80 / 20 your risk management

This is a very short post which should work because it’s a very simple idea. Obviously, I’m a fan of simple (this is KISS risk management after all) but, as with lots of simple ideas, the trick is sticking to the idea and seeing it through without getting distracted.

The idea is that you use the Pareto principle, or 80 / 20 rule, when you’re thinking about your risk management system. In short, the principle or rule is:

80% of X arises from 20% of Y

There are countless blog posts and books about the principle and you can get an outline here or read this book but that’s the basic concept.

So what does this rule look like in practice?

  • 80% of a firm’s profits come from 20% of its offerings
  • 80% of your work comes from 20% of your clients
  • 80% of a school’s disciplinary problems come from 20% of students
  • 80% mastery of a skill / subject / ability comes from learning 20% of the content

This doesn’t necessarily mean you ignore the non-profitable product lines, cut off those other customers or expel the troublemakers. There are reasons you might want to sell loss-leading products or keep a marquee client on the books. But the 80 / 20 rule helps you identify where to put your focus and what will get you the most bang for your buck.

80 / 20 risk management

So how do you apply this for risk management?

  • 80% of your risks are likely to come from 20% of your threats
  • 80% of those risks can be tackled with 20% of your mitigation measures

Now, I would say that a big part of this is going to depend on the measurement system you’re using. This is where having a quantitative assessment system is very helpful but even with a qualitative system or a matrix, you’ll be able to spot the most significant risks (e.g. the darkest reds). These will probably make up about 20% of the overall portfolio.

This is nothing startling and most organizations focus on their highest risks, sometimes to the detriment of others. So nothing earth-shattering there.

However, where the 80 / 20 rule really helps is when it comes to the mitigation measures. If you look at your risk mitigation plans, you will see that there are (or could be) mitigation measures that can deal with more than one threat. For example, having insurance might help offset the potential impact of both destruction from flooding and damage to equipment by an inattentive employee. A robust, diverse and flexible supply chain helps you deal with the collapse of a vital supplier and weather delays caused by regulatory changes.

So you should be able to find a few mitigation measures that have a disproportionate effect limiting your risk.
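
As an added example (not part of the original post), here is one way to run that search over a risk register. The scores and the mapping of measures to threats are constructed sample data, and the sketch assumes a measure fully addresses every threat it is mapped to.

```python
# Constructed sample register: threat -> risk score (illustrative units).
RISKS = {
    "flooding": 40, "equipment damage": 24, "supplier collapse": 15,
    "regulatory change": 8, "phishing": 5, "power outage": 3,
    "key staff loss": 2, "office theft": 1, "data entry error": 1,
    "vendor lock-in": 1,
}

# Constructed mapping: mitigation measure -> threats it addresses.
MITIGATIONS = {
    "insurance": {"flooding", "equipment damage"},
    "diverse supply chain": {"supplier collapse", "regulatory change"},
    "staff training": {"equipment damage", "phishing", "data entry error"},
    "backup generator": {"power outage"},
    "succession planning": {"key staff loss"},
    "door locks": {"office theft"},
    "flood barriers": {"flooding"},
    "mail filtering": {"phishing"},
    "contract exit clauses": {"vendor lock-in"},
    "maintenance contract": {"equipment damage"},
}

def top_share(risks, fraction=0.2):
    """Share of the total risk score held by the top `fraction` of threats."""
    ranked = sorted(risks.values(), reverse=True)
    n = max(1, round(len(ranked) * fraction))
    return sum(ranked[:n]) / sum(ranked)

def pick_mitigations(risks, mitigations, target=0.8):
    """Greedy pick: keep taking the measure that covers the most uncovered score."""
    total = sum(risks.values())
    covered, chosen = set(), []
    while sum(risks[t] for t in covered) < target * total:
        gain = lambda m: sum(risks[t] for t in mitigations[m] - covered)
        best = max((m for m in mitigations if m not in chosen), key=gain, default=None)
        if best is None or gain(best) == 0:
            break  # nothing left that reduces the remaining risk
        chosen.append(best)
        covered |= mitigations[best]
    return chosen, sum(risks[t] for t in covered) / total

if __name__ == "__main__":
    print(f"Top 20% of threats hold {top_share(RISKS):.0%} of the risk score")
    chosen, share = pick_mitigations(RISKS, MITIGATIONS)
    print(f"{len(chosen)} of {len(MITIGATIONS)} measures cover {share:.0%}: {chosen}")
```

Because the greedy pick scores each measure only on the risk not already covered, overlapping measures (flood barriers once insurance is chosen) drop down the list automatically.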

And when you’re overstretched, under-resourced and short of time and budget, getting 80% of your results from 20% of your activity will be a real game-changer. So why not give it a try?


On a personal note, I’m having to take some of this 80 / 20 advice myself and that means stepping away from the blog for a bit.

I get an enormous amount of enjoyment trying to wrestle ideas into shape or taking something complicated and simplifying it. But after almost four years, close to 100 posts and two books, I’ve covered a lot of what I set out to do. These days, the blog is mostly for enjoyment and out of habit: it doesn’t really do anything as far as helping me achieve my other goals. That puts it in my 80% of things that aren’t a good use of time.

: (

So I’m going to take a break from the risk blogging while I concentrate on these other projects. Meanwhile, there’s plenty more in the blog archives or on the projects page to help you out with your risk management challenges.

See you soon (and stay safe)!

Photo by Taisiia Shestopal on Unsplash
