Developing a Risk Response Plan – Part 1
The plan risk responses process is the last process in the management of risks, and it decides what actions to take to reduce threats and take advantages of the opportunities discovered during the risk analysis processes.
This process also includes a signing departments or individual staff members the responsibility of carrying out the Risk Response Plans you will outline within this process. Such individuals are known as risk owners.
The more effective your Risk Response Plans are, the better your chances for a successful project. Well-developed and well-written Risk Response Plans will likely decrease overall project risk.
Generally, you will want to develop Risk Response Plans for risks with a combination of high probability of occurrence and significant impact to the project, those ranked high on the probability/impact matrix, or those rent high because of the perform quantitative risk analysis process.
Developing Risk Response Plans for risks of low severity or insignificant impact is not an efficient or good use of the project teams time.
Instead, spend your time planning responses that are appropriate given the impact the risk itself poses, or if an opportunity, the risk presents, and do not spend more time, money, or energy to produce a response than the risk events itself would produce if it occurred.
The inputs you will use to assist you in this process are the risk register and the risk management plan. Several strategies are used in this process to reduce or control risk.
It is important therefore, that you choose the right strategy for each risk so that the risk and its impacts are dealt with effectively.
After deciding on which strategy to use, you will develop an action plan to put this strategy into play should the risk event occur. You might also choose to designate a secondary or backup strategy.
The rank of the risk will dictate the level at which the plan risk responses should be performed. As an example, here, a risk with low severity would not warrant the time it takes to develop a detailed Risk Response Plan.
Risk responses should be cost effective in that, if the cost of the response is more than the consequences of the risk, you might want to exam a different risk response.
Risk responses should also be timely, agreed to by all the project stakeholders, and assigned to an individual risk owner who is responsible for monitoring and carrying out the Risk Response Plan is needed.
Tools and techniques for plan risk responses
The plan risk responses process consists of four tools and techniques, and each one of then the involve the strategy. These tools and techniques are:
- Strategies for negative risks or threats
- Strategies for positive risks or opportunities
- Contingent response strategies
- Expert judgment
Strategies for negative risks or threats
There are four strategies here, avoid, transfer, mitigate, and accept. Accept is a strategy you can use for positive risks or opportunities as well as threats.
To avoid a risk means you will evade it all together by eliminating the cause of the risk event or by changing the project management plan to protect the project objectives from the risk event.
With risk avoidance, you essentially eradicate the risk by eliminating its cause. Risks that occur only in the project might easily be avoided by improving communications, refining requirements, assigning additional resources to project activities, refining the project scope to avoid the risk events, and so on.
The idea behind a risk transfer is to transfer the risk and the consequences of that risk to a third party. The risk has not gone away, but the responsibility for the management of that risk now rests with another party.
Most companies are not willing to take on someone else’s risk without a little cash thrown in for good measure. This strategy will impact the project budget and should be included in the cost estimate exercises if you know you are going to use it.
Transfer of risks can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.
Another method of risk transfer is contract in as this transfers those specific risks to the vendor, depending on the work required by the contract.
The vendor accepts the responsibility for the cost of failure, but again, this does not come without a price. Contractors charge for their services, and depending on the type of contract you negotiate, the cost might be quite high – particularly for a fixed price contract.
Bear in mind that contract in does not cure everything, you may just be swapping one risk for another. You need to weigh your options in cases like this and determine which side of the risk coin your organization can more readily accept.
Other forms of transference include warranties, guarantees, and performance bonds.
When you mitigate a risk, you attempt to reduce the probability of the risk event occurring or reduce impacts to an acceptable level.
This strategy is a lot like defensive driving. You see an obstacle in the road ahead, survey your options, and take the necessary steps to avoid the obstacle and procedures safely on your journey.
The purpose of mitigation is to reduce the probability that the risk will occur and/or reduce the impact of the risk to a level where you can accept the risk and its outcomes.
It is easier to take actions early on that will reduce the probability of a risk event or its consequences, than it is to fix the damage once the risk event has occurred.
Some examples of risk mitigation include performing more tests, using less complicated process is, creating prototypes, and choosing more reliable vendors.