Yes, apples and oranges are the same, both are fruit. But, then again, they’re not the same…
The same can be said for control and mitigation in the risk management process. They’re the same, both manage risk. But, then again, they’re not the same…
Time for a short story.
Bob looked genuinely disinterested in the question. He’s a project manager with a large engineering company based in Scotland. He’s well-respected and leads a high-performing team, who are known by senior management to successfully deliver projects.
Bob’s company hired me as a senior project manager to drive a suite of essential projects, including Bob’s. We were in a weekly progress meeting when I observed an expression on his face suggesting disinterest. I’d asked, “Bob, what are the risk control actions outstanding?” Even before I asked, I suspected I might be asking the wrong person. Nevertheless, I was chairing the meeting, so I had to ask.
Bob never differentiates between control and mitigation actions, so his answer was “Succession planning in case one of my senior team members leaves the project.”
“But Bob” I responded “That’s not a controlling action. It’s a mitigating action; you would be reducing the impact.”
Bob’s reply was “Controlling, mitigating. Call it what you like. It’s an action.”
Now, most of us understand what control and mitigate is, but very few people use these terms in the correct context. So, let’s throw a spotlight on the issue.
Control vs Mitigation
Institute of Risk Management guidance tells us that control actions are specific actions aimed at reducing the probability of a Risk Event occurring. Whereas defining a mitigation action reduces the impact of a Risk Event.
So, it’s clear from the Institute of Risk Management guidance that control relates to likelihood, as mitigation relates to impact.
Let’s look at Bob’s answer again “Succession planning in case one of my senior team members leaves the project.”
Is it about risk, in this case, a threat? Yes. The Risk Event hasn’t happened, so it’s not an issue. The action is about “planning in case” – in effect decreasing the impact on the project by having a succession plan.
Let’s consider if Bob had made a different statement, such as “I need to reduce the chances of senior team members leaving the project.” That would be a control action. Leaving could occur in future, it hasn’t happened so far, so again it’s not an issue, but it needs to be avoided or, at least, made less likely.
Both types of Risk Events (threats and opportunities) can have a bearing on a project. Likelihoods and impacts can be estimated, and control and mitigating actions completed to reduce the overall project risk. Control actions help minimise the possibility of the Risk Event occurring. But if it does happen, mitigation is required to ensure the impact is a small as possible.
The reality is that work execution can be given more importance over risk management planning. However, risk identification, risk assessment, control and mitigating actions, and contingency plans, are an essential part of project management; but in some cases, they aren’t given the necessary importance.
After all, who wants to spend time or money on possible future risks that may or may not happen? As project managers, we should!
Senior managers must ensure all project managers have a risk management process and risk register; and provide for both types of action, control and mitigation, that address the Risk Event, as well as a contingency plan available if and when appropriate.
So, whenever you take up a project management role, and before doing anything else, take note of project risks and ensure both types of action, control and mitigation, are present.
What are your thoughts?