EXPLOITING POSITIVE RISK THROUGH ORGANIZATIONAL CULTURE AND PROACTIVE IDENTIFICATION

Risk management is commonly accepted as a foundational management process to increase the likelihood of project success. Risks can be categorized as either threats (negative events or conditions) or opportunities (positive). This qualitative study explored the positive side of risk management to examine if opportunity management is still underutilized by practitioners, as has been reported in previous studies and standards. Recommendations from this study for improved use of opportunity management include development of: (a) speciﬁc training on opportunity management (b) catalog of opportunity examples, and (c) template for the business case for opportunity management. This research provides greater insight to improve the eﬃcacy for current and future project, program


Introduction
The purpose of this qualitative study is to examine responses to open-ended questions from experienced project, program and risk managers and understand the practitioner state of positive risk management.This is achieved through an understanding of risk culture, practices associated with opportunity identification and executing opportunity plans.Through proactive positive risk management, the project manager can improve the likelihood of successfully meeting or exceeding project objectives, including such factors as scope, cost, schedule, quality, and/or stakeholder values.
The study asks and analyzes the following research question: How do practicing managers, associated with projects, define and use positive (opportunity) risk management, as contrasted by negative (threat) risk management?This question is explored by examining specific examples of the following: (a) Who defines opportunities?(b) What tools are used to define opportunities?(c) When are opportunities identified in the project lifecycle and is it an iterative cycle?(d) How is opportunity handling funded?
The project management profession recognizes that decision making is complex and multi-dimensional (for example, Smith, 2016).Risk management, as a specific instance of complex decision making uses a variety of tools, processes and techniques.While formal definitions will be discussed shortly in this paper, project risk management has the goal of avoiding or minimizing the impact of hazards while proactively seeking opportunities with potential for benefit to the project, program, or organizational objectives.
One approach to definitions is state the contrary position: what isn't a risk.According to early writings (Hillson, 2004, p. 69) risk does not include events which do not affect project objectives, or had already occurred.Examples include difficulties in executing agreed tasks, political, organizational, or personnel matters.Another element of risk management is proactivity.However, Lehtiranta (2014) found that many practitioners use a reactive versus proactive approach to risk management, and project management in general, despite what standards and training advocate.
A focus on opportunities provides a much needed balance to only focusing on the negative.Bekefi, Epstein, and Yuthas (2008), observe that while awareness of risk as a threat is important, so too is the recognition that risks can provide opportunities leading to a competitive advantage.Hillson (2016) also describes the competitive advantage aspect of opportunity management.Fundamentally, opportunity management generally means changing the organizational focus from reactive to proactive management (Hillson, 2016;Kendrick, 2015;Zaman, 2016).
The concepts associated with risk and uncertainty management are not new, nor unique to risk management.Uncertainty is everywhere: even Pliny the Elder acknowledged that the only certainty is that there is nothing certain.
There are many historical perspectives of project management topics including Stepanyan (2016) who provides an excellent summary of risk through the ages.In the middle ages, risk was viewed primarily as an external danger, as is found in nature.At the beginning of the 19 th century, risk was primarily viewed as an accident and as a result of human fault.By the end of that century, risk was described as a social phenomenon.Risk management, as it applies to projects really began in the 1970s.However, it was not until the early 1980's that papers and books began to truly recognize risk.For example, project risk management was mentioned in the Project Management Institute (PMI) literature in 1987, even though the first version of the publication of the first Project Management Body of Knowledge (PMI, 1996) was not until nine years later.
There are many longstanding project management textbooks which serve as an excellent longitudinal example for the evolution of risk concept.One such evolution is found in Dr. Harold Kerzner's works.In these textbooks, the term risk management appeared for the first time in the 2 nd edition (Kerzner, 1984), however, it was not until the 5 th edition (1995), that there was any meaningful detail on the topic (with 28 index entries with risk vs. one in the 2 nd edition).That growth continued throughout subsequent editions from 29 index entries (1998), to 37 (2001), to 50 (2003), to 66 (2006), to a peak of 73 (2009).The two most current Kerzner editions consolidated the topics back to 71 (2013) and 57 (2017), presumably to make room for emerging topics and simplify the applications to the practitioner.
Literature and Standards Review Risk management, as part of project management, has been a mainstay of the profession for decades and is an ever-looming concern on projects.This brief literature review covers formal definitions of risk, managing risk through the lifecycle, threat vs. opportunity literature comparison, and the human nature bias toward the negative.

