The risk response planning process determines effective response actions that are appropriate to the priority of the individual risks and to the overall project risk.
It takes into account the stakeholders’ risk attitudes and the conventions specified in the Risk Management Plan, in addition to any constraints and assumptions that were determined when the risks were identified and analyzed. There are various risk response strategies that can be used to deal with preidentified project risks.
What is Risk Response Planning?
Risk response planning is the process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure, as well as to treat individual project risks.
The key benefit of the risk response planning process is that it identifies appropriate ways to address overall project risk and individual project risks. This process also allocates resources and inserts activities into project documents and the project management plan as needed.
Effective and appropriate risk response plans can minimize individual threats, maximize individual opportunities, and reduce overall project risk exposure. Unsuitable risk responses can have a converse effect.
Once risks have been identified, analyzed, and prioritized, risk response plans should be developed by the nominated risk owner for addressing every individual project risk the project team considers to be sufficiently important, either because of the threat it poses to the project objectives or the opportunity it offers.
The project manager should also consider how to respond appropriately to the current level of overall project risk. Risk response plans should be appropriate for the significance of the risk, cost-effective in meeting the challenge, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person. Selecting the optimal risk response plan from several options is often required.
The risk response strategy or a mix of strategies most likely to be effective should be selected for each risk. Structured decision-making techniques may be used to choose the most appropriate response.
For large or complex projects, it may be appropriate to use a mathematical optimization model or real options analysis as a basis for a more robust economic analysis of alternative risk response plans and strategies.
Specific actions are developed to implement the agreed-upon risk response strategy, including primary and backup strategies, as necessary. A contingency plan (or fallback plan) can be developed for implementation if the selected strategy turns out not to be fully effective or if an accepted risk occurs.
Secondary risks should also be identified. Secondary risks are risks that arise as a direct result of implementing a risk response plan. A contingency reserve is often allocated for time or cost. If developed, it may include the identification of the conditions that trigger its use.
Risk Response Strategies for Threats
The affected stakeholders should be involved in determining the risk response strategies. Once the strategies have been selected, they need to be agreed upon by the entity that approves those strategies.
Five alternative risk response strategies may be considered for dealing with threats, as follows:
Escalate: Escalation is appropriate when the project team or the project sponsor agrees that a threat is outside the scope of the project or that the proposed response would exceed the project manager’s authority.
Escalated risks are managed at the program level, portfolio level, or other relevant parts of the organization, and not on the project level. The project manager determines who should be notified about the threat and communicates the details to that person or part of the organization.
Avoid: Risk avoidance is when the project team acts to eliminate the threat or protect the project from its impact. It may be appropriate for high-priority threats with a high probability of occurrence and a large negative impact.
Avoidance may involve changing some aspect of the project management plan or changing the objective that is in jeopardy in order to eliminate the threat entirely, reducing its probability of occurrence to zero. The risk owner may also take action to isolate the project objectives from the risk’s impact if it were to occur.
Avoid risk response examples
Examples of avoidance actions may include removing the cause of a threat, extending the schedule, changing the project strategy, or reducing scope. Some risks can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise.
Transfer: Transfer involves shifting ownership of a threat to a third party to manage the risk and to bear the impact if the threat occurs. Risk transfer often involves payment of a risk premium to the party taking on the threat.
Transfer can be achieved by a range of actions, which include but are not limited to the use of insurance, performance bonds, warranties, guarantees, etc. Agreements may be used to transfer ownership and liability for specified risks to another party.
Mitigate: In mitigating risk, action is taken to reduce the probability of a threat's occurrence and/or impact. An early risk mitigation plan is often more effective than trying to repair the damage after the threat has occurred. Adopting fewer complex processes, conducting more tests, or choosing a more stable seller are risk mitigation examples
Risk mitigation techniques may involve prototype development to reduce the risk of scaling up from a bench-scale model of a process or product.
