Looking for risks in all the places they can occur

Once you have committed to creating a culture that enables active risk management, you will next need to develop a consistent, organization-wide method for seeking out and identifying risk. This requires two critical steps: 1) Develop a clear definition of risk enterprise-wide and 2) Teach your staff to seek out and plan for all types of risk: positive, negative, internal and external. Once you do this, you will be ready to begin planning for and managing response to nearly any situation of importance that is likely to occur.

Step 1: Clearly define what a risk is

This may seem like a trivial (or even pedantic) first step. However, if you want to ensure your staff are managing risk in a consistent manner, you need to start with a clear definition of risk that everyone agrees with across your enterprise.

A simple definition of risk

If your organization’s reason for existence is something different than managing risk, it can be helpful to keep your definition of risk as simple as possible. This not only makes people more comfortable adding risk management to their everyday jobs, it also reduces the cost and time required to teach risk management.

I like to use the following “plain and simple” definition for risk:

A RISK is a possible unplanned situation that would materially affect your plan or operations—if it occurs

I have found this easy to adopt by people from a variety of markets, industries, operations and cultures.

Simple litmus tests to separate risks from issues, rumors and distractions

By using the highlighted key phrases, it is easy to test whether an item of concern is actually a true risk:

  • A risk is something that could possibly occur. If something has already occurred (or is 100% certain of occurring), it is not a risk: it is an issue. If something is untrue (or has no chance of occurring), it is a rumor or fallacy.
  • A risk is something with the potential to materially affect your plan or operations. If the occurrence of a situation would not cause a material effect, it is not a risk to you: it is simply an external distraction. (Of course, it could create a risk by distracting your staff from their work.)

Once everyone in your organization begins using the same definition for risk, they can begin exploring and sharing risk information using the same language and terminology when encountering all types of risk.

Step 2: Recognizing the four major types of risk

Many people forget that there are four major types of risk:

Each of these types is defined by the following two quadrant “dimensions.”

Positive vs. negative risk

People tend to focus on negative risks, i.e., risks that would detrimentally affect plans and operations to a material degree. It is prudent to plan responses to negative risk. (I have seen this “save the day” many times.) However, simply planning for negative risk is not sufficient. You also need to consider positive risk.

Positive risks are unplanned situations that would create a boon to your plan or operations. If you plan for positive risk, you can take advantage of these situations when they occur. This can be just as beneficial as planning for negative risk. Here is a simple real-world example:

Company A is launching a new release of their product. Based on past analysis, they understand that this product release may lead to a short-term increase in customer service calls. To accommodate this, they set up a dedicated Contact Center queue to address this new need.

However, Company A has paid careful attention to designing their new release to address many past customer requests. As a result, the release could either increase calls (a negative risk—due to confusion with new features), or decrease them (a positive risk—due to resolution of issues that caused past calls). To manage both aspects of risk, Company A does two things: 1) they use outsourcing to enable them to increase or decrease customer support without incurring a fixed cost and 2) they use blended queues to enable them to absorb call volume into their existing Contact Center capacity.

Company A rolls out the new release. Initially, call volume spikes, but it drops below pre-launch levels within 30 days. Because Company A planned for both positive and negative risk, they react to both conditions at low cost—without creating long call queues.

Internal vs. external risk

People also tend to focus on internal risk, i.e., situations that could go wrong with their particular project or operations. While it is prudent to think about the risk of your operations, it is not prudent to neglect external situations that could materially affect you.

One of the most successful Program Managers I know pays strict attention to External Risks. Here is his real-world example:

Company B is upgrading their IT infrastructure. This upgrade will bring better features and reliability to its staff. However, Company B’s business is NOT IT. As such, the upgrade is not the first priority of the majority of Company B’s staff.

The Program Manager for the infrastructure upgrade recognizes that external situations (e.g., end of quarter sales or major product releases) could block or delay infrastructure upgrades at certain departments and locations during key times. To prepare for this, the Program Manager meets with each group to learn about these potential times. He negotiates both first choice and second choice upgrade windows for each department and location. This enables him to steer his upgrades around planned conflicts and—just as importantly—around unplanned ones. As a result, he completes his program on time (and with high stakeholder satisfaction).

Apply your definition of risk vigorously across all four quadrants

Too many organizations only focus on Internal-Negative Risk (and often in a consistent manner across different projects and operations). As the examples above show, it is critical to start with a clear definition of risk and apply it across your entire enterprise with a focus on all four types of risk. If you do this, you will be ready for nearly any situation that can likely occur.

Author’s Acknowledgment: I would like to credit the following past associates with whom I have worked for years to develop and apply the lessons regarding definition of risk: Neal Beliveau, Anne Dixon, James Gaines, Simon Grant, Jeff Kolar, Clare Little and Igor Mandrosov.



  • Nice summary Jim, Very concise. Love the following quote “Once everyone in your organization begins using the same definition for risk, they can begin exploring and sharing risk information using the same language and terminology when encountering all types of risk.” Without this things get more difficult! I look forward to more…………….

    Simon Grant, 13 January 2010
  • Jim,

    This is a great article. Managing a project by identifying and managing its risks, which is how we operated when we were in the PMO, is now the standard for me in every program I manage. I can see how ignoring risks can derail a project and lead to waste and inefficiencies, not to mention failure, very quickly!

    I will share this article with my team.


    Mina Kermani, 18 January 2010