Risk Response Plans

All projects have risks, but you can manage these risks using risk response plans.

Risk response plans contain the strategy to manage each risk. These risk response strategies are a vital part of the risk management plan, and the risk management plan is a subsidiary plan to the project management plan.

The plan risk response process is the key to successful project completion.

Before we delve deeper, let us understand risk and risk management.

A risk is an unplanned event that, if it occurs, can positively or negatively affect one or more project objectives.

Risk management helps you manage risk and complete the project with minimal obstructions.

Risk management requires five processes as follows:

  1. Risk Identification
  2. Risk Analysis
  3. Response Strategy Development
  4. Risk Response Implementation
  5. Risk Monitoring and Control

Read my blog post on the five risk management steps to learn more about it.

Risk Response Plans

Risk response is a process of managing a risk when it occurs. The response is defined in the risk response plans.

Risk response plans include a detailed strategy to manage risks. It includes strategies and specific actions to mitigate or avoid negative risks and to realize positive ones.

While developing the risk response plans, you will focus more on high-impact or high-probability risks. You will keep the low-probability or low-impact risks on the watchlist.

A risk response plan is a key process in risk management and a part of a risk management plan.

A risk response plan is the same as a risk response strategy, and it depends on the risk tolerance or risk attitude of your project stakeholders.

Types of Risk Response Plans

A risk response plan can be a contingency plan or a fallback plan.

You can use a contingency plan when a risk occurs. If this plan fails to manage the risk, then you can implement the fallback plan.

Note that the contingency reserve is for identified risks; you will use the management reserve if any unidentified risk occurs.

Risk responses are different for negative and positive risks. Negative risks are known as threats or hazards, and positive risks are known as opportunities.

The strategy for threats is to avoid or mitigate the impact or probability of a risk occurring. The strategy for opportunities is to increase the impact or probabilities of opportunities so they can be realized.

The five strategies to manage negative risks are as follows:

  1. Avoid
  2. Mitigation
  3. Transfer
  4. Accept
  5. Escalate

Avoid

In this risk response strategy, you remove the risk by any means. This may require a change in the project plan or scope as the risk can be too detrimental to the project.

By avoiding the risk, you prevent potential negative consequences of the risk.

While avoiding risks is an effective strategy, it is not always practical for a project team to use this response. In some cases, risks are inherent, and you cannot eliminate them.

Example of an Avoidance Risk Response Plan

Risk: The supply chain can be disrupted due to over-reliance on a single-source supplier for a critical component.

Avoidance Strategy: The project manager modifies the component’s specification to purchase it from multiple sources to avoid this risk. Afterward, the project manager contacts several suppliers to provide the component in case the primary supplier fails to deliver it.

This avoids the impact of possible disruption.

Mitigation

A mitigation risk response strategy is a proactive approach to reduce the impact of the risk or its probability of occurring.

Instead of eliminating risks, you implement measures to minimize the likelihood of risks occurring or to lessen their potential negative consequences. 

Risk mitigation does not eliminate risks but reduces their likelihood or impact.

Example of a Mitigation Risk Response Plan

Risk: Cybersecurity threat and data theft for an IT company

Mitigation Strategy: The project manager decides to install a robust firewall, antivirus, and anti-hacking software to mitigate the impact of risk.

Transfer

Here you transfer the responsibility to manage the risk to a third party. Once the risk occurs, the third party will take care of it.

This strategy reduces your project’s exposure to risk by sharing or outsourcing it to another entity better equipped to deal with the risk.

While risk transfer is an effective strategy, it does not eliminate the risk. It only shifts the responsibility or financial burden associated with the risk to another party. You must carefully assess the terms and conditions of the transfer, such as insurance coverage limits, deductibles, and the financial stability of the third party involved.

Some examples of transfer risk response strategies are insurance, performance bank guarantees, performance bonds, contracts, guarantees, and warranties.

Example of a Transfer Risk Response Plan

Risk: Chance of flood

Transfer Strategy: There is only a remote chance of flood; however, it will greatly impact the project if it occurs. Therefore, the project manager decides to contact an insurance company and buy insurance coverage for the flood risk. If the risk occurs, the insurance company will handle it.

