An approach to risk management in the language industry

Consider the scenario where a professional translator reports being scammed by a client. Known contact information on the client turns out to be false. Money is hopelessly lost.

In a second scenario, a translation company owner complains that a translator just recruited for a critical job failed to deliver, and as a result the agency lost a good client.

In a third scenario, a dispute between a translator and an agency arises after a project is delivered, when it is discovered that the payment method used by the agency is not available in the translator’s country of residence.

What do these situations have in common? One or more parties experienced losses and other inconveniences because the circumstances were different than expected, and the problems could have been prevented simply by asking a couple of questions at the right time.

Welcome to risk management, the professional way of dealing with the uncertainties of the future!

Risk and risk management

Both in our ordinary lives and in our professional activities we make decisions based on assumptions (statements taken for granted) and predictions (statements about what will happen in the future). The filling of these cognitive gaps is done based on past experience, benchmarking, advice from others or the acceptance of other people’s statements.

In practice, many of these variables will not behave in line with our expectations. This can happen because randomness played against us, or we were deceived by our own wishes or by third parties, or maybe because we failed to consider possible deviations from the status quo, or we were simply wrong.

In a nutshell, our decisions involve a degree of uncertainty and, as the complexity of our processes and the number of decisions multiply, so do the possible negative impacts of uncertain events or conditions on our objectives, also known as risk.

Risks are characterized by their probability of occurrence and the possible impact of their consequences. Risks are always conditional and in the future. Once a negative condition occurs, it is no longer a risk but an issue.

Risk management is the process of handling these uncertainties in order to reduce their probability and/or impact, and it defines the difference between reactive firefighting and proactively managing projects and processes.

Risk management should be undertaken by all organizations, including the one-person companies otherwise known as freelancers. It requires commitment from the organization’s management, and a systematic approach must be pursued to develop consistent policies and practices.

We will present the widely accepted generic frameworks provided by the Project Management Institute (PMI) and the ISO 31000 standard, followed by a discussion on their application in the language industry (and the organizations working in this ecosystem).

The Project Management Institute’s approach

The PMI is, in its own words, “the world’s largest not-for-profit membership association for the project management profession, with more than 700,000 members, credential holders and volunteers in nearly every country in the world.”

PMI’s Project Management Body of Knowledge (PMBOK) is widely recognized in the project management profession. It provides guidelines, best practices and a comprehensive methodology based on five process groups: initiating; planning; executing; monitoring and controlling; and closing.

These processes are further grouped into ten separate knowledge areas, defined as a set of concepts, terms and activities that make up a professional field, project management field or area of specialization.

Since project risk management is one of these ten areas, any implementation based on the PMBOK Guide should take into account the whole picture, although that greatly exceeds the scope of this note.

The PMI identifies the six high-level risk management processes presented in Figure 1, where the first five items belong to the planning group and the last one is a monitoring and controlling process.

Note that the processes are represented as a flow, from first to last, due to the fact that projects always have a beginning and an end. The more generic ISO 31000, in contrast, has a “closed loop” topology typically associated with processes.

Plan risk management. This is the process of defining how to conduct risk management activities for a project, including methodology, roles, criteria for prioritizing risks and communication policies. Its output is a project risk management plan. This process ensures that risk management efforts are commensurable with both the risks and the importance of the project to the organization.

Identify risks. Determine which risks may affect the project and document their characteristics, thus providing the knowledge and the ability to anticipate events. This is an iterative process, as the risk information may evolve during the project. Its main output is the initial entry into the risk register, a document that will also receive the results of risk analysis and risk response planning.

Qualitative risk analysis. Prioritize risks for further analysis or action by assessing and combining their probability of occurrence and impact, usually in a matrix as the one presented in Figure 2. This helps identify the risks that should be actively managed, and it is usually a quick and cost-effective means for the planning of risk responses.

Quantitative risk analysis. Numerically analyze the effect of identified risks on overall project objectives. Tools may include sensitivity analysis, expected monetary value (EMV) analysis, modeling and simulation. It may not be cost- or time-effective in small projects, where the qualitative analysis may be enough.

