ISO 21502:2020 Clause 7.8.4 Treating risk

Project Management 11 Minutes

Treating risks should involve developing options and actions to enhance opportunities and reduce threats to the project. Risk treatment measures can include, but are not limited to:
a) accept;
b) avoid;
c) mitigate;
d) transfer;
e) use contingency;
f) exploit;
g) enhance.
Actions taken to treat a given risk should be appropriate to the threat or opportunity, cost-effective, timely, realistic within the project’s context, understood by the parties involved and assigned to an appropriate owner.
Residual risks can result from the measures taken to treat each risk. When treating risks, a deviation from the plan or a change to the baseline can be needed.

In risk management, treating risk involves implementing strategies to address and mitigate the potential impact or likelihood of identified risks on project objectives. The treatment of risk aims to reduce the overall risk exposure and increase the likelihood of project success. Here are common approaches to treating risk:

  1. Avoidance: Avoidance involves taking actions to eliminate the risk or prevent it from occurring altogether. This may include modifying project plans, processes, or activities to remove the source of the risk or changing project parameters to avoid exposure to the risk entirely. Avoidance is typically preferred for risks with severe consequences or a high likelihood of occurrence.
  2. Mitigation: Mitigation focuses on reducing the probability or severity of a risk event and its potential impacts on project objectives. Mitigation strategies may involve implementing preventive measures, controls, or safeguards to minimize the likelihood of the risk occurring or limit its adverse effects if it does occur. Mitigation is often used for risks that cannot be entirely avoided but can be managed effectively.
  3. Transfer: Transfer involves shifting the responsibility for managing the risk to another party, such as an insurance provider, subcontractor, or supplier. Transferring risk may involve purchasing insurance policies, outsourcing specific project activities, or entering into contractual agreements to allocate risk to third parties. Transfer is commonly used for risks that cannot be avoided or mitigated internally and where external parties can better manage or absorb the risk.
  4. Acceptance: Acceptance involves acknowledging the existence of the risk and deciding not to take any further action to mitigate or transfer it. Acceptance may be appropriate for risks with low probability or minor consequences that fall within acceptable tolerance levels or where the cost of mitigation outweighs the potential benefits. Acceptance does not mean ignoring the risk but rather consciously choosing not to pursue active risk treatment measures.
  5. Exploitation: Exploitation focuses on maximizing the potential benefits or opportunities associated with certain risks. Instead of avoiding or mitigating positive risks, project teams may seek to exploit them to gain competitive advantages, enhance project performance, or achieve additional project objectives. Exploitation involves identifying and capitalizing on opportunities for innovation, growth, or strategic advantage.
  6. Contingency Planning: Contingency planning involves developing alternative courses of action or fallback options to address potential risk scenarios that may arise during project execution. Contingency plans provide a structured framework for responding to unforeseen events or changes in risk conditions and help project teams maintain flexibility and resilience in the face of uncertainty.

By treating risk through avoidance, mitigation, transfer, acceptance, exploitation, or contingency planning, project organizations can effectively manage uncertainties and enhance their ability to achieve project objectives within predefined constraints. The selection of appropriate risk treatment strategies depends on factors such as the nature and severity of the risk, available resources, project priorities, and organizational risk appetite. Effective risk treatment requires careful analysis, decision-making, and implementation to ensure that risks are managed proactively and systematically throughout the project lifecycle.

Treating risks should involve developing options and actions to enhance opportunities and reduce threats to the project.

Treating risks involves not only addressing threats but also maximizing opportunities for the project. This balanced approach ensures that project teams not only mitigate potential negative impacts but also leverage positive outcomes to enhance project success. Here’s how treating risks can involve developing options and actions to enhance both opportunities and threats:

  1. Threat Mitigation: For risks that pose potential threats to the project, such as cost overruns, schedule delays, or quality issues, treating them involves developing options and actions to mitigate their impact. This may include implementing preventive measures, contingency plans, or risk response strategies aimed at reducing the likelihood or severity of adverse events. By proactively addressing threats, project teams can minimize their negative effects and maintain project performance.
  2. Opportunity Enhancement: In addition to mitigating threats, treating risks also involves identifying and maximizing opportunities for the project. This may include developing strategies to exploit positive risks or capitalize on favorable circumstances that could benefit the project. For example, opportunities such as cost savings, schedule acceleration, technological advancements, or market advantages can be leveraged to enhance project outcomes and achieve additional benefits. By actively pursuing opportunities, project teams can increase project value and optimize resource utilization.
  3. Risk Response Planning: Treating risks involves developing comprehensive risk response plans that address both threats and opportunities. This includes identifying specific actions, allocating resources, and establishing timelines for implementing risk response strategies. Risk response plans should be tailored to each individual risk, considering its likelihood, impact, and unique characteristics. By developing proactive response plans, project teams can effectively manage uncertainties and maintain project resilience.
  4. Continuous Monitoring and Adjustment: Treating risks is an ongoing process that requires continuous monitoring and adjustment throughout the project lifecycle. Project teams should regularly review the effectiveness of risk treatment strategies, reassess risk priorities, and update response plans as needed. By staying vigilant and responsive to changing risk conditions, project teams can adapt to evolving circumstances and ensure that risk management efforts remain aligned with project objectives.
  5. Integration with Project Objectives: Treating risks involves aligning risk treatment strategies with project objectives and stakeholder expectations. This requires balancing the trade-offs between risk mitigation and opportunity exploitation to optimize project outcomes. By integrating risk treatment activities with project planning, execution, and control processes, project teams can ensure that risks are managed in a manner that maximizes value creation and supports overall project success.

