Risk Response Plan

Abstract

Risks and opportunities in project management refer to potential events or uncertainties that could impact the successful completion of a project. Risks can come from a variety of sources, including internal factors (such as project team performance), external factors (such as changes in the market or regulatory environment), and technical factors (such as changes in technology or equipment) ^[1]. Effective risk management is an important part of project management and involves identifying potential risks, assessing their likelihood and impact, developing response plans, and monitoring and adjusting the response plans as needed. By proactively addressing risks and opportunities, project managers can improve the chances of project success and minimize the impact of risks on the project.

Introduction

Risks and Opportunities

“Risk is exposure to the consequences of uncertainty.“ ^[2]

In order to go through and define project risk management, firstly it is necessary to understand what risks and opportunities stand for within the scope of project management. These two concepts are described by at least three basic characteristics: an uncertain event, a probability of occurrence and potential impacts on the project’s objectives (time, cost, quality, scope or performance). What differentiates risks and opportunities is the type of impact they have on the project, in case one of these occurs. In a general point of view, risks may cause a negative impact on one project (recognized possible loss), as opportunities may positively impact it (recognized possible gain). As so, there is a level of uncertainty associated with the occurrence of a risk or opportunity event (probability < 1), it is possible to identify what event is it (known events) and its impact on the organization can be quantified.

Importance of Risk Planning in Project Management

“50% of all projects fail due to a lack of proper risk management, and a whopping 85% are delayed because risks were not identified in time.” ^[3]

Risks can have significant negative impacts on project timelines, budgets, and outcomes, and therefore, it is essential to have a plan in place to manage them effectively. Project risk management processes should be conducted in order to increase the likelihood and impact of positive events and mitigate negative events in a project. Murphy’s Law plays an important role when talking about the importance of managing risks in a project. It is a basic observation that states that “anything that can go wrong, will go wrong”, so it is better to acknowledge what can possibly go wrong and define actions to minimize the impacts it could cause, before they become major problems. In addition, by well-managing risks and by effectively assessing the likelihood and impact of potential risks before they happen, it is possible to make informed decisions about how best to proceed, significantly increasing the likelihood of project success.

Figure 1: Types of events in Project Management Source: Author

Project risk management includes the processes of ^[4]:

• Plan Risk Management – The process of defining how to conduct risk management activities for a project.
• Identify Risks – The process of determining which risks may affect the project and documenting their characteristics.
• Perform Qualitative Risk Analysis – The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
• Perform Quantitative Risk Analysis – Perform numerically analyzing the effect of identified risks on overall project objectives.
• Plan Risk Responses – The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.
• Control Risks – The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.

Steps to develop a Risk Response Plan

One of the essential activities in project risk management is to plan risk responses, which involves identifying potential risks, assessing their impact, and developing strategies, options and actions to manage or mitigate them. The risk response plan outlines the steps to be taken in the event of a risk occurring, and it is designed to enhance opportunities and to reduce threats to the project’s objectives. Known risks are those that have been identified and analyzed, making it possible to plan responses for them.

The inputs, tools and techniques, and outputs of this process are depicted in figure bellow:

Figure 2: Inputs, tools and techniques, and outputs of a Risk Response Planning Source: ