How to select a Risk Response Strategy?
But let me simplify it for you in this article.
Here you will find examples of risk responses for both threats and opportunities.
But there’s a catch:
You may have a limited mindset in regards to dealing with risks.
So, I would suggest you review examples of dealing with different risks on a real project first. Click here to read how I managed different kinds of threats.
Project Risk Management Overview
Definition of Risk Response Strategies
Here is what you need to know:
Risk Response Strategy or Risk Response Plan is not something from an enterprise world.
(By the way, you can use terms interchangeably.)
Risk Response Planning is a process of identifying what will you do with all the risks in your Risk Register.
By PMBOK® Guide the process is called Plan Risk Responses.
Should You Create Risk Response Plans for All Known Risks?
Should we really do something with each risk?
No, you cannot eliminate all the risks. It is barely possible, and for sure it is unpractical.
You do need to operate within your constraints of budget, time, and scope.
You may have a specific budget for risk management.
What is a Risk Response in Your Project Management Plan?
You need to understand this:
Your risk management efforts are a part of your project.
It is not something standalone.
Risk Response Plans may require:
- Updating Project Scope: adding or removing deliverables, work packages, tasks.
- Updating Project Budget: adding reserves, allocating money for additional work, resources, expertise.
- Updating Schedule: starting work on specific dates, adding reserves of time to critical tasks.
- Introduce new processes and workflows.
- Hiring a particular expert, consultants.
- Outsourcing part of the Project Scope to a third party.
Here’s the catch:
You plan risk responses later during project planning.
So, you do need to update the required areas of the Project Management Plan with the planned responses.
It should be clearly depicted in your plan.
Every Risk Response Has Consequences
Here is another important concept. Every action has consequences. Therefore, by eliminating one risk quite often, you can introduce new ones.
There are two types of risks you need to be aware of:
- Secondary Risks – any new risks created by the implementation of a risk response plan.
- Residual Risks – these are the risks that remain after implementation of all risk response plans. They should be appropriately documented and communicated to stakeholders. Since you will do nothing with these risks.
What Can You Do With a Risk?
In fact, there are not many options here. You can:
- You can do something to avoid risk.
- You can do something to reduce Impact and/or Probability of a threat.
- You can do nothing and let the risk happen but use the reserves to minimize the negative impact.
- You can do nothing and accept the risk and its effects.
What are the best risk responses?
Responses must be timely.
They should eliminate or mitigate risk before it happens.
Waiting for a risk to happen and only then mitigating the negative impact is a bad strategy.
It’s firefighting. It’s not efficient. And it might happen so that the risk occurs when you don’t have available resources to address it.
Or it may stack with other risks or critical activities on the project.
The outcome becomes less predictable.
Responses should be appropriate to the level of a threat or opportunity.
It merely means that you shouldn’t waste $10000 to save $2000 of possible impact. Even $10000 effect might not be worth it if the probability is low.
So, you need to assess the costs and benefits of your risks strategies.
“When a risk occurs, with some ingenuity, this may open up an opportunity, and conversely when pursuing an opportunity there will be associated risks. Risks are generally deemed acceptable if the possible gains exceed the possible losses.” – Rory Burke
They should be developed with the team and stakeholders.
The best risk responses are generated in close collaboration with as many experts as practical.
That’s the trick:
Quite often your clients can eliminate a severe risk by making a decision that is beyond your authority.
You may come up with some solution. But will it be worth it?
Likewise, subject matter experts have experience in certain areas of the project. They faced all possible risks.
Why going into the same pitfalls? Just ask them for a solution.
It’s OK if one Risk Response Strategy Acts upon Several Risks.
Ideally, you want to address the root cause of a risk. You need to identify the sources of major threats and fix them.
So, for example, low accuracy of estimates may come from lack of Scope Decomposition.
You can put more time to do the estimates and check them with team members.
But adding a Work Breakdown Structure into your project plan may have a profound and permanent effect.
How Does it Happen?
First of all, you need to identify the top risks that warrant a response.
Next, you need to work with your team and stakeholders to develop possible options for risk responses for each risk.
It means that each risk will require either some extra work, some action or decision, or reserves of time and money.
It will help you to know risk tolerance and thresholds to develop the most appropriate responses.
Then you need to communicate these options to sponsor, customer, and some key stakeholders. You may need to get their approval. At least you must inform them.
Once everyone agrees to the suggested risk response plans, make them a part of your project management plan.