Accept

In an accept risk response plan, you will document the risk in the risk register but won’t act upon it; instead, you will accept the risk. This risk response strategy is used for low-level risks. Once the risk occurs, you manage it by using a workaround.

You can choose this strategy in one of two instances: (1) when the cost or effort required to address the risk outweighs the impact; or (2) when the risk is within its acceptable threshold.

Risk acceptance is not ignoring or neglecting risks. It is a decision based on a thorough understanding of the risks and their impact. You must assess the implications of accepting risk and have appropriate mechanisms in place to monitor and respond to any adverse events that may occur.

Risk acceptance can be either active acceptance or passive acceptance.

In active acceptance, you record the risk and set aside a reserve to manage the risk. For passive acceptance, you record the risks on the risk register and take no further action.

Example of Accept Risk Response Plan

Risk: Delay in product launch due to delay in client approval

Accept Strategy: The risk of client approval delay is very low because the longer the client delays approval, the worse the outcome will be for them. Therefore, with an acceptance strategy, all you must do is make a note of the risk in the risk register.

Escalate

Sometimes a project manager can’t manage the risk as it is outside their expertise, authority, or scope of work. In this case, they will ask higher authorities such as the PMO to take care of the risk.

This risk response strategy involves raising the awareness and attention of higher-level management or relevant project stakeholders regarding a particular risk.

The escalate risk response strategy is useful for risks that pose significant threats or have wide-ranging impacts beyond your capabilities. By raising the risks to higher management, you can ensure that risks receive the necessary attention and resources for effective mitigation.

Example of Escalate Risk Response Plan

Risk: A major quality issue in the approved project management process

Escalate Strategy: Since the management has already approved the process, you cannot amend it. Therefore, you must escalate the issue to management so that they can amend the process to avoid quality issues.

Five strategies to manage positive risks are as follows:

  1. Enhance
  2. Exploit
  3. Share
  4. Accept
  5. Escalate

Enhance

Here you increase the impact of risk or its chance of occurring. You are trying to realize the opportunity.

This strategy involves taking proactive actions to increase the probability of positive outcomes to get the benefit of risks. Instead of simply accepting or passively responding to risks, you actively seek to capitalize on positive risks.

Before implementing this strategy, you should carefully evaluate the risks, benefits, and available resources.

Example of Enhance Risk Response Plan

Risk: If you complete the project early, you will get another project

Enhance Strategy: To complete the project early, you can use fast tracking and run some tasks in parallel to shorten the schedule. Here, you are only trying to realize the opportunity.

Exploit

Here you add all your resources to ensure that you realize the opportunity.

Instead of merely accepting or passively responding to positive risks, you proactively take action to get this opportunity for strategic advantage.

Since you are using additional resources to ensure opportunity realization, you must properly evaluate the benefits of risks and resource requirements before implementing this strategy.

Example of an Exploit Risk Response Plan

Risk: If you complete the project early, you will get another project

Exploit Strategy: To complete the project early, you can use the crashing technique to run some tasks in parallel, work overtime, and bring in more resources.

Share

The sharing strategy involves collaborating with a second party to share a joint opportunity if you can’t realize the opportunity on your own.

In this strategy, you team up with another party to jointly share the opportunities. Usually, the other party belongs to a different niche or industry than you, and they do not possess your skills or expertise in your niche or industry either. Thus, you learn from each other.

It is a win-win situation for both parties.

Example of Share Risk Response Plan

Risk: You will get a better discount if you buy a consumable in huge quantity.

Share Strategy: If you cannot afford to buy a huge quantity of consumables on your own, you can team up with another partner and place a joint order for the consumables to get the discount.

Accept

In this risk response plan, you document the risk in the risk register but won’t act. You accept the risk. Once the risk occurs, you will realize the benefits.

You would choose the acceptance strategy when the cost or effort required to address the risk outweighs the impact.

You must assess the impact of risk acceptance and have suitable plans to monitor and respond to any adverse events that may occur.

