Skip to content

Threat Risks vs. Opportunity Risks: Are they the same thing?

ISO 31000 Management Process for Threat and Opportunity Risks
ISO 31000:2009 Risk Management Process

A short while ago, I read through a presentation which seemingly tried to convince me that the only difference between threat and opportunity risks was the sign of the impact. That is, threat risks result in negative impacts and opportunity risks result in positive impacts.

This, along with another statement in the presentation which read, “Not identifying and capturing opportunities means GUARANTEED FAILURE” (in bold-caps no less) disturbed me to such a degree that I finally decided to crawl out of my risk management closet and publish my own take on these two assertions.

Firstly, let me say that I am in no way trying to discourage the pursuit and taking of opportunity risks. Society, industry and life in general would just not be where it is today were it not for mankind continuously seizing opportunities and making the most of them. Many failed, but many also succeeded, and this is what has kept us evolving and developing since we first emerged as the confused, knuckle-scraping homo-sapiens that we were some two hundred thousand years ago.

However, seizing opportunity risks does, in my opinion, need to be exercised with some degree of caution, and not identifying or capturing these opportunities certainly does NOT result in guaranteed failure. So, to say the only difference between threat risks and opportunity risks is the sign of the impact is, I find, a rather simplistic and misleading statement.

Depending on the nature of the venture being undertaken, one will generally try to adopt a style of management which, hopefully, best suits the objectives of that venture. The more complex and valuable the venture, the more conservative the management style (generally). This corresponds directly with how risks are managed in these ventures. Opportunity risk is a good thing (in that it suggests a positive outcome). However, it is also a deviation. In large and complex projects, deviation is more often than not a bad thing. For example:

Assume we are about to commence an activity in which the project team has planned for, and secured, the use of specialised installation equipment available on a rental basis, to commence work on the planned date. The team then finds out that some technically superior equipment has become available which can do the job sooner, faster and at a lower rental cost. It would make sense to take advantage of this opportunity would it not? However, changing equipment at this stage of the project results in several new threat risks which now need to be considered, such as:

  • Carrying out the work with different equipment is likely to require a change in execution procedures to ensure the new equipment can complete the job safely, efficiently and within project quality standards.
  • Carrying out the work with different equipment is likely to require a review of operator certification and may result in re-training requirements.
  • Carrying out the work with different equipment may result in site access and security issues.
  • Commencing the work ahead of schedule may result in multiple interface clashes with other work scopes and schedule activities.
  • Completing the work ahead of schedule may result in preservation issues if the original plan was to hook-up, commission and energise the installed materials immediately after the activity was complete.

All of this would necessitate a formal Management of Change process to be undertaken with a review of the new equipment specifications, revisions to technical documentation and procedures, re-evaluation of operator credentials, another site survey to be conducted, a review and revision of the project schedule, identification and coordination between all interfaces etc. If, at any point during these revisions and reviews, it became evident that more serious threat risks were now exposed, the project would have to consider scrapping this opportunity and reverting to the original plan which, if any hasty decisions had been taken in trying to exploit this “opportunity”, could result in the original plan no longer being viable.

Now, as I said earlier, I’m not trying to pour cold water over the enthusiasm for embracing opportunity risk, far from it. I firmly believe that projects should grasp opportunities wherever they can, but this needs to be done in an environment where the opportunity risks can be properly evaluated, planned, controlled and managed without disrupting existing project activities. Attempting this during the execution stage of large, complex projects with multiple interfaces and overlapping activities generally opens up a very large can of worms in my experience. For these types of projects, I maintain that the best way to achieve project success is by sticking to the old mantra of: “Plan the work, and work the plan”.

Even though opportunity risks may share the same basic ISO 31000:2009 management process as threat risks (see process flow diagram at the top of this article), the way in which opportunity risks need to be assessed and managed within this process is significantly different from the way threat risks are assessed and managed.

For more information about our project risk management services and software, or if you just want to express your own views on the subject, please feel free to get in touch via our “Contact Us” page.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.