PLAN RISK RESPONSES
The process of Planning Risk Responses is to develop options, and select actions, to increase positive Risks (Opportunities) and decrease negative Risks (Threats).
KNOWNS and UNKNOWNS
In Risk Management we realize many Risks are known. These are the ones discovered in the "Identify Risks" process. What about the unknown Risks? These are the ones that come as a genuine surprise! For unknown Risks, your project budget should contain a Management Reserve Fund, and your schedule should contain a Management Reserve Buffer. These Management Reserves will be administered by a level higher than (you) the Project Manager, such as your boss, or a program governance team. The amounts to put into Management Reserves is usually determined by the higher-level entity based on experience, confidence level, Risk Attitude, and others.
For known (identified) Risks, it is generally better to pro-actively manage them, rather than waiting for them to arise. Determine which ones can be pro-actively managed and take the appropriate response type, which will be either:
Avoid or Exploit
Mitigate or Enhance
Transfer or Share
If the Risk is a Threat, look at Avoid, Mitigate, or Transfer. If the Risk is an Opportunity, look at Exploit, Enhance, or Share. The Risk response type you choose should consider the Risk's probability, impact, and possibly the urgency. REMEMBER: ideally the Risk Responses are enacted at the time of making the Risk Response plan. Early responses usually cost less and are better organized than responses made later in your project. Each of these Risk Responses have varied and unique influences on the risk condition.
Starting with negative risks (Threats), the response types are explained as follows:
This is a good pro-active response for Risks with high Rank (or Severity). For an Avoidance response, the project Team acts to ensure elimination of the threat and protect the project. Options for Risk avoidance include isolating the project objectives from the Risk's impact. This might include not hiring a risky contractor.
Alternately, the Risk can be avoided by changing the project goal in jeopardy, such as requesting more budget funds to cover the risk of an unknown contractor.
A pro-active Risk Mitigation response is aimed at reducing the probability and/or negative impacts of a Threat to bring them within acceptable limits. Typical Mitigation responses include: adopting less complicated processes, conducting more tests, making a prototype, adding redundancy, and enacting a part measure of an avoidance response. This response type for Threats is the most widely applicable and most widely used in Professional Project Management
The pro-active response of Risk Transfer involves shifting the impact of a Threat to a third party, together with ownership of the response. It does not eliminate the Threat. The party accepting the Risk transfer must be fully aware and agreeable to the transfer. Usual Risk transfers are financial in nature and are covered by an insurance-type policy. Typical examples include: performance bonds, warranties, public liability insurance, property damage insurance, and so on.
This is the Risk response where the project team decides to acknowledge the Risk, take no immediate action and wait to see if the Risk actually occurs. This non-pro-active response is adopted for known Risks when it is not possible or cost effective to address the Risk any other way.
Passive Acceptance: This is the 'do nothing' option that exists in every decision making scenario. It requires no further action except to document the Risk and periodically review it.
Active Acceptance: More commonly we actively accept the Risk meaning we prepare a Contingency Plan, and set aside a Contingency Reserve (allowance, amount) of money, time, and other resources to deal with the Risk, should it arise. Each Risk actively accepted should have its own Contingency Plan, and Contingency amount of money, time, and other resources. Two possible active acceptance Responses for the Risk of schedule slippage are: Crashing, and Fast Tracking described here . More information about Contingency is found here . Be careful not to "borrow" from one risk Response to pay for another. You might run out of Contingency Reserve!
Here, then, are the steps for Accepting a Risk:
From your work done on Qualifying and Quantifying the Risks, look at the Rank (or Severity) and determine whether to prepare a Contingent Response Strategy (active response) or to simply accept the Risk passively (do nothing).
Then, if you decide to have an Active response to Accepting the Risk:
Prepare a Contingency Plan with a Trigger. By preparing ahead you will have a better, well thought out plan, instead of reacting in a panic when the risk occurs. Triggers are events that signal a certain Risk is imminent. The Trigger conditions must be clearly defined and carefully tracked. When the Trigger occurs, you enact the Contingency Plan.
Set aside a Contingency Reserve of money (Cost) in your Budget, and a Contingency Reserve of Time in your Schedule, and any other needed resources, to be used if the Risk condition surpasses the Trigger. Remember that Risk generally decreases as your project is executed, so plan likewise to reduce your Contingency Reserve throughout the project life cycle.
For Risks with a particularly high rank (or severity) you might look at making a Fallback Plan. This is the plan you will enact if the Contingency Plan does not produce the required results. The fallback Plan is a "back-up" to your Contingency Plan.
How much money and time to put into your Contingency Reserves? The work done in Quantify Risks will provide numbers to work with.
Looking at positive risks (Opportunities), the response types are explained as follows:
This is the response type to select when you wish to ensure the Opportunity is realized. For this response, usually the opportunity is extremely compelling and cannot be missed. You will work to ensure an increase in the probability and maximization of the positive impact. For example, we might have the Opportunity of increased sales by getting to market before the competition. We can exploit this opportunity by picking the strongest team members to complete the project as early as possible. This response type usually requires an investment which must be weighted against the benefit to determine if it is worthwhile.
The Enhance response type is used to increase the probability and/or the positive impacts of an Opportunity occurrence. It can be suitable for a less compelling Opportunity and might even be a scaled down version of the Exploit response type. One example of this response type is to add resources to the project team to increase the chance of an earlier finish.This response type for Opportunities is the most widely applicable and most widely used in Professional Project Management
One response type is to share the Opportunity. "Why would we want to do that?" you ask. Suppose one of your project deliverables is an invention which you believe you can make money on. But you don't have a factory and you don't have a sales/marketing team. In this example a partnership with other parties, better positioned to address manufacturing and sales, could be your best response. Each party will share the benefits of the Opportunity.
This is the Risk response where the project team decides to acknowledge the Opportunity and wait to see if it occurs. We can passively Accept the Opportunity or actively Accept it. The steps are the same for Opportunities as for Threats, and are described ABOVE .
FINAL NOTE: After careful review of the Project Risks it might be determined that the Threats are beyond the Risk Appetite of the Organization, meaning the project is just too risky for comfort. In this case our response types could be applied to the entire project as follows:
AVOID: Cancel the project.
TRANSFER: Set up a joint-venture with the Customer and the Vendor for the life of
MITIGATE: Re-plan the project by re-defining the scope, time, cost or other project
ACCEPT: Keep going. Recognize that if you are between Risk Appetite
and Risk Tolerance, success is still possible; but once you cross
the Tolerance line, the project is unable to succeed.
A flow diagram for Plan Risk Responses is summarized below.
CHECKLIST for Risk Responses
Ensure that your Risk Responses are:
Owned by one person
Click Button for Tools to
help you Plan Risk Responses