
Friday, July 1, 2011

Chapter 55: Planning Risk Response

In the previous chapters, we learnt how to identify the risks that might affect our project and how to analyze them. The next step is to plan a risk response. Simply put, how will you handle a risk once you identify it? That's what we are going to learn in this chapter.
So, let's get started!

Planning Risk Response

Depending on the project, the nature of risks, and the experience of the team, risk response planning can start after risk identification, qualitative risk analysis, or quantitative risk analysis. But if qualitative risk analysis and quantitative risk analysis are performed on the risk, then the response planning must come after completing these two analysis tasks. If you remember, risks can include threats (negative risks) and opportunities (positive risks).

Accordingly, the central task in risk response planning is to develop actions and options to meet the following two goals:
• Minimize threats to meeting project objectives
• Maximize opportunities

Risk Response is planned using the plan risk response process. It is explained in the picture below:

Input to Risk Response Planning

The two input items for risk response planning are the risk register and the risk management plan.

Risk register - The risk register contains the results from risk identification, qualitative risk analysis, and quantitative risk analysis. The following elements of the risk register are especially useful for risk response planning:
• List of identified risks
• Root causes of risks
• Prioritized list of risks
• List of risks that need immediate attention
• Trends in analysis results

Risk management plan - The elements of the risk management plan that can be useful for risk response planning include:
• Organizations’ and stakeholders’ thresholds for low, moderate, and high risks to sort out those risks for which response is needed.
• Roles and responsibilities that specify the positions and functions for each position involved in risk management. These roles are assigned to members of the risk management team, which might include members from inside or outside the project team.
• Timing and a schedule that specifies how often the risk management processes will be performed and which risk management activities will be included in the project schedule.

Because there is a wide spectrum of risks that can occur, there are a multitude of tools and techniques available to plan responses for these risks.

Tools and Techniques for Risk Response Planning

Risk, as you have already seen & learnt, can come in two categories: negative risks, which pose threats to meeting the project objectives, and positive risks, which offer opportunities. The goal here is to minimize the threats and maximize the opportunities.

In project management, there are three kinds of possible responses to risks:
1. Take an action or
2. Take no action or
3. Take a conditional action.

When you want to take an action, different response strategies for negative and positive risks need to be planned. Accordingly, there are three kinds of strategies available to handle three kinds of scenarios:
• Strategies to respond to negative risks (threats) when action is required
• Strategies to respond to positive risks (opportunities) when action is required
• Strategies that can be used to respond to both negative and positive risks when no action or a conditional action is taken

Response Strategies for Threats

There are only three ways to take an action against a potential problem & this is basically common sense:
1. Get out of harm’s way or
2. Pass it to someone else or
3. Confront it to minimize the damage.

In project management, these three strategies are called avoid, transfer, and mitigate; the ATM approach.

Avoid - You avoid risk by changing your project management plan in such a way that the risk is eliminated. Depending upon the situation, this can be accomplished in various ways, including:
• Obtaining information and clarifying requirements for risks based on misunderstanding or miscommunication. This answers two questions: Do we really have this risk, and, if yes, how can we avoid it?
• Acquiring expertise for risks that exist due to a lack of expertise.
• Isolating the project objectives from the risk whenever possible.
• Relaxing the objective that is under threat, such as extending the project schedule.

Transfer - Risk transfer means you shift the responsibility for responding to the risk (the ownership of the risk), the negative impact of the risk, or both to another party. Note that transferring the risk transfers the responsibility for risk management and does not necessarily eliminate the risk. Risk transfer almost always involves making payment of a risk premium to the party to which the risk has been transferred. Some examples include buying an insurance policy and contracting out the tasks involving risk.

Mitigate - Mitigation in general means taking action to reduce or prevent the impact of a disaster that is expected to occur. Risk mitigation means reducing the probability of risk occurrence, reducing the impact of the risk if it does occur, or both. A good mitigation strategy is to take action early on to first reduce the probability of the risk happening, and then to plan for reducing its impact if it does occur, rather than letting it occur and then trying to reduce the impact or repair the damage. Following are some examples of mitigation:
• Adopting less complex processes
• Conducting more tests on the product or service of the project
• Choosing a more stable supplier for the project supplies
• Designing redundancy into a system so that if one part fails, the redundant part takes over and the system keeps working

Each of these three strategies has a counter-strategy to deal with the opportunities.

Response Strategies for Opportunities

Just like in the case of threats, you have three strategies to deal with opportunities. Not surprisingly, each response strategy to deal with an opportunity is a counterpart of a response strategy to deal with a threat; a one-to-one correspondence:
• Share corresponds to transfer
• Exploit corresponds to avoid
• Enhance corresponds to mitigate

You use the SEE (Share, Exploit, Enhance) approach to deal with opportunities presented by the positive risks.

Note: As per the PMBOK, Accept is also a strategy for handling opportunities, which means you just do nothing about the opportunity. If you are a PM and know that an opportunity is going to present itself, you should do something to take advantage of it. That is why we will concentrate only on Share, Exploit, and Enhance.

Share - Sharing a positive risk that presents an opportunity means transferring ownership of the risk to another party that is better equipped to capitalize on the opportunity. Some examples of sharing are:
• Forming risk-sharing partnerships
• Starting a joint venture with the purpose of capitalizing on an opportunity
• Forming teams or special-purpose companies to exploit opportunities presented by positive risks

Exploit - Exploiting an opportunity means ensuring that the opportunity is realized; that is, the positive risk that presents the opportunity does occur. This is accomplished by eliminating or minimizing the uncertainty associated with the risk occurrence. An example of exploiting is assigning more talented resources to the project to reduce the completion time and therefore to be the first to market. Another example could be to provide better quality than planned to beat a competitor.

Enhance - Whereas exploiting refers to ensuring that the positive risk occurs, this strategy means increasing the size of the opportunity by increasing the probability, impact, or both. You can increase the probability by maximizing the key drivers of the positive risks or by strengthening the causes of the risks. Similarly, you can increase the impact by increasing the project’s susceptibility to the positive risk.

The responses for threats and opportunities differ only if you intend to take an action to handle them. If you intend to take no action or a conditional action, then the response planning strategies for both negative and positive risks are the same.

Response Strategies for Both Threats and Opportunities

There are two response strategies that you need to plan for the risks for which you need to take either a conditional action or no action.

Acceptance - Acceptance of a risk means letting it be. Generally, it is not possible to take action against all risks. Depending upon their probabilities and impacts, some risks will simply be accepted. There are two kinds of acceptance:
• Passive acceptance that requires no action
• Active acceptance that requires a conditional action, called a contingent response

Contingency - Generally speaking, contingency means a future event or condition that is possible but cannot be predicted with certainty. So, your action will be contingent upon the condition; that is, it will be executed only if the condition happens. In risk management, a contingent response is a response that is executed only if certain predefined conditions (or events) happen. These events trigger the contingency response. Some examples of such triggers are missing a milestone or escalating the priority of a feature by the customer. The events that can trigger contingency response must be clearly defined and tracked.

Trivia: While designing a response to a risk, also design a backup plan to fall back on in case the response does not work. Also, think through and plan for responding to the risks that the response to the original (primary) risk may cause. These risks are called secondary risks.

Output of Risk Response Planning

The output of risk response planning includes:

Risk register updates - The appropriate risk responses planned and agreed upon by the risk management team are included in the risk register. The responses to high and moderate risks are entered in detail, while the low-priority risks can be put on a watch list for monitoring. After the risk register is updated, it includes the following main elements:
• A list of identified risks, descriptions of the risks, root causes of the risks, WBS elements affected by the risks and impacts of the risks on the project objectives.
• Roles and responsibilities in managing the risks; that is, risk owners and the responsibilities assigned to them.
• Results from qualitative and quantitative risk analysis, including a prioritized list of risks, a probabilistic analysis of the project objectives, and a list of risks with time urgency.
• Planned and agreed upon risk response strategies and specific actions to implement each strategy.
• Symptoms and warning signs of risk occurrences, contingency plans, and triggers for contingency risks.
• Budget and schedule requirements to implement the planned responses, including the contingency reserve, which is the amount of funds, time, or both needed in addition to the estimates in order to meet the organization’s and stakeholders’ risk tolerances and thresholds.
• Fallback plans in case the planned responses prove to be inadequate
• A list of risks to remain, which include the following:
   ◦ Passive, accepted risks
   ◦ Residual risks that will remain after planned responses have been performed
• A list of secondary risks that will arise as a result of implementing the responses. You must plan for these risks like any other risk.

Updates to the project management plan - Risk response planning is a very involved and serious process. It may affect many components of the project management plan. You should go back and modify those components accordingly. For example, a risk response plan may require a change in the schedule, and therefore you will need to update the schedule management plan. Similarly, changes in budget and tolerance level as a result of planning a response would trigger updates to the cost management plan and quality management plan. Other plans that may be affected by risk response planning include the procurement management plan and the human resource management plan. These changes may also include or trigger changes in the cost baseline, the schedule baseline, and the WBS.

A residual risk is the remains of a risk on which a response has been performed, whereas a secondary risk is a risk that is expected to arise as a result of implementing a risk response; therefore, a response for a secondary risk must be planned.

Risk-related contract decisions - The decisions for risk-related contractual agreements might result, for example, from the decisions of transferring risks. Mitigating a risk may also involve the option of contracting it out, in which case a contract will be necessary. A positive risk can also be contracted out to maximize the opportunity it offers and share the resulting benefit with the vendor to which it is contracted out.

Updates to project documents - In addition to the risk register and project management plan, risk response planning may also cause updates to other project documents. For example, new information that becomes available during risk planning may change an assumption. This will require an update of the project scope statement (if it contains that assumption) or the assumption document, such as the assumption log, if you are keeping assumptions separate from the scope statement. You may also need to change some technical documents due to changes in the technical approach as a result of risk response plans.



  1. SEE for Share Exploit Enhance is fine for positive risks, but it leaves out "ACCEPT." PMBOK guide page 345. Maybe ASEE or something like that is needed.

    1. Anonymous - I left out Accept as a response for positive risk because you cannot accept an opportunity. You will need to do something about it. Accept for an opportunity is as good as Ignore which is not how you are supposed to deal with opportunities.

      Anyways - Thanks for pointing out. I have added a note now in the article.


  2. thanks it was a very good article



© 2013 by www.getpmpcertified.blogspot.com. All rights reserved. No part of this blog or its contents may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the Author.