Example of Accept Risk Response Plan

Risk: A proposed change in government regulation can allow you to use cheaper materials for your project

Accept Strategy: Since the proposal is in the government’s hands, there is nothing you can do except note the changed regulation in the risk register.

Escalate

Sometimes, a project manager can’t manage risk, as it is outside their authority or scope of work. In this case, they will ask higher authorities (e.g., the PMO) to take care of the risk instead.

The escalation risk response strategy makes upper management aware of a particular risk.

The escalate risk response strategy is useful for risks that provide significant benefits or have wide-ranging positive impacts beyond the capabilities of the risk management team. By raising the risks to higher management, you can ensure that risks receive the necessary attention.

Example of Escalate Risk Response Plan

Risk: A change in quality management procedure can save money

Escalate Strategy: Since the quality procedure is organization-wide and has already been approved by the management, you cannot make any changes yourself. Therefore, you must approach management to amend the procedure and realize the benefits.

The Importance of Risk Response Plans in Project Management

A risk response plan is essential for managing risks. If any risk occurs and you don’t have a plan to manage it, the impact of the risk can be severe, and planning a response after the risk has occurred will affect your project baseline and other project objectives.

It can affect your project timeline, project budget, employee morale, etc.

A risk response plan monitors trigger conditions and eliminates or mitigates risks when they occur. It does not affect your baseline because the response has already been factored into the project plan.

The risk response plan includes contingency and fallback plans to manage risk at all costs.

Also, a response plan can help uncover more risks not identified during the risk identification process.

A risk response plan also helps determine the contingency and management reserves that help you develop a robust cost and schedule baseline.

How to Develop a Risk Response Plan

After identifying project risks, you will analyze them qualitatively and quantitatively and prioritize them.

You should develop risk response plans for mid-tier risks and monitor low-tier risks using the risk register. If the low-tier risks become mid-tier or high-tier, you can develop a risk response plan at that time. Otherwise, you will manage them using a workaround if they occur.

For low-level risks, you will usually use the accept risk response strategy.

If the risks are too critical and severely affect your project objectives, you will try to avoid them. If that is impossible, you can go for insurance or the mitigate risk response strategy.

If you want to realize positive risks, you will go for the enhance strategy, but if you must realize them, you will go for the exploit risk response strategy.

However, if realizing the responsibility is beyond your capability, you will share it with a third party to collectively realize it.

You will use the escalate risk response plan if you lack the authority to manage the risk.

Consequences of Risk Response Plans

Risk response plans often do not avoid or mitigate the risk completely. There are some side effects.

If a risk remains even after implementing the risk response plan, it is called a residual risk. You will develop a risk response plan if a residual risk exceeds the threshold. However, you will record them in the risk register under the watch list if they are below the threshold. 

Sometimes a response plan causes another risk. These risks are called secondary risks. You will again qualify this risk and develop a risk response plan if required.

Implementing Risk Response Plans

Every risk has a risk response plan and an assigned risk owner. This risk owner will keep watching for risk triggers, and once one occurs, they will implement the risk response plan.

For larger projects, you can have a risk-action owner. In this case, once the trigger occurs, the risk owner will inform the risk-action owner, who will implement the risk response plan and update the risk owner, and then the risk owner will update the risk register.

The risk owner will update the risk register if any identified risk does not occur.

Summary

A risk response plan is a vital part of a risk management plan. A systematic approach can help you minimize negative impacts and capitalize on opportunities.

By using a risk response plan, organizations can make informed decisions, allocate resources efficiently, and prioritize their efforts to address high-priority risks. Risk response plans ensure that risks are identified, acknowledged, and managed to protect the project objectives.

Risk response plans are dynamic and require regular updates and refinements, according to current and new information. You can enhance your risk management capabilities by continuously improving the risk response plan based on feedback and new information.

Fahad Usmani, PMP

I am Mohammad Fahad Usmani, B.E. PMP, PMI-RMP. I have been blogging on project management topics since 2011. To date, thousands of professionals have passed the PMP exam using my resources.