Risk Definition Variations
Risk has evolved from one that focused on the likelihood of a negative outcome, to an assessment of both negative and positive outcomes.An early comprehensive comparison of the definition of risk in standards and guidelines showed a focus primarily on the negative (Hillson, 2004).One explanation is that organizations traditionally viewed risk management primarily as a defensive exercise-one which was meant primarily to protect against potential losses and minimize economic damages (Sharma & Bachar, 2016).
One key element of the risk definition in the literature includes uncertainty (Bowman, 2016;Cooper, 2016;Hillson, 2004;Lark, 2015;Larson & Gray, 2018;Kerzner, 2017;Zinn, 2017).Of particular note, Chapman and Ward (2015) include the subtitle: why uncertainty management can be a much better approach than risk management.Today, one of the most commonly used definitions combining risk and uncertainty is "risk is uncertainty that, if it occurs, will have a positive or negative affect on the achievement of objectives" (Hillson, 2016, p. 5).Other definitions that include both positive and negative aspects are found in a number of standards (including but not limited to APM, 2017; ICE/IFA, 2014; IEC, 2013; IRM/ALARM/ AIRMIC, 2002;ISO, 2009;OGC 2010;PMI, 2013PMI, , 2017)).
Managing Risk Through the Project Lifecycle Hillson (2002Hillson ( , 2004) ) is generally the first to be credited with the assertion that a similar, but modified process can be used for managing both threats and opportunities.The terminology may differ slightly, but the concepts and philosophy are self-consistent.As with threats (or negative risks), opportunities (or positive risks) are identified and assessed in terms of likelihood and impact; responses are determined, and contingency plans and funds can be established to take advantage of an opportunity if it occurs.
Most risk processes use similar steps, albeit with some different terms.One notable exception is a formalized lesson learned step which is absent in most standards (Hillson, 2016).In this paper, the terms adopted by the PMI, which is the leading not-for-profit professional membership association for the project management profession (PMI, 2018) are used.These include: plan, identify, qualitative risk analysis, quantitative risk analysis, response planning, response implementation, and monitoring risks.
One of the differences between managing threats and opportunities is in planning of risk responses.Table 1 compares some of the well-known author recommendations and standards.Section (a) of the table shows the common strategies of negative risks while section (b) shows the common strategies of positive risks.The differences between sources within threats or opportunities is beginning to merge toward common terminology.Such was not the case in prior versions of these sources.It is instructive to note the authors who do not currently include strategies of opportunity management.Also, the PMBOK Guide (PMI, 2018) is one of the few sources which includes an escalation option, primarily due to an increased focus on portfolio management in the profession.Hillson (2016) describes the handling strategies of a spectrum from radical to doing nothing.Radical action avoids threats or exploits opportunities.Influencing the level of risk exposure reduces threats or enhances opportunities.Involving another party transfers threats or shares opportunities.Finally, deciding to do nothing, such as for cost of implementation, is an acceptable response.Even though there are a number of sources which identify risk response strategies, it is not uncommon for practitioners to generically refer to strategies as risk mitigation or the need to reduce risk exposure (Hillson, 2004).
Another differing aspect of threats and opportunities includes discussions of what should be listed on the risk register.Bourne and Weaver (2016) recommend only putting risks that will have a significant effect on the achievement of objectives on the list.In contrast Seville (2016) takes a broader approach with a discussion of resilience and risk management.Seville (2016, p. 257) recommends including risks that have not been previously identified including: • "risks where we have a very limited knowledge of risk source, scale, failure routes, or chains of causality; • risks where the likelihood of occurrence is so low that they are not deemed sufficient priority for treatment; • risks where there is an adversary, and therefore estimations of likelihood and consequences change dynamically; • complex system risks where …it is very difficult to anticipate consequences…; • risks where ownership and/or responsibility for managing that risk is unclear so the risk essentially remains 'unmanaged'." Another process difference in the literature between threats and opportunities focuses on monitoring risks.Only a few authors focus on the use of acceptance criteria, instantiated as metrics and leading indicators, as a criterion for monitoring (Carr, Konda, Monarch, Ulrich & Walker, 1993;Pritchard, 2015).This suggests that success likelihood of each strategic goal or desired outcome can be judged to be acceptable or not based on the decision maker's expectations.Fundamentally, the process of monitoring risks must include a means for examining potential new opportunities as they arise to estimate their future likelihood of success (PMI, 2013).

Relative Dearth of Opportunity Literature
Approaches to opportunity management are sparse and mostly reactive rather than proactive according to Hillson (2001).More recently, Lehtiranta's (2014) found only 15% of the articles held a primary risk view of opportunity, while the remaining held a primary risk view of threats.Examining the Department of Defense Risk, Issues, and Opportunity Management Guide for Defense Acquisition Programs (DOD, 2015) support this finding.The DOD Guide does acknowledge that opportunity management is complementary to threat management -although disproportionately so.The document contains 96 pages and of these, 49 percent are focused on threat and issue management, whereas only five percent are focused on opportunity management.
The ProQuest Central Database can be used as an example for quantifying the number of articles about threat vs. opportunity.All queries used peer reviewed, journals, where the terms appear in the abstract.
This search yields a different conclusion from that which was just discussed.Three types of searches were conducted and data collected by decade: (1) "risk management"; (2)" threat management" OR "negative risk"; (3) "opportunity management" OR "positive risk".The results are shown in figure 1.On (a), the number of "risk management" articles greatly exceed the number of either threat (negative risk) or opportunity (positive risk) such that the latter two are barely evident on the scale.Graphics (b) [by decade] and (c) [cumulative decade] show how the opportunity articles are outpacing the threat articles demonstrating an increased interest in the topic, at least by academia.Finally, (d) shows the ratio of opportunity to threat has remained nearly constant since the 1990s.While many variables affect a search such as this, such as the exact phrase used, database, or text location, figure 1 documents that opportunity management is written about more often (about 1.3x) that of threat management giving credence to increased interest by academia.Still the number of articles about risk management in general (without either discussing positive or negative) is troublesome.From this, we conclude that risk terminology is still not widely accepted and consistent in the literature.

