Risk management is a proactive process that helps you manage risks before they occur. In your project, you will encounter two types of risks: negative risks and positive risks. A negative risk could harm your objective, and a positive risk can positively affect your project.
Since these risks differ, the strategies to manage them are also different. You must manage both types of risks accordingly.
For positive risks, you will try to increase the likelihood of occurrence. For negative risks, you will try to decrease the probability of them occurring or reduce their impact if they do happen.
The following strategies can be used to manage negative risks:
- Mitigate
- Avoid
- Transfer
- Accept
- Escalate
And for positive risks, you can use the following strategies:
- Enhance
- Exploit
- Share
- Accept
- Escalate
So, there are eight types of strategies to manage risks. Accept and escalate risk response strategies are common for both types of risks.
In positive risk response strategies, the enhance risk response strategy and the exploit risk response strategy seem similar. They are a common cause of confusion among professionals because, in both cases, you intend to realize the opportunity.Â
Therefore, in this blog post, we will discuss these risk response strategies in detail. I hope to help you understand them better.
Enhance Risk Response Strategy
Enhancing is about increasing the probability and/or impact of positive risks.
Here, you take measures to increase the chance of the event happening or its impact, but there is no assurance that it will occur, i.e., the opportunity may or may not be realized.
Example of Enhance Risk Response Strategy
Assume you are constructing a building, and suddenly, the client tells you that he will give you a monetary reward if you complete the project two months earlier than scheduled.
Therefore, you take several measures to realize the opportunity; for example, you use fast-tracking.
As you can see in the above example, you are only trying to complete the project early to gain the opportunity; i.e., you are increasing the probability of completing the project early. There is no guarantee you will realize the opportunity.
This is an example of the enhance risk response strategy.
Exploit Risk Response Strategy
Exploiting is about doing everything to ensure that the event happens. In this risk response strategy, you make sure you realize the opportunity, take the opportunity seriously, and develop a strategy to realize it.
Simply put, with the exploit risk response strategy, you increase the chance of the event happening to 100%.
Example of Exploit Risk Response Strategy
Suppose you are constructing a building, and suddenly, the client tells you that if you complete the project two months before the actual completion date, he will give you a financial incentive.
This is an opportunity for you, and management asks that you realize this opportunity. Therefore, you do everything to complete the project ahead of time. You give overtime to your team members, bring in more employees, motivate the team members by announcing rewards if they help you complete the project ahead of time, etc.
This is an example of the exploit risk response strategy, as you make sure that the opportunity is realized.
In the exploit risk response strategy, you do everything to realize the opportunity. You do not merely try to get this opportunity; you ensure that you get it.
The Difference Between Enhance and Exploit Risk Response Strategies
The following are a few differences between enhance and exploit risk response strategies:
- In the enhance risk response strategy, you try to realize the opportunity, while in the exploit risk response strategy you ensure that you will realize the opportunity.
- In the enhance risk response strategy, you increase the probability of the opportunity happening, while in the exploit risk response strategy, you increase the probability to 100%.
- The enhance risk response strategy is opposite of the mitigation risk response strategy. In contrast, the exploit risk response strategy can be regarded as the opposite of the avoid risk response strategy.
Summary
Enhance and exploit are two kinds of positive risk response strategies. If the opportunity is not very important or you do not have any extra resources, you will use the enhance risk response strategy. In the enhance risk response strategy, you increase the chance of the risk occurring. However, if you have extra resources available or the opportunity is so important that you cannot let it go, you will use the exploit risk response strategy. In the exploit risk response strategy, you increase the chance of the risk happening to 100%.
The enhance risk response strategy takes the situation leniently, while the exploit risk response strategy takes it aggressively. The strategy chosen for the opportunity will depend on the situation, requirements, and available resources.
This topic is vital from a PMP and PMI-RMP exam point of view. You may see several questions from this topic on your exam.
So, what do you think about enhance risk response and exploit risk response strategies? Let me know in the comments section below.
I am Mohammad Fahad Usmani, B.E. PMP, PMI-RMP. I have been blogging on project management topics since 2011. To date, thousands of professionals have passed the PMP exam using my resources.
Thanks for the explanation, I have been thinking about enhance vs exploit and stumbled upon your good post.
