How to select a Risk Response Strategy?
Sounds difficult and complex, isn’t it?
But let me simplify it for you in this articles.
Here is what you need to know:
Risk Response Strategy or Risk Response Plan is not something from an enterprise world.
It is just a way to describe and classify actions you can take in regards to a risk. For sure it is not something I recommend to skip.
In fact, there are not many options here. You can:
- Do something to eliminates a risk before it happens.
- Do something to reduce the probability and/or impact of a risk.
- For risks you cannot eliminate or do not want to spend efforts you can try to do something when the risks happen.
What are the best risk responses?
- Responses must be timely. They should eliminate or mitigate a risk before it happens.
- Responses should be appropriate to the level of a threat or opportunity
- They should be developed with the team and stakeholders. The best risk responses are generated in close collaboration with as many experts as practical.
By PMBOK® Guide the process is called Plan Risk Responses.
Risk Response Planning is the process of identifying what you are going to do with each risk.
Should we really do something with each risk?
No, you cannot eliminate all the risks. It is barely possible, and for sure it is unpractical. You do need to operate within your constraints of budget, time, and scope. Alternatively, you may have a specific budget for risk management.
Also, you need to understand this. Your risk management efforts are a part of your project plan. It is not something standalone. Some risk response plans may require modifying your WBS or project schedule.
Here is another important concept. Every action has consequences. Therefore, by eliminating one risk quite often, you can introduce new ones.
There are two types of risks you need to be aware of:
1. Secondary Risks – any new risks created by implementation of a risk response plan.
2. Residual Risks – these are the risks that remain after implementation of all risk response plans. They should be properly documented and communicated to stakeholders. Since you will do nothing with this risks.
How Does it Happen?
First of all, you need to identify top risks that warrant a response.
Next, you need to work with your team and stakeholders to develop possible options for risk responses for each risk. It means that each risk will require either some extra work, some action or decision, or reserves of time and money.
It will help you to know risk tolerance and thresholds to develop the most appropriate responses.
Then you need to communicate these options to sponsor, customer, and some key stakeholders. You may need to get their approval. At least you must inform them.
Once everyone agrees to the suggested risk response plans, make them a part of your project management plan.
“The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities in budget, schedule and project management plan as need.” – PMBOK Guide.
Now you need to review the plan and identify secondary and residual risks. You may need to repeat the whole risk management process several times until you get a satisfactory plan.
Risk Response Strategies
Examples of Responses to Threats
Avoid – It means you need to do something to eliminate the cause of the threat:
- Remove a work package or delivery from WBS to secure delivery of the rest of the project.
- Remove a conflicting team member to stop demotivation in the team.
- Forbid any work in bad weather to avoid the risk that someone will get hurt.
Mitigate – Do something to reduce the impact or the probability of a threat:
- Prototype unclear or risk delivery early on to get early feedback from a customer.
- Plan frequent visits to a vendor to learn about problems as early as possible.
- Train the team in risk management approach.
Transfer – Take action to make another party responsible for the risk:
- Outsource part of a project.
- Buy insurance on the property.
- Employ a part-time legal or procurement expert.
Actively Accept – It means that you need to develop a (contingency) plan and make reserves for a risk. However, you will only act if and when the risk happens.
- If a critical person gets sick – we will get a substitution.
- If work package takes more time, we will work overtime.
- If the equipment breaks, we will buy a new one using reserves.
Passively Accept – Do really nothing. If a risk happens, you will need to decide if there is a workaround.
Examples of Responses for Opportunities
Exploit – Do some extra work or change the project plan to make an opportunity happen:
- Plan risky work packages for the most experienced team members.
- Suggest a better approach to reduce the required efforts.
- Suggest a solution to get a new contract from the client.
- Finish current project earlier to get another project.
Enhance – Do something to increase chances or impact of an opportunity:
- Buy the equipment beforehand when the price is lower.
- Negotiate the transfer of exceptional expert to your team as early as possible.
- Promise incentives to the team to finish a project beforehand to start a new one.
Share – Share benefits with another party for an opportunity to happen for both of you.
- Create a partnership with a third part to achieve your goals.
You can Actively and Passively Accept opportunities as well as threats.
Additional Secret Risk Response Strategy
There is one more risk response strategy. Moreover, I hope it will become official one day.
Escalate – Do something to get engagement from a stakeholder who can eliminate or mitigate a risk.
There is a group of risks that you can’t handle. However, there is a person who relatively easy can. So, you just need to reach him and get some of his attention.
That is all for today. It was not too hard, I believe. This approach gives a limited number of options. Nevertheless, it provides a robust framework to deal with risks. So you don’t need to invent the wheel.