9 

Risk Response Planning

Learning Objectives

By the end of this chapter, you will be able to:

•  Establish a process to conduct risk response planning for your project or organization.

•  Analyze a proposed risk response for residual and secondary risk considerations.

•  Determine when multi-stage risk responses are desirable or appropriate.

•  Define three strategies for managing threat risk.

•  Define three strategies for managing opportunity risk.

•  Define two strategies for risk acceptance.

•  Develop action steps for a risk response and place them in the project plan or in other project documentation.

Estimated timing for this chapter:

Reading 45 minutes
Exercises 45 minutes
Review Questions 10 minutes
Total Time 1 hour 40 minutes

ORGANIZING FOR RISK RESPONSE PLANNING

Effective risk response planning rests on a foundation of good information: the output of the risk analysis processes that you decide to use. It’s worth repeating that not all risks (or projects) demand the sort of comprehensive analysis that we’ve been covering, but at least some risks and some projects require that much or even more. You must always adjust the scope and level of your risk analysis based on the actual risk exposure.

Exhibit 9-1

Six Tips for Risk Response Planning

1.   Establish teams of more than one person to work out risk solutions. Not every person on your project need be on every team, but each risk deserves more than one point of view.

2.   Do not be satisfied with a single risk response; come up with several before choosing the best one.

3.   A risk solution is worthless without a plan for its implementation. Define the steps necessary for each risk response and document them on the Risk Information Sheet (see Exhibit 4-6) and elsewhere as necessary.

4.   Always examine potential risk responses for side effects (secondary risk) and remaining risk exposure (residual risk) before settling on a strategy.

5.   There’s no rule that limits you to one solution per risk. If you can’t find a single solution, consider multiple strategies to nibble away at the total risk.

6.   Consider opportunities as well as threats in building risk responses. Making a good outcome more likely or better can be as desirable as making a bad outcome less likely or less bad.

7.   Keep a file of risks and responses for use on future projects. Recycling isn’t only good for the environment, it can be a great risk management tool as well.

When you have completed your analysis, you’re ready to take appropriate action. Consider the best practices in Exhibit 9-1 in organizing your risk response planning efforts.

Exercise 9-1

Risk Response Planning

Identify five risks, either ones you have used in previous chapters of this book, or ones relating to a project you are managing or have managed in the past. For each risk, list a proposed risk response: what you will do to manage the risk.

1.   Risk:  

 

 

Response:  

 

 

2.   Risk:  

 

 

Response:  

 

 

3.   Risk:  

 

 

Response:  

 

 

4.   Risk:  

 

 

Response:  

 

 

5.   Risk:  

 

 

Response:  

 

 

RESIDUAL AND SECONDARY RISK

Proposed solutions to risks are seldom perfect. Whether we’re discussing opportunity or threat, our risk responses are subject to two additional factors: residual risk and secondary risk. If these are not taken into consideration, the response to the primary risk may not deliver the desired outcome.

Residual Risk

Residual risk is the risk left over after your proposed solution has been implemented. Automobile insurance, for example, protects you against the financial impact of being in an accident—but not against all of it. If you have, say, a $500 deductible, you carry the residual risk of having to pay up to $500 in the event of an accident. That amount is residual risk.

There’s more residual risk: the policy normally excludes certain events from its coverage. If your accident falls into a non-covered category, you have no insurance protection. In addition, there is the risk that the insurer may go out of business or otherwise be unable to pay the claim.

If the residual risk is small enough, you may decide to accept it. If the risk is large, you may want to modify your proposed solution, add additional risk responses to address the residual risk, or in some cases throw out that solution and move to a different one.

Secondary Risk

Secondary risk is new risk created by your proposed response to the original risk. Smoking is extremely hazardous to your health, but obesity is even worse—and giving up smoking in some cases promotes weight gain. That doesn’t mean you shouldn’t give up smoking, but it does imply that you need to be prepared to deal with potential weight gain as a secondary risk.

During the incident at the Three Mile Island nuclear plant, safety systems reported problems—110 separate alarms with flashing lights and sounds all going off at the same time. The resulting cacophony made it difficult to sort out the potentially catastrophic factors from minor ones, caused confusion in the relaying of orders and directives, and generally made the problem harder to solve, not easier—the opposite of what the alarms were supposed to provide. (Chiles, 58)

Managing secondary risk doesn’t mean throwing out the primary risk. Clearly, we want our nuclear reactors equipped with alarms that tell us when something has gone wrong. However, one of the responses to the Three Mile Island incident was to deal aggressively with the issue of control room design, making it easier for operators to receive, interpret, and act on information in an emergency.

