Yes, apples and oranges are the same; both are fruit. But then again, they’re not the same.
The same can be said for risk control and risk mitigation in the project risk management process. They’re the same; both manage potential risk. But then again, they’re not the same.
Time for a short story.
Bob looked genuinely disinterested in the question. He’s a project manager with a large engineering company based in Scotland. He’s well-respected and leads a high-performing team known by senior management to deliver projects successfully.
Bob’s company hired me as a senior project manager to drive essential projects, including Bob’s. We were in a weekly progress meeting when I observed an expression on his face suggesting disinterest. I’d asked, “Bob, what are the risk control actions outstanding?” Even before I asked, I suspected I might be asking the wrong person. Nevertheless, I was chairing the meeting, so I had to ask.
Bob never differentiates between risk control and risk mitigation actions, so he answered, “Succession planning in case one of my senior team members leaves the project.”
“But Bob”, I responded. “That’s not a controlling action. It’s a mitigating action; you would be reducing the impact.”
Bob’s reply was, “Controlling, mitigating. Call it what you like. It’s an action.”
Now, most of us understand what control and mitigation are, but very few people use these terms in the correct context. So, let’s throw a spotlight on the issue.
Risk Control vs Risk Mitigation
Institute of Risk Management guidance tells us that control actions are specific actions to reduce a risk event’s probability of happening, whereas mitigation actions reduce the impact of a Risk Event.
From the Institute of Risk Management guidance, it’s clear that control relates to likelihood, while mitigation relates to impact.
Let’s look at Bob’s answer again: “Succession planning in case one of my senior team members leaves the project.”
Is it about risk, in this case, a threat? Yes. The Risk Event hasn’t happened, so it’s not an issue. The action is about “planning in case” – decreasing the impact on the project through a succession plan.
Let’s consider if Bob had made a different statement, such as “I need to reduce the chances of senior team members leaving the project.” That would be a control action. Leaving could occur in future; it hasn’t happened so far, so again, it’s not an issue, but it needs to be avoided or, at least, made less likely.
Both types of Risk Events (threats and opportunities) can affect a project. The likelihoods and impacts can be estimated, and control and mitigating actions completed to reduce the overall project risk. Control actions help minimise the possibility of the Risk Event occurring. But if it does happen, a mitigation measure is required to ensure the impact is as small as possible to reduce the residual risk.
Risk Control Definition
What is the meaning of risk control?
Risk control actions are taken to eliminate, prevent or reduce the occurrence of an identified risk. By adopting risk control measures, you aim to reduce (risk threat or hazard) or increase (risk opportunity) the probability of the risk event occurring.
Risk Control Examples
Using the example of a car:
- The correct inspection and maintenance of the car reduce the likelihood of mechanical failures, such as brake failure; this reduces the probability of being involved in an accident
- Reducing the travelling speed lessens the probability of being involved in an accident by giving additional thinking time
Risk Mitigation Definition
What is the meaning of risk mitigation?
Risk mitigation is an action, or set of actions, taken to reduce or increase an identified risk’s impact or consequence. By adopting risk mitigation measures, you aim to reduce (risk threat or hazard) or increase (risk opportunity) the effect once a risk event has occurred.
Risk Mitigation Examples
Again, using the example of a car:
- The inherent design of a crumple zone reduces the impact of the damage within the driver and passenger zone
- Airbags are used to reduce the impact of an accident on the passengers and driver
The reality is that work execution can be given more importance than risk management planning. Risk identification, risk assessment, control and mitigating actions, and contingency plans are essential parts of project management, but in some cases they aren’t given the necessary importance.
After all, who wants to spend time or money on a possible future business risk that may or may not happen? As project managers, we should!
Senior managers must ensure all project managers have a risk management process, risk matrix and risk register, and that these provide for both types of action, control and mitigation, to address the Risk Event, with a contingency plan available if and when appropriate.
So, whenever you take up a project management role, and before doing anything else, take note of project risks and ensure both types of action, control and mitigation, are present.