Plan risk responses. Develop options and actions to enhance opportunities and to reduce threats to project objectives. The PMBOK Guide identifies four strategies for responding to threats:

Avoid: to eliminate the threat or protect the project from its impact usually by modifying the project plan to eliminate the threat entirely, isolating the objectives from the risk impact or changing the compromised objectives.

Transfer: to shift the impact of a threat to a third party, together with ownership of the response. Classic examples are insurance and outsourcing.

Mitigate: to reduce the probability of occurrence or impact of the risk, for example by adopting simpler processes, conducting more tests or by choosing more reliable suppliers.

Accept: to acknowledge the risk without taking any action unless it occurs. It can involve the establishment of a contingency reserve (time, money or resources) to handle the risk.

Control risks. Implement risk response plans, track identified risks and identify new ones, monitor residual risks and evaluate risk process effectiveness.

The ISO 31000 approach

The standard ISO 31000:2009 “Risk management — Principles and guidelines” was issued by the International Organization for Standardization (ISO) with the purpose of providing “the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.” It is, therefore, not specific to any industry or sector.

This standard describes risk as the effect of uncertainty on objectives. Uncertainty is defined as a deficiency of information, understanding or knowledge of an event, its consequence, or likelihood.

Risk management includes the coordinated activities to direct and control an organization with regard to risk. It is based on a risk management framework, the purpose of which is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.

The standard describes the relationship among: a set of principles that need to be satisfied to make risk management effective; the project management framework; and the risk management processes displayed in Figure 3 and defined below.

Communication and consultation with external and internal stakeholders should take place during all stages of risk management. They should address the risks, their causes and consequences, and the measures taken to treat them. Stakeholders make judgements based on their perceptions of risk.

Establishing the context enables the organization to articulate its objectives, risk management parameters and the scope and risk criteria for the remaining process. This is similar to the PMI’s plan risk management process.

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. Each one of these processes is described below:

Risk identification is very similar to the PMI’s identify risks process described above.

Risk analysis involves developing an understanding of the risk in order to provide an input to risk evaluation. It is similar to the PMI’s qualitative and quantitative analysis processes.

Risk evaluation aims to assist in making decisions based on the outcomes of risk analysis, defining which risks need treatment and the prioritization of treatment implementation.

Risk treatment involves selecting one or more options for modifying risks and implementing those options. It is similar to PMI’s plan risk responses process.

Monitoring and review is similar to PMI’s control risk process.

Risk management in
the language industry

Both the PMI and the ISO 31000 provide generic, high level frameworks that should be adapted to the realities of each organization. This is usually done by project managers and, in some organizations, by a project management office (PMO).

Several factors conspire against the organization-level implementation in the language industry, starting with the small average size of the actors (many small companies and even more freelancers). Smaller organizations have fewer resources to dedicate toward the professional management of risks.

A second factor is the role of the project manager. While in other industries project managers are trained and empowered to plan and manage areas such as scope, scheduling, cost, risk and stakeholders, project managers in the language industry have little time for planning, and spend a significant part of their time in activities such as finding (and tracking) vendors, reviewing, desktop publishing and putting out proverbial fires. Moreover, the flat structure of most small organizations provides little in terms of career path, with the corresponding impact on staff rotation and the associated loss of learned skills.

A third obstacle is the relative small size and short duration of the average language-related project, leaving fewer resources and less time to dedicate to planning in general and to risk management in particular. Short projects also mean less time to recover from problems.

All these factors become extreme in the case of the freelancer, who must include risk management among the many activities performed by his or her one-person company.

On the bright side, the projects performed tend to be similar, thus enabling the use of risk management templates that can be improved with experience and briefly reviewed for validation at the beginning of each project. This reuse means a lighter impact on each project.

Another factor to be explored is cooperation. You don’t need to go it alone, as attested by the exchange of information and advice found at and other similar sites. Fraud prevention and credit-risk management are two hot areas, but a lot more should be done by professional associations and language-related communities.

A simple six-step program

The following approach to risk management should be solid and simple enough for a freelancer to implement, yet comprehensive enough to benefit a small language service organization.