Bias Toward the Negative
While this literature review shows a larger number of opportunity based articles compared with threat-based, risk bias toward the negative is well documented.There are three primary reasons why this exists.
First, assumptions for opportunities are often imbedded as assumptions in the baseline of a project."Opportunities are fundamental to business case for projects and are the source of many [positive and negative] risks" (Kendrick, 2015, p. 144).Further, and these assumptions are often skewed toward adverse consequences instead of the positive.Additionally, opportunities that does not appear to be a substantial shift in the scope are often called just good planning.
Second, there is a difference in the approval process to implement opportunities as discussed by Kendrick (2015).While a project team may uncover new opportunities, taking action, particularly if scope is involved, almost always requires escalation to the management hierarchy.
Third, project and program managers and program participants may be unaware of opportunities and focus on personal experience.Olsson (2007) claims that the main reason is that the existing risk management processes were developed to manage the "tame project" problems, while leaving the "wicked project" problems aside.Here tame problems are the well constrained, less complex problems while wicked problems are the antithesis.Since opportunities are mostly developed from "wicked project" problems or types of uncertainty, it is more difficult to design approaches for identification and realization of opportunities.Hillson agrees and (2004) asserts that human nature finds it easier to find faults or to be concerned about potential hazards (negative risks) than be constructive (positive risks).Further, Hillson (2004) hypothesized that the PMBOK Guide focuses more on threats because it reflects practitioner experience.
Research Questions The research questions include the following: RQ1.To what extent is opportunity (positive risk) management practiced by project, program and portfolio managers relative to threat (negative risk) management?
RQ2.What improvements are necessary to make opportunity management more effective for project, program and portfolio managers?
Research question 1 (RQ1) includes an examination of positive risk examples, how risks are identified, when risks are identified, and by whom opportunities are identified.This research question includes how opportunities are funded and documented.To extend the state of the practice, RQ2 examines practical steps to improve the efficacy of opportunity management for the practitioner.
Methodology The research falls in the "exempt" category per the Institutional Review Board (IRB) at Embry-Riddle Aeronautical University as defined in the provisions stated in 45 Code of Federal Regulations 46, Subpart A (Common Rule).Exempt research is research with human subjects that generally involves no more than minimal risk.Each respondant received a written description of the project and gave informed consent for participation in this study.
This qualitative research was conducted by having respondents provide written responses to five open ended, essay-type questions related to the research topic.Each respondent was asked to write approximately 400 to 500 words per question to help the researcher understand the respondent thought process from the perspective of their practical experience.Respondents were solicited through a variety of social media and personal contact mechanisms.Postings were placed on risk, project, program, and business management LinkedIn groups with a brief description of the research and contact information.Seventy-six individuals responded with interest to this qualitative study, were screened, and agreed to participate in this study, with 63 qualified respondents completing the responses."Qualified" respondents are defined as those with a minimum of five years of risk, project, or program management experience.Those with only academic or consulting experience were excluded since they likely would not have sufficient practical experience for this study.While five years was not a hard and fast rule, the researcher, a program management subject matter expert on threat and opportunity management, determined that from the responses, those with five or more years clearly understood the context of the topic and had more practical examples that those less than five years.
The average amount of experience for the participants was 22.9 years (STDEV 6.7).All of the participants (100%) held a Project Management Institute (PMI) Project Management Professional (PMP) credential or other industry or government certification in Program Management.The population was fairly evenly divided among government employees, government contractors, information systems professionals, professional service and business service employees.
Electronically distributed, written questions were used in lieu of open ended, recorded interviews to allow the respondents adequate time to reflect on an appropriate answer.The survey was distributed and data was collected using SurveyMonkey®.A copy of the questionnaire is shown in table 2. RQ1 (the extent is opportunity (positive risk) management practiced relative to threat (negative risk) management) is explored through Q2, Q3, and Q4.Question 1 (Q1) is intended to provide background information on participant maturity in understanding risk management terminology, as a basis for this analysis.Question 5 (Q5) is used to understand if there is a practical distinction between a risk, concern, or issue.
Once the data was collected, responses were imported into NVivo-11® and iteratively coded and analyzed (Corbin & Strauss, 2008;Saldana, 2011).All responses were in vivo since the respondents wrote the responses directly without researcher transcription.Categories were not determined a priori to avoid analyst bias and the categories were derived from the data.A single analyst reviewed the data since upon initial coding, there was significant consistency within in the answers.The original plan was for a second researcher to code the data, but analysts agreed that another independent coding was not necessary based on the clarity of results.

