The terms used to describe the various aspects of risk management are bewildering, even to an experienced project manager. At least I find them bewildering. I'm going to examine some of the terms used to describe risks and the way they are managed and hopefully shed some light on what they refer to and what they mean. I hope to clear some common misconceptions up at the same time.
The first misconception I'd like to address is the meaning of the word "risk". We tend to view that word, especially in the project world, as having a negative connotation. Frequently it does implict a negative consensus, but not always. Actually a risk can have a positive income such as when we risk money on a lottery ticket and our ticket wins. Risks that have a positive output are called opportunities and risks that have a negative exit, such as when we refer to the risk of a car accident, are called threats. We take action to encourage our opportunities, such as buying lots of lottery tickets, and we discourage our threats, such as when we get inoculated against the threat of a flu virus. Both opportunities and threats are forms of risk, the key difference is our approach to managing them.
There is a great deal of confusion around the terms used for our difference approaches to managing risks. We commonly refer to our management of risk as "mitigation". The dictionary definition of this verb is "to make less severe: to mitigate a punishment", or "to lessen in force or intensity, as wrath, grief, harshness, or pain; moderate". While it is true that we mitigate some of the risks to our projects, mitigation is just one strategy used to address potential risk. Sometimes we choose to avoid a risk altar, such as when we respond to the risk of encountering traffic jam on an expressway by choosing an alternate route (we may still risk encountering traffic jam, just not the traffic jam on that expressway).
Transference is another term used to describe our response to risk. The classic example is when we buy insurance on our car to deal with the risk of an accident. We are not necessarily reducing the chance of an accident, or even reducing the impact of the accident, we are simply reducing the impact on us should the risk event (the accident) happened by sharing the financial burden with the insurance company. There are other types of transference. Outsourcing work to an organization with more skill and experience in performing the work than we have is another example. In that case, our intent is to reduce the likelihood of the event happening by having someone more skilled and experienced do the work. We may also be reducing the impact on ourselves, depending on the type of contract we choose.
Mitigation is the strategy we use when we can not avoid the risk altogether and we can not transfer the risk, or do not want to. …