1 Understand and communicate risk management. Make it part of your processes and thoughts. Train your people to become proactive risk managers. Don’t do it alone: share and ask, teach and learn from others. Share vertically with clients and service providers. Give that “stitch in time.” Get (and remain) ready.

2 Identify your risks. List your critical activities in two broad categories: projects (work with a beginning and an end) and processes (everyday work). For each activity create a list of risks that could affect it. Be creative and inclusive at this stage. Ask others.

3 Qualify each of your identified risks by assessing their probability and impact, to help you select the risks that will be managed and those that will be recorded and accepted.

4 Create a risk response plan by defining and recording a response for each of the risks you decided to manage. This can include additional checks, the setting of contingency reserves of time, money or resources, modified procedures and so on.

5 Control your risks. Include risk control in every aspect of your professional activities. Modify procedures to avoid risk; for instance, by getting verified contact information to prevent the risk of being scammed, or by getting an automated backup system to prevent the loss of project data. Include checklists in your projects to include, for example, a list of issues to be considered at the time of defining their scope.

6 Learn and apply lessons. Consider all of the above as a work in progress. Each error or problem found should be considered a lesson learned, and should be documented in such a way that benefits the whole organization. Encourage your people to suggest new ways to resolve issues that arise, and move back to step 1 to make your risk management get even better.

Some practical examples

A few concrete cases are included here as examples of risks to be found, as well as their possible remedies. Nonlinguistic examples have been selected, as experience shows that people in the language industry tend to overemphasize the linguistic aspects of life.

Area: Commercial/marketing

Risk: A new client request comes from a scammer.

Remedy: Scams are a typical case for avoidance. Check the fraud-prevention information available at for comprehensive coverage, but in a nutshell you should possess a general knowledge on how scammers work, always request verifiable contact information from any possible client or provider, and take steps to verify those details yourself.

Area: Commercial/marketing

Risk: A key client goes bankrupt, damaging your business.

Remedy: To reduce the probability, keep an eye on signs of impending problems within the customer (comments from the client, news, social media comments) or lack of client satisfaction (client wants some service you do not provide, comments about your service, quality or prices). To reduce the impact, no single client should represent more than 25% of your work.

Area: Commercial/marketing

Risk: “Feast or famine” market fluctuations can severely affect normal operation.

Remedy: Keep money reserves or a line of credit for dry periods. Develop a network of trusted providers to outsource extraordinary peaks of demand. Consider collaborating with colleagues (if you can turn a competitor into an ally, they may also share their own overflows with you).

Area: Infrastructure/technology

Risk: Catastrophic infrastructure failure affecting work and deliveries.

Remedy: Create redundancy in your infrastructure. Contact an additional internet provider. Keep an active policy of information backups. Define contingency procedures in advance and train your people to follow them.

Area: Infrastructure/technology

Risk: Hostile hacker steals confidential information belonging to your organization or your clients.

Remedy: Hire a consultant to devise the technological and procedural tools needed to ensure information security. Train your staff in the corresponding procedures and monitor them.

Area: Project management

Risk: Some critical requirement from the client was not recorded in the scope definition of a project, resulting in low customer satisfaction, rework and negative impact on the time and cost objectives.

Remedy: Scope management is your responsibility. Even if the client failed to communicate a project parameter, you (the language service professional) should have asked about it. Develop a checklist with the elements to consider in all projects (tool requirements, CAT tool analysis, input and output formats, language register, expected audience, requirements for partial deliveries, cultural considerations and so on).

Area: Project management

Risk: Provider fails to deliver.

Remedy: Rely on trusted translators. Keep a strong vendor management policy. Maintain good communication channels with them in order to detect problems as soon as possible. Provide and request feedback. Have backup providers to activate them if the designated one drops from the project.


Risk management can be used to proactively manage the uncertain nature of life and work, and it should be part of the toolbox of any organization. Consider the simple approach suggested here, or create and deliver your own. Risk awareness and preparation, sensible processes and a focus on learning lessons from errors and problems should be part of any definition of professionalism.