INSTRUCTIONS:
In this study, the terms positive risk and opportunity are used interchangeably.Please choose your current organization, or a former organization that you are familiar with.Please use the same organization for the remainder of these discussions.There are no set or standard or expected answers.This is not a "check the box" or "select the best answer" exercise.The more you write and provide context, the more it will help me understand your thought process as an experienced professional and add a practical dimension to the myriad of theoretical research.Q4.POSITIVE RISK FUNDING-How were the positive risks (or opportunities) you identified funded, or were they *not* funded, particularly relative to the negative risks?Some of the literature talks about using contingency reserve for known risks and management reserve for unknown risks.How were contingency reserve, management reserve, or other funding sources used to handle positive risks?To what extent do you perceive that positive risks were funded equally with negative risks, or were they?How do you address the situation where there are still positive risks you would like to fund, but there is no money?Please provide as much explanation as possible to understand the context and the practical applications of funding positive risks.

Q5.
A RISK BY ANY OTHER NAME-Some organizations document a large number of risks (both positive and negative), while others document only a very few.What is NOT a risk?What should not be listed on the risk register?What is the difference between risks and concerns (or worry stone)?Please provide detailed examples of as many situations that you can think of regarding that should not be on the risk register.Please ignore examples where a risk had already been realized; that is, it no longer has a probably of happening--it already happened for the good or the bad.

Results and Discussion
Results and discussion are provided in the order that the questions were asked in the paragraphs that follow.All data and analysis resulting from the study is included here, even that which did not lead to significant findings.This analysis shows that there is a generally inconsistent understanding that the term risk includes both positive (opportunity) and negative (threats) elements.Therefore, an adjective will be used throughout this paper each time the word risk is used to distinguish between positive and negative risk.In this paper, the terms positive risk and opportunity are synonymous; the terms negative risk and threat are synonymous.Organizational Risk Culture (Q1) The purpose of Q1 was to provide background information as a basis for this analysis.By answering fundamental questions, the researcher expected to baseline participant maturity in understanding risk management terminology.Taylor (2016), describes the importance of understanding the organization's openness in pursuing an objective, as well as an organization's willingness to accept the possibility of negative outcomes as fundamental elements.
Risk attitude in the respondent organization.The first part of the question asked explored risk attitude including the appetite for uncertainty, threshold of risk levels that are unacceptable, and risk tolerance which are the primary characteristics of a risk attitude and culture (Hillson, 2004;Zaman, 2016).In contrast, Alamn (2012) used appetite, attitude and aptitude, but the Hillson definition appears more frequent.By design the researcher did not provide a definition of risk appetite, risk levels, or tolerance so as to not bias the responses.Common research and survey biases include loss aversion, anchoring, expert, representativeness, availability, attentional, optimism, and confirmation (Bourne & Weaver, 2016;Smith, 2016).
According to the PMI (2017), risk appetite is defined as: "the degree of uncertainty an entity is willing to take on in anticipation of a reward" (p.720).This is a subjective description of the degree of risk which is acceptable to the organization or its' stakeholders.In comparison to risk appetite, the PMI (2013, p. 560) defines risk tolerance as: "the degree, amount, or volume of risk that an organization or individual will withstand."Thirdly, the PMI (2017, p. 720) defines risk threshold as: "the level of risk exposure above which risk[s] are addressed and below which risks may be accepted." While there are a number of risk attitude taxonomies, Hillson and Murray-Webster ( 2006) is used here since Dr. Hillson has been a seminal leader in risk and opportunity for decades.Using the coded data, the researcher identified the relative comfort or discomfort with risk for each respondent based on text analysis.With this sample, respondents were characterized as ranging from risk paranoid to risk seeking.Participant organizations covered the range from risk paranoid to risk seeking as shown in figure 2. ).27% showed a relative risk comfort, 9% tolerant (neutral), and 64% relative risk discomfort.There was no evidence in the respondent answers of any risk addicted (high or extreme risk comfort).
To further characterize the organizations that the participants work in, the researcher examined any relationship between certification and risk attitude, and between experience type and attitude and did not find an apparent relationship.According to Hillson (2004), an individual or organization with relative risk discomfort might both overstate the significance of threats and underplay potential opportunities.A person or organization with a relative risk comfort may take a casual approach to threats, but be quite willing to exploit opportunities.The preferred risk attitude for an organization is neither risk-averse nor risk-seeking, since those individuals accepts that uncertainty is inevitable (Hillson, 2004).
Bias on risk attitude in the respondent organization.Only five participants commented on the second part of this question about risk bias: shooting the messenger was common.This impacts whether people will bring things forward, and how many threats and opportunities are identified.With so few answers on this second part of this question, no conclusions can be drawn from this part of the study.

