoK, 2000; Australian/New Zealand Standard AS/NZS 4360, 1999; Simon et al., 1997; Institution of Civil Engineers et al., 1998; Project Management Institute, 2000). The intention is to provide a strategic framework of response types, allowing a suitable response strategy to be selected for each identified risk, which can then be developed into actions for dealing with the risk proactively.
Since similar approaches to risk response planning are widely promulgated in risk management standards and guidelines (Australian/New Zealand Standard AS/NZS 4360,1999; Simon et al., 1997; Institution of Civil Engineers et al., 1998; Project Management Institute, 2000), it represents current practice in terms of risk response planning. It is clear however that if the risk management process is to encompass management of opportunities, then the traditional approach to risk response planning is inadequate, since it is mainly targeted at threats. Clearly no project manager would wish to avoid an opportunity, neither is it usually considered appropriate to transfer a potential benefit to a third party. Mitigating an opportunity to make it smaller is also the wrong approach, and passively to accept that an opportunity might happen seems unwise.
Given that the Risk Response Planning phase has the most direct influence over risk exposure, one might expect this phase to be the part of the risk management process, which most clearly targets both opportunities as well as threats. However some modification is required to the standard risk response strategies to make them suitable for handling opportunities.
Planning for Opportunities
If the Risk Response Planning phases of the existing risk management standards and guidelines are examined, none of them presents suitable approaches for dealing with positive upside risks/opportunities, with the exception of the British Standard BS6079 Part 3 (BS6079-3:2000).The “risk treatment” phase in the BS6079-3:2000 process suggests dealing with threats under four headings of “eliminating or avoiding, risk sharing, reducing the possibility, reducing the consequences,” and also offers four options for addressing opportunities namely “facilitating, involving facilitators, enhancing likelihood, enhancing consequences”. Despite this attempt to guide practitioners toward strategies for responding to identified opportunities, few details are given for the recommended approaches, and they represent neither an internally consistent set of response types nor a complete range of options. The descriptions of each opportunity response type in BS6079-3:2000 are minimal and overlapping, viz.:
Exhibit 1. Generalizing Threat Responses to Deal With Opportunities
• Facilitating is defined as “choosing project approach accordingly and enhancing other beneficial stakeholders’ outcomes”
• Involving facilitators means “involving stakeholders who can help facilitate occurrence of the opportunity”
• Enhancing likelihood can be achieved by “changing project approach, examining causal links between opportunity and project”
• Enhancing consequences is described as “developing plans for taking full advantage of an opportunity if it occurs”
The British Standards Institution is to be commended for at least attempting to offer explicit strategies for managing identified opportunities. However their recommended approaches lack consistency and completeness, and a more structured set of strategies is required.
Since project managers and risk practitioners are used to the four common risk response strategies (for threats) of avoid, transfer, mitigate and accept, it seems sensible to build on these as a foundation for developing strategies appropriate for responding to identified opportunities. This can be done by seeking to understand and generalize the underlying principle behind each threat strategy, then extending this to develop the positive equivalent approach for dealing with opportunities. The principle is illustrated in Exhibit 1, and detailed in the paragraphs below.
Generalizing and extending the four common threat strategies results in the following concepts:
• Avoidance strategies that seek to remove threats are actually aiming to eliminate uncertainty. The upside equivalent is to exploit identified opportunities—removing the uncertainty by seeking to make the opportunity definitely happen.
• Risk transfer is about allocating ownership to enable effective management of a threat. This can be mirrored by sharing opportunities—passing ownership to a third party best able to manage the opportunity and maximize the chance of it happening.
• Mitigation seeks to modify the degree of risk exposure, and for threats this involves making the probability and/or impact smaller. The opportunity equivalent is to enhance the opportunity—increasing its probability and/or impact to maximize the benefit to the project.
• The accept response to threats includes the residual risk in the baseline without special measures. Opportunities included in the baseline can similarly be ignored—adopting a reactive approach without taking explicit actions.
