How to select a Risk Response Strategy? How to implement it in your risk management plan? Sounds complicated…
But let me simplify it for you in this article.
Risk Response Strategy is an action plan on what you will do a Risk on your project. The main risk response strategies for threats are Mitigate, Avoid, Transfer, Actively Accept, Passively Accept, and Escalate a Risk.
(Risk Response Strategy or Risk Response Plan is the same thing in essence. You can use terms interchangeably.)
Below, you will find examples of risk responses for both threats and opportunities.
Chapter 1: Risk Response Strategies For Threats
First, you need to identify risks and log them into the Risk Register. Then, you need to conduct a Qualitative Risk Analysis. For the most severe threats, you’ll decide what Risk Response Strategy to select.
The main Risk Response Strategies are:
- Avoid Risk
- Mitigate Impact/Probability of a Risk
- Transfer Risk
- Actively Accept Risk
- Passively Accept Risk
- Escalate Risk
1. Avoid Risk Response Strategy
Avoid Risk Response Strategy means you need to do something to eliminate the cause of the threat.
#1.1 Example of Risk Avoidance in Scope Management
Clients and other stakeholders provide requirements for the project. Usually, they think that these requirements will help to achieve the project’s business objectives.
Quite often, these requirements will pile up. Your project scope will bloat up, and you get beyond the constraints of time and budget.
When you get far beyond constraints, it’s obvious that you need to descope something or move deadlines. But sometimes, you’ll find yourself in a situation where you barely fit into the constraints.
That’s when you need to log a risk that you don’t have any free reserves of time or budget (read buffer). If something goes wrong, you may fail to deliver on time.
At this point, you can develop a risk response strategy to remove a piece of the project scope. It will happen if, for example, you get behind schedule for more than ten days.
As you understand, this will help you control expectations. You warn stakeholders that risk may happen. They accept the action plan. It will be easier to descope a requirement if something goes wrong.
#1.2 Example of Risk Avoidance in Leadership and Stakeholder Management
As a project manager and leader, you need to ensure that your team members are happy, motivated, and engaged in the project.
For sure, you can’t always get people who perfectly match with one another. Moreover, constructive conflicts within a team is a good thing.
However, sometimes conflicts may get beyond professional behavior. People may feel dissatisfied with the organization in general.
The problem is that negative behavior is both destructive and demotivating for other team members.
As much as possible, you need to try to mitigate the impact from conflicting team members. But sometimes, nothing helps, and you go beyond the point of no return in your relationships.
In this case, you want to avoid Risks of further demotivation of the whole team by removing a conflicting person.
Likewise, you may have an authoritative stakeholder who conflicts with team members or with you. In this case, you’ll need to take measures to isolate the person as much as possible.
In most cases, it means you need to get into internal politics and find leverage through your leadership or policies.
#1.3 Example of Risk Avoidance that Impacts the Whole Project
Before I became a project manager, I was a sailor. I worked on a big container vessel once.
We were unloading in Amsterdam when the rain started. In a few minutes, we heard over the radio that someone fell from the fourth-tier container (12 yards) on the deck.
Port authorities stopped the unloading. We called a helicopter to get this person to a hospital. In the end, unfortunately, the person died.
For sure, if something like this happens on your project, it will be a terrible hit. You must do whatever it takes to avoid such risks. In most cases, delays and extra costs are neglectable compared to the possible impact of a threat.
That’s why many industries forbid any work in bad weather to avoid the risk that someone gets hurt.
2. Mitigate Impact/Probability of Risks
Mitigate Risk Response Strategy means you do something to reduce the impact or the probability of a threat.
#2.1 Example of Mitigation of Uncertainty
In the IT industry, we often create solutions that no one did before using technologies no one used this way before. Therefore, there’s a lot of uncertainty in such projects.
Is it even feasible to achieve the project’s objectives?
You don’t want to start full-blown development to discover that the cornerstone technology can’t provide the required functionality. To mitigate the risk such risk, we begin with a Prototype or a Proof of Concept.
It’s a Risk Response Strategy where we do a mini-project to:
- Create a minimal viable product.
- To test out the compatibility of different solutions.
- Check the capabilities of new technologies.
This way, we try to guarantee the feasibility of at least 80% of the requirements.
It’s a quick and dirty implementation. It’s just a fraction of the budget and resources. And sometimes, we may need to do several POCs to select the most efficient approach. But still, it’s worth the investment.
This way, we can also get early feedback from clients and adjust the requirements to the capabilities of the technologies we want to use.
“Risk Management has a cost. You need to have a budget for all risk management activities.”
– Dmytro Nizhebetskyi
#2.2 Example of Risk Mitigation in Procurement
Whenever you have a Third Party involved in a project – it’s a RISK.
There are many sources of risks here:
- The third party has a different project management approach.
- They have different quality standards.
- Their team is not in sync with your team.
- There’s a hard dependency on their deliverables.
And that’s just the tip of the iceberg.
You need to mitigate ALL possible risks from their side. But usually, you don’t have direct control over them.
