The next task that must be done in our risk management system is risk response planning. At this stage we have discovered all of the risks known to date and have an iterative process for discovering new risks as the project progresses. We have evaluated the risks and assessed their impact and probability of occurrence. We have prioritized the risks in their order of importance. We now must decide what to do about them. This is risk response planning.
Risk response planning is the process of developing the procedures and techniques to enhance opportunities and reduce threats to the project's objectives. In this process it will be necessary to assign individuals who will be responsible for each risk and generate a response that can be used for each risk.
Risk Response Strategies
Risk response strategies are the techniques that will be used to reduce the effect or probability of the identified or even the unidentified risks.
Of course, in the case of opportunities we should want to increase the probability and increase the impact. The opportunity can be exploited by adding resources to encourage and maximize the effect. Opportunities can be shared. In the case where our own organization is not able to maximize an opportunity, a partnership or other arrangement with another organization may be made where both organizations benefit in a greater way than one of them can. By enhancing an opportunity we can maximize the drivers that positively impact the risks. Both impact drivers and probability drivers may be enhanced.
In terms of the risk strategy that should be employed, a qualitative or quantitative evaluation of the severity of the risk will be a guideline as to how much time, money, and effort should be spent on the strategy to limit the risk.
Risk avoidance means just what it says. The strategy is to avoid the risk completely. The project plan or the nature of the project is actually changed to make it impossible for the risk to occur.
Some risks, such as the risk of not having a clearly defined set of user requirements, can be avoided by expending the effort to more clearly define the requirements. This may increase the time and effort previously allowed for this activity, but it will have the result of eliminating the risk.
For example, suppose our project is to design a bicycle. Let's say that during the design phase someone identified a risk of corrosion in the frame of the bicycle. If this corrosion were severe enough, it could cause a failure in the bicycle frame. This failure could cause serious injury to the person riding the bicycle at the time of failure.
The strategy exercised by the project team on this project is to redesign the components that are corrosion problems and use a corrosion resistant material such as stainless steel. This avoids the problem of corrosion in the bicycle frame identified as risky.
The avoidance strategy cannot completely eliminate the risk. In this example, even though the bicycle is redesigned in stainless steel, if the bicycle were left outdoors by the ocean for nineteen years, it might still corrode enough to fail, but the probability becomes so small that the risk is, for all practical purposes, eliminated.
Transferring a risk also eliminates the risk from impacting the project. When we transfer a risk, we move the impact of the risk to some other party. When risks are transferred to another party, there is usually some sort of payment involved to induce the third party to take on the risk.
Insurance is a method for transferring risk. In terms of risk management, what we are doing is hiring some third party to take over the impact of the risk. In return for this we pay a premium. For example, in 1995, PMI held its annual meeting in the city of New Orleans. Six months prior to this meeting, the PMI Board of Directors held their quarterly board meeting in New Orleans. The chapter hosted the board for a chapter meeting, and for the program they invited a panel of disaster and emergency management people to discuss hurricane effects on the city.
The discussion at the meeting concerned itself with the possible results of a hurricane hitting New Orleans. The PMI board became somewhat nervous about their meeting, since it would be held in prime hurricane season. PMI recognized that the revenue from their annual meeting was a significant part of their operating budget, and they could not afford to take this loss.
The result of this nervousness was that PMI purchased event insurance for the first time, paying a premium to an insurance company to take the risk. The insurance company agreed to pay PMI in the event of some disaster occurring that would force PMI to cancel their meeting. This was indeed a real risk. Just three years later, a hurricane caused the last-minute cancellation of a similar meeting by the Petroleum Engineers Association, after food and other supplies had already been ordered.
Another way of transferring risk is to contract the risk to an outside vendor. If this is done with a firm fixed-price contract, the risk is effectively transferred to the vendor. Generally, in firm fixed-price contracts the vendor will always raise the price of the service to compensate for the effect of the risk. Warrantees, performance bonds, and guarantees are additional methods for transferring risk.
The acceptance of a risk means that the project team has decided not to change the project in any way to compensate for the risk. The risk will be dealt with if and when it occurs. One way to think of acceptance is to visualize the list of risks that was made. The risks were ranked according to the impact they would have on the project. If we imagine a line going through the list at some point, the items above the line are ones that we will do something about in our risk strategy, and the items below the line are the risks that we will accept. The point at which the line is drawn is the point of risk tolerance.
Passive acceptance is when the project team does nothing at all about the risk. If the risk actually occurs, the project team will develop a way to work around the risk or to correct its effects.
Active acceptance is when the project team develops a plan of action to be taken in anticipation of the risk occurring. This action will result in a contingency plan. The contingency plan can be implemented as soon as triggers indicate the possibility of the risk occurring. In addition to the contingency plan, a fallback plan may be made as well. A fallback plan is an additional contingency plan to use in the event that the first contingency plan fails.
The strategies that we have discussed have either gotten rid of the risk entirely, transferred it to someone else, or accepted the risk, either passively or actively. Risk mitigation is an effort to reduce the probability or impact of the risk to a point where the risk can be accepted. Adding additional tests, hiring duplicate suppliers, adding more expert personnel, designing prototypes, or in other ways changing the conditions under which the risk can occur are ways of mitigating risk.
The important difference in risk mitigation is that it reduces the risk to a level where we can accept it and its consequences. Adding specific work to the project plan employs the mitigation strategy. This work will always be done regardless of whether the risk occurs. The mitigation tasks are specific project tasks that are added to the project plan to reduce the impact or probability of the risk.
It should be clear that an overall risk strategy should be designed to deal with risks by accepting them as they are, avoiding them by eliminating them from being possible, transferring them to another's responsibility, or reducing their impact and/or probability to a level where they can be accepted.
In keeping with the principle that project baselines are definite commitments for the project, the project budget and schedules should be ones that the project is truly expected to meet. That is, the budget is the budget that is really expected to be spent when the project is complete, and the schedule should allow for sufficient time to do the project. This budget and schedule must include the time for managing and overcoming risks. In Chapter 2, Time Management, we looked at dealing with schedule contingency. Here I discuss planning for budget contingency.
Funds that are to be used for mitigation, avoidance, or transfer are budgeted in with the rest of the committed project work. These are actual tasks that must be done, or they are funds that will be spent regardless of whether the risk occurs. But how do we budget for work that must be done only if the risk occurs?
There are two kinds of risks that must be dealt with, known risks and unknown risks. Known risks are the risks that were identified in the identification process of risk management discussed earlier. Unknown risks are the ones that we know will probably occur on this project, because unknown and unexpected risks have occurred before on projects of this type.
Known risks should be handled by the creation of a contingency budget. This money is not assigned to specific project tasks and is set aside and available to fund the work that must be done if and when a risk occurs. This budget should require the approval of the project manager as a means of making certain that the money is truly allocated to solve risk problems. If this money is made available too easily, it will be spent early in the project on problems that might have been solved in the normal course of completing the task.
Unknown risks must be funded as well. In this case the risks are those that could not be identified in the risk identification process. An estimate based on past experience with similar projects can be made. This estimate is used to create a management reserve. The management reserve is similar to the contingency budget in that it is made available to fund unknown risks when they occur. In order to prevent the inappropriate use of this budget, a person at a level above the project manager level must approve the use of these funds.
Was this article helpful?
What you need to know about… Project Management Made Easy! Project management consists of more than just a large building project and can encompass small projects as well. No matter what the size of your project, you need to have some sort of project management. How you manage your project has everything to do with its outcome.