Positive Risk Examples (Q2)
The purpose of Q2 was to look for specific, well-written examples of positive risks to evaluate if the respondents truly understood the concepts and implementation of positive risk.Here, respondents were not asked to simply define the term opportunity.Instead examples from the responses gave insight into how opportunities differ from threats.
Opportunities as distinct from threats.Only 38% of the participants were able to provide specific examples of positive project risk.The majority of the examples focused on being proactive early in the lifecycle looking at the upside of a situation.This may be best illustrated by the following: "For one specific bid (~$27M Fixed Price) -the team had regular risk and opportunity meetings.Goals were set for the opportunities and tracked zealously.People were recognized for bringing forward new ideas to save money" (personal communication, summer 2016).This example illustrates the use of a rigorous, continuous process with a tangible motivation method.This also illustrates the strategic vs. tactical focus as discussed in the paragraphs that follow.
Do the practitioners truly use the terminology and definitions previously discussed?A brief historical review is in order.Almost two decades ago, Hillson (2001) acknowledged that the traditional practice of risk is negative, characterizing risks as 'threats" that come with adverse consequences on an organization's objectives.Only a few years later (Hillson, 2004, p. 17), he commented "no doubt that the common usage of the word "risk" sees only the downside".More recently, Kendrick (2015, p. 144) wrote that "acceptance of opportunities is almost always more complex than the threat assessment".It is significant to note that study participants showed a poor distinction between positive and negative risks.They were referred to as opportunities and risks, instead of opportunities and threats.Apparently, there remains a disconnect between definition and practice, just as Hillson (2001Hillson ( , 2004) ) and Kendrick (2015) suggest.
A second type of opportunity centered around new business as a growth area.For example, a small program that "expands several times or runs substantially longer" than expected (personal communication, 2017) or "capturing more business than expected" (personal communication, 2017).Researchers (Cooper, 2016;Cooper, Bosnich, Grey, et al, 2014;Hillson, 2016) distinguish strategic from tactical opportunities as a means of categorization.Taylor (2016) provides a simple way of looking at these as a spectrum in which strategic is most closely related to organizational risk, and tactical is most closed related to operational or project risk.The strategic elements often emphasize business growth, while tactical project management focuses on meeting or exceeding the current project objectives.Similarly, authors (Benjamin, Dezfuli, Everett, Politt, & Sen, 2014) advocate that enterprise threat and opportunity management is the means by which organizations develop and implement their strategic goals.
From these definitions, this second type of opportunity is predominantly strategic, instead of tactical.This is consistent with the researcher's decades of practical experience as a technical program manager in the aerospace-defense industry.Experience showed that identifying opportunities of business growth were commonplace while identifying opportunities for meeting or exceeding project objectives were not.
Only a few examples of opportunities.With only 38% of study participants providing at least one positive risk example, one must ask why not?Some participants (17%) admitted they had never really seen a good example.An additional 25% were only able to identify a generic example and go no further.Participants implied that this is due to lack of training, or organizational cultures which do not appreciate the value of opportunity management.
A handful of respondents failed to identify any examples, but instead gave a textbook-like answer of why opportunities should be identified and managed.The first reason identified by the participants was as a competitive advantage.It is noted that this focus on competitive advantage is consistent with the earlier discussion on strategic opportunities (Bekefi, Epstein, & Yuthas, 2008;Cooper, 2014Cooper, , 2016;;Hillson, 2016).
The second reason is priority of project objectives."Opportunities are often not emphasized until there is a [push] from leadership to earn more profit [or reducing costs], or [to] try and reduce the impact of cost and schedule overruns….opportunities are necessary to either help create more management reserve or avoid the erosion of the management reserve" (personal communication, summer 2016).
This focus on opportunities only when required was evident in response to the direct question of why they have not seen many examples and why they do not often identify positive risks.Almost 94% of the respondents answered this part of the question.One respondent replied with a comment on the project environment "[The] team is now spending all of their effort just staying afloat and moving forward and does not have the time to stop and look for new opportunities" (personal communication, 2017).This lack of focus on the future was identified by two other respondents as well.Others commented that daily problems or a lack of resources in this constrained environment prevented their ability to focus on opportunities.Other reasons included a lack of understanding of what a positive risk is, and negative perceptions of the value of positive risks, and lack of focus on opportunities by management.
In summary, the results of Q2 suggest a gap between the written standards and practice with respect to identifying opportunities.Often, respondents had not personally witnessed good examples of positive risk identification nor could they identify a well written, well executed opportunity plan.
Two good resources for training were found in the literature and should be emphasized further in practice.Hillson (2004, p. 75) provides one of the best examples of a metalanguage which can aid in starting the opportunity identification discussion.Simply "if we could relax or remove <constraint> we might be able to create/exploit <opportunity> which would lead to <benefit>".
Second, Kendrick (2015) provides good discussion of scope, resource and schedule opportunities with a reasonable starting list of each.This might be useful as a framework for developing a catalog of opportunity statement examples.Using a simple opportunity definition with examples could move the state of the practice forward to practitioners.