That’s why here you need a mitigation Risk Response Strategy that provides you with more information from the third party. You can request or even state it in the contract that:
- They need to provide a weekly progress report.
- Managers should participate in daily or weekly sync-up meetings.
- You can visit them at any time to audit the work.
This way, you can get early warnings about problems they have.
#2.3 Example of Risk Mitigation via Education
You can’t identify all the risks. But you should try to mitigate the possibility of an unexpected severe risk in the middle of the project.
The most efficient way to achieve it is by educating your project team and stakeholders in proper risk management activities.
Also, you need to create an environment where people are not afraid to report new risks as soon as possible, even if they committed to finishing the work on time.
It’s much easier to avoid or mitigate a risk when you know about it in advance. Not when it already happened.
Examples of Negative Risk Responses in a Risk Register
You can learn more about Risk Register and get templated in this in-depth guide:
|RISK REGISTER COLUMN||ENTRY|
|Description||Resources for mobile development are limited and on high demand.|
|Effects||Unavailability of developers may cause delays. Quality may suffer due to multitasking.|
|Owner||Jane K. (Recruiter)|
|Response Plan||Recruiters will prioritize our openings starting next week.|
Develop a cross-project HR plan together with Ann Smith and Ron Nagle.
Secure required resources from other projects.
3. Transfer Risk Response Strategy
Transfer Risk Response Strategy means that you need to take action to make another party responsible for the risk.
#3.1 Example of Transferring Risks via Outsourcing
Imagine you work in a company that produces furniture. Your leadership has decided that we need an e-commerce website and mobile applications to sell products. You were assigned to the project.
Now you are an IT Project Manager. Right away, there are huge sources of risks:
- You don’t have the expertise and engineers to start the project.
- There’s no infrastructure and practices to run a software development project.
- Your recruiters don’t have expertise in hiring developers, QAs, etc.
That is why many companies decide to transfer such risks to vendors with expertise, infrastructure, and human resources.
It doesn’t eliminate all related risks and often introduces new types of risks: procurement, third parties, etc. But most probably, you have experience dealing with these types of risks.
We’ll talk about secondary risks below.
#3.2 Example of Transferring Cost Risks
Sometimes, projects depend on a piece of costly machinery. Or you can rent some equipment. Or you need to purchase and store lots of materials.
The risk is that you can’t afford to buy a new piece of machinery, equipment, or materials if something goes unexpectedly wrong.
Like in everyday life, you want to transfer such risks for a relatively small sum and buy insurance or extra technical support.
“Include project stakeholders into Risk Management activities. The more – the better.”
#3.3 Example of Transferring Risks Related to the Lack of Expertise
Sometimes, you may get a project that goes into the knowledge domain where neither you nor your organization has enough expertise.
It’s not like you need to outsource a big part of the project. But you want to avoid risks related to procurement, accounting, or recruiting, for example.
In this case, you can try to transfer these risks to part-time or full-time experts. Hiring freelancers or a web design studio is an example of a transfer risk response strategy.
4. Actively Accept Risk Response Strategy
Actively Accept Risk Response Strategy means that you need to develop a (contingency) plan and make reserves for a risk. However, you will only act if and when the risk happens.
Feel the difference:
You don’t actively fight a risk. You react to it if it happens. But still, you prepare in advance.
In the real world, you apply this type of response plan more often than other types.
But here’s the catch:
You can use the allocated reserves of time or money ONLY if the dedicated risk happens. If the risk doesn’t happen, you need to release the reserves and switch to the next set of tasks.
Thanks to Parkinson’s Law, work will always fill in all allocated time. Moreover, you want to control how accurate your risk analysis is. It may provide you with insights into the risks that are yet to come.
#4.1 Example of Actively Accepting Risk with Reserve of Time
If you lead a long project, you always get through cold seasons when people catch a cold more often.
If you see that some critical due days fall into such seasons, you want to plan accordingly.
The simplest way is to allocate a week or two of time reserve to your schedule. Just put a buffer on the milestone.
#4.2 Example of Actively Accepting Risk with Reserves of Budget
Sometimes, requirements are not clear, and dedicating more time to business analysis doesn’t help. So, if you have ambiguity in requirements, but deadlines are set in stone – that’s a risk.
In this case, you want to get feedback from clients on want you created as soon as possible. For sure, feedback means changes in the requirements and some rework.
You may actively accept such a risk and reserve an additional budget for overtime for the team to make the required changes on time.
5. Passively Accept Risk Response Strategy
Passively Accept Risk Response Strategy means you’ll do really nothing. If a risk happens, you will need to decide if there is a workaround. Or you would simply soak up the impact.
#5.1 Example of Passively Accepting a Risk and Workaround
In the same example, when we have expensive machinery, we can proactively purchase insurance. In the case of passive acceptance, we won’t do that.
We may decide that if machinery breaks, we will either try to carry on without it. Yes, it may take more time and some manual labor. But it is possible that’s an acceptable workaround.
Likewise, we may decide to find funds to make repairs. It’s additional costs and will delay the work but, again, it might be OK.
