Risk Treatment

Risk treatment is the fifth and final step of the risk management process. It is an important factor in project management, and should be developed integrated into any organization that is involved in projects. A risk treatment plan is a detailed plan that helps an organization select and implement actionable options on dealing with risks, whether they are threats or opportunities. Risk management is a cyclic five step process that establishes context, identifies, analyzes, evaluates and treats potential risks during a projects lifetime. Successful implementation of a risk treatment plan lowers uncertainty of a project, thereby increasing the overall chance for project success. Any project will face unforeseen challenges and risks that can have severe consequences, by preparing and implementing an actionable risk treatment plan, risk threats can be eliminated, reduced or at least be prepared for, and risk opportunities can be enhanced in gain or probability.

Although, a general step-by-step risk treatment standard is yet to be defined in detail, some industries have developed some guidelines. This is the case for the cybersecurity industry. The European Union Agency for Cybersecurity has developed a industry specific guideline on application of risk treatment, which can be used as an example for other industries. The example from Enisa is a five step process that includes: Identification of Options, Development of Action Plan, Approval of Action Plan, Implementation of Action Plan and Identification of Residual Risks.

Efficient risk treatment planning is a difficult task and it has a few limitations. One major limitation is that a risk treatment plan deals with uncertainty, and not matter the level of expertise in planning, it is impossible to be perfectly prepared for all possible risks. Another limitation that is yet to be figured out is poor knowledge sharing within this area of expertise, it is very difficult, as a project manager, to get your hands on standardized guidelines.

Big Idea

Figure 1: Risk Management Process ^[1]

Risk Management

Risk Management is a systematic process that assist decision-making within project management. It is an integral part of project success and should be integrated into the overall management structure. The process can be divided into five general steps excluding outlying support structures, the five steps progress in the following order: Establishing Context, Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment. Although, this is the general progression form, risk management is an agile tool, that requires the project manager to revisit earlier steps in the process throughout the project to mitigate potential risks created by the process itself and also unforeseen project risks. The five step process is visualized in Figure 1 ^[1].

Risk Treatment

Risk treatment is the vital final step, that helps the project manager efficiently and quickly handle the risks identified earlier in the risk management process if they occur. The objective in risk treatment is to have a detailed step-by-step action plan for as many imaginable future risks as possible or at least the ones that are the most probable or damaging. Since projects come in variations of an unlimited number, their purpose and challenges vary to the same degree. This variation makes standardization of the risk treatment process almost impossible, when the process needs to be tailored to the specific project and its risks ^[1].

Although standardization is a difficult task, there are some general methods that can be tailored to the specific risks of a project. Different risk management standards include/describe these method with slight variety, but commonly four methods are mentioned: Avoidance, Mitigation, Transfer, Acceptance ^[2].

Risk Avoidance When utilizing risk avoidance the risk profile of the project is reduced simply by not doing what would likely provoke the risk to occur. This usually involves development of a "back-up strategy" that is more costly, but has a higher chance of success. Examples of effective risk avoidance are; using an older and known technology, instead of a new technology that "promises" better performance or lower cost. Using reliable and known suppliers or vendors, instead of trusting new ones that, again, might promise lower costs or lead times ^[2].

Risk Mitigation Risk Mitigation involves taking precautious measures that will cause the risk to as little damage as possible, and/or attempt to reduce the probability of occurrence of the risk ^[2].

Risk Transfer Risk transfer can be split into two under categories: sharing and transferring. Where risk sharing is partnering with others to share the responsibility for risks. An example of risk sharing is when an international company partners with a local company. The local company will have some experience and expertise, which reduces risks for the international company. In the event that a risk occurs, the local company will also take a share of the impact, thereby reducing the impact on the international company. The local company will however, also enjoy some of the profits for a successful project. Risk transferring involves paying a third-party to take the risk away from you, most commonly this is done through insurance ^[2].

Risk Acceptance If none of the risk reducing measures are possible, there are only two options lefts - accept the risk or close down the project. Accepting a risk does however, not mean not preparing for/analyzing probability, impact etc. It means that the project manager either considers the impact of the risk to be of lower cost than the measures of reducing/eliminating the risk, or that it is impossible to do so. This process will allow for considerations of alternatives and a preparedness of the impact if actually occurs ^[2].

Threat vs. opportunity

The term risk entails two different definitions: threats and opportunities. Where a threat is a risk with a negative outcome and an opportunity is a tisk with a positive outcome. Efficient risk treatment should include planning for both types of risk, and it should be recognized that one is not more important for project success than the other. It has been widely discussed whether the same approaches and measures can be taken towards both types of risk, however they are not qualitatively or quantitatively different, since they both stem from uncertainty. Aligned with the general methods for dealing with typical threats, which are described in the sections above, opportunities have related responses. Instead of avoiding a threat, an identified opportunity should be exploited. Instead of mitigating a threat, an opportunity should be enhanced. Instead of transferring a threat, and opportunity should be shared. Instead of accepting a threat, an opportunity should be ignored. ^[3].