As with residual risk, if the secondary risk is small enough, you may decide to accept it. If the risk is large, you may want to modify your proposed solution, add additional risk responses to address the secondary risk, or in some cases throw out that solution and move to a different one.

Exercise 9-2

Residual and Secondary Risk

For the risk responses you developed in Exercise 9-1, are there important considerations of residual or secondary risk that need to be addressed? What will you do about these?

1.    

 

 

2.    

 

 

3.    

 

 

4.    

 

 

5.    

 

 

MULTI-STAGE SOLUTIONS

One particularly tough category of risks contains those that are low in probability but potentially catastrophic in outcome.

Thousands of small meteors hit the earth every day. Most are the size of grains of sand, and we know them only from the streak of bright light that marks their passing. Slightly larger meteors (5-10 meters in diameter) hit us about once a year, releasing as much energy as the Hiroshima atomic bomb. These generally go unnoticed because they tend to go off at high altitude and thus do little damage. However, there were observed events in South Africa (2009), Peru (2007), Norway (2006), and the Yukon (2000).

Every thousand years or so, a larger one (over 50 meters in diameter) hits with an energy release equivalent to 1,000 Hiroshima bombs. The last such, the Tunguska event in 1908, flattened 80 million trees over 830 square miles. Larger impacts, of course, also happen. Approximately 65 million years ago, an asteroid at least 10 kilometers in diameter struck the Yucatán Peninsula, triggering the Cretaceous–Paleogene (or K–Pg) mass extinction event.

Clearly, a big asteroid impact would be a very bad thing, but the probability appears to be approximately 1/65,000,000. What, if anything, should we do?

We could do nothing at all and bet that we’ll stay lucky as a species. We could spend trillions of dollars to put a nuclear-armed space armada into orbit to shoot down any marauding asteroids that happened to come by.

We can also consider a multi-stage solution. In the case of the hypothetical killer asteroid, we can divide the risk into two questions. First, is a killer asteroid actually on its way? Second, what should we do if it is?

The first question is relatively inexpensive to answer, and has a dramatic bearing on the second question. A comprehensive survey of near-Earth asteroids (known as Spaceguard) is at the time of writing about 80 percent complete. Using known equations of orbital mechanics, the future positions of these objects can be charted, and eventually we’ll know exactly what might hit us and when.

Changes in knowledge change our understanding of probability. A generic 1/65,000,000 probability may look a lot different when we consider a given asteroid. The 99942 Apophis asteroid, for example, has a chance of colliding with the Earth in the year 2036. NASA’s Near-Earth Object Program Office estimates the probability as 1/250,000. In absolute terms, the risk is still small, but it’s a lot greater than 1/65,000,000.

A 1/250,000 chance of impact probably doesn’t warrant building that space armada, but it does justify continued study. As more accurate measurements are made, the probability of collision will change—it will either appear increasingly probable that a collision will happen, or it will appear increasingly improbable. At some point, if the degree of confidence is high enough, expensive action may be warranted. If the decision to act is made early enough, a slight shove may be all that’s needed to adjust the asteroid orbit enough to avert a collision. If the decision is made too late, that space armada may not be enough to accomplish the job.

“Watch and wait” is a perfectly legitimate risk response in many situations involving low probability/high impact events. The potential action is a backup strategy, to be implemented if and only if indicators warrant.

MANAGING THREATS

Whether the risk response is a single-stage or multi-stage action, you still have to develop it. Different strategies exist for both threats and opportunities. Be sure to consider multiple possibilities before settling on a response, and remember that you can combine solutions if necessary. In the case of a business risk, it’s important to consider both sides of the risk equation (threat and opportunity) in developing your strategy.

The three basic strategies for managing a threat are avoidance (changing the project so the risk event cannot happen or the project is completely protected from its effects), transference (moving the ownership and impact of the risk to another entity), and mitigation (reducing some combination of probability and impact, but not eliminating the risk altogether).

Avoidance

Avoiding a risk completely often requires a change in the way you do things. If a project has a high risk of failure, you can avoid the failure by cancelling the project. This may be entirely sensible.

