How to select a Risk Response Strategy? Sounds complicated…
But let me simplify it for you in this article.
Risk Response Planning is a process of identifying what you will do with all the risks in your Risk Register. The main risk response strategies for threats are Mitigate, Avoid, Transfer, Actively Accept, Passively Accept, and Escalate a Risk.
Below you will find examples of risk responses for both threats and opportunities.
But there’s a catch:
Your risk management efforts are as good as each separate component. That’s why I’m also going to share my Special Resource Guide in this article.
Here is what you need to know:
Risk Response Strategy or Risk Response Plan is not something from an enterprise world.
(By the way, you can use terms interchangeably.)
It’s just an action plan to tackle a known risk. Usually, it’s a short description of what we are going to do.
5 Main Risk Response Strategies
For of all let’s review the response plans for the risks. Then, we will do the same for opportunities.
Examples of Valid Negative Risks (Threats) Responses
|Risk Register Column||Entry|
|Description||Resources for mobile development are limited and on high demand.|
|Effects||Unavailability of developers may cause delays. Quality may suffer due to multitasking.|
|Owner||Jane K. (Recruiter)|
|Response Plan||Recruiters will prioritize our openings starting next week.
Develop a cross-project HR plan together with Ann Smith and Ron Nagle.
Secure required resources from other projects.
Avoid – It means you need to do something to eliminate the cause of the threat:
- Remove a work package or delivery from WBS to secure delivery of the rest of the project.
- Remove a conflicting team member to stop demotivation in the team.
- Forbid any work in bad weather to avoid the risk that someone will get hurt.
Mitigate – Do something to reduce the impact or the probability of a threat:
- Prototype unclear or risk delivery early on to get early feedback from a customer.
- Plan frequent visits to a vendor to learn about problems as early as possible.
- Train the team in risk management approach.
Transfer – Take action to make another party responsible for the risk:
- Outsource part of a project.
- Buy insurance on the property.
- Employ a part-time legal or procurement expert.
Actively Accept – It means that you need to develop a (contingency) plan and make reserves for a risk. However, you will only act if and when the risk happens.
- If a critical person gets sick – we will get a substitution.
- If a work package takes more time, we will work overtime.
- If the equipment breaks, we will buy a new one using reserves.
Passively Accept – Do really nothing. If a risk happens, you will need to decide if there is a workaround.
Examples of Positive Risk Response Strategies (Opportunities)
|Risk Register Column||Entry|
|Description||Purchasing “Photo Grid” module may reduce project duration and costs|
|Effects||A ready-made solution can be used for the Portfolio Feature. It reduces the duration from 2 months to 1 week. It saves about $10000 of the project budget.|
|Response Plan||Added as WBS Element 1.6.1 – Research Results of Available ModulesMake a POC on the integration of the module with the app.
Check copyrights of the premium version.
Acquire approval and budget for the purchase.
Exploit – Do some extra work or change the project plan to make an opportunity happen:
- Plan risky work packages for the most experienced team members.
- Suggest a better approach to reduce the required efforts.
- Suggest a solution to get a new contract from the client.
- Finish the current project earlier to get another project.
Enhance – Do something to increase the chances or impact of an opportunity:
- Buy the equipment beforehand when the price is lower.
- Negotiate the transfer of exceptional expert to your team as early as possible.
- Promise incentives to the team to finish a project beforehand to start a new one.
Share – Share benefits with another party for an opportunity to happen for both of you.
- Create a partnership with a third party to achieve your goals.
You can Actively and Passively Accept opportunities as well as threats.
Escalate Risks as a Risk Response Strategy
Escalate – Do something to get engagement from a stakeholder who can eliminate or mitigate risk.
There is a group of risks that you can’t handle.
However, there is a person who relatively easy can. So, you just need to reach him and get some of his attention.
Should You Create Risk Response Plans for All Known Risks?
Should we really do something with each risk?
No, you cannot eliminate all the risks. It is barely possible, and for sure it is unpractical.
You do need to operate within your constraints of budget, time, and scope.
You may have a specific budget for risk management.
What is a Risk Response in Your Project Management Plan?
You need to understand this:
Your risk management efforts are a part of your project.
It is not something standalone.
Risk Response Plans may require:
- Updating Project Scope: adding or removing deliverables, work packages, tasks.
- Updating Project Budget: adding reserves, allocating money for additional work, resources, expertise.
- Updating Schedule: starting work on specific dates, adding reserves of time to critical tasks.
- Introduce new processes and workflows.
- Hiring a particular expert, consultants.
- Outsourcing part of the Project Scope to a third party.
Here’s the catch:
You plan risk responses later during project planning.
So, you do need to update the required areas of the Project Management Plan with the planned responses.
It should be clearly depicted in your plan.
Every Risk Response Has Consequences
Here is another important concept. Every action has consequences. Therefore, by eliminating one risk quite often, you can introduce new ones.
There are two types of risks you need to be aware of:
- Secondary Risks – any new risks created by the implementation of a risk response plan.
- Residual Risks – these are the risks that remain after implementation of all risk response plans. They should be appropriately documented and communicated to stakeholders. Since you will do nothing with these risks.
How to Implement a Risk Response Strategy?
First of all, you need to identify the top risks that warrant a response.
Next, you need to work with your team and stakeholders to develop possible options for risk responses for each risk.
It means that each risk will require either some extra work, some action or decision, or reserves of time and money.
It will help you to know risk tolerance and thresholds to develop the most appropriate responses.
Then you need to communicate these options to sponsor, customer, and some key stakeholders. You may need to get their approval. At least you must inform them.
Once everyone agrees to the suggested risk response plans, make them a part of your project management plan.
“The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities in budget, schedule and project management plan as need.” – PMBOK Guide.
Now you need to review the plan and identify secondary and residual risks.
You may need to repeat the whole risk management process several times until you get a satisfactory plan.
What is a Risk Owner’s Role in the Risk Response Plan?
You don’t control all Risk Response Plans personally.
You must assign an Owner to each risk.
You actually put the owner’s name (and contacts) into the Risk Register.
This person should monitor the risk.
Sometimes the risk may start impacting your project sooner than you anticipated. Sometimes you may underestimate the risk in general.
When the time comes, the owner implements or controls the implementation of a Risk Response Plan. To some degree, you do it as well – but on a higher level.
He or she also controls and reports to you the efficiency of the strategy. If something goes wrong, these problems should be escalated to you.
It’s totally fine if one person owns several risks. But ensure that all those risks don’t happen at the same time. Otherwise, the person will be overwhelmed.
Project Risk Management Overview
Check this video to learn the place of Risk Responses in the overall Risk Management Process.
That is all for today. It was not too hard, I believe.
This approach gives a limited number of options. Nevertheless, it provides a robust framework to deal with risks. So you don’t need to invent the wheel.
I Also Recommend Reading:
- Featured Article: How to Become an IT Project Manager Without Experience
- Next in the series: How to Identify Risks in Project Management (a practical guide)
- Previous in the series: How to Perform Qualitative Risk Analysis for the First Time
Test Your Risk Management Knowledge
Do you think you know enough about Project Risk Management?
Take this short quiz and identify gaps in your knowledge.
In the end, I provide correct answers and explanations.