In my last article: Successful Response Planning in Risk Management, you learned the basics of response planning in project risk management. Now you have to define the appropriate risk response strategy for the identified risks. With this strategy, you then react to your risks with effective actions. In this article you will learn about the different risk response strategies, how they work and how to use them best. Read on and learn more!
Which Risk Response Strategy Is the Right One?
After you and the project team have identified the risks of your project, the next step is to determine the most appropriate risk response strategy. Risk response strategy may sound complicated to you. But it is not! The nature of your project risks will be very different. When planning actions, the first step is to determine which risk response strategy is the most appropriate for the risk in question. The risk response strategy defines what you want to achieve with the actions. The following figure shows you the different risk response strategies.
With this strategy, you eliminate the danger of a risk by eliminating the cause of the risk or reducing the probability of the risk occurring to zero. An obvious way to do this is not to perform an activity that carries a risk. This can be achieved by clever rescheduling or, for example, by omitting a functionality of the product that carries a high risk.
Avoiding risks seems to be the best strategy for all risks. However, you should note that avoiding risks may also mean losing potential profits that you would have if you took the risks.
Avoiding risks is not always the best strategy.
Some risks can be avoided at the beginning of the project by clearly defining the project objectives and requirements. Also a comprehensive information gathering, clear communication and involvement of relevant stakeholders helps to eliminate risks.
Other possibilities are: Reduce the project scope to avoid high risk activities, plan additional resources and time or avoid unreliable suppliers. Every eliminated risk is a success!
With this strategy, you take actions that reduce the probability and/or impact of the risk. The actions can either act on the cause of the risk (cause-related risk reduction) or have a direct effect on the risk (effect-related risk reduction).
Cause-related measures include, for example, coaching measures for the project manager or more intensive testing of the software at an earlier stage of the project.
Effect-related risk reduction can be further subdivided into damage limitation and damage precaution. Effect-related measures include, for example, special safety systems that immediately switch off certain parts of the system in an emergency (damage precaution) or sprinkler systems in buildings that limit the damage as far as possible (damage limitation).
Other typical actions to reduce risks are safety belts and airbags in cars. These have the function of preventing or reducing injuries in the event of an accident. However, there are voices that say that this gives drivers a false sense of security. In this case, it is better to take actions so that the drivers do not cause an accident. This means treating the cause rather than the effect (cause-related risk reduction). One action for this would be an anti-skidding course, so that the driver learns to control his vehicle better.
Transferring risks means that you transfer the risk with all possible consequences and the responsibility for mitigation actions to third parties who can manage the risk better than you can. This could be an insurance company or a subcontractor, for example.
Transferring risks makes sense for risks with direct financial consequences. This usually costs a premium. For example, the subcontractor calculates a risk surcharge in his calculation or the insurance company charges an insurance premium.
Risks are also often transferred in contractual clauses, such as in the case of liability or limitation of liability or in the case of guarantees or fixed-price contracts. However, transferring risks to subcontractors can be problematic in certain cases because you are dependent on the subcontractor. If the subcontractor does not have the risk under control, you may suffer as well. Therefore it is often better to have the risks under your own control.
It is often better to have the risks under your own control than to transfer them to others.
“When it happens, it happens”. After a detailed evaluation, the project team decided to accept the risk, i.e. to bear the risk itself and not to take any action. Taking risks yourself is a sensible strategy, for example for small risks—but also for risks where the action (e.g. insurance) would be more expensive than the potential damage would cost if it occurred.
It could also be that actions generate too many secondary risks and are therefore out of the question. Actively accepting means that the project team will still prepare a contingency plan in case the risk occurs. Passive Acceptance means that nothing is done at all. If it happens, we will take the damage.
Contingency Strategy: You will not find this strategy in the figure above. In the case of certain risks, it can be useful for the project team to define actions that are only initiated under certain predefined conditions (triggers) that announce the occurrence of the risk.
The contingency strategy is used, for example, when it is assumed that there is sufficient warning before the action plan is implemented. Here you define events (such as missed interim milestones, passed laws or bad weather forecasts) that you monitor continuously, which then trigger the actions.
This risk management strategy is often referred to as a contingency plan or fallback plan, but in my opinion this is not quite correct. More information about the fallback plan can be found in this article: The Fallback Plan – When Actions for Risks Are Not Effective.
The PMBOK® 6th Edition describes with “Escalating” yet another risk management strategy, which I have not listed so far and which I do not consider as one. However, you should know it anyway.
Escalating: This strategy is used when the project team identifies risks that lie outside the scope of the project or when the defined action is outside the authority of the project manager. Escalated risks are then managed at the program or portfolio level or at another relevant point in the organization.
What Determines Your Risk Response Strategy?
Your risk response strategy depends, among other things, on the nature of the risk, the framework conditions and the restrictions to which your project is exposed—but also on the options available to you. Another important point is your risk appetite and your risk tolerance (or that of your company).
More about Risk Appetite:
If you choose a risk response strategy, it is also useful to examine alternative strategies. The PMBOK® describes the:
Alternative Analysis, in which the characteristics and requirements of alternative risk response strategies are compared with each other—with the aim of deciding on the most suitable strategy.
Cost-Benefit Analysis: If the effects of a risk can be quantified in monetary terms, then the cost-effectiveness of alternative risk response strategies can be determined by means of a cost-benefit analysis. The ratio of (change in impact level) divided by (implementation costs) gives the cost-effectiveness of the response strategy, with a higher ratio indicating a more effective strategy.
Here You Can Find Even More Knowledge
This was an overview about the different risk response strategies. What are your experiences with risk response strategies? Do you agree with my statements in this article or do you have a different opinion? Share your experience with the readers with a commentary so that we all get to know another view. Thank you!
Would you like to learn more about how to make your projects more successful with Project Risk Management? My book Project Risk Management – Practical Guide takes you an important step further!!
Do you know somebody who might be interested in this article? Then simply forward it or share it. Thank you!