As you should know for the PMP Certification Exam, the risk management plan defines the thresholds and probability and impact combinations that require action. You use this information along with the information in the risk register to begin developing responses.
The four categories for negative risk responses are
Risk avoidance. A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact.
Risk transference. A risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response.
Risk mitigation. A risk response strategy whereby the project team acts to reduce the probability of occurrence or impact of a risk.
Risk acceptance. A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.
When avoiding a risk, you’re taking actions that eliminate the threat. For instance, if you have uncertainty associated with a deliverable, you can do more research to eliminate the uncertainty. If you have multiple schedule risks, you can extend the schedule to avoid the schedule constraint putting the delivery date at risk.
Transferring risk usually equates to spending money to give the risk management to another party. This can include insurance and contracts. Consider an insurance policy: You pay an insurer to absorb the financial risk of an uncertain event. If the event occurs, it is still your problem.
The same is true for transferring risk to a vendor, who might be better qualified to manage the risk. If the vendor isn’t effective, though, you’re still on the hook for the result.
Mitigation tries to reduce or eliminate the probability of an event occurring, or the impact if it does. You can do iterative development and prototyping, run additional tests, or have redundant systems to mitigate the probability of an event or the impact of the event.
Acceptance can be passive: In other words, you do nothing. If the event occurs, you deal with it in the moment. Acceptance can also be active: For example, you can have a contingency plan. If the event occurs, you take specified actions.
Opportunity management
There is a completely different set of responses for opportunities.
Opportunity. A risk that will have a positive effect on one or more project objectives.
Identifying opportunities
You can use the same techniques for identifying opportunities as you do for identifying threats. Here are some examples of opportunities:
Because Joanne is being replaced, there is an opportunity to have John work on our project. John has a higher skill set than Joanne, so you can complete the work ten days early.
By combining an order for supplies with other projects and departments in the organization, you can reduce the cost by 15%.
Opportunity analysis
You then list those opportunities in the risk register and perform a probability and impact assessment on them. The impact looks at the objective it affects and the degree of impact. You can use a mirror approach to your probability and impact matrix for risks. When ranking opportunities, look for those opportunities with the highest impact and the highest probability and rank those at the top of the list.
Opportunity responses
Here are the four responses for opportunities, a description of each, and an example of how they can be applied:
Exploit. Take steps to ensure that it’s realized. This is the counterpart to avoiding a risk. If you wanted to exploit the opportunity to save money on supplies, you would approach the other project managers and functional managers to coordinate ordering and purchasing. By taking the initiative and moving ahead, you are ensuring that you will benefit from the opportunity.
Share. You share an opportunity when you don’t have the ability to take advantage of the situation yourself. You find someone to work with to be able to reap the rewards. This is the counterpart to risk transfer.
For example, if your company wanted to bid on a contract because it’s a good fit for the engineering aspect of the contract but weak in the construction aspect, your company could approach a construction firm and offer to partner with it on the bid.
Enhance. Increase the probability that the opportunity will occur, or the benefit (impact) if it does. This is similar to mitigating a risk. Using the earlier hypothetical opportunity of replacing Joanne with John, you could approach John’s manager directly and see about negotiating for him. This proactive approach will improve your chances of obtaining John, although it won’t guarantee them.
Accept. This is the same for opportunities and risks. This is a passive approach. If the opportunity presents itself, you will take advantage of it, but you are not proactively pursuing the opportunity.
More information about risk responses
As you go through the risk register to develop responses and assign an accountable person to manage them, you will discover that you should apply multiple responses to certain risks. For example, you might transfer the search for the director of the childcare center to a staffing agency, or you could post the position internally and on job-search boards. Thus, you are transferring and mitigating.
Using this same example, if the staffing agency doesn’t come through, you’re still in a bind of not having a director. In addition, you might have additional risks associated with outsourcing. For example, if you were initially planning on doing this work inhouse, but you decide to outsource it, you now have more expenses, which equates to a risk for your budget — and that is a secondary risk.
Secondary risk. A risk that arises as a direct result of implementing a risk response.
You have to treat the secondary risk as a new risk and put it through the analysis and response processes. For a situation like this, you would likely accept the residual risk and develop a contingency plan.