Positive Risk Identification Resources and Timing (Q3)
The purpose of Q3 was to understand who identifies positive risks and when they are identified.Here, the researcher sought to understand if there are differences between the resources used to identify negative risks and the resources employed for positive risks.
Opportunity identification and the role of experts.Respondents listed a variety of individuals who are involved in identifying opportunities.The results in decreased order of frequency included subject matter experts including lean experts, everyone, regular business rhythm, risk and opportunity (ROM) meetings, and the people closest to the process.Respondents commented on the type of experts and distinguished between in-house experts, such as lean and subject matter experts, and external experts, such as consultants.
Tools and techniques for opportunity identification.This part of the analysis focused on any formalized tools or techniques that were used to identify opportunities.Tools identified by respondents in the study are summarized in table 3, along with a comparison of other identification tools.From these responses, there does not appear to be a difference between the tools used for risk (threat) identification in the literature and from respondent answers.However, the number used was relatively limited.This is an area for further investigation.
One respondent identified an aggressive method for identifying opportunities.This use of mandatory opportunity goals by an organization could be an intriguing future study.
We made [identifying opportunities] … part of the organizations' required commitments for the year… When I required this it interestingly was met every year!The managers took the time to meet with their teams and seek out opportunities.That led me to believe that people will move forward to what is measured… If we also hold organizations to deliver opportunities, my experiences have been that they will also deliver that requirement (personal communication, summer 2017).
Opportunity identification timeline.The majority of the respondents identified that opportunities are identified during the capture phase or proposal phase of the program.Similarly, the respondents commented that while opportunities are identified early, the process generally did not continue beyond early parts of the lifecycle.Key in vivo responses included: "most of the opportunities get put into the baseline bid itself" [and are not managed separately].Then the opportunity side of the equation gets lost and [negative] risks become the focus" and "opportunities must be built into the program to gain customer support" (personal communication, 2017).
Throughout this research, respondents commented that negative and positive risks are treated differently.For example, "our weaknesses are identified addressed and rectified, mitigated, or compensated for.Strengths are identified, documented, and emphasized in the proposal" (personal communication, 2017).This is consistent with documented practice of imbedding opportunities in a project baseline (Kendrick, 2015).

