6th Edition PMBOK® Guide: Process 11.5 Plan Risk Responses: Tools and Techniques (2)

In the last post, I discussed the “generic” tools and techniques used in this planning process.   By “generic” I mean the tools and techniques that are used not just in this planning process, but in many project management planning processes in general, such as expert judgment, data gathering (interview techniques), interpersonal and team skills (facilitation techniques), and decision-making techniques.

In this post I will discuss those tools and techniques used specifically for this process.

There are strategies for threats, that is negative risks, and there are strategies for opportunities, that is positive risks.   Remember that PMI considers “risks” in a wider context than normally used in everyday life.   Risk is an event or condition that can occur that has a positive or negative impact on the outcome of a project.    You obviously want positive risks to occur, and so the strategy for dealing with them is how to exploit them when they do occur, and how to enhance the probability of their occurring.   On the other hand, you do not want negative risks to occur, so the strategy for dealing with them is the mirror opposite of what you do with positive risks:   you try to avoid them to prevent them from occurring altogether, or how to mitigate the probability of their occurring.

There is also the concept of sharing a positive risk with another company, or transferring a portion of a negative risk to another company (like when you buy insurance)  And you can always accept a positive or negative risk that has little probability of occurring.   To these four basic strategies for dealing with risk that were previously discussed in the 5th Edition of the PMBOK® Guide, there is a fifth basic strategy added for the 6th Edition of the Guide, and that is the strategy of escalating a risk.   This means that there is a risk threshold which is set at the beginning of the project.   If a risk response occurs which requires the expenditure of over a set amount of money, the risk threshold, then the project sponsor needs to get involved to get approval of this from management.

This is similar to what happens in many projects with regards to change management.   The project manager has authority to implement changes that go up to a certain threshold in terms of expenditure, but anything over that amount may require approval from the project sponsor.

With that brief introduction, let’s go into more detail regarding the tools and techniques for this process.   (The numbering of the tools and techniques does not start with because the missing numbers are those tools and techniques which were discussed in the last post as “generic”.)  Strategies for Threats (Negative Risks)

  •  Escalate–if a threat is outside the scope of a project or if the proposed risk response would exceed the project manager’s authority.   Escalated risks are dealt with at the program or portfolio level of the organization’s project management structure (whether there is a PMO or not), and are not dealt with further by the project team after escalation, although they may be recorded in the risk register for information purposes.
  • Avoid–This strategy is appropriate for high-probability, high-impact risks.  It may involve the following in order to reduce the probability of occurrence to zero:
    • changing some aspect of the project management plan
    • changing the objective that is in jeopardy or reducing scope
    • removing the cause of the threat
    • clarifying requirements, obtaining information, improving communication
  • Transfer–This strategy is appropriate for low-probability, high-impact risks.   For example, the probability that you will be in a auto accident is low, but the impact could be high (no pun intended), so that is why you must by auto insurance.  Transfer may be achieve by the following means:
    • use of insurance (payment of a risk premium to the party taking on the threat)
    • performance bonds
    • warranties, guarantees
    • agreements to transfer ownership and liability for specific risks to another party

An example of the last bullet point is when I was working for an automobile manufacturing company.   The air bag module is an especially dangerous component to manufacture because it involves an explosive device (which causes the airbag to inflate in such a short period of time).   Our company did not have the expertise to manufacture this component, but another company did and we had them manufacture the air bag module for us to put into our cars.   However, if there was an accident where there was an injury caused by a defective air bag module, then there was an agreement that this company would pay for the cost of the claim or lawsuit if it came to that.   This is a perfect example of a “transfer” strategy when it comes to risk.

  • Mitigate–This strategy is appropriate for high-probability, low-impact risks or if the impact is not high, but moderate.   This reduces the probability of the risk occurring or the impact if it does occur.   You mitigate the risk of it raining by taking along an umbrella.   It won’t do much for the probability of it raining, but it will reduce the impact on your clothes.   Here are some actions that use the mitigation strategy:
    • Prototype development (reduces probability of risk occurring)
    • Designing redundancy into a system (reduces impact if risk occurs)
  • Accept–This strategy is appropriate for low-probability, low-impact risks.   This is where there is no proactive action taken.  It may be appropriate for low-priority threats, or where a risk response is not cost-effective (i.e., it costs more to implement a risk response than the impact of the risk if it occurs).     Some typical acceptance strategies are:
    • Establishing a contingency reserve to handle the threat if it does occur
    • Putting risk on a “watch list” for monitoring periodically  Strategies for Opportunities (Positive Risks)

Remember that these strategies are the mirror opposite of strategies to deal with threats or negative risks.