Where it is not possible to reduce the probability, a risk mitigation plan might reduce the impact by targeting factors that drive the severity. For example, designing redundancy into a system may reduce the impact of a failure of the original component.
Accept. Risk acceptance acknowledges the existence of a threat, but no proactive action is taken. This strategy may be appropriate for low-priority threats and may also be adopted where it is not possible or cost-effective to address a threat in any other way. Acceptance can be either active or passive. The most common active acceptance strategy is to establish a contingency reserve, including amounts of time, money, or resources to handle the threat if it occurs. Passive acceptance involves no proactive action apart from a periodic review of the threat to ensure that it does not change significantly.
Risk Response Strategies for Opportunities
Five alternative risk response strategies may be considered for dealing with opportunities, as follows:
Escalate. This risk response strategy is appropriate when the project team or the project sponsor agrees that an opportunity is outside the scope of the project or that the proposed response would exceed the project manager’s authority.
Exploit: The exploit risk response strategy may be selected for high-priority opportunities where the organization wants to ensure that the opportunity is realized. This risk response strategy seeks to capture the benefit associated with a particular opportunity by ensuring that it definitely happens, increasing the probability of occurrence to 100%.
Exploit risk response examples
Examples of exploiting risk response plans may include assigning an organization’s most talented resources to the project to reduce the time to completion or using new technologies or technology upgrades to reduce cost and duration.
Share. Sharing involves transferring ownership of an opportunity to a third party so that it shares some of the benefits if the opportunity occurs. It is important to select the new owner of a shared opportunity carefully so they are best able to capture the opportunity for the benefit of the project. Risk sharing often involves payment of a risk premium to the party taking on the opportunity.
Sharing risk response examples
Examples of sharing actions include forming risk-sharing partnerships, teams, special-purpose companies, or joint ventures.
Enhance. The enhanced strategy is used to increase the probability and/or impact of an opportunity. Early enhancement action is often more effective than trying to improve the benefit after the opportunity has occurred.
The probability of occurrence of an opportunity may be increased by focusing attention on its causes. Where it is impossible to increase the probability, an enhancement response might increase the impact by targeting factors that drive the size of the potential benefit. Examples of enhancing opportunities include adding more resources to an activity to finish early.
Accept. Accepting an opportunity acknowledges its existence but no proactive action is taken. This strategy may be appropriate for low-priority opportunities and may also be adopted where it is not possible or cost-effective to address an opportunity in any other way. Acceptance can be either active or passive.
Implement Risk Responses
Implement Risk Responses is the process of implementing agreed-upon risk response plans. The key benefit of this process is that it ensures that agreed-upon risk responses are executed as planned in order to address overall project risk exposure, minimize individual project threats, and maximize individual project opportunities.
Proper attention to the Implement Risk Responses process will ensure that agreed-upon risk responses are actually executed.
A common problem with Project Risk Management is that project teams spend effort in identifying and analyzing risks and developing risk responses, then risk responses are agreed upon and documented in the risk register and risk report, but no action is taken to manage the risk.
Risk response planning builds on the available information about the potential risks and aims to determine the optimal set of risk response plans.
For this reason, it should involve subject matter experts and employ creativity techniques in order to explore all of the options. Project planning and execution techniques are then required to evaluate the potential effects of the various options on the project’s objectives.
The strategic definition of risk response plans should include measurable criteria for the success of the response. Risk action owners should monitor their assigned risks, take agreed-upon actions as required, and provide the risk owners with relevant information on the status or changes to the risk characteristics.
Risk owners should assess the effectiveness of any actions, decide whether additional actions are required, and keep the project manager informed of the situation.
If what we explained in this article is part of your day-to-day job, or if you are interested in improving your knowledge in the risk management field, we highly recommend you read about the PMI RMP certification exam through the link here. Also, you can have a look at the curriculum of our PMI RMP exam perpetration workshop through the link here.