You can potentially change many other factors that involve risk, from deadline to budget to performance criteria. You can change the process with which you do the work, the tools you use, whether you do the work in-house or out-of-house, whether you provide a specific functionality or hit a specific numerical target.

An avoidance strategy by its very definition means that there is no residual risk. However, secondary risk is almost certainly present. If the risk of doing it is so high that it’s not a good idea, we still have the reason we thought about doing the project in the first place. If we change deadline or budget or performance criteria, we may be swapping one set of risks for another.

Occasionally, the secondary risk can provide opportunity as well as threat. Whatever we think of to replace the project as originally conceived might turn out to be better for us. The cost of contracting out the work (and some of the risk) may turn out to be less than the cost of doing it in-house. Check all possibilities.

Transfer

Risk transference moves the ownership of a risk from one party to another. We’ve already seen several ways this can be done. In qualitative risk analysis, we classified some risks as owned by someone else. When we move the risk to its proper owner, we’ve transferred at least some of it.

Insurance is another common method of risk transfer. Some people make their money by taking over other peoples’ risks for a fee. Every contract involves some risk transfer. If a vendor charges a firm, fixed price for products or services, the vendor owns the risk of cost overruns. If a vendor charges by the hour or on a cost-plus basis, the buyer owns the risk of cost overruns. Contract details often spell out who has the financial liability for specific risks.

Risk transfer often leaves residual risk and can create secondary risk as well. Earlier in this chapter, we identified residual risks in buying insurance, for example. When transferring risks administratively, the risk may have a new owner, but residual risks often remain.

Mitigation

A mitigation strategy reduces some combination of probability and impact, lowering the risk but leaving at least some residual risk. Mitigation strategies may also create secondary risk.

Examples of mitigation strategies include:

•   Testing. Tests identify problems in performance and quality before they reach the customer.

•  Redundancy. Having more than is necessary helps ensure you’ll have at least enough.

•  Additional resources. Adding cost, time, and personnel can reduce the risk of failing to meet one or more key objectives.

•  Skill or process improvements. Improving the skills of team members or the way in which the work is done reduces risk.

MANAGING OPPORTUNITIES

Opportunities can be found in stand-alone form and in the form of business risk, and are often matched with corresponding threats. The three basic strategies are to exploit the opportunity (cash in the benefit and use it), enhance the opportunity (make it better or more probable), and share the opportunity (give the benefit to someone else either for goodwill or in trade).

Exploit

The obvious thing to do with an opportunity is to take advantage of it, and that may indeed be the best thing to do. If your stock market investment increases in value, you can sell it. If your successful management of the current project makes you the front-runner for the next job, grab it.

As in the case of threat risks, opportunity risks carry the possibility of residual and secondary risk. If you sell the stock too soon, you may make less of a profit than you would make if you held on to it a bit longer—the residual risk is the value of what you’re leaving on the table. At the same time, the secondary risk is a threat: that the stock will tank, leaving you worse off than you would have been had you sold it on time.

When you choose to take business risk in managing your project, exploitation of the potential benefits is, after all, the usual reason for undertaking it.

Enhance

In the case of the stock market investment, we exploit the opportunity if we cash it in: sell the stock, pay the capital gains tax, and pocket the rest. If we choose to keep the stock because we believe it is likely to increase in value, we are pursuing an enhancement strategy instead.

If your outstanding work on the current project positions you well for new business, you could enhance the opportunity by raising your rates. The benefit is greater profit; the secondary risk is losing the business. The residual risk, again, is the potential amount you’re leaving on the table.

Share

Although exploitation is the obvious strategy, sharing may often represent the best available response. The benefit from a particular opportunity may not apply to you, and giving (or trading) the benefit to someone who would truly find it valuable can pay tremendous dividends in goodwill and support.

A powerful and frequently overlooked technique to improve project and organizational effectiveness is to look at your project for ways it can incidentally provide benefit to others. For example, your project budget might not support buying the latest and greatest equipment, but if the equipment could benefit enough other projects and activities, the combined result might make it profitable.

If you solve a problem, can you solve it for everyone and not merely for your own project? If your project success makes it easier for another part of your company to win business, can you help move that opportunity to the appropriate department or group? Can what you do benefit the customer in ways over and above the contract? Can the work of the project provide extra benefits to team members, such as improved education and skills that may help them in years to come?

