Risk and uncertainty differ in definition: uncertainty is the absence of information required to make a decision. In order to manage risk and uncertainty it is important to understand the four elements of the risk management process: identifying, assessing, responding to and controlling the risk events and their sources. After the risks at hand in the project have been identified and assessed, developing a strategic response enables the proper action for the uncertainty of the outcome, whether the risk poses a threat to the project that has to be mitigated or is an opportunity to exploit. This article gives an overview of the planning, strategies and tools for the risk response process. The project benefits from addressing risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed [1].


Plan risk responses

Steps of plan risk responses

In order to fully understand risk responses and strategies to deal with threats or turn chances into opportunities, it is vital to be familiar with the concept of risk management. Risk management is the overall response to an event that has an outcome, either positive and in favor of the project, or negative and thus posing a threat to project objectives such as scope, schedule, cost or quality[1]. According to the Project Management Institute (2013), the purpose of risk management in projects is “to identify and prioritize risks in advance of their occurrence and provide action-oriented information to project managers.” Risk has a source, and its origins can be traced to the uncertainty that is present on all projects[1]. Risk and uncertainty differ in definition: uncertainty is the absence of information required to make a decision. Risk in theory could be described as the variation from an expected value, negative or positive. Once the risk event happens, the uncertainty disappears: if the risk was a threat, it becomes an existing problem, and if the risk was an opportunity, it becomes a benefit. Decisions are made to eliminate risks and, with sufficient knowledge of possible risks, to turn them into chances, thus introducing risk management. In order to respond appropriately to the risk at hand, the risk source and the probability of the event happening must be known.

Identify risks

Identifying the risks is generally considered to be the first step in the process of planning the risk responses. It is obvious that no action can be taken on a risk that has not been identified. From a stakeholder’s point of view, the identification of risks can be done by stakeholders, contractors, consultants and other representatives of the project but should explicitly be handled by all project management personnel and project team members, and should be documented as[2]:

  • Statement of work (SOW)
  • Work breakdown structure (WBS)
  • Budget
  • Schedule
  • Acquisition plan
  • Execution plan

The identification process of possible risks is iterative, that is, it repeats itself throughout the whole project lifetime. A few common techniques to gather possible risks are[3]:

  • Historical review: with experience and review of the past, of similar organizations and of similar projects, risks can be expected and identified with e.g. checklists.
  • Current assessment: the current project is analyzed and possible risks are identified based on examination and e.g. assumptions analysis.
  • Creativity techniques: methods that draw on the capability of the personnel to think of possible risks, such as brainstorming of ideas and SWOT analysis.

Risk register

After the identification process, it is vital to register the risks that have been identified. The risks are put into a document called the risk register, which is a vital baseline for the risk management process. It contains both the identified risks and the potential responses to those risks. The risk register is a part of the risk identification process; risks must be put forth in it in a detailed and described manner, and it will be used in the risk response planning[3].


With the risk register taking shape, it is necessary to assess the risks that have been identified in order to evaluate their impact on the project. By assessing the risks it is possible to prioritize them based on their characteristics. Two forms of assessment are used to analyze risks[1]:

  • Qualitative risk assessment: is used to prioritize the identified risks by combining their probability of occurrence and impact on the project. Risk probability and impact can be assessed in interviews with experts or persons familiar with the risk. A common method for categorizing risks by their possible threat is the probability and impact matrix. The probability and impact matrix guides the project management as to what extent of risk response and monitoring is appropriate.
  • Quantitative risk assessment: is used to numerically estimate the effect of the risk on the overall project goals. After prioritizing the risks with qualitative methods, the quantitative risk assessment is made. It can be desirable to make such a numerical estimation of the identified risk to quantify its effect on the project[1]. This estimation can be a basis for decision making and response planning, such as deciding whether the project is feasible to execute, and for setting contingency and priorities for risk mitigation[2]. Examples of quantitative methods are sensitivity analysis, Expected Monetary Value analysis and Monte Carlo simulations.
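The two assessments can be carried through on a small risk register as follows. This is an added example, not taken from the article or from the Project Management Institute; the register entries, the 1-5 rating scales, the band thresholds and the use of summed threat EMV as a contingency figure are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    kind: str            # "threat" or "opportunity"
    prob_rating: int     # qualitative: 1 (rare) .. 5 (almost certain)
    impact_rating: int   # qualitative: 1 (negligible) .. 5 (very large)
    probability: float   # quantitative estimate, 0..1
    impact: float        # monetary effect if it occurs: cost > 0, gain < 0

# Constructed sample register (all names and values are illustrative).
REGISTER = [
    Risk("Minor rework after review", "threat", 3, 1, 0.5, 4_000),
    Risk("New tooling shortens testing", "opportunity", 3, 3, 0.25, -20_000),
    Risk("Key supplier delivers late", "threat", 4, 4, 0.5, 40_000),
    Risk("Permit approval delayed", "threat", 2, 5, 0.25, 60_000),
]

def score(risk):
    """Cell value in the probability and impact matrix."""
    return risk.prob_rating * risk.impact_rating

def band(risk):
    """Map a matrix score to a priority band (thresholds are assumptions)."""
    s = score(risk)
    if s >= 15:
        return "high"
    return "medium" if s >= 6 else "low"

def prioritize(register):
    """Qualitative step: order the register by matrix score, highest first."""
    return sorted(register, key=score, reverse=True)

def emv(risk):
    """Quantitative step: Expected Monetary Value = probability x impact."""
    return risk.probability * risk.impact

def project_emv(register):
    """Net expected effect; opportunities offset threats."""
    return sum(emv(r) for r in register)

def contingency_reserve(register):
    """One simple basis for contingency: the summed EMV of threats only."""
    return sum(emv(r) for r in register if r.kind == "threat")

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{band(r):<6} {score(r):>2}  EMV {emv(r):>9,.0f}  {r.name}")
    print("Project EMV:", project_emv(REGISTER))
    print("Contingency reserve:", contingency_reserve(REGISTER))
```

The ranking from the matrix and the ranking by EMV need not agree, which is why the quantitative step follows the qualitative one rather than replacing it.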

Risk response strategies

With the risk register documenting all the possible risks that have been identified and assessed, it is appropriate to develop the action of responding to the risks. The management then has to decide, with the range of responses available, what level of risk is acceptable for the project[4]. Whether the risk is a threat or an opportunity, it must be considered strategically so that it does not become a problem or a missed benefit. The project manager should be responsible for developing the strategy for the risk but should include the stakeholders to agree on the response. The Project Management Institute (2013) suggests the following four strategies for the risk responses to threats and opportunities on the project:

Table 1: Risk response strategies

For threats

  • Avoid: Risk can be avoided by eliminating the threat from the project or changing the project management plan so that the project reaches its goals. This could include a change of schedule or resources. Even though this is not applicable to every risk situation, because of time consumption or other reasons, it should be considered the first strategic option.
  • Transfer: It is a strategic plan to transfer the risk to a third party, finding another party who is willing to take the risk for the payment of a premium. This does not eliminate the risk but transfers the responsibility and ownership of the risk to someone that is able to handle it effectively.
  • Mitigate: Certain risks cannot be eliminated. With early interference in a risk it is possible to lower the risk probability to an acceptable threshold for the project, taking early action instead of keeping the possibility of the risk.
  • Acceptance: This strategy is applied when there is no other strategy applicable. No action is taken until the risk occurs. This means that the project team has decided not to change the project management plan since it is not possible to change the impact or the team is unable to identify another strategy. This can lead to contingency plans being initiated.

For opportunities

  • Exploit: It is a strategy to exploit risks that have positive impacts on the project. By eliminating the uncertainty that is associated with the risk, the opportunity becomes clear. This can mean adding work or changing the scope of the project. An example would be exploiting technological options for the benefit of the project.
  • Share: A risk is shared through a mutual agreement to maximize the benefits of the opportunity for the project, allocating the ownership of an opportunity to a third party. Examples would be forming joint ventures or risk-sharing partnerships. It is similar to the transfer of threats, where the benefit of a third party is used.
  • Enhance: This response is the increasing of the probability, or the impact, of the opportunity at hand, thus maximizing the benefit for the project. It has similarities to mitigating a risk.
  • Accept: Accepting an opportunity simply means that the project management is willing to accept the benefit of it without having to pursue it.

Contingency plans can be activated if a certain risk event occurs. There is an appropriate response plan that would only be executed under specific conditions if the situation suggests there is sufficient warning to implement the plan[1].

Expert judgement can include seeking advice and consultancy from experts or knowledgeable parties on actions taken on a certain risk event. It is frequently used to support decision making in different areas. It can raise questions about the quality and accuracy of the results obtained. In situations where little or no information is accessible, expert judgement can be the only source of good and valuable information on which to base the assessment of action[5].

Another important strategy would be to delay the important decision. With time the available knowledge and information would increase.

Inputs and outputs of plan risk responses

Tools for risk responses

For the use of the strategies and the implementation of the response actions, there are four categories of tools and techniques mentioned in the Project Management Institute guide (2009):

  • Creativity tools to identify potential responses.
  • Decision-support tools for determining the optimal potential response.
  • Strategy implementation techniques designed to turn a strategy into action.
  • Tools to transfer control to the Monitor and Control Risks process.

The sets of tools available to the project manager can be used to select the proper response and implement the strategy to turn it into action, using the following procedures as recommended by the Project Management Institute (2013):

Identify the proper response: Risk response planning is based on information available and should be subjected to expert opinions to decide the optimal response. Using available creativity techniques should be considered to evaluate all possible options. Techniques of project planning and execution should be used to evaluate the outcome and effects of the selected response.

Response selection: After identifying the proper responses to the risk, more than one possibility can be available. Some decision support techniques can be applied in order to select the optimal response from the set of possibilities. Thought has to go into the cost of the procedure and the effects it could have on the future of the project. There is uncertainty attached to the outcome, so the risk identification process and quantitative methods should be applied to the selected strategy, and the iterative process continues until all identified risks are under an acceptable threshold.

Action planning: Using the project planning tools available to the project manager, the selected strategy is turned into action with the corresponding change of the project management plan. The plans could be either unconditioned or conditioned on certain warnings that could trigger a contingency plan.

Ownership and responsibility: The identified risk and the response should be attached to an owner for monitoring purposes. This ensures that the risk response is carried out in an effective manner.

After undergoing the procedures of the risk response planning, it is vital to update all documents regarding the project management plan. The risk register should be updated, and information provided in detail. The corresponding responses have effects on the project management plan regarding costs, resources, scheduling details and the overall project documentation[3].

Risk response review

The response process, as mentioned above, can in the end be a mix of strategies and actions and is different for each risk. With the help of tools such as decision tree analysis, the decision maker's final answer is supported. But as this article has reviewed, the uncertainty attached to risks is unpredictable, and backup plans such as contingency and fallback plans could be developed to respond to uncontrollable situations. Reviewing the risk response strategy and the implementation is an iterative process. Several strategies are recommended for the process[6]:

Risk reassessment – Should be performed regularly for the ongoing responses and is a part of the monitoring of the risk that could also lead to the identification of new risks.

Risk audits – The process of examining the selected responses and the overall effectiveness of the risk management plan. It is the responsibility of the project manager to perform the risk audits on the appropriate occasions in a clearly defined manner as included in the risk management plan.

Variance and trend analysis – Using the information obtained during the response implementation, it is possible to compare the actual results to the planned results to monitor the execution and its trends. This can reveal variance and support forecasting the change in plan for cost and schedule.

Reserve analysis – During the contingency plan, the remaining funds should be compared regularly to the possible remaining effect of the risk to determine if the remaining funds cover the actual cost of the event.

Status meeting – During the whole project life cycle, the project manager should have scheduled meetings to review and discuss identified and possible risks as a part of the iterative process of risk management.


The point of planned risk responses, and risk management in general, is to try to expect the unexpected and prepare for different outcomes. Accidents occur no matter how much we prepare for them. Planning the response strategy or action aids the decision making; it doesn’t make the decision. It is up to the decision maker to select the response according to his judgement with the help of the tools and information available to him. Human beings tend to be biased in their nature, and decisions are made with prejudice for the available information. Cognitive biases can only add to the uncertainty in a project. Some biases worth mentioning are:

Optimism bias: This is a form of biased judgement when the decision maker is overly optimistic about the outcome of the response and underestimates the possible bad outcome. This is referred to as wishful thinking or overconfidence in decision making[7].

Loss aversion: This is when the project manager is risk averse and thinks more about how to avoid failure rather than concentrating on success. This can refer to the term anchoring, when the first estimate of an outcome is anchored, and new information is used to adjust the first estimation rather than reevaluate[8]. This can be when the project manager anchors to the first estimation of the time and budget on the project.

Confirmation bias: This refers to when the project manager seeks out and interprets only information that confirms his prior perceptions[7], selecting the information that suits his beliefs.

Availability: The availability bias is when the project manager makes decisions on the future of the project based on his previous experience rather than using the information and probability distribution of the event. Project managers can base their decisions on their recent work even though the outcome of those decisions might have been out of pure luck[8].

Risk management plans can be costly to implement and in the end, they could have little or no effect on the impact of the outcome. It is in the project manager's role and interest to make use of unclouded judgement and the tools at his disposal to make informed decisions for the benefit of the project.

Further reading

  • Project Management Institute (2013) Project risk management. Project Management Institute, Inc.

Project Risk Management includes the processes of conducting risk management planning, identification, analysis, response planning, and controlling risk on a project. Project Management Institute practice standards are in general guides to the use of a tool, technique, or process identified in the Project Management Body of Knowledge (PMBOK® Guide – Fifth Edition).

  • Chatzipanos, P. A. & Giotis, T. (2014) Cognitive biases as project & program complexity enhancers: the Astypalea project.

This paper tries to illustrate the role of cognitive biases as complexity enhancers in programs and projects.

  • Strang, K. D., Korstanje, M. E., & Vajjhala, N. (2018) Research, Practices, and Innovations in Global Risk and Contingency Management. Hershey, PA: IGI Global.

This newly released book provides a discussion of risk management and perception. It includes a number of research studies and case studies in the field of risk management.

  • Hopkin, P. (2013) Risk Management. Publisher: Kogan Page.

In this book, Paul Hopkin tries to explain the theory of risk management in a simplified manner. Chapter 3 focuses solely on different risk responses and their importance.


