Tuesday, April 16, 2013

Opportunity v Threats (again)

I was stunned by a paragraph in a recent 'briefing' -- "Opportunities are the Same as Threats" -- from the 'Risk Doctor' telling us that threat and opportunity are the same thing, except for a minus ( - ) sign in the impact column.

The proposition was stated thus:
The secret to effective opportunity management is to recognise that an opportunity is the same as a threat, apart from the sign of the impact . Once we see this similarity, the way to address opportunities becomes obvious. We can take the standard risk process which we already use for threats, and apply it to opportunities, with simple modifications to recognise that we are dealing with positive upside risks
My take: Not exactly!

In some situations the six step risk management process described in Chapter 11 might be applicable to opportunities, but most of the time the sponsors, funding, and impact to the baseline or the business scorecard are so remarkably different that a different management paradigm -- SMEs, tasks, workflow, approvals/trade-offs -- is invoked and applied. That said, the opportunity responses in PMPBOK 11.5.2 are still reasonable and applicable, even to a different paradigm than the risk management paradigm.

And, I'm not talking about the simple difference of having a risk register vs an opportunity register. That's just a  matter of the database schema -- schemas don't change the facts/estimates/forecasts. You can use one register if you want -- I teach my risk classes using one register for both; the case study for my students has both opportunity and risk.

Allow me this digression: in my risk management classes, I instruct on how to link/map PMBOK 11.5.2 risk responses to opportunity responses by having a common field on which to join. Then, if you want to map between registers, it's a simple matter of joining the registers on the common field. (If you know SQL and relational theory, then you know that if want a many-many relation between separate registers, you'll need a third register that is used as the common place to join)

The larger issue in my mine, unspoken in the Risk Doctor's briefing, is that opportunity and risk are quite different psychologically. One might hope that psychological factors shouldn't drive different managemenet paradigms, but they do because unique factors enter the frame. A simple minus sign ( - ) does not fix this. (And the 'Risk Doctor' knows all of this; he was a co-author of the rather decent book: "Understanding and managing risk attitude" which covers this very material)

If everyone were rational and objective, immune to bias and especially the effects of the non-linearities of utility, we would not have these issues:
  • Foremost, Prospect Theory -- an advanced variant of simple expected utility -- tells us that there are profound psychological differences in the way we approach an opportunity vs a threat; that these differences are quite material; and these psychologies lead to quite dramatic decision and planning non-linearities that are quite difficult to calibrate. Fear -- representing risk -- is simply not the flip side of joy -- representing opportunity.

  • Second, even though the PMBOK is correct to suggest quite different responses to opportunity as compared to risks, (See Chapter 11, para 11.5) these different responses not just a matter of a minus sign ( - ); it's a matter of how opportunities are handled differently because they are often a change in the baseline or even a change in the business plan.

    One simply does not go about changing baselines for opportunity like one responds with planning contingencies to risks from the risk register. There are usually quite different governance paradigms reflecting quite different cultural attitudes about risk vs opportunity.

    At this point, some of you may be thinking: Opportunity or change? Are they same, different without a distinction, or really different? I put my ideas in a recent posting. The way I use 'opportunity' brings sales and marketing into the frame; 'change' may not. Thus, there may be quite different paradigms even between opportunity management -- commonly thought of as external to the project -- and change management commonly thought of as internal to the project

  • And, finally to the anecdotal evidence: in my risk management courses I put this question (risk vs opportunity) to my students. The overwhelming response -- from hundreds of students across the world and industry and government -- is that the two are not handled as just the opposite sign of the other. Indeed, among those that have a formal risk management process, only a few include opportunity in the mix.
What about this idea that I hear a lot from my students?: 'Every opportunity entails risk'. Yes, that's certainly the case. Every opportunity is in the future, the future is uncertain, and uncertainty brings risk. That's why I counsel my risk students to avoid silos between risk and change management, and between risk and opportunity management.

And what about this?: 'Taking a risk is just exercising an option for opportunity'. Yes, that's valid also. Just as in finance where options are a common strategy for managing opportunity without obligation, the same can be applied to projects, setting up the possibility (but not the obligation) of exercising an option to take advantage of  situation/condition/event if it happens (Berra, Y: if you see a fork in the road, take it!)

The RISK DOCTOR responds: See the posted comments for the RD's response.

Check out these books I've written in the library at Square Peg Consulting


  1. I asked the Risk Doctor to comment on this posting; I received this reply. In fairness, as I often do, I edited the original a bit from the version the RD saw. Nonetheless, his comments are applicable:

    And, I had to post this as Part I and Part II
    Dear John,

    I’m pleased that you thought my recent Risk Doctor Briefing was stunning! However I think you’ve misunderstood what I was trying to say in this short one-page briefing. The briefing had two main aims. The first was to remind people that the concept of risk includes both opportunity (upside risk, risk with positive impact) as well as threat (downside risk, risk with negative impact). The second was to point out that if opportunities and threats are both types of risk, then they can both be managed using the same risk process. Obviously a lot more can be said about the relationship between opportunity and threat, and I’ve given a more detailed treatment in my 2004 book “Effective Opportunity Management for Projects: Exploiting Positive Risk” (pub. Taylor & Francis).

    Perhaps I can address the areas in your comments where I think you misunderstood my position. Firstly I should say that the content of this briefing is not merely outlining my personal opinion. It also reflects the international risk management standard ISO31000:2009, which defines risk as “effect of uncertainty on objectives”, with a note that “effect is deviation from the expected: positive or negative.” The same double-sided definition of risk is found in all other risk standards, including the PMI PMBoK Guide.

    I was interested to hear that you rarely come across organisations with a formal risk management process that includes opportunity, and you’ve never seen a Risk Register that contains both threats and opportunities. This may reflect the type of organisations you work with – my experience is the exact opposite and I find this consistently and routinely, and I would say it is common practice in many industries around the globe.

    Part II in following comment

  2. Part II of the Risk Doctor response:

    You also say that responses to opportunities are different from those for threats, and you quote the PMBoK Guide in support. Actually I drafted the current section 11.5.2 of the PMBoK Guide, and the intention was to clearly show parallel response strategies for opportunities and threats. So avoiding a threat and exploiting an opportunity are analogous – both are aggressive responses aimed at removing uncertainty. Similarly threat transfer matches opportunity sharing, and to reduce a threat is the equivalent of enhancing an opportunity. I think you’re mistaken to suggest that opportunity responses most often require a change to the baseline, and the examples given in the PMBoK Guide section 11.5.2 are not like that.

    I think the root of your confusion becomes clear in your closing comments. Like “risk”, the word “opportunity” is used in several different ways in natural language. Opportunities exist at various levels in organisations. The PMBoK Guide covers risks within projects, which means threats that would hinder achievement of project objectives as well as opportunities that would assist in achieving objectives. The important point here is that project opportunities do not result in scope creep or a change to the requirements. An opportunity in the project context is an uncertain event or condition that, if it occurred, would have a positive effect on achievement of one or more project objectives. But you talk about opportunities requiring a change to the baseline, and you say that opportunities need to be addressed through the change management process. Now it becomes clear that you are talking about opportunities outside the project context, or business opportunities. So the problem seems to be that you’re talking about opportunity at the business level while I’m talking at project level.

    There is one area where we’re in agreement though, which is that individuals and groups attach different utilities to opportunity and threat. I didn’t actually mention this in the latest Risk Doctor Briefing, and I wasn’t trying to imply that they would be treated with the same level of risk appetite. The article was merely pointing out that the process for managing opportunities is that same as that for threats.

    Well this response is now longer than the original one-page Risk Doctor Briefing which prompted your comments, so I’ll stop here! I hope my response clarifies my position (and that of ISO31000:2009 and the PMBoK Guide), and I trust you will agree that there are synergies in managing both upside risk (opportunity) and downside risk (threat) in an integrated common risk process. Thank you too for giving me this “right to reply”.

    With best wishes,
    Dr David Hillson, The Risk Doctor

    tel : +44(0)7717.665222
    email david@risk-doctor.com
    web www.risk-doctor.com