MANAGING ACCEPTANCE

Acceptance strategies basically involve doing nothing—at least not until the problem appears imminent. We normally identify a number of project risks not worth the time, effort, or expense to mitigate. We accept those risks, perhaps allowing some contingency reserve to cover them. For risks that have high cost solutions, we may develop a different kind of contingency—a contingency plan or response.

Contingent Responses

Unlike other risk management strategies, a contingent risk response is not implemented until the risk has actually occurred or has passed some threshold or event point that makes us believe that it has become extremely likely to occur. In our asteroid example, it makes no sense to spend a huge amount of money on a response unless we have reason to believe that the collision is likely to happen in the near future. We make the response contingent on actual evidence that an asteroid is indeed heading our way. So far, our risk has jumped from 1/65,000,000 to 1/250,000, but that’s not yet enough to activate a risk trigger, a threshold at which a decision is necessary.

Some contingent responses need to be worked out well in advance. With others, it’s sufficient to have a general idea of what we might do, and make the detailed plan if the risk is triggered.

Acceptance

For risks with a minor impact, simple acceptance—we won’t do anything, and will cope with the effects as best we can if the risk occurs—is often sufficient. Some risks are accepted because they are subsumed by larger programs. For example, a shop safety program is aimed not at a single risk nor at a single project, but rather at a category of risks.

“Watch and wait” strategies, as in our Spaceguard example, are another subdivision of acceptance. We spend a small amount of time, effort, and resources on monitoring, and defer any substantial action until—or unless—the risk event appears imminent or grows so much in probability that action is warranted.

Exercise 9-3

Types of Risk Response

Look at the risk responses you developed in Exercise 9-1 and classify them according to the categories mentioned in this chapter. Are there any alternate solutions you want to consider instead?

1.    

 

 

2.    

 

 

3.    

 

 

4.    

 

 

5.    

 

 

IMPLEMENTING RISK RESPONSE STRATEGIES

Risk responses require actions. If you need insurance, you have to go buy insurance. If you need safety goggles, you need to stop in the shop office and pick up a pair. If you need to test components, you need a testing plan. The effort involved in turning a risk response strategy from an idea into action can in some cases be substantial.

It is important to document what you decide to do about a risk. The Risk Information Sheet (Exhibit 4-6) has a space in which to write the risk response, but the real work may be done elsewhere. In many cases, the best place to put a risk response is into the project plan itself, either as a work package or as requirements. If, for example, testing is part of your risk response to potential lapses in quality, you probably want to have a work package labeled “Testing.” Depending on the level and sophistication of the tests, there may be multiple steps involved. Tests have testing requirements. Which tests should be run? What constitutes a satisfactory outcome? What defines failure?

Exhibit 9-2 contains a list of questions to consider in developing and implementing your risk response. Space is provided for you to consider how these questions apply to the risk responses you have worked on in this chapter.

Exhibit 9-2

Questions That Shape Risk Responses

For each proposed response to a given risk, consider the following questions.

Appropriateness

1.  Is the risk response proportional?

2.  Is the risk response actionable?

3.  How does this risk response compare to doing nothing at all?

These questions establish whether the potential risk response can be considered further. If the solution is not proportional to the risk (that is, substantially higher than the risk score and not justified by other reasons), or if we can’t actually do what’s required, then the solution is a non-starter.

If none of the risk responses are particularly attractive, do consider the potential consequences of doing nothing. They may be greater—or less—than you imagine.

 

 

 

 

Residual Risk

4.  How much and what kind of residual risk will remain?

5.  Is the remaining level of residual risk acceptable?

6.  Can we reduce the residual risk any further?

7.  Is any of the residual risk positive in nature?

We not only need to define the level and nature of any residual risk, but also need to establish whether the residual risk is still too high. If it is, we need a better solution or an additional solution—which gets run through this same process as a new risk response.

 

 

 

 

Secondary Risk

8.  Will the risk response create any secondary risks, either threats or opportunities?

9.  Are the secondary risks acceptable?

10. If not, can we modify them so they are acceptable?

11. Are the secondary risks greater than the risks of doing nothing at all?

Secondary threats and opportunities are frequently overlooked in risk response planning. Be sure to consider indirect benefits to the organization, customers, or end users along with benefits to you and your project in evaluating these options.

 

 

 

 

Staged Response

12.   Must we act now, or can this response wait on further information?

13.   Will the risk response be better if it is implemented early, or if it is implemented closer to the risk event?

14.   Are secondary and residual risks affected by the timing of the response?

Acting early isn’t always or necessarily the best thing to do. Strategic delay can be a very effective part of risk response planning.