Application

Successfully creating and implementing a risk treatment plan is a difficult achievement in any project. Definitions and sources on generalized application are so far lacking, because projects are such a wide definition. However, some specific industries that have begun to create an organized structure of a risk treatment plan and its progression. The cybersecurity industry is an example of this, although it is a new industry they are experts in handling risk. The European Union Agency for Cybersecurity has developed a progression template for risk treatment. With lacking general definitions, their template will be used as an example to learn from in other industries.

The progression template includes five sections: Identification of Options, Development of Action Plan, Approval of Action Plan, Implementation of Action Plan and Identification of Residual Risks ^[4].

The following segments will generalize and elaborate on the template created for cybersecurity, such as it can be used as a standardized guide for risk management and risk treatment in general project management.

Identification of Options

After a detailed risk assessment the first step is to identify appropriate alternative options to handle the risks. The impact of such risks vary in probability and size, but they are not necessarily negative. A risk can both be a threat and an opportunity, and management of both options vary accordingly.

The identification and assessment of the options for risk treatment, can in generally be perceived as a form of cost/benefit analysis. Many things needs to be considered when choosing treatment options, whether tangible or intangible and compared to the overall risk management context i.e. align with the purpose and success criteria of the project, and in the end the choice depends on whether the costs outweigh the potential benefits (or the other way around). The available resources can effect and/or limit the choice options, and in that case, it is important for the project manager to prioritize which options should be pursued and implemented early on ^[4].

Treatment of risk opportunities

There are several ways a project manager can attempt to increase the potential or probability of an identified risk opportunity, these include but are not limited to ^[4]:

• Pursue actions that are likely to create or maintain the opportunity result.
  • Actions that increase probability of the risk.
  • Actions that increase the gain from the risk.
• Share/transfer risk to a third-party that can contribute with resources that increases probability or gain.
• Retain the positive residual risks.

Treatment of risk threats

The treatment of risks are similar in nature to opportunity treatment, however with the opposite association, the treatments options for threats include but are not limited to ^[4]:

• Avoidance of a threat by pursuing or stopping/diverting/postponing actions that are likely to remove the cause of the threat.
  • Actions that reduce the probability of the threat.
  • Actions that reduce the severity/damage of the threat.
• Share/transfer parts of or the entire threat to a third-party. This could result in turn create new risks in form of bad management from the other risk "shareholder".
• Retain the risk and/or its residual risks.

Development of Action Plan

When it has been identified if the risk is a threat or an opportunity and it has been chosen which treatment options to pursue, the project manager can start the development of an action plan. The action plan describes, in detail, how the treatment options will be implemented.

A well made action plan is extensive and should contain detailed description of the implementation from start to finish. It should include which specific options should be started/maintained/stopped etc. in a prioritized order with a specific time plan. What the resource requirements are, including raw materials, staff etc. Description of everyone involved and their responsibilities, including both external and internal managers, staff, stakeholders etc.

Finally, and potentially the most important factor, a description of performance indicators and how these are reported/monitored. Continuous performance data is vital for successful implementation of a risk treatment plan. It gives the project manager knowledge on whether the treatment is working or not, and therefore the ability to act should it be necessary ^[4].

Approval of Action Plan

Only in rare cases the project manager and the top management will be the same person. When this is not the case, it is important for the project manager to keep in continuous contact with the top management of the organization and keep them informed. Communication is key in project management, and risk treatment is not an exception. This will also help ensure continuous support and correct allocation of resources throughout the projects life-cycle, as well as help spread information to the entire organization, which can increase chances of successful implementation ^[4].

Implementation of Action Plan

A risk treatment plan will spread over various departments in an organization. Therefore, it is important that the plan defines how risk management is to be handled in all the affected departments, to ensure efficient implementation. The most commonly relevant departments include: development process, business and strategic planning and change management. In these departments (as well as other relevant departments in the specific project) it is extra important to embed risk management and treatment directly into their policies.

The risk treatment plan does not necessarily have to be general for all departments in the organization, it can be specialized for some or for each of the involved departments. However, every section has to align with the organization's overall risk management strategy.

To successfully implement a risk management or treatment plan it is necessary to have support and commitment at all levels of the organization. Support, awareness and commitment at top level management is vital for implementation, it helps streamline and execute the plan. Therefore, it can be helpful to appoint a senior manager to lead the initiatives across the organization, as well as involve all top level managers in the plan.

The organization should also in detail define and document a policy for risk management. This policy should include but is not limited to:

• Main objectives and logic behind the risk management.
• Links between the treatment plan and the organizations over all strategic plans.
• Which types of risk the organization are willing to pursue and to what extent, as well as the balance between threats and opportunities.
• Specific options that will be used to manage/treat risks,
• Who is accountable for each risk.
• The available resources for those handling the risks.
• Specific performance measures for risk treatment and how they will be monitored/reported.
• A written commitment to review risk management on a continuous basis.
• A written commitment to the policy by top level managers

If published to internal and external stakeholders to the organization, a such policy, will not only create overview of the plan, accountability, resource allocation etc. but also demonstrate commitment from the top level management.