Positive Risk Funding (Q4)
The purpose of Q4 is to understand how positive risks are funded and the extent to which funding is equal to negative risks.
Equivalent opportunity funding.Most respondents answered this question, but most commented on how opportunities are not funded, instead of how they are funded.About half the respondents, commented that opportunities are generally not funded at all.For example, we "will fund areas … that are weak [negative risks] and possibly can break but seldom do we … seek … opportunities in their daily expenditures" (personal communication, summer 2016).Another commented that "… I have not seen funding set aside as reserve or anything else for positive risk" (personal communication, summer 2016).
Four respondents commented that opportunities are only funded on a case by case basis and only after an extensive business case.There are two key comments that summarizes this funding mechanism as reactive nature (as opposed to proactive).First, the attitude is if "[an opportunity] comes, we will deal with that good news then" (personal communication, 2017).Second, "opportunities [and funding] aren't typically identified until objectives aren't being met" (personal communication, 2017).
Use of contingency or management reserve.The PMBOK Guide (PMI, 2017) identifies the need to conduct a reserve analysis which is used to determine the amount of contingency and management reserve needed for a project.Contingency reserve is "time or money allocated in the schedule or cost baseline for known risks with active response strategies" (p.702).In contrast management reserve is "an amount of the project budget or project schedule held outside of the performance measurement baseline of management control purpose, that is reserved for unforeseen work that is within the scope of the project" (p.710).A contingency reserve is an estimated figure, while management reserve is often a percentage of the cost or duration of a project.
While guidebooks, such as the PMI provide specific definitions and differences between contingency reserve and management reserve, an imprecise distinction between the terms was found in the respondent answers.While 12% of the respondents mentioned management reserve or other funding sources, all of them also stated that it was built into the financials and not accounted for separately.Only a single respondent identified how much of the entire budget (10%) is put in management reserve.Other sources of funding beyond contingency or management reserve included overhead funds, research and development funds, supplier funds, unrealized profit or returns, and customer funded or customer cost sharing.As such, opportunities did not appear to be managed in the same manner as positive risks such that a ROM board prioritized, funded, and monitored the handling of the risks (PMI, 2009).
Opportunities vs. threat funding.Are they funded in the same way?From this study, the answer is a resounding no.The following statement summarizes the thoughts of a majority of participants: "obligating funds to prevent a down side always wins.Only when the upside begins to break the 75% likely threshold do I see attention being paid to it.If I want a positive risk to be funded, I treat it like a separate opportunity and tee it up …when it becomes more likely" (personal communication, summer 2016).
Four respondents, all from the same organization, commented on using net factored risk or offsetting risks with opportunities as a mechanism to more clearly balance risks with opportunities (similar to Benjamin, Dezfuli, Everett, Politt, & Sen (2014) and Dow & Taylor;2015).The goal is to achieve a balance between minimizing the potential loss or threat, while maximizing the chance of potential gain (opportunity).Here, the emphasis was on having a plan on how the funding of both risk and opportunities would be spent, in a manner that is acceptable to the customer stakeholders.As an additional sign of disciplined management, two participants discussed the idea that net factored risk should have a burn down plan for both reserves.By focusing on how many risks and opportunities to identify, one respondent stated that "focusing on high and medium level risks helps along with net factored values however a list of hundreds … would likely not be well received" (personal communication, summer 2016) by the stakeholders.
The concepts of developing a net factored risk is similar to a formalized risk assessment where the probability of occurrence times the impact of each risk is calculated and summed to developed an overall risk exposure (such as Bowman, 2016;Hillson, 2004).In this study, participants separately calculated the exposure of the threats (negative risks) and of the opportunities (positive risks) and subtracted the two showing a net for the project.Browning (2014) advocates using an integrated project value, risk and opportunity (PVRO) framework.The quantitative model defines risk associated with an outcome as its consequence weighted by its likelihood (Risk = Probability x Impact).The model considers multiple attributes simultaneously and balances the value of the project at risk with the opportunity value -it minimizes the value gap.Overall, the PVRO framework focuses effort on choosing realistic project goals, diminishing problematic uncertainties (risk), and seeks ways to seize potential beneficial outcomes (opportunities).In this authors' opinion, the PVRO framework is too complex for adoption by most practitioners, but remains an interesting concept for further investigation.
General observations on Q4.In some of the responses, it remains unclear whether respondents were referring to negative risks, when the question was about positive risks.This remains an opportunity for future study.The majority of the respondents provided evidence that even if you do identify an opportunity, often there is no funding to explore it.Often, opportunities were not integrated in the management of the program at all.Throughout the study, only a single respondent provided a concrete example of an opportunity that was funded, but the entire purpose of the program was dedicated to improvements.Commenting on the lack of funding, one respondent stated "positive risks (or opportunities) … were [often] met with no funding.Negative risks are usually funded and at 90+%" (personal communication, 2017).

Recommendations
Now that the analysis has been completed and findings documented, the next step is to determine a plan of action.This recommendations section addresses RQ2.What improvements are necessary to make opportunity management more effective for project, program and portfolio managers?
Risk is everywhere, but the extent to which opportunities (positive risk) is treated equally to threats (negative risk), remains to be seen.While there is a well-documented academic and standards-based framework of opportunity management, in practice, opportunities continue to be emphasized less than threats.Further, terminology and definitions of a risk remains confusing for practitioner implementation.
There are three primary recommendations that result from this study and the findings previously presented as summarized in table 5. First, develop training specifically focused on the process and importance of opportunity management and include practical case studies.Hillson (2004, p. 278) stated that a training awareness can benefit proactive management and opportunities.However, it can fail to produce the necessary motivation and cultural barriers.While many risk training opportunities exist through universities, consulting firms, professional development firms, and corporations, few, if any, focus on opportunity management in detail.The participants in this study all have had some formalized means of risk management training, yet, the focus on opportunities still lags.A comprehensive view of available open source risk and opportunity training, with a focus on opportunity management will be used to complete this task.
At a minimum, the training will target the findings of this study with a particular emphasis on tools and techniques that are particularly useful for opportunity management (as opposed to threat management).A rather comprehensive list of identification tools has already been provided in table 3. The PMI (2009) Practice Standard for Project Risk Management [which is currently undergoing an update] provides an excellent starting point for the other process steps and a table similar to table 3 is currently under development.Potentially, the training would compare and contrast threat and opportunity management through the life cycle phases or risk management process steps.Taxonomies, or categories of risk (Carr, Konda, Monarch, Ulrich & Walker, 1993;PMI, 2013;Pritchard, 2015) can be used to group risks and opportunities into categories that assist in the identification of leading indicators, facilitate the identification of planning alternatives, and assist in properly allocating resources among the entities or organizational units of the enterprise.In an alternate vein, Kendrick (2015) looked at business portfolio as a spectrum of opportunities including those related to (1) specifications or other aspects of the deliverable, (2) decisions made during planning and execution that result in tradeoffs, and (3) exploiting uncertainties that may be beneficial.That characterization may also be of value in the proposed training.e. 17% admitted to never having seen a good opportunity example f. 25% were only able to identify a generic (non-specific) opportunity example.
3-Develop a template-a business case for positive risk management.g.Difficult to keep up with current commitments / lack of future focus i. Lack of opportunities because negative perceptions of the value of positive risks l.Focus on opportunities often not emphasized until leadership needs recovery plan p. Opportunities often only identified during the capture phase or proposal phase The second recommendation is to develop a catalog of examples of opportunity statements.This could be used to supplement training, or as additional reference material for the practitioner.While, 17% that have never seen a good opportunity example statement, this value cannot be generalized to the project management population.However, it is still clear that opportunity management is underemphasized in part due to inexperience in developing opportunities.This is consistent with early studies of Hillson (2004) and Olsson (2007).
The third recommendation is to develop a template on the business case for positive risk (opportunity) management.The template to assist practitioners in demonstrating the value of opportunity management to the management of the organization.Bekefi, Epstein, and Yuthas (2008) assert that when companies successfully exploit and protect opportunities and drive innovation while at the same time manage risk, they move beyond the traditional view of risk as a value destroyer to seeking risk as a potential value enhancer.This can develop into a competitive advantage.Another approach for the template development is to examine it from an innovation and survival perspective.When companies successfully exploit and protect opportunities and drive innovation while at the same time manage risk, they move beyond the traditional view of risk as a value destroyer to seeking risk as a potential value enhancer.This requires creativity and vision.Accordingly, they become more capable of leveraging past successes and capturing opportunities that define their future success.Zaman (2016, p. 109) provides an excellent short discussion on the success of innovative companies such that they view risk opportunity lens, rather than just internal control and compliance.Innovation can be closely related to managing disruption to be ready for the future as described by Barber (2016).