Please correct me if i am wrong, in enhance i can work on enhancing probabilty and/or impact while in exploit i focus on probabilty making certian that the opportunity will occure so that i can exploit it.
For example, if there is a 80% probabilty that Euro value will increase by 20%. I cannot exploit this opportunity i can only enhance it by increasing the impact by buying more euros.
Thanks again.
Right Sultan.
Very nice explanation – especially like the idea of when to enhance and when to exploit. However, I feel PMI should do away with “exploit”. I don’t think PM can do a mitigation plan (which is supposed to be proactive) that will bring the probability of risk occurrence to 100%.
Mitigation is for negative risk. Exploit means the project manager is doing everything in hand to make it happen.
Your project is halfway complete and you see an opportunity that if you are able to complete the project a little early, you will get another project. So you ask your team members to find ways to complete the project one month earlier. Your team members come up with various ideas such as running many activities in parallel, using extra resources, overtime, and renting new equipment. You review these ideas and find most of them very costly so you decide to run many activities in parallel so the project can finish earlier. What kind of response it this?
(a) Exploit (b) Enhance (c) Mitigate (d) Accept
enhance
Correct.
1.Failure Mode and Effect Analysis is same as Risk, do we have to do a contingency for this?
2. Cause and Effect Diagram is an analytical technique or not because in PMBOK 5 in the Glossary it is mentioned that it is a decomposing technique?
1) FEMA is an analytic technique.
2) Cause and effect diagram is a tool and technique of plan quality management process.
Simple and to the point. Thanks!
I get a lot of different answer scenarios from test preps. For example, I have seen in a source that you should assume “exploit” if a plan needs to be changed (such as increased schedule time). Also, I have seen crashing go both ways “exploit” and “enhance” (not knowing if it is 100% or not trying to get the opportunity. The question just says, “crashing is a form of…”. If the test does that, how would I choose (ucertify says enhance and PM Instructors says exploit).
V/R,
Also, ucertify said that “training is a form of exploit”. How would I guess on that if I don’t know the ascertion of the PM?
Exploit and Enhance is not about any special technique. It is about the way that how you approach it. If you just trying to get it, it is enhancing. On the other hand, if you’re working hard to make sure to realize it, it is exploiting.
Don’t really agree with your example, although you are quite accurate in definition of exploit vs enhance. Though there are a lot of flaws in your interpretation of the scenario. Let me take one example. In the enhance part you have mentioned to enhance by using only fast tracking , and just by using crashing it becomes an exploitation effort? What if the project cannot be fast tracked due to a constraint in sequence of project schedule. And crashing and fast tracking both actually increase risk, doesn’t reduce it!
The key to understand here is to go back to PMBOK and dig the concept in more depth.
Exploit as per PMBOK means to “eliminate” the uncertainty
Enhance as per PMBOK means to “reduce” the uncertainty.
In many situations, the best we can do is really to enhance the opportunity, and cannot exploit it, especially when it comes to decisions regarding schedules. Remember, best you could do with a project schedule is to come up with a certain standard deviation on a target date. There is never an absolute schedule in PM terms.
In your construction project, best we can do is to enhance the opportunity. We can’t really exploit it as there will always be some probability of work not being completed 2 months earlier.
So when looking at enhance vs exploit, first we need to look at the situation, and determine what realistically is possible.
Still, in your example, you can exploit many small risks to enhance the final risk. For example, you could look at your schedule and if possible adjust the timing, or resources of work package such that it guarantees a specific outcome at activity level.
Hence, the risk of completing the whole building really cannot be exploited. Max it can be enhanced. Exploitation usually happens at smaller levels, such as resources, or work-package.
Crashing, fast tracking, etc. are not a complete list of action to be taken for either exploit or enhance risk response strategies. It is job of the project manager to decide the best course of action.
Point is, in exploit you will eliminate the uncertainty, and in enhance you will reduce the uncertainty.
Thank you Mr Xman for your visit.
Your blog is fantastic and really helps everyone to fully understand difficult terms and conditions related with project management.
I would like to ask you if you can provide tools and examples that calculate the total project risk. How calculated a total project risk and compared with other total project risks?
Thanks in advance
John
Thank you John for your comment.
I don’t have any tool or examples for the total project risk. Let me know if you have any specific question.
Fahad