Once the risks are identified and prioritized by doing qualitative and quantitative analysis, the next step is to plan for possible responses for each of them.
Kathy from earlier Landscaping project example, should think about stuff like –
- what if there is torrential downpour on the day jogging tracks are laid?
- what if large amount of exotic plant saplings die within first 2 weeks due to unfavorable soil or weather condition?
- what if the lone designer on the team quits halfway through the project?
In this process you think of ways to reduce threats and enhance opportunities to project objectives.
Where do we start?
The risk register, obviously. That is where all risks are listed. We also look at the risk management plan, which talks about methods of managing risks, responsibilities for people who handle risks, outlines risk budget, defines risk categories, and identifies probability and impact matrix.
How do we go about planning?
What are Secondary risks and Residual risks?
In few cases applying these strategies can lead to introduction of few other risks – these are called secondary risks.
Secondary risks should also be considered and added to the risk register. Usually project management would include a risk contingency reserve. While listing risk responses you would need to see if any of them may possibly invoke this contingency reserve.
Sometimes few risks remain even after figuring out risk responses. These are called residual risks.
Strategies for negative risks or Threats
We saw this briefly in the lesson on introduction to Risk management knowledge area. There are four ways to deal with threats. Let us look at them with an example.
Part of your Dam building project needs building a foot bridge across a stream that goes to the actual Dam. The villagers think the Dam project harms their fields and so oppose it. Your informer says they may be planning to disrupt the bridge work.
How can one deal with it?
- Escalate – some risks will need to be addressed by a source, usually higher in the hierarchy, outside the project organization. Could be the sponsor, senior management, or someone else that needs to be engaged with by the performing organization.
Escalate to your project sponsor, you decide there is nothing you can do about this life threat to your workers. Let the management handle this issue.
- Avoid – change project plan, adjust one or more project objectives such as reducing scope or changing schedule to avoid a risk.
Think of another way to approach the dam, and avoid the bridge proposal.
- Transfer – transfer some or all of the risk, and ownership of response to a third party.
This comes at a premium however. If it is a work that a third party vendor has expertise in, it is wise to sign a contract and transfer the responsibility and risk of the work.
Subcontract a security firm with the clause that if they allow any damage to the bridge project, they’ll end up assuming the cost of damage.
- Mitigate – is about reducing the probability of risk by taking certain actions in advance. It could be measures like adding more tests around the hi-risk areas, making simpler designs, reducing complexity of components, having development checklists, or assigning best resources for developing risky modules/parts.
Talk to the village head, give him some incentive (in a legal way) so he can ensure villagers don’t interrupt the bridge project.
- Accept – at times there is nothing one can do to avoid risk and project management team decides to deal with it if and when it occurs. Passive acceptance would be doing nothing about it at all. Active acceptance would be allocating specific contingency cost, schedule, resource budget for such risks.
Just don’t do anything about it. Go ahead with bridge construction, if the villagers come to disrupt we’ll see how to solve the issue them.
Strategies for positive risks or Opportunities
Taking most benefit from a positive risk, or opportunity, is as important as dealing with negative risks on a project. From overall project perspective such benefits may negate some of the damage caused by risks that do materialize.
A friend tells you about a piece of real estate available for purchase near an upcoming airport project. The total amount to be invested is out of your reach. If you get to invest in it, the price is expected to be doubled every year for next 3-4 years and it makes for a great investment opportunity right now. What would you do?
- Escalate – some opportunities can be converted favorably by someone with higher authority, access to resources, or decision power from outside the project organization.For our example, if the land is too large to even thinking or investing in, but is available at a bargain price then you may want to pass on the information to a builder in your network who stands to gain a great deal with the opportunity. This may not give you returns immediately, but in the long run because the builder owes you a favor now.
- Exploit – plan in such a way that you remove all uncertainties and make sure that this risk happens for sure. Example of exploiting a risk on project could be creating vacancy for getting that star performer who is just coming out of another project.
For our example, take all your savings even take up a loan if necessary. Go for the investment.
- Share – share with a third party and get some of the benefits of this opportunity.
For our example, team up with the friend who can invest partially and two of you together buy that piece of land.
- Enhance – doing all that is possible to increase likelihood of this risk materialization.
For our example, go for aggressive bargain, if possible offer all-cash-deal to get it.
- Accept – just like one of the responses for negative risk, this is just not doing anything actively to pursue the opportunity but being prepared to take the benefit if it materializes.
For our example, show interest but don’t do anything actively. If the seller comes around for your price you will quickly complete the deal before seller changes mind.
What’ll we plan out?
Project plan is updated since risks impact project objectives, risk mitigation strategies may have an impact on these objectives. Hence cost, schedule, quality, procurement, human resource management subsidiary plans might be updated to accommodate risk responses. Cost, Scope and Schedule baselines also might be updated. In some cases updates to work breakdown structure is possible.
Any changes to plans need to go through change control process. Hence after risk planning you may need to call for a meeting with change control board presenting all these changes.
Several documents can possibly be updated including –
- Risk register – all potential responses identified for each risk are added to the risk register. Secondary risks – ones introduced due to application of a risk response – are also added. Residual risks – ones remaining even after applying risk responses – are added too. Risk response owners, their responsibilities, categories, priorities are other data added to the risk register.
- Assumption logs – risk responses will bring in clarity on some of the earlier assumptions
- Change requests – as mentioned earlier changes to project plan or baselines need change requests to be raised and run through change control process
A sample risk registered might look like the one below at this stage –
Figure: Updated Risk Register
Planning responses for risks is the last an exhaustive one. Spending as much time and effort as required on this process would yield rich returns for the project. Knowing that you have all the bases covered, would also give you that much more confidence as a project manager.