Cutter Consortium
7 November 2006

Risk Management Approaches

by Jerry Peterson, Senior Consultant, Cutter Consortium

Today's Cutter Edge is excerpted from Cutter's Enterprise Risk Management & Governance advisory service. For more information, please contact Dennis Crowley at +1 781 641 5125 or e-mail dcrowley@cutter.com

After we've done a risk assessment, we should begin to develop management plans for the highest-priority risks. There are four general approaches that can be used to manage any particular risk.

1. Accept It

De facto, this is what you do if you do not do anything else. It is appropriate for low-impact risks that are not worth actively managing. And for some very high-impact risks, it may be the only available course of action.

No one likes the risk of getting cancer, but everyone has to accept it because there is (as it stands now) no choice.

2. Avoid It

Sometimes you can simply choose not to do an activity that carries too much risk. Of course, if you attempt to avoid every risk, you will end up doing nothing, but on a selective basis, eliminating some particularly risky activities from the program scope, or spreading them out over time, may be the right approach.

3. Transfer It

A third approach is to get someone else to take on the risk. Of course, the other party will usually expect some compensation for this, but if they are significantly better at managing such risks, the expected cost tradeoff (their price versus your expected loss if you manage the risk yourself) may be favorable. For example, you might choose to outsource the hosting of a new ERP system, using a fixed-price contract with performance guarantees for availability and response time.

Compared with doing it yourself, such a contract might be pricey, but the price premium can be viewed as insurance against the problems that you would inevitably encounter providing your own service. If the outsourcer is substantially more experienced and efficient than your own organization at this type of work, you might end up significantly better off. There are other ways to transfer a risk, too. If you need custom development of some industry-specific feature for your ERP system, you might join with a consortium of similar companies to share the cost and risk. There would be extra costs here, in the form of complex negotiations and possibly compromise on specifications, but the tradeoff still might be a good one. There is no such thing as a free lunch, so risk transfer takes careful analysis, but in the right circumstances, it may be the best way to deal with a particular risk.

4. Reduce It

The fourth approach, and the one typically adopted for most risks, is to reduce the danger by either (1) reducing the probability that the risk event will actually happen or (2) taking steps to limit the damage if it does happen. To reduce the probability, we might study the things that could trigger the risk event and then take steps to eliminate or lessen these causes. To limit the harm, we might put a contingency plan in place, or we might plan to launch in phases to limit the downside at each step.

-- Jerry Peterson, Senior Consultant, Cutter Consortium

Risk Management Approaches