 

 

 

 

Action Steps

15.   What are the action steps, tasks, or work packages we have to perform in order to implement this risk response?

16.   Can these action steps be placed into the regular project workflow?

17.   What resources must be allocated to make these action steps happen?

18.   Are any action steps contingent on other project events?

The best place for risk response activities is in the project plan itself. If the risk response is contingent (depending on other events), this may not be possible. In that case, where will you put the information? How will you make sure the risk response is triggered if necessary?

 

 

 

 

Metrics

19.   What circumstances, events, or measurements will tell you that the risk has occurred or is about to occur?

20.   How and when will you know if your risk response is working as anticipated?

21.   How will you know if the risk is not going to happen?

22.   What will tell you if you need to modify or change your planned risk response?

Without risk metrics—some way to measure what’s going on—it’s very difficult to figure out whether a risk has occurred or whether your proposed solution is working as intended. Establishing metrics is a valuable tool in almost every project management situation.

 

 

 

 

Backup Strategy

23.   What will you do if the planned risk response is not working adequately?

24.   How will you document and record the backup strategy, if any?

25.   How will you measure the success or failure of the backup strategy?

Backup strategies and contingency plans aren’t necessary in all cases, but it’s usually worthwhile to ask the question: Is there a chance the response won’t work, and if so, what are you going to do about it?

Closing Criteria

26.   How will we decide when this risk is no longer active and should be closed?

27.   How will we record the outcome of this risk event?

28.   What can we learn from this risk event (whether it happened or not) and how will that knowledge be used?

There’s usually a point at which a risk can no longer happen, or a point at which a risk that has happened has done all the damage (or provided all the benefit) it’s able to do. Closing a risk moves it from the active list to the inactive list, and should always be done consciously and deliberately.

 

 

 

 

Risk response planning is the process of deciding what to do about specific project risks. Establish a formal process for developing risk responses as a team, consider more than one potential solution before settling on an answer, and document the risk response on the Risk Information Sheet, in the project plan, and elsewhere as appropriate.

Consider residual risk and secondary risk issues before deciding on a risk response. If residual and secondary risk levels are excessive, modify the risk response or abandon it and choose a different one. If the risk response is expensive, consider multi-stage solutions that defer expensive action unless absolutely necessary.

The three basic strategies for managing a threat are avoidance (changing the project so the risk event cannot happen or the project is completely protected from its effects), transference (moving the ownership and impact of the risk to another entity), and mitigation (reducing some combination of probability and impact, but not eliminating the risk altogether).

Opportunities can be found in stand-alone form and in the form of business risk, and are often matched with corresponding threats. The three basic strategies are to exploit the opportunity (cash in the benefit and use it), enhance the opportunity (make it better or more probable), and share the opportunity (give the benefit to someone else either for goodwill or in trade).

Risk acceptance has two categories: passive acceptance (we do nothing unless the risk occurs, then we cope with it as best as we can) and contingency planning (we create a backup plan but do nothing unless the risk is triggered).

Risk response strategies must be implemented. You need to develop action steps and put them in the project plan or elsewhere. You need to establish metrics that tell you when the action is necessary and whether it’s working. You also need to establish criteria for closing a risk, either because it can no longer happen or because all the consequences of the risk have happened.

 

Review Questions

1.   A proposed risk response must always be:

(a)  free of secondary or residual risk.

(b)  structured as a multi-stage solution.

(c)  proportional and actionable.

(d)  paired with a backup strategy.

1. (c)

2.   In managing opportunity, which strategy is most appropriate if the benefit is not usable by you or your team?

(a)  Sharing

(b)  Mitigation

(c)  Enhancement

(d)  Acceptance

2. (a)

3.   Which of the following is a strategy for managing threat risk?

(a)  Exploitation

(b)  Sharing

(c)  Mitigation

(d)  Enhancement

3. (c)

4.   If the proposed risk response will not eliminate all the consequences of the risk, the part that is not eliminated is known as:

(a)  secondary risk.

(b)  residual risk.

(c)  contingency risk.

(d)  multi-stage solution risk.

4. (b)

5.   If a proposed risk response has an unacceptable secondary risk, you should:

(a)  modify the proposed response or select a different one.

(b)  change the project so that the initial risk cannot occur.

(c)  provide contingency allowance for the additional risk.

(d)  establish a multi-stage solution.

5. (a)