By developing options and actions to enhance opportunities and reduce threats to the project, project teams can adopt a proactive and balanced approach to risk management. This holistic perspective enables project organizations to effectively manage uncertainties, capitalize on favourable conditions, and navigate challenges to achieve their goals and deliver value to stakeholders.

Risk treatment measures can include, but are not limited to accept; avoid; mitigate; transfer; use contingency; exploit; and enhance.

This outlines several key risk treatment measures that project teams can employ to address risks effectively. By considering these risk treatment measures, project teams can develop a comprehensive risk management strategy that addresses both threats and opportunities, optimizes resource allocation, and enhances the likelihood of project success. The selection of appropriate risk treatment options depends on factors such as the nature and severity of the risk, available resources, project priorities, and organizational risk appetite. Effective risk treatment requires careful analysis, decision-making, and implementation to ensure that risks are managed proactively and systematically throughout the project lifecycle. Let’s briefly elaborate on each of these risk treatment options:

  1. Accept: Accepting a risk involves acknowledging its existence and deciding not to take any further action to mitigate or transfer it. This approach is typically chosen for risks with low probability or minor consequences that fall within acceptable tolerance levels. Acceptance does not mean ignoring the risk but rather consciously choosing not to pursue active risk treatment measures.
  2. Avoid: Avoidance entails taking actions to eliminate the risk or prevent it from occurring altogether. This may involve modifying project plans, processes, or activities to remove the source of the risk or changing project parameters to avoid exposure to the risk entirely. Avoidance is preferred for risks with severe consequences or high likelihood of occurrence.
  3. Mitigate: Mitigation focuses on reducing the probability or severity of a risk event and its potential impacts on project objectives. Mitigation strategies may include implementing preventive measures, controls, or safeguards to minimize the likelihood of the risk occurring or limit its adverse effects if it does occur. Mitigation is often used for risks that cannot be entirely avoided but can be managed effectively.
  4. Transfer: Transfer involves shifting the responsibility for managing the risk to another party, such as an insurance provider, subcontractor, or supplier. This may include purchasing insurance policies, outsourcing specific project activities, or entering into contractual agreements to allocate risk to third parties. Transfer is commonly used for risks that cannot be avoided or mitigated internally and where external parties can better manage or absorb the risk.
  5. Use Contingency: Contingency planning involves developing alternative courses of action or fallback options to address potential risk scenarios that may arise during project execution. Contingency plans provide a structured framework for responding to unforeseen events or changes in risk conditions and help project teams maintain flexibility and resilience in the face of uncertainty.
  6. Exploit: Exploitation focuses on maximizing the potential benefits or opportunities associated with certain risks. Instead of avoiding or mitigating positive risks, project teams may seek to exploit them to gain competitive advantages, enhance project performance, or achieve additional project objectives. Exploitation involves identifying and capitalizing on opportunities for innovation, growth, or strategic advantage.
  7. Enhance: Enhancement involves developing strategies to improve the likelihood or magnitude of positive risk outcomes. This may include investing in additional resources, capabilities, or technologies to increase the probability of realizing potential benefits or opportunities. Enhancement strategies aim to optimize the value-creation potential of positive risks and maximize project success.

Actions taken to treat a given risk should be appropriate to the threat or opportunity, cost-effective, timely, realistic within the project’s context, understood by the parties involved and assigned to an appropriate owner.

By adhering to these principles, project teams can develop and implement risk treatment measures that are tailored, cost-effective, timely, realistic, well-understood, and appropriately owned. This approach enhances the effectiveness of risk management efforts, strengthens project resilience, and increases the likelihood of project success. Let’s break down each point:

  1. Appropriateness to Threat or Opportunity: The actions taken to treat a risk should be proportionate to the level of threat it poses or the opportunity it presents. This means tailoring the response to the specific characteristics and potential impact of the risk. For example, a high-risk threat may require more extensive and robust mitigation measures compared to a lower-risk threat.
  2. Cost-effectiveness: Risk treatment measures should be cost-effective, meaning that the benefits gained from implementing the treatment should outweigh the costs associated with it. Project teams need to consider the resources required to implement the treatment and the potential savings or benefits it provides in terms of mitigating the risk.
  3. Timeliness: It’s crucial that risk treatment actions are taken in a timely manner. Delays in implementing risk responses can increase exposure to the risk and exacerbate its potential impact. Project teams should prioritize and execute risk treatment measures promptly to minimize the likelihood and severity of adverse events or maximize the realization of opportunities.
  4. Realistic within the Project’s Context: Risk treatment measures should be realistic and feasible within the project’s context, considering factors such as project scope, schedule, resources, and constraints. Unrealistic or overly ambitious treatments may not be achievable or sustainable, leading to ineffective risk management. It’s essential to assess the practicality of proposed treatments and ensure they align with project realities.
  5. Understanding by Parties Involved: All stakeholders involved in the project should have a clear understanding of the risk treatment measures and their implications. Communication and transparency are key to ensuring that everyone is aware of the actions being taken to address risks and their roles and responsibilities in implementing those actions. Clear communication helps build trust and alignment among project team members and stakeholders.
  6. Assigned to an Appropriate Owner: Each risk treatment measure should have a designated owner responsible for its implementation and oversight. Assigning ownership ensures accountability and accountability for executing the treatment effectively. The owner should have the necessary authority, expertise, and resources to carry out the treatment and monitor its progress. Effective ownership facilitates proactive risk management and ensures that treatments are executed according to plan.