It is generally accepted that strategies for dealing with threats should be considered in the order avoid-transfer-mitigate-accept. This means that for each risk (threat), one should first ask whether it can be avoided, then look for possible transfers, thirdly consider mitigation, and only as a last resort accept the residual risks left over. Factors in deciding which response strategy is most appropriate include the type and nature of the risk, its manageability, the potential severity of impact, availability of resources to implement the chosen response, and cost-effectiveness. In the same way, opportunity response strategies should be considered in the order exploit-share-enhance-ignore.
Each of these four opportunity strategies can be developed further, as described below.
Opportunity Response Strategies
Exploit
The aim of this risk response strategy is to eliminate the uncertainty associated with a particular upside risk. An opportunity-risk is defined as an uncertainty that if it occurs would have a positive effect on achievement of project objectives. The exploit response seeks to eliminate the uncertainty by making the opportunity definitely happen. Whereas the threat-risk equivalent strategy of avoid aims to reduce probability of occurrence to zero, the goal of the exploit strategy for opportunities is to raise the probability to 100%—in both cases the uncertainty is removed. This is the most aggressive of the response strategies, and should usually be reserved for those “golden opportunities” with high probability and potentially high positive impact, which the project or organization cannot afford to miss.
In the same way that risk avoidance for threats can be achieved either directly or indirectly (see Hillson 1999a, 1999b), there are also direct and indirect approaches for exploiting opportunities. Direct responses include making positive decisions to include an opportunity in the project scope or baseline, removing the uncertainty over whether or not it might be achieved by ensuring that the potential opportunity is definitely locked into the project, rather than leaving it to chance. Indirect exploitation responses involve doing the project in a different way in order to allow the opportunity to be achieved while still meeting the project objectives, for example by changing the selected methodology or technology. Where avoidance goes round a threat so that it cannot affect the project, exploitation stands in the way of the opportunity to make sure that it is not missed, in effect making it unavoidable.
Share
One common objective of the Risk Response Planning phase is to ensure that ownership of the risk response is allocated to the person or party best able to manage the risk effectively. For a threat, transferring it passes to a third party both liability should the threat occur and responsibility for its management. Similarly, sharing an opportunity involves allocating ownership to a third party who is best able to handle it, both in terms of maximizing the probability of occurrence, and in increasing potential benefits should the opportunity occur. In the same way that those to whom threats are transferred are liable for the negative impact should the threat occur, those who are asked to manage an opportunity should share in its potential benefits.
Clearly it is sensible to consider project stakeholders as potential owners of this type of response, since they already have a declared vested interest in the project, and are therefore likely to be prepared to take responsibility for managing identified opportunities proactively.
A number of contractual mechanisms can be used to transfer threats between different parties, and similar approaches can be used for sharing opportunities. Risk-sharing partnerships, teams, special-purpose companies or joint ventures can be established with the express purpose of managing opportunities. The risk-reward arrangements in such situations must ensure equitable division of the benefits arising from any opportunities that may be realized. The target-cost-incentivization type of contract is also suitable for both threats and opportunities, since it provides a mechanism for distributing either profit or loss.
It is important that risk sharing does not become mere abdication of responsibility on the part of the project manager, who should retain an active involvement in the management of all risks that could affect project objectives.
Enhance
For risks that cannot be avoided/exploited or transferred/shared, the third type of response strategy aims to modify the “size” of the risk to make it more acceptable. In the case of threats, the aim is to mitigate the risk to reduce probability of occurrence and/or severity of impact on project objectives. In the same way, opportunities can be enhanced by increasing probability and/or impact, by identifying and maximizing key risk drivers.
The probability of an opportunity occurring might be increased by seeking to facilitate or strengthen the cause of the risk, proactively targeting, and reinforcing any trigger conditions that may have been identified. (Of course if probability is increased to 100%, then this is effectively an exploit response.) Impact drivers that influence the extent of the positive effect can also be targeted, seeking to increase the project's susceptibility to the opportunity, and hence maximize the benefits should it occur.
Where several opportunity-risks have been identified as arising from a common cause, it may be particularly cost-effective to look for generic enhancement actions that target the common cause. If these actions are successful they will influence more than one opportunity, and could result in a significant increase in benefits to the project.