Conclusions
The purpose of this qualitative study was to examine responses to open-ended questions from experienced project, program and risk managers to understand the practitioner state of positive risk management.The research questions include the following: To what extent is opportunity (positive risk) management practiced by project, program and portfolio managers relative to threat (negative risk) management (RQ1)?What improvements are necessary to make opportunity management more effective for project, program and portfolio managers (RQ2)?
RQ1 examined risk culture, practices associated with opportunity identification and executing opportunity plans.Despite the extensive set of written material on opportunity management, practice still lags that of threat management.
RQ2 asked what improvements are necessary to make opportunity management more effective for project, program and portfolio managers?The results of this study recommend three primary areas of improvement.First, expand training specifically focused on the process and importance of opportunity management and include practical case studies.Second, develop a catalog of examples good opportunity statements to aid practitioners.This could be used to supplement training, or as additional reference material for the practitioner.Third, develop a template for a business case for positive risk management.The template would be used to assist practitioners in demonstrating the value of opportunity management to the management of the organization.
Without doubt, the threat type of risk management is still needed, but practical project risk management should seek to maximize the likelihood and impact of positive events as well as the traditional negative view through a more balanced approach.Simply stated, "Denying opportunities to improve, means losing the upside, leaving on the possibility of downside impacts" (Hillson, 2004, p. 15).While this statement was made over 20 years ago, the practice of risk management remains generally focused on threats.

Figure 1 .
Figure 1.Risk Management Articles in ProQuest Central.(a) Depicts "risk management" vs. ("threat management" OR "negative risk") vs. ("opportunity management" OR "positive risk" by decade.(b) Excluded "risk management" from the graphic and the scale is adjusted for visibility.(c) Depicts that data in (b), but by cumulative decades.(d) Depicts the ratio of opportunity (positive risk) to threat (negative risk) cumulatively.
I am looking for your experience--including what has worked and what hasn't related to positive risk (or opportunity management) and why you perceive it that way.I am NOT looking for what the organization *tells* you, or what a textbook *says*; I am looking for what you *perceive*.Textbooks, and process manuals are filled with how the process *should* work.There are no right or wrong answers to these questions.I am looking for you to document truth, based on your experience, and why you believe it to be an accurate representation of the world around you.
There are two parts to this question: part (a) deals with HOW positive risks are identified and part (b) deals with WHEN positive risks are identified.(a) Describe how positive risks have been identified.Who identified these risks?To what extent have experts been involved?If experts have been involved, please comment on any perceived bias that you observed in using these experts.(b)Describe when positive risks are identified.Describe the extent to which positive risks were identified in a proactive, continuous manner throughout the project/program life-cycle, or was identification primarily limited to a particular phase of the project/program?Why?

Table 2
Research Questionnaire

Table 4
Summary of FindingsQuestionFindings Lack of opportunities because lack of understanding that risks can be positive or negative i. Lack of opportunities because negative perceptions of the value of positive risks j.Lack of opportunities because lack of focus by leadership team k.Gap between written standards and practice-risks continued to imply negative l. Focus on opportunities often not emphasized until leadership needs recovery

Table 5
Summary of Recommendations and Mapping to Findings.Most examples were strategic, rather than tactical. d