Residual risks can result from the measures taken to treat each risk.

Residual risks are those that remain after risk treatment measures have been implemented. Despite the best efforts to treat risks effectively, there may still be residual risks that persist due to various factors such as inherent uncertainties, limitations in risk treatment options, or unforeseen consequences of implemented measures. Here are a few reasons why residual risks can result from risk treatment:

  1. Partial Mitigation: Risk treatment measures may only partially mitigate the risk, reducing its likelihood or impact but not eliminating it. In such cases, residual risks remain, albeit at a reduced level compared to the original risk. Partial mitigation may occur due to constraints such as resource limitations, technical feasibility, or time constraints.
  2. Unforeseen Consequences: Sometimes, risk treatment measures can inadvertently introduce new risks or exacerbate existing ones. For example, implementing a new technology to mitigate a risk may introduce technical complexities or dependencies that create additional vulnerabilities. These unforeseen consequences can lead to residual risks that need to be addressed separately.
  3. Changing Risk Landscape: The risk landscape is dynamic, and new risks may emerge or existing risks may evolve over time. Risk treatment measures that were effective initially may become less effective or obsolete as project conditions change. As a result, residual risks may arise due to shifts in the risk environment that were not anticipated during the initial risk assessment.
  4. Risk Interdependencies: Risks are often interconnected, and treatments applied to one risk may impact or influence other related risks. In some cases, risk treatments for one risk may inadvertently create or exacerbate risks elsewhere in the project. These interdependencies can lead to residual risks that require additional attention and management.
  5. Human Factors: The effectiveness of risk treatment measures can be influenced by human factors such as communication breakdowns, resource mismanagement, or human error. Even when appropriate treatments are identified and implemented, failures in execution or adherence to procedures can result in residual risks that persist despite mitigation efforts.

Given the potential for residual risks, project teams need to recognize that risk management is an ongoing process that requires continuous monitoring, reassessment, and adjustment throughout the project lifecycle. By actively identifying and addressing residual risks, project teams can strengthen their risk management efforts, enhance project resilience, and improve overall project outcomes.

When treating risks, a deviation from the plan or a change to the baseline can be needed.

When treating risks, it’s common for deviations from the original plan or changes to the baseline to occur. Treating risks effectively often involves making adjustments to the project plan or baseline to accommodate changes in risk management strategies, resource allocations, scope, schedules, budgets, and stakeholder expectations. These deviations from the plan are necessary to ensure that risks are managed proactively and that project objectives are achieved within the constraints of the project environment. By monitoring and responding to changes in risk conditions, project teams can adapt and optimize their risk management efforts to enhance project success. Here’s why this might happen:

  1. Revised Risk Response Strategies: As new risks are identified or existing risks evolve, project teams may need to adjust their risk response strategies. This could involve modifying existing response plans, implementing new measures, or reallocating resources to address emerging risks effectively. These changes may require adjustments to the project plan or baseline to reflect the revised approach to risk management.
  2. Resource Reallocation: Implementing risk treatment measures may require reallocating resources from other project activities or tasks. For example, if additional funds or personnel are needed to mitigate a high-priority risk, project budgets or schedules may need to be revised to accommodate these changes. This reallocation of resources can result in deviations from the original plan or baseline.
  3. Scope Changes: Some risk treatment measures may involve changes to the project scope or deliverables. For instance, avoiding a particular risk may require modifying project requirements or specifications to eliminate exposure to the risk. In such cases, changes to the project scope may necessitate updates to the project plan or baseline to reflect the revised scope and associated implications.
  4. Impact on Schedule or Budget: Implementing risk treatment measures can impact project schedules, budgets, or other performance metrics. For example, mitigating a risk may require additional time or resources, resulting in schedule delays or cost overruns. Conversely, successfully exploiting an opportunity may accelerate project timelines or reduce costs. These changes in project performance may require adjustments to the project baseline to reflect the updated expectations.
  5. Stakeholder Expectations: Changes to risk treatment strategies or outcomes may impact stakeholder expectations regarding project outcomes, timelines, or quality standards. Project teams may need to communicate and negotiate with stakeholders to manage their expectations and address any concerns or issues arising from deviations from the original plan or baseline.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a ReplyCancel reply