Risk management is more than just risk mitigation

Often when I am in meeting where the topic of risk arises, I will hear some one say something like, “We need to determine how we are going to mitigate [these risks].” For some reason, people often jump to the word “mitigation” when they are speaking about managing risk. (Perhaps the word “mitigation” sounds impressive.) However, mitigation is just one of four techniques to manage risk. (Ironically, in reality, it is one of the least used forms of risk management).

The four techniques to manage risk

A risk is a possible situation that could materially affect your operation (if it occurs). The size of a risk (and the required level of your response is driven by two factors: the likelihood of its occurrence and the size of the impact if it occurs. The four generally accepted techniques employ different strategies to address these two factors:

Technique Number 1: Avoidance

Avoidance techniques aim at reducing the likelihood that a risk will occur (preferably reducing the likelihood to zero). As such, it can be the most powerful technique for managing risk. Here are some examples of risk avoidance:

  1. Operations: Risk that we will be late or over budget because we do not have experience doing X. Avoidance technique: bring in a consulting expert with experience in X.
  2. Technology: Risk that implementing a feature will cause us to be late. Avoidance technique: delay implementation of the feature to a later phase.
  3. Everyday Life: Risk that I will get hit by a car if I run out in the street. Avoidance technique: look both ways first.

There are few risks where you would not want to apply risk avoidance (the only times you do not want to do this is where the cost is prohibitive).

Technique Number 2: Mitigation

Mitigation techniques aim at reducing the impact that a risk will create if it occurs. As such, it should be used in situations where a risk is both sizable and cannot be avoided (or avoided at low enough cost). Here are some examples of risk mitigation:

  1. Operations: Risk that we will not have enough capacity to take customer orders. Mitigation technique: setup of a variable contract support structure that I will only
  2. Technology: Risk that my application will not receive the correct data from a client (calling application). Mitigation technique: creation of exception processing to deal with these situations without crashing
  3. Everyday Life: Risk that I will get badly hurt if I am in a car accident. Mitigation technique: wear a seat belt and install an airbag.

While people default to using risk mitigation it is not always preferred: would you rather wear a Michelin Man suit when you cross the street (mitigating the impact of getting hit by a car) or simply look both ways first?

Technique Number 3: Transfer

Transfer techniques move the impact of a risk (if it occurs) to an external party. This can get complicated. As such, risk transfer is best reserved for situations where the impact of a risk can be clearly measured and fully addressed by an external party. Here are three examples of using Risk Transfer:

  1. Operations: Risk that an employee will burn your store down. Transfer technique:  buy fire insurance
  2. Technology: Risk that your customers will not understand how to use your product and will need support. Risk Transfer technique: set up a lower-cost-per-hour Help Desk to provide support.
  3. Everyday Life: Risk that I may incur large health care costs. Risk transfer technique: buy health insurance.

There are many risks that you would not want to address through risk transfer. Would you want to buy insurance that pays you out in the event that a customer safety event destroys you brand’s reputation? Unfortunately, most transferred risks are transferred unintentionally (i.e., without managing the risk). A clear example is insufficiently testing a process or application, leaving your customers to deal with the consequences (I am sure you can name a few examples of this).

Technique Number 4: Active acceptance

Risk acceptance is the process of actively deciding that you will accept the consequences (impact) of a risk if it occurs. When applied correctly, i.e., when you actively document a risk and the decision to accept its potential consequences, it truly is risk management. This technique is best when the impact of a risk is small (much smaller than the cost to avoid, mitigate or transfer it). Here are three examples:

  1. Operations: Risk that we will not finish all of our tasks on time. Active risk acceptance technique: padding your schedule to account for this lateness.
  2. Technology: Risk that using a new technology will cause more overtime debugging and testing. Risk acceptance technique: using the technology and pressing the team to do the overtime work.
  3. Everyday Life: Risk that I may get a ticket if I speed on a road but deciding the benefit of going faster is greater than the combination of the ticket price and chance of getting caught

While use of Active Risk Acceptance is often appropriate, formal use of this technique is rather rare. Unfortunately Passive Risk Acceptance, i.e., writing down a potential risk but not estimating its size and actively taking steps to manage it, is all-too common., i.e., “hoping” a risk will not occur.

Which technique is best?

At first blush, it looks like the best risk management technique is Avoidance and the worst is Acceptance. This is not true. Some risks you must avoid (e.g., destroying your brand), others you can easily accept (e.g., getting more purchase orders than you can process). The key is picking your technique based on the size and structure of the risk. This is the very definition of risk management.

What if I cannot determine which technique I am using?

Sometimes I will hear two people debate if something like setting up a Help Desk is transfer (moving the risk from the implementation team to the agents) or mitigation (accepting that the risk is likely to occur but reducing the cost of its impact.) If you hear an argument like this, do not worry. It is a great sign that your team is actively managing risk (something much more important than figuring which “bucket” to use to classify their response).

Can I use more than one technique?

Using more than one technique to manage a risk is more common than many people realize. (It is also very wise.) A typical example can be found in managing technology infrastructure:

You have a risk that a server will fail (a risk that is certain to eventually happened). You employ three techniques to manage this risk. First, you split your traffic across lots of small servers. This reduces the likelihood of failure: a two-CPU server has a much longer mean-time-between-failure than a 192-CPU server. It also reduces the impact: when one server fails it only affects a small percentage of clients. Second, you invest in a Network Operations Center and/or Help Desk to deal with the consequences of server failure: this is a combination of mitigation (of failure cost), transfer (requiring your clients to call for help if they need it) and acceptance (recognizing that failure will occur).

While defining the techniques of risk management is simply, figuring out how to apply them is often complex.

Author’s Acknowledgment: I would like to credit the following past associates with whom I have worked with for years to develop and apply the lessons regarding response to risk: James Gaines, Simon Grant and Igor Mandrosov.

Post Topics:

Comments

Share your thoughts