Although, top level management ultimately is responsible for managing risks in the organization, all staff have responsibilities in their own areas. Successful risk management at personnel level can be achieved with systematic performance measurements and reporting ^[4].

Identification of Residual Risk

Residual risks are risks that have not been covered by the risk management planning and implementation. These include unforeseen risks, untreated risks and risks that evolve from risk management itself, that have not been handled. Even if the risk have been purposely left, it is important to define and document it in as much detail as possible, so that all decision makers in the organization are informed of it. Although, the risk is residual at a certain point of time during the project, it might become necessary to handle it at another time. Without proper preparation the consequences of a former residual risk can be increasingly larger, while it might even have been avoided completely ^[4].

Comparison of ENISA template with general standards

The ENISA template gives a very generic overview of how to create a risk treatment plan. In fact there are many similarities between the ENISA approach to a treatment plan, and how the general risk management process are, as shown in Figure 1. First step in both processes is to identify which risks needs to be handled, then evaluate and analyze how these risks can be treated, and finally develop an attack plan and implement it. From this perspective the ENISA template does not differ from much from the risk management definitions given in the DSI and PMI standards on project mangement.

Limitations

Risk management in general is a project managers best attempt at foreseeing the future. A risk treatment plan is a project manager trying to foresee the future and plan on how to tackle every imaginable problem. It is impossible for a risk treatment plan to be 100% accurate, and this might be its biggest limitation. Although, it can be helpful and increase project success by decreasing its uncertainty, it can be a huge project in itself to set up a well made risk treatment plan. On top of the practical difficulty, it is also best suited for large organizations, since it most likely will be a costly affair to identify the potential risks, as well as create and implement action plans. For a smaller organization it is probably more cost effective to handle most risks head-on when they arise, and only plan for the most damaging or probable risks if any.

Another limitation is poor public knowledge on risk treatment. Risk management is a well defined and standardized process, however the last step - risk treatment - is not. The available public resources on risk treatment are either very specific or very briefly described, such as in ISO 21502, ISO 31000 and the PMI standards ^{[5] [1] [6]}

The limited standardized knowledge could be due to the competitive nature of many organizations, i.e. not sharing how they handle and plan risk treatment is a competitive advantage, or because projects are so individual and specialized that it is difficult to create a generalized step-by-step guide across industries.

Annotated Bibliograhpy

1. Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI).

   Retrieved from: https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management

   • General standard on project, program and portfolio management. Includes many definitions.
2. International Organization for Standardization (2018), DS/ISO 31000:2018, Risk management - Guidelines

   Retrieved from: https://sd.ds.dk/Viewer?ProjectNr=M296412&Status=60.60&Inline=true&Page=1&VariantID=41

   • General standards on risk management. This standard gives brief definition of general risk management terms used in this article, such as risk management and risk treatment.
3. ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment.

   Available at: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment

   • This website provides a detailed guideline on the application of a risk treatment plan in the cybersecurity industry. It is used throughout this article as an example of a generalized progression on implementation of risk treatment in any organization and/or indunstry.
4. Project Management Institute (2001), Effective Strategies for Exploring Opportunities.

   Retrieved from: https://www.pmi.org/learning/library/effective-strategies-exploiting-opportunities-7947

   • This article provides detailed insight in how to deal with opportunities compared to threats, which are usually the risks that are focused on.

References

1. ↑ ^{1.0 1.1 1.2 1.3} International Organization for Standardization (2018), DS/ISO 31000:2018, Risk management - Guidelines, Retrieved from https://sd.ds.dk/Viewer?ProjectNr=M296412&Status=60.60&Inline=true&Page=1&VariantID=41
2. ↑ ^{2.0 2.1 2.2 2.3 2.4} BcCampus Open Education, Adrienne Watt, Project Management, Risk Management Planning, Retrieved from https://opentextbc.ca/projectmanagement/chapter/chapter-16-risk-management-planning-project-management/
3. ↑ Hillson, D. (2001). Effective strategies for exploiting opportunities. Paper presented at Project Management Institute Annual Seminars & Symposium, Nashville, TN. Newtown Square, PA: Project Management Institute, Retrieved from: https://www.pmi.org/learning/library/effective-strategies-exploiting-opportunities-7947
4. ↑ ^{4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7} ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment
5. ↑ International Organization for Standardization (2020), DS/ISO 21502:2020, Project-, programme and portfolio management - Guidance on project management, Retrieved from https://sd.ds.dk/Viewer?ProjectNr=M351700&Status=60.60&Inline=true&Page=1&VariantID=
6. ↑ Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management