So now that we’ve looked at avoid and transfer, let’s look at accept and mitigate:
Accept. There are two kinds of acceptance: passive and active. Passive means exactly what it sounds like – I recognize the risk but don’t do anything about it. This is typically for a risk that is so low in impact and probability that you don’t need to come up with a strategy for it. But you do keep your eye on it lest it bubble up and become more critical. Active acceptance means that while you don’t do anything proactive, you might “establish a contingency reserve, including amounts of time, money, or resources to handle the risks.”1 Interestingly, while one might think that a low-impact, low-probability risk is the only one you’d accept, you might sometimes accept a high risk. Case in point: a student of mine recently told me that she identified a high risk of a competitor beating her company to market. But even though it was rated high, she treated it as low, simply because she felt there was nothing she could do about it. And so if it happened it happened.
So what is mitigate? The dictionary definition of this word is, “make less severe, serious, or painful.” In this case I am reducing the probability and/or impact of a risk to bring it down to an acceptable level. Let’s take an example. Let’s say you’re the PM running an IT project in New York. And further that you want to hire a Chicago-based contractor to do some Oracle development. While the developer has good skills, he is sometimes known to leave projects before they are finished. And so, with your team, you plan how you might mitigate the impact or probability of losing him. Some ideas:
-Bonus. Incentivize him to stay on till the end
-Penalties. A reverse incentive if you will.
-Travel. Fly him to NY occasionally to bond with the team
-Backup and train. So you train someone on your current team to know what he knows.
There may be other steps but the important thing is that you’ve done something proactive. And each of those proactive steps may cost you money and/or time. And so now you have to convince your boss to spend money for something that may never happen. What will his response be? Agree? Throw you out of his office? And that, along with fundamental lack of understanding of the process, is one of the big reasons that risk management is so hard to implement in organizations. It reminds me of the fact that during Y2K the world was divided into two camps: those who thought we needed to prevent it and those who thought we need do nothing. When Year 2000 came and went with no problems, the “preventers” said, “See. We prevented it.” The other camp said, “See. Nothing happened. You spent all that money for nothing.”
I should also mention that PMBOK encourages you to look for opportunities while you ferret out risks. There may be some good that arises from your project and you definitely want to make it happen if at all possible.
So there you have the risk response options and an overview of the risk management process. The only other thing you should be aware of is that you should continue to identify, retire and monitor all risks throughout the project. Risk management is very important to the health of your project simply because there is so much uncertainty. If you can sell it to your management, do so. If not, try doing it in small steps on smaller projects to prove its worth on larger projects. I think you’ll be amazed at the results.
NOTE: After the holidays, the Useful Project Manager will be taking a Scrum Master course. Watch these pages for a description of what this is all about (as soon as I figure it out). Happy holidays!
1. PMBOK, p. 304. (electronic edition)