Risk Treatment

From apppm
Revision as of 21:31, 20 February 2022 by EigilVølund (Talk | contribs)


Risk treatment as a method is a sub-category of risk management. It is an assessment of what to do if the uncertainties identified during risk management occur. In other words, it is a pre-defined action plan for how to handle potential problems in a project. Implementing risk treatment before or early in a project increases the probability of overall project success by reducing the impact of unforeseen problems throughout the project.


Big Idea

Figure 1: Risk Management Process

Risk Management

Risk Management is a systematic process that assists decision-making within project management. It is an integral part of project success and should be integrated into the overall management structure. Excluding outlying support structures, the process can be divided into five general steps, which progress in the following order: Establishing Context, Risk Identification, Risk Analysis, Risk Evaluation and Risk Treatment. Although this is the general order of progression, risk management is an agile tool that requires the project manager to revisit earlier steps throughout the project, both to mitigate risks created by the process itself and to handle unforeseen project risks. The five-step process is visualized in Figure 1. (PMI 31000:2018)

Risk Treatment

Risk treatment is the vital final step that helps the project manager efficiently and quickly handle the risks identified earlier in the risk management process. The objective of risk treatment is to have a detailed step-by-step action plan for as many imaginable future risks as possible. Since projects come in unlimited variations, their purposes and challenges vary to the same degree. This variation makes standardization of the risk treatment process almost impossible, since the process needs to be tailored to the specific project and its risks.

%%%% WRITE MORE

Threat vs. opportunity


Application

Successfully creating and implementing a risk treatment plan is a difficult achievement in any project. Definitions and sources on generalized application are so far lacking, because "project" is such a broad term. However, some specific industries have begun to create an organized structure for a risk treatment plan and its progression. The cybersecurity industry is an example of this: although it is a young industry, its practitioners are experts in handling risk. The European Union Agency for Cybersecurity has developed a progression template for risk treatment. In the absence of general definitions, their template will be used here as an example for other industries to learn from.

The progression template includes five sections: Identification of Options, Development of Action Plan, Approval of Action Plan, Implementation of Action Plan and Identification of Residual Risks. (ENISA)

Identification of Options

After a detailed risk assessment, the first step is to identify appropriate alternative options for handling the risks. The impact of such risks varies in probability and size, but it is not necessarily negative. A risk can be both a threat and an opportunity, and the management of the two varies accordingly.

The identification and assessment of the options for risk treatment can in general be seen as a form of cost/benefit analysis. Many things need to be considered when choosing treatment options, whether tangible or intangible, and compared against the overall risk management context, i.e. aligned with the purpose and success criteria of the project. In the end, the choice depends on whether the costs outweigh the potential benefits (or the other way around). The available resources can affect and/or limit the options to choose from, and in that case it is important for the project manager to prioritize early on which options should be pursued and implemented.

Treatment of risk opportunities

There are several ways a project manager can attempt to increase the potential or probability of an identified risk opportunity. These include, but are not limited to:

  • Pursue actions that are likely to create or maintain the opportunity result.
    • Actions that increase probability of the risk.
    • Actions that increase the gain from the risk.
  • Share/transfer the risk to a third party that can contribute resources that increase the probability or gain.
  • Retain the positive residual risks.

Treatment of risk threats

The treatment of threats is similar in nature to opportunity treatment, but with the opposite aim. The treatment options for threats include, but are not limited to:

  • Avoidance of a threat by pursuing or stopping/diverting/postponing actions that are likely to remove the cause of the threat.
    • Actions that reduce the probability of the threat.
    • Actions that reduce the severity/damage of the threat.
  • Share/transfer part of or the entire threat to a third party. This could in turn create new risks, in the form of poor management by the other risk "shareholder".
  • Retain the risk and/or its residual risks.
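The cost/benefit selection described above, applied to both opportunity and threat options, as an added worked example (this is illustrative code, not from the page, ENISA or PMI): each risk carries a probability and impact from the earlier analysis, each option a cost and the probability/impact it leaves behind, and options are chosen by benefit/cost ratio within a resource budget. The risk names, figures, budget and greedy ordering are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    kind: str           # "threat" (impact is a loss) or "opportunity" (impact is a gain)
    probability: float  # 0..1, taken from the earlier risk analysis step
    impact: float       # size of the loss or gain if the risk occurs
    def expected_value(self) -> float:
        return self.probability * self.impact

@dataclass
class Treatment:
    risk: Risk
    option: str             # avoid / reduce / transfer for threats, enhance / share for opportunities
    cost: float             # resources the option consumes (assumed > 0)
    new_probability: float  # probability once the option is in place
    new_impact: float       # impact once the option is in place
    def residual(self) -> float:
        # Expected value that remains after treatment: the residual risk
        return self.new_probability * self.new_impact
    def benefit(self) -> float:
        change = self.residual() - self.risk.expected_value()
        # Threat: benefit is the cut in expected loss; opportunity: the rise in expected gain
        return -change if self.risk.kind == "threat" else change

def select_treatments(treatments, budget):
    """Pick at most one option per risk, best benefit/cost ratio first, within budget.
    Options whose cost outweighs the benefit are skipped; untreated risks are accepted/retained."""
    chosen, spent = {}, 0.0
    for t in sorted(treatments, key=lambda t: t.benefit() / t.cost, reverse=True):
        if t.benefit() <= t.cost or t.risk.name in chosen or spent + t.cost > budget:
            continue
        chosen[t.risk.name] = t
        spent += t.cost
    return chosen, spent

def example_plan():
    # Constructed sample register: the figures are illustrative, not from any standard
    delay = Risk("supplier delay", "threat", 0.4, 100)
    launch = Risk("early launch", "opportunity", 0.2, 200)
    staff = Risk("key staff leaves", "threat", 0.3, 50)
    options = [
        Treatment(delay, "transfer", 10, 0.4, 30),   # penalty clause: benefit 28 for cost 10
        Treatment(delay, "reduce", 25, 0.1, 100),    # second supplier: benefit 30 for cost 25
        Treatment(launch, "enhance", 15, 0.5, 200),  # extra staffing: benefit 60 for cost 15
        Treatment(staff, "reduce", 20, 0.1, 50),     # retention bonus: benefit 10 < cost 20, skipped
    ]
    return select_treatments(options, budget=30)
```

With a budget of 30 the plan enhances the launch opportunity and transfers the supplier threat; the staff threat is accepted because its only option costs more than it saves.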

Development of Action Plan

Once it has been identified whether the risk is a threat or an opportunity, and the treatment options to pursue have been chosen, the project manager can start developing an action plan. The action plan describes, in detail, how the treatment options will be implemented.

A well-made action plan is extensive and should contain a detailed description of the implementation from start to finish. It should include which specific options should be started/maintained/stopped etc., in prioritized order and with a specific time plan; what the resource requirements are, including raw materials, staff etc.; and a description of everyone involved and their responsibilities, including both external and internal managers, staff, stakeholders etc.

Finally, and potentially the most important factor, a description of performance indicators and how they are reported/monitored. Continuous performance data is vital for the successful implementation of a risk treatment plan. It tells the project manager whether the treatment is working or not, and therefore gives the ability to act should it be necessary.

Approval of Action Plan

Only in rare cases will the project manager and top management be the same person. When this is not the case, it is important for the project manager to keep in continuous contact with the top management of the organization and keep them informed. Communication is key in project management, and risk treatment is no exception. This also helps ensure continuous support and correct allocation of resources throughout the project's life-cycle, and helps spread information to the entire organization, which increases the chances of successful implementation.

Implementation of Action Plan

A risk treatment plan will spread over various departments in an organization. Therefore, it is important that the plan defines how risk management is to be handled in all the affected departments, to ensure efficient implementation. The most commonly relevant departments include the development process, business and strategic planning, and change management. In these departments (as well as other departments relevant to the specific project) it is especially important to embed risk management and treatment directly into their policies.

The risk treatment plan does not necessarily have to be the same for all departments in the organization; it can be specialized for some or for each of the involved departments. However, every section has to align with the organization's overall risk management strategy.

To successfully implement a risk management or treatment plan, it is necessary to have support and commitment at all levels of the organization. Support, awareness and commitment from top-level management is vital for implementation, as it helps streamline and execute the plan. Therefore, it can be helpful to appoint a senior manager to lead the initiatives across the organization, as well as to involve all top-level managers in the plan.

The organization should also in detail define and document a policy for risk management. This policy should include but is not limited to:

  • Main objectives and logic behind the risk management.
  • Links between the treatment plan and the organization's overall strategic plans.
  • Which types of risk the organization is willing to pursue and to what extent, as well as the balance between threats and opportunities.
  • Specific options that will be used to manage/treat risks.
  • Who is accountable for each risk.
  • The available resources for those handling the risks.
  • Specific performance measures for risk treatment and how they will be monitored/reported.
  • A written commitment to review risk management on a continuous basis.
  • A written commitment to the policy by top-level managers.


Identification of Residual Risk

Limitations

Comparison of ENISA model with PMI Standards

However, the Project Management Institute has created some sub-categories under risk treatment that can help a project manager in the process. The placement of a certain risk in a certain sub-category of risk treatment depends on the analysis and evaluation made earlier. The four most important sub-categories are as follows: Avoidance, Reduction, Transfer, Acceptance (PMI 31000).

Avoidance
The risk is avoided by not pursuing whatever is the cause of the risk.
Reduction
The risk is reduced by taking mitigating actions that lower the probability of occurrence.
Transfer
The risk is eliminated by transferring it to a third party. Examples of third parties are insurers and companies to which work is outsourced.
Acceptance
The risk is accepted. This choice is viable, for example, when a risk is impossible to eliminate, or when preparing for/eliminating the risk would cost more than the effect it would have. It could also simply be because the risk is considered part of the total project risk.

Annotated Bibliography

Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management

DS/ISO 21502:2020

DS/ISO 31000:2018

Project Management Institute, Inc. (PMI). (2021). A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 7th Edition, and The Standard for Project Management. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSPMAGPMP/guide-project-management/guide-project-management

ENISA, European Union Agency for Cybersecurity. Threat and risk management, Risk Treatment. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment
