11.5. Planning for Risk Responses (PMBOK, Section 11.5)
Risk response planning is all about options and actions. It focuses on how to decrease the possibility of risks from adversely affecting the project's objectives and also on how to increase the likelihood of positive risks that can aid the project. Risk response planning assigns responsibilities to people and groups close to the risk event. Risks will increase or decrease based on the effectiveness of risk response planning.
The responses to identified risks must be in balance with the risks themselves. The cost and time invested in a risk must be met with the gains from reducing the risk's impact and probability. In other words, a million-dollar solution for a hundred-dollar problem is unacceptable. The individuals who are assigned to the risk must have the authority to react to the project risk as planned. In most cases, several risk responses may be viable for the risk—the best choice for the identified risk must be documented, agreed upon, and then followed through should the risk come to fruition.
11.5.1. Preparing for Risk Responses
To successfully prepare for risk response, the project manager, project team, and appropriate stakeholders rely on several inputs—many of which stem from qualitative and quantitative risk analyses. The risk management plan is needed during the risk response planning, but the risk register is also needed to provide the following:
A list of prioritized risks
A risk ranking
A prioritized list of quantified risks
A probabilistic analysis of the project
The probability of the project meeting the cost and schedule goals
The list of potential responses decided upon when risks were first identified
Any risk owners who have been identified
A list of risks with common causal factors
Trends from qualitative and quantitative analyses
11.5.2. Creating Risk Responses
There are several tools and techniques that the project team can employ to respond to risks. Each risk should be evaluated to determine which category of risk response is most appropriate. When a category has been selected, the response must then be developed, refined, documented, and readied for use, if needed. In addition, secondary responses may be selected for each risk. The purpose of risk response planning is to bring the overall risk of the project down to an acceptable level. In addition, risk response planning must address any risks that have unacceptably high scores.
Avoiding Negative Risks
Avoidance is simply avoiding the risk. This can be accomplished in many different ways, and generally happens early in the project, when any change will result in fewer consequences than later on in the project plan. Examples of avoidance include the following:
Changing the project plan to eliminate the risk
Clarifying project requirements to avoid discrepancies
Hiring additional project team members who have experience with the technology that the project deals with
Using a proven methodology rather than a new approach
Transferring Negative Risks
Transference is the process of transferring the risk (and the ownership of the risk) to a third party. The risk doesn't disappear—it just becomes someone else's problem. Transference of a risk usually costs a premium for the third party to own and manage. Common examples of risk transference include:
Insurance
Performance bonds
Warrantees
Guarantees
Fixed-priced contracts
Mitigating Negative Risks
Mitigating risks is an effort to reduce the probability and/or impact of an identified risk in the project. Mitigation is done based on the logic before the risk happens. The cost and time to reduce or eliminate the risks is more cost effective than repairing the damage caused by the risk. The risk event may still happen, but hopefully the cost and impact of the risk will both be very low.
Mitigation plans can be created so that they are implemented should an identified risk cross a given threshold. For example, a manufacturing project may have a mitigation plan to reduce the number of units created per hour should the equipment's temperature cross a given threshold. The reduction is the number of units per hour that it may cost the project in time. In addition, the cost of extra labor to run the equipment longer because the machine is now operating at a slower pace may be attributed to the project. However, should the equipment fail, the project would have to replace the equipment and be delayed for weeks while awaiting repairs.
Examples of mitigation include:
Adding activities to the project to reduce the risk probability or impact
Simplifying the processes within the project
Completing more tests on the project work before implementation
Developing prototypes, simulations, and limited releases
11.5.3. Managing the Positive Risk and Opportunities
While most risks have a negative connotation, not all risks are bad. There are instances when a risk may create an opportunity that can help the project, other projects, or the organization as a whole. The type of risk and the organization's willingness to accept the risks will dictate the appropriate response.
Exploiting Positive Risks or Opportunities
When an organization would like to take advantage of a positive risk that will likely happen, it can exploit the risk. Positive risk exploitation can be realized by adding resources to finish faster than was originally planned, increasing quality to recognize sales and customer satisfaction, utilizing a better way of completing the project work, or any other method that creates the positive outcomes of the identified risk.
Sharing Positive Risks
The idea of sharing a positive risk really means sharing a mutually beneficial opportunity between two organizations or projects, or creating a risk-sharing partnership. When a project team can share the positive risk, ownership of the risk is given to the organization that can best capture its benefits.
Enhancing Positive Risks
This risk response seeks to modify the size of the identified opportunity. The goal is to strengthen the cause of the opportunity to ensure that the risk event does happen. Enhancing a project risk looks for solutions, triggers, or other drives to ensure that the risk does come to fruition so that the rewards of the risk can be realized by the performing organization.
11.5.4. Accepting the Risks
Risk acceptance is the process of simply accepting the risks because no other action is feasible or because the risks are deemed to be of small probability, impact, or both and that a formal response is not warranted. Passive acceptance requires no action; the project team deals with the risks as they happen. Active acceptance entails developing a contingency plan should the risk occur. Acceptance may be used for both positive and negative risks.
A contingency plan is a predefined set of actions the project team will take should certain events occur. Events that trigger the contingency plan should be tracked. A fall-back plan is a reaction to a risk that has occurred when the primary response proves to be inadequate.
11.5.5. Updating the Risk Register
Are you noticing a theme here? Every time new information about the project's risks is learned, the risk register has to be updated. Since I'm dealing with risk responses in this section, the updates to the risk register are:
Identified risks and how each one can threaten the project
Risk owners and their responsibilities for the risk events
Risk response strategies and the responses to risk events
Symptoms and warning signs of risk
Budget and schedule impact of the risk response activities
Contingency reserves for time and costs
Contingency plans and triggers to implement the plan
Fallback plans
Residual risks (these are risks that are expected to remain after a risk response)
Secondary risks (these are new risks that are created as a result of a risk response)
11.5.6. Creating Contracts for Risk Response
When multiple entities are involved in a project, contractual agreements may be necessary to identify the responsible parties for identified risks. The contract may be needed for insurance purposes, customer acceptance, or the acknowledgement of responsibilities between the entities completing the project. Transference is an example of contractual agreements for the responsibility of risks within a project.
11.5.7. Justifying Risk Reduction
To reduce risk, additional time or monies are typically needed. The process and logic behind the strategies to reduce the risk should be evaluated to determine if the solution is worth the tradeoffs. For example, a risk may be eliminated by adding $7,500 to a project's budget. However, the likelihood of the risk occurring is relatively low. Should the risk happen, it would cost, at a minimum, $8,000 to correct and the project would be delayed by at least two weeks.
The cost of preventing the risk versus the cost of responding to it must be weighed and justified. If the risk is not eliminated with the $7,500 cost and the project moves forward as planned, it has, theoretically, saved $15,500 because the risk did not happen and the response to the risk did not need to happen.
However, if the risk does happen, the project will lose at least $8,000 and be delayed at least two weeks. The cost inherent in the project delay may be more expensive than the solution to the risk. The judgment of solving the risk to reduce the likelihood of delaying the project may be wiser than ignoring the risk and saving the cost by solving the risk problem.
11.5.8. Updating the Project Plan
The risk reactions, contingency plans, and fallback plans should all be documented and incorporated into the project plan—for example, updating the schedule, budget, and WBS to accommodate additional time, money, and activities for risk responses. The responses to the risks may change the original implementation of the project and should be updated to reflect the project plan and intent of the project team, management, and other stakeholders. A failure to update the project plan and the risk register may cause risk reactions to be missed—and skew performance measurements.