Risk Treatment Attributes

A risk’s treatment strategy refers to the overall combination of treatments that best capitalises on the opportunity or minimise its threat. Each risk should be assigned a combination of treatments that best suits both the risk itself and an organisation’s ability to influence the factors contributing to and the outcomes associated with the risk. Broadly speaking, there are eight different types of treatments for dealing with risks: four for threats, and four for opportunities.

• Avoid – Avoidance refers to the general strategy of eliminating the uncertainty associated with a threat by preventing it from occurring. Naturally, only some threats can be avoided, and this usually involves a change in strategy or similar to eliminate the possibility of the risk occurring.
• Transfer / Share – Through insurances, effective contracting strategy, or other similar means, it may be possible to transfer some or (rarely) all of the risk associated with a particular threat to a third party. This is known as threat transfer. Threat transfer is one of the most commonly practiced forms of risk treatment, but it usually indirectly or directly involves the payment of fees to the party assuming responsibility for the risk in order to compensate them for the additional threat exposure. For Project Owners, it is rare to be able to transfer a risk entirely; it is more realistic to consider this to be risk sharing.
• Reduce – In some instances, it is possible to reduce the overall threat exposure by either reducing (but not eliminating) the probability of occurrence and/or impact level. Reduction strategies are only effective in instances where an organization has the ability to directly affect the factors contributing to or outcomes associated with the risk. This form of treatment is usually known as risk mitigation and is what many think of when considering risk treatments.
• Accept – Organizations may choose to simply accept that a threat may or may not occur on a project and choose to do nothing about it. This is known as accepting a threat. There are many reasons for accepting a threat, but some common explanations are:
  • The threat is of little consequence to the project’s objectives;
  • No other mitigation strategy is possible; or
  • The cost of mitigating the threat does not provide a good pay-off in risk exposure reduction.
  • An extreme example may be to accept the threat of the project site being struck by a meteorite.

• Exploit – The polar opposite of avoidance strategies, opportunity exploitation refers to the process of ensuring that an opportunity eventuates (converting its probability to 100% certain).
• Share – An organization may choose to share an opportunity to create mutual benefit between itself and another stakeholder involved in a project to increase the risk exposure.
• Enhance – As opposed to reduction strategies for threats, enhancement strategies for opportunities seek to maximise the probability of an opportunity occurring or to maximise the positive impact on the project’s objectives should it occur.
• Ignore – If an opportunity is of little consequence, beyond influence, or too difficult / costly to treat in any other way to increase its likelihood or consequence, an organization may choose to simply ignore it. In doing so, they accept that the opportunity may or may not arise and their potential benefit from it will be limited to the inherent characteristics of the opportunity as originally identified.

Having decided on a general strategy for risk treatment, it is important to clearly identify how this is to be achieved. The first step in doing this is to clearly name and describe all of the various strategies that could be employed to modify the risk exposure. Similar to the strategies described for naming risks, we can also use a meta-language approach for naming treatments. An example of this might be; “By <performing action>, <describe outcome>, resulting in <effect on probability and/or impact of risk>”.

Similar to the assignment of an owner to each accepted risk, each accepted risk treatment must be assigned an Owner. This treatment Owner is accountable to the Risk Owner for the management and successful implementation of the treatment, must know how each step of the agreed treatment is to be implemented and have the authority to make decisions about their implementation. The Treatment Owner may delegate responsibility for day-to-day actions in implementing the treatment but remains accountable for the successful implementation of the treatment.

There may be multiple treatments implemented for individual risks and a different Treatment Owner for each treatment. The Treatment Owner and the Risk Owner may also be the same person.

The implementation of the risk treatment is an essential step in the risk management process, as without assignment of treatment accountability and subsequent implementation, treatment identification is a theoretical exercise only.

Treatment status refers to a progressive system of classifications for managing risk treatments through their lifecycle. There are five different statuses for risk treatments:

• Potential treatments are those that have been identified but not approved for further action.
• Accepted treatments are those that have been approved for further action including analysis of their effects on the risk, but the plan for implementation has not been started..
• Started treatments are those that have begun to be implemented, but are not yet completed.
• Applied treatments are those that have been fully implemented.

It is important to ensure that risk treatment statuses are accurately maintained and reported to ensure that all necessary actions are taken for the treatments to be effective in a timely way.

Until agreed treatments are fully implemented, risk management is not effectively applied to that risk.