“The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities in budget, schedule and project management plan as need.” – PMBOK Guide.
Now you need to review the plan and identify secondary and residual risks.
You may need to repeat the whole risk management process several times until you get a satisfactory plan.
5 Risk Response Strategies
For of all let’s review the response plans for the risks. Then, we will do the same for opportunities.
Examples of Valid Negative Risks (Threats) Responses
|Risk Register Column||Entry|
|Description||Resources for mobile development are limited and on high demand.|
|Effects||Unavailability of developers may cause delays. Quality may suffer due to multitasking.|
|Owner||Jane K. (Recruiter)|
|Response Plan||Recruiters will prioritize our openings starting next week.
Develop a cross-project HR plan together with Ann Smith and Ron Nagle.
Secure required resources from other projects.
Avoid – It means you need to do something to eliminate the cause of the threat:
- Remove a work package or delivery from WBS to secure delivery of the rest of the project.
- Remove a conflicting team member to stop demotivation in the team.
- Forbid any work in bad weather to avoid the risk that someone will get hurt.
Mitigate – Do something to reduce the impact or the probability of a threat:
- Prototype unclear or risk delivery early on to get early feedback from a customer.
- Plan frequent visits to a vendor to learn about problems as early as possible.
- Train the team in risk management approach.
Transfer – Take action to make another party responsible for the risk:
- Outsource part of a project.
- Buy insurance on the property.
- Employ a part-time legal or procurement expert.
Actively Accept – It means that you need to develop a (contingency) plan and make reserves for a risk. However, you will only act if and when the risk happens.
- If a critical person gets sick – we will get a substitution.
- If a work package takes more time, we will work overtime.
- If the equipment breaks, we will buy a new one using reserves.
Passively Accept – Do really nothing. If a risk happens, you will need to decide if there is a workaround.
Examples of Positive Risk Response Strategies (Opportunities)
|Risk Register Column||Entry|
|Description||Purchasing “Photo Grid” module may reduce project duration and costs|
|Effects||A ready-made solution can be used for the Portfolio Feature. It reduces the duration from 2 months to 1 week. It saves about $10000 of the project budget.|
|Response Plan||Added as WBS Element 1.6.1 – Research Results of Available ModulesMake a POC on the integration of the module with the app.
Check copyrights of the premium version.
Acquire approval and budget for the purchase.
Exploit – Do some extra work or change the project plan to make an opportunity happen:
- Plan risky work packages for the most experienced team members.
- Suggest a better approach to reduce the required efforts.
- Suggest a solution to get a new contract from the client.
- Finish current project earlier to get another project.
Enhance – Do something to increase the chances or impact of an opportunity:
- Buy the equipment beforehand when the price is lower.
- Negotiate the transfer of exceptional expert to your team as early as possible.
- Promise incentives to the team to finish a project beforehand to start a new one.
Share – Share benefits with another party for an opportunity to happen for both of you.
- Create a partnership with a third party to achieve your goals.
You can Actively and Passively Accept opportunities as well as threats.
Escalate Risks as a Risk Response Strategy
Escalate – Do something to get engagement from a stakeholder who can eliminate or mitigate risk.
There is a group of risks that you can’t handle.
However, there is a person who relatively easy can. So, you just need to reach him and get some of his attention.
What is a Risk Owner’s Role in the Risk Response Plan?
You don’t control all Risk Response Plans personally.
You must assign an Owner to each risk.
You actually put the owner’s name (and contacts) into the Risk Register.
This person should monitor the risk.
Sometimes the risk may start impacting your project sooner than you anticipated. Sometimes you may underestimate the risk in general.
When the time comes, the owner implements or controls the implementation of a Risk Response Plan. To some degree, you do it as well – but on a higher level.
He or she also controls and reports to you the efficiency of the strategy. If something goes wrong, these problems should be escalated to you.
It’s totally fine if one person owns several risks. But ensure that all those risks don’t happen at the same time. Otherwise, the person will be overwhelmed.
That is all for today. It was not too hard, I believe.
This approach gives a limited number of options. Nevertheless, it provides a robust framework to deal with risks. So you don’t need to invent the wheel.
I Also Recommend Reading:
- Next in the series: How to Identify Risks in Project Management (a practical guide)
- Previous in the series: How to Perform Qualitative Risk Analysis for the First Time
- Overview of Risk Management: Full Guide to Risk Management Process in Project Management
- PDF: Complete Guide to the Basics of Project Risk Management