Risk Response Planning

Objective

„ Develop options and determine actions

to enhance opportunities and minimize
threats to project objectives.
„ Assign responsibility to individuals or
parties for each risk response.
Criteria for risk response

„ Risk response must be:

‰ Proportional to the severity of the risk.
‰ Cost effective.
‰ Timely.
‰ Realistic.
‰ Accepted by all parties involved.
‰ Owned by a person or a party.
Inputs to Risk Response Planning

1. Risk management plan.

Major elements from the plan needed include roles &
responsibilities, budgets and schedule for risk
management activities, risk categories, definitions of
probability & impact, and the stakeholders’ tolerances.
2. Risk Register
Reference will be made to:
1. List of prioritized risks. from qualitative and quantitative risk
analysis.
2. Probabilistic analysis of the project. from quantitative risk
analysis.
3. Probability of achieving the cost and time objectives.
4. List of potential responses. In the risk identification process,
actions may be identified that respond to individual risks or
categories of risks.
Inputs to Risk Response Planning

5. Risk thresholds. The level of risk that is acceptable to the

organization will influence risk response planning.
6. Risk owners. A list of project stakeholders able to act as owners
of risk responses. Risk owners should be involved in developing
the risk responses.
7. Common risk causes. Several risks may be driven by a common
cause. This situation may reveal opportunities to mitigate two or
more project risks with one generic response.
8. Trends in qualitative and quantitative risk analysis results. Trends
in results can make risk response or further analysis more or less
urgent and important.
9. Watch list of low priority risks.
Tools & Techniques for Response Planning

1. Strategies for negative risks (Threats)

2. Strategies for positive risks (Opportunities)
1. Strategies for negative risks (Threats)

„ Risk Response may be one of several

strategies.
1. Avoid
2. Transfer
3. Mitigate
4. Accept
Risk Avoidance

„ Risk avoidance is done by

‰ changing the project plan to eliminate the
risk or the condition that causes the risk in
order to protect the project objectives from
its impact.
‰ Relaxing the relevant objective (extend the
schedule, reduce specification
requirements, reduce scope)
„ Not all risks can be avoided, but some
may.
Examples of Risk Avoidance

‰ Add resources or time.

‰ Adopt a familiar approach instead of an
innovative one.
‰ Avoid an unfamiliar subcontractor.
‰ Clarify requirements.
‰ Improve communication
‰ Obtain information
‰ Acquire expertise.
‰ Reduce scope to avoid high-risk activities
Risk Transfer
„ Transfer the risk to a third party who will carry the
risk impact and ownership of the response.
„ Risk Transfer is most effective in dealing with
financial risk exposure.
„ Risk transfer nearly always involves payment of a
risk premium to the party acquiring the risk.
Examples of risk transfer are:
‰ The use of insurance, performance bonds,
warranties and guarantees.
‰ Contracts may be used to transfer liability for
specified risks to another party.
„ Use of a fixed price contract may transfer risk to the
seller if the project’s design is stable. A cost
reimbursable contract leaves more of the risk with the
buyer, but it may help reduce cost if there are mid-
project changes.
Risk Mitigation

„ Risk mitigation aims at reducing the probability

and/or impact of a risk to within an
acceptable threshold.
„ The probability/Impact should be mitigated
before the risk takes place. Thus avoiding to
deal with the consequences after the risk had
occurred.
„ Mitigation costs should be appropriate given
the likely impact and probability of the risk.
Examples of Risk mitigation

„ Implementing a new course of action that will reduce the

problem, e.g. adopting less complex processes,
conducting more seismic or engineering tests, or choosing
a more stable supplier.
„ Changing conditions so that the probability of the risk
occurring is reduced, e.g. adding resources or time to the
schedule.
„ Prototype development to reduce the risk of scaling up
from a bench scale model.
„ Where it is not possible to reduce probability, a mitigation
response might address the risk impact by targeting
linkages that determine the impact severity. For example,
designing redundancy into a subsystem may reduce the
impact that results from a failure of the original
component.
Risk Acceptance

Acceptance indicates a decision not to make

any changes to the project plan to deal with a
risk or that a suitable response strategy cannot be
identified. This strategy can be used for both
negative and positive risks
There are two types of acceptance:
‰ Active acceptance: may include developing a
contingency plan to execute should a risk occurs.
‰ Passive acceptance: requires no action. The
project team will deal with the risk as it occurs.
Risk Acceptance

„ A contingency plan is developed in advance to

respond to risks that arise during the project.
Planning would reduce the cost of an action
should the risk occur. Risk triggers, such as missing
intermediate milestones, should be defined and
tracked.
„ The most usual risk acceptance response is to
establish a contingency allowance, or reserve,
including amounts of time, money or resources to
account for known risks. The allowance should be
determined by the impacts, computed at an
acceptable level of risk exposure, for the risks that
have been accepted.
2. Strategies for positive risks (Opportunities)

„ Strategies for positive risks are:

1. Exploit
2. Share
3. enhance
Exploit the opportunity

„ Ensure that the risk event happens by

eliminating the uncertainty. to take
advantage of the opportunity. Examples:
assign qualified personnel, select an
appropriate project delivery, provide
better quality.
Share the risk

„ Allocate ownership to a third party who

has a better chance of achieving the
required results. Examples: joint ventures,
partnerships, rewards.
Enhance

„ Increase the likelihood of occurrence or

the impact of the of the event
‰ Improve chances for the event to happen so
the opportunity becomes more certain
‰ Consider how the impact can be increased
and choose a course of action that in the
increased impact
Accept the risk

„ See slide on Risk Acceptance

Outputs from Risk Response Planning
1. Risk Register Updates
The risk register is updated to reflect the results of the
response planning process. Level of detail of
documenting a risk should be appropriate to the
ranking of the risk (high risks in detail, low risks by
listing)
Risk Register Content
Items in the risk register
‰ Identified risks, their description, the area of the project (e.g. WBS
element) affected, their causes and how they may affect project
objectives.
‰ Risk owners and assigned responsibilities.
‰ Results from the qualitative and quantitative risk analysis processes.
‰ Agreed response strategies
‰ Specific actions to implement the response plan.
‰ Budget and schedule activities for responses.
‰ Symptoms and warning signs for risks’ occurrence
‰ Contingency plans with triggers
‰ Contingency reserves.
‰ Fallback plan for when risk occurs and original response is
inadequate
‰ Residual risks expected to be remaining after the strategy is
implemented and accepted risks
‰ Secondary risks arising directly from implementing a risk response
Results from Risk Response Planning

2. Project Management Plan Updates

The project management plan is updated to
incorporate response activities including
reflecting impact on cost and schedule.
3. Contractual agreements.
Contractual agreements are prepared to
specify each party’s responsibility for specific
risks, should they occur. This include
agreements for insurance, services, and other
items as appropriate in order to avoid or
mitigate threats.