  • Escalate–if an opportunity is outside the scope of a project or the opportunity would exceed the project manager’s authority.   Escalated opportuities are dealt with at the program or portfolio level of the organization’s project management structure (whether there is a PMO or not), and are not dealt with further by the project team after escalation, although they may be recorded in the risk register for information purposes.
  • Exploit–This is a strategy for dealing with high-priority opportunities where the organization wants to ensure (i.e., make the probability 100%) that the opportunity is realized.   Examples of this strategy are:
    • Assigning an organization’s most talented resources to the project
    • Using new technologies or new technology upgrades to reduce cost and duration of a project
  • Share–This is a strategy for transferring ownership to a third party so that it shares some of the benefit if the opportunity occurs, especially if that third party has expertise to best be able to capture the opportunity for the benefit of the project.  Examples of this strategy are:
    • Payment of a risk premium to the party taking on the opportunity
    • Forming risk-sharing partnerships or joint ventures
  • Enhance–This is a strategy for increasing the probability and/or impact of an opportunity.   Early action taken to enhance the probability of an occurrence of an opportunity may be more effective than trying to improve the benefit of an opportunity after it has occurred.   Examples of this strategy are:
    • Adding more resources to an activity to finish early
    • Taking advantage of a sale of needed resources that occurs before they are actually used on a project
  • Accept–just like its counterpart for negative risks, this is where no proactive action is taken, but simply acknowledging the existence of an opportunity.  Examples of this strategy are:
    • Establishing a contingency reserve to take advantage of the opportunity if it occurs (active strategy)
    • Putting the risk on a “watch list” and reviewing it periodically to ensure that it does not change significantly in terms of probability or impact (passive strategy).  Contingent Response Strategies

Certain risk responses are implemented only if certain events occur.   A risk response can be implemented in this case if there is sufficient warning that the risk may be triggered.    Risk responses so identified are called contingency plans, and include the triggering events that set the plans in effect.   Examples of such contingent risk responses

  • Dealing with missing intermediate milestones
  • Gaining higher priority with a seller  Strategies for Overall Project Risk

As you may recall from previous posts, Qualitative Risk Analysis focuses on individual project risks, but in projects of sufficient size and/or complexity, Quantitative Risk Analysis may calculate the overall project risk taken by summing the product of probability times potential impact for all of the individual project risks.

Risk responses should be planned for individual project risks (see paragraphs Strategies for Threats and Strategies for Opportunities), but this paragraph deals with risk responses to the overall project risk.

  • Avoid–if the overall project risk is significantly negative or outside the agreed-upon risk thresholds for the project, an avoid strategy may be adopted.   If it is not possible to bring the project back within the thresholds, then the project may be cancelled.   This is the obviously the most extreme degree of risk avoidance.   Example of this strategy:
    • Removal of high-risk elements of scope from the project
  • Exploit/share–if the overall project risk is significantly positive and outside the agreed-upon risk thresholds for the project, then an exploit strategy may be adopted (this is obviously the mirror opposite of the “avoid” strategy listed above).  Example of this strategy:
    • Addition of high-benefit elements of scope to the project (to add value or benefits to stakeholders).
    • Modification of risk thresholds to the project may be modified with the agreement of key stakeholders in order to embrace the opportunity
  • Transfer/share–if the overall project risk is high but the organization is unable to address it effectively by itself, a third party may be involved to manage the risk on behalf of the organization.   Where overall project risk is negative, a transfer strategy is required; where overall project risk is positive, a shared ownership strategy is required.   Examples of this strategy include:
    • Setting up a collaborative business structure in which the buyer and the seller share the overall project risk
    • Launching a joint venture or special-purpose company
    • Subcontracting key elements of the project
  • Mitigate/enhance–if the overall project risk needs to be changed in order to achieve the project’s objectives.   Mitigation strategy is used if the overall project risk is negative; enhancement strategy is used if the overall project risk is positive.  Examples of this strategy include:
    • Replanning the project
    • Changing the scope and boundaries of the project
    • Modifying project priority
    • Changing resource allocations
    • Adjusting delivery times
  • Accept–where no proactive risk response strategy is possible to address overall project risk, the organization may choose to continue with the project as currently defined.   Examples of this strategy include:
    • Establishing an overall contingency reserve for the project to be used if the project exceeds its risk thresholds (active strategy)
    • Review of the level of overall project risk to ensure that it does not change significantly (passive strategy)   Data Analysis

  • Alternatives analysis–if there is more than one risk response strategy identified to deal with individual project risks, alternatives analysis can help choose the most appropriate option.
  • Cost-benefit analysis–if the impact of an individual project risk can be quantified in monetary terms using Earned Monetary Value (equal to the estimated probability of the risk occurring times the dollar amount of the potential impact on the objectives if the risk occurs), then the cost-effectiveness of alternative risk response strategies can be determined using cost-benefit analysis.   The effectiveness of the risk response strategy can be measured by the ratio of the change in impact level measured by EMV divided by the cost of the implementation of the risk response strategy.   For example, if the implementation of doing a prototype of a design reduces the risk of failure from 25% to 5%, the cost in the potential impact (the change of 20% in the probability of the risk of failure times the cost of such a failure) divided by the cost of doing the prototype would be a concrete example of such a calculation.   The higher the ratio, the more effective the risk response would be.

This concludes this section on risk response strategies.   It is the most complicated of the planning processes for risk management, but it is the heart of what risk management is about:   doing what you can to reduce risk during the project.   The next two risk management processes implement these risk response strategies that were developed during the planning phase of the project and then monitor & control them throughout the cost of the project.

But before we go on to those processes, let’s discuss the outputs of this process 11.5 Risk Responses.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: