TechRepublic columnist Tom Mochal receives dozens of e-mails each week from members with questions about project management problems. He shares his tips on a host of project management issues in this Q&A format.

When I plan my projects, I always go through a risk identification process. I then create a Risk Management Plan to try to avoid the risks.

On my current project, one of my team members identified a risk associated with using a new software technology. As we analyzed it, we found that the risk actually had negative and positive connotations. As we started to think about this risk, the team saw that there could be a silver lining in many risks.

How do you factor this concept into your project planning?


I congratulate you for being diligent in your identification of risks as a part of your project planning process. You have actually hit on a topic that is currently being discussed in some project management organizations: positive and negative risk.

Defining risk
Risks are potential events or circumstances that could have a negative effect on your project. They’re not problems today, but they have the potential to become problems.

Identifying the risks that you need to focus on is a combination of identifying the risk event, determining the potential impact to your project, and determining the probability that the risk event will actually occur. When you’re finished with this exercise, you look for high-risk events and put together a plan to deal with each one.

Let’s look at an example of a normal project risk. Let’s say you have a supplier that you’re counting on to provide raw materials to build a prototype. The supplier has a union contract that expires in the next 60 days. There is a risk that the supplier will have a strike that will disrupt shipments. You need to identify this as a risk, estimate the probability of occurrence (perhaps this will increase or decrease over time), determine the impact to the project if it occurs, and then put together a plan to minimize the impact on the project if it occurs.

Positive risk
Negative risk is represented by potential events that could harm the project. In general, these risks are to be avoided. Positive risk, on the other hand, refers to risk that we initiate ourselves because we see a potential opportunity, along with a potential for failure. This is what we’re referring to when we say that we are intelligent risk takers.

Your example of new technology may be a good one to explain this concept. Let’s say that you have a software development project that is scheduled to take 90 days to complete. Your business client would rather the project be delivered earlier, and would get more value if it were delivered earlier, but understands that 90 days is how long the project will take.

One of your team members has an idea: If you utilize a new software-testing tool, it’s possible that you can deliver the project in 60 days instead of 90. If this were a guaranteed solution, you would jump on it.

However, there is risk, since it will be the first time you’ve used the tool. You have to deal with a lack of expertise and a learning curve. It’s possible that if the tool doesn’t work out, the project could end up taking 110 days to deliver. What would you do?

Of course, you don’t have enough information to make the decision now, but this example illustrates the concept of positive risk. The business client will accept delivery in 90 days. If you decide to use the tool, it’s a risk you’re introducing yourself, based on an evaluation of the chances of success and the impact of success vs. the chances of failure and the effect of that failure. When we say that we’re intelligent risk takers, these are the types of decisions we’re making.

Let’s look at another example. Let’s say you have a medium-size software development project that you think will take six months to complete. After extensive reading, you think you might be able to complete the project more quickly if you use some of the new Extreme Programming techniques. With these new techniques, you think you can deliver the first iteration to the client in three months and subsequent updates every month after that.

Of course, there is also a real chance that the new techniques will not work well or that the staff may resist the changes, which could end up delaying the project. There is your dilemma: do you take a chance and introduce risk for positive gain? Or do you go with traditional development techniques and be happy with a six-month delivery date?

The debate is on
This concept of positive and negative risk is a hot topic right now in many groups, including the Project Management Institute (PMI). The question it is asking is whether the current concept of risk as being only associated with threats is too narrow a definition.

In a recent poll of the members of the PMI Risk Management Specific Interest Group (SIG), the respondents tended to think that the definition of project risk should be expanded to include the more general notion of positive risk.

So, to answer your question, even though we commonly think of project risks as having a negative connotation, you can also use risk management to identify and quantify potential positive risk.

Since you would be the one introducing the risk, the risk management plan is within your control. You and your client can determine whether you want to accept the risk after understanding the risk plan, the chances of success, the payoff if you’re successful, and the impact if you’re not successful.

Tom Mochal is president of TenStep, Inc., a project management consulting and training firm. Recently, he was Director of Internal Development at Geac, Inc., a major ERP software company. He’s worked for Coca-Cola, Eastman Kodak, and Cap Gemini Ernst & Young. Tom has developed a project management methodology called TenStep and an application support methodology called SupportStep.