6. Escalate Risks as a Risk Response Strategy
Escalate Risk Response Strategy means to do something to get engagement from a stakeholder who can eliminate or mitigate risk.
There is a group of risks that you can’t handle.
However, there is a person who relatively easily can. So, you just need to reach him and get some of his attention.
Chapter 2: Examples of Positive Risk Response Strategies (Opportunities)
Exploit – Do some extra work or change the project plan to make an opportunity happen:
- Plan risky work packages for the most experienced team members.
- Suggest a better approach to reduce the required efforts.
- Suggest a solution to get a new contract from the client.
- Finish the current project earlier to get another project.
Enhance – Do something to increase the chances or impact of an opportunity:
- Buy the equipment beforehand when the price is lower.
- Negotiate the transfer of exceptional experts to your team as early as possible.
- Promise incentives to the team to finish a project beforehand to start a new one.
Share – Share benefits with another party for an opportunity to happen for both of you.
- Create a partnership with a third party to achieve your goals.
You can Actively and Passively Accept opportunities as well as threats.
|RISK REGISTER COLUMN||ENTRY|
|Description||Added as WBS Element 1.6.1 – Research Results of Available Modules. Perform a POC on the integration of the module with the app.|
Check the copyrights of the premium version.
Acquire approval and budget for the purchase.
|Effects||A ready-made solution can be used for the Portfolio Feature. It reduces the duration from 2 months to 1 week. It saves about $10000 of the project budget.|
|Response Plan||Added as WBS Element 1.6.1 – Research Results of Available Modules. Perform a POC on the integration of the module with the app.|
Check copyrights of the premium version.
Acquire approval and budget for the purchase.
Chapter 3: All You Need to Know About Risk Responses on a Project
Should You Create Risk Response Plans for All Known Risks?
Should we really do something with each risk?
No, you cannot eliminate all the risks. It is barely possible, and for sure, it is impractical.
You do need to operate within your constraints of budget, time, and scope.
You may have a specific budget for risk management.
What is a Risk Response in Your Project Management Plan?
You need to understand this:
Your risk management efforts are a part of your project.
It is not something standalone.
Risk Response Plans may require:
- Updating Project Scope: adding or removing deliverables, work packages, and tasks.
- Updating Project Budget: adding reserves, allocating money for additional work, resources, and expertise.
- Updating Schedule: starting work on specific dates, adding time reserves to critical tasks.
- Introduce new processes and workflows.
- Hiring a particular expert or consultant.
- Outsourcing part of the Project Scope to a third party.
Here’s the catch:
You plan risk responses later during project planning.
So, you do need to update the required areas of the Project Management Plan with the planned responses.
It should be clearly depicted in your plan.
Every Risk Response Has Consequences
Here is another important concept. Every action has consequences. Therefore, by eliminating one risk quite often, you can introduce new ones.
There are two types of risks you need to be aware of:
- Secondary Risks – any new risks created by the implementation of a risk response plan.
- Residual Risks – these are the risks that remain after implementation of all risk response plans. They should be appropriately documented and communicated to stakeholders. Since you will do nothing with these risks.
How to Implement a Risk Response Strategy?
First of all, you need to identify the top risks that warrant a response.
Next, you need to work with your team and stakeholders to develop possible options for risk responses for each risk.
It means that each risk will require either some extra work, some action or decision, or reserves of time and money.
It will help you to know risk tolerance and thresholds to develop the most appropriate responses.
Then, you need to communicate these options to sponsor, customer, and some key stakeholders. You may need to get their approval. At least you must inform them.
Once everyone agrees to the suggested risk response plans, make them a part of your project management plan.
“The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities in budget, schedule and project management plan as need.”
– PMBOK Guide.
Now, you need to review the plan and identify secondary and residual risks.
You may need to repeat the whole risk management process several times until you get a satisfactory plan.
What is a Risk Owner’s Role in the Risk Response Plan?
You don’t control all Risk Response Plans personally.
You must assign an Owner to each risk.
You actually put the owner’s name (and contacts) into the Risk Register.
This person should monitor the risk.
Sometimes, the risk may start impacting your project sooner than you anticipated. Sometimes, you may underestimate the risk in general.
So, the owner keeps the assigned risk at the top of the mind.
When the time comes, the owner implements or controls the implementation of a Risk Response Plan. To some degree, you do it as well – but on a higher level.
He or she also controls and reports to you the efficiency of the strategy. If something goes wrong, these problems should be escalated to you.
It’s totally fine if one person owns several risks. But ensure that all those risks don’t happen at the same time. Otherwise, the person will be overwhelmed.
Unfortunately, this article was just one piece of a complex project risk management framework: Many other processes happen before and after this one.
If one part doesn’t work, the whole system breaks.
My Risk Management Plan Template connects all processes and tools into one cohesive system. It also provides access to other articles and videos on risk management.
Don’t put your projects and reputation at risk. Ensure you know how risk management works in the real world.
All successful project managers know it’s better to learn from someone else’s experience (aka lessons learned). Tap into my 12 years of practical IT experience and get the Risk Management Plan Template.