Risk enhancement responses are likely to be specific to the individual opportunity-risk identified, since they address the particular causes of the risk and its unique effects on project objectives. It is therefore not possible to provide a comprehensive list of actions under this strategy, and a considerable variety of actions are to be expected.
Ignore
Residual risks are those that remain after avoid/exploit, transfer/share, and mitigate/enhance responses have been exhausted. They also include those minor risks where any response is not likely to be cost-effective, as well as uncontrollable risks where positive action is not possible. The common terminology adopted for threats in these categories is to accept the risk, with application of contingency where appropriate, and ongoing reviews to monitor and control risk exposure.
Opportunities that cannot be actively addressed through exploiting, sharing or enhancing can perhaps be ignored, with no special measures being taken to address them. In the same way as accepting threats, ignoring opportunities involves taking the risk and hoping to “get lucky”—whereas for a threat this would mean hoping that the risk will not occur, for an opportunity one hopes that it will. The ignore strategy might appear to mean taking no action at all, but a better phrase would be “Do nothing, but …”
One way in which opportunities can be included in the project baseline without taking special action to address them is by appropriate contingency planning. As for threats, this involves determining what actions will be taken should the opportunity occur, preparing plans to be implemented in the eventuality. Funds could be set aside to be spent on emerging opportunities, or resources and facilities nominated to be used if necessary.
It is also important for the project team to remain risk-aware, monitoring the status of identified opportunities alongside threats to ensure that no unexpected changes arise, and the use of an integrated risk process to manage both threats and opportunities together will assist in achieving this goal (Hillson, 2001).
Risk Response Effectiveness
Seven criteria have been defined (Hillson, 1999a) against which the effectiveness of risk responses can be assessed, summarized as:
• Appropriate—the correct level of response must be determined, based on the “size” of the risk. This ranges from a crisis response where the project cannot proceed without the risk being addressed, through to a “do nothing” response for minor risks.
• Affordable—the cost-effectiveness of responses must be determined, so that the amount of time, effort and money spent on addressing the risk does not exceed the available budget or the degree of risk exposure. Each risk response should have an agreed budget.
• Actionable—an action window should be determined within which responses need to be completed in order to address the risk. Some risks require immediate action, while others can be safely left until later.
• Achievable—there is no point in describing responses which are not realistically achievable or feasible, either technically or within the scope of the respondent's capability and responsibility.
• Assessed—all proposed responses must work! This is best determined by making a “post-response risk assessment” of the size of the risk assuming effective implementation of the response.
• Agreed—the consensus and commitment of stakeholders should be obtained before agreeing responses.
• Allocated and accepted—each response should be owned and accepted to ensure a single point of responsibility and accountability for implementing the response.
These criteria were originally outlined in relation to the types of risk response commonly implemented to deal with threats. However the same criteria apply equally to opportunity responses, which must also be appropriate, affordable, actionable, achievable, assessed, agreed, allocated, and accepted. The two-stage approach should also be applied for opportunities as for threats (Hillson, 1999a), namely selecting a response strategy first (which is appropriate/affordable/etc…), then developing tactics to implement the chosen strategy. This strategic approach to risk response planning should be followed for each identified risk, whether it is a threat or an opportunity.
Conclusion and Summary
Effective risk responses are vital if the risk management process is to meet its objectives of “… identifying, analyzing, and responding to project risk … including maximizing … positive events and minimizing … adverse events” (Project Management Institute, 2000). The Risk Response Planning phase is arguably the most important phase of the risk management process, since this is where appropriate actions are developed in the light of identified risks—both threats and opportunities. If effective responses are not developed and implemented, the risk process will fail, and the chances of the project achieving its objectives will be reduced.
It is however clear that the risk process as commonly implemented does not include a structured framework for dealing with identified opportunities, since common response strategies only target threats. Building on the well-known threat strategies, this paper has described strategies that can be used to ensure that identified opportunities are also exploited effectively. Using the approaches outlined here will enable the project manager to take full advantage of those uncertainties with potential upside impact; failing to implement proactive opportunity management strategies will guarantee that only half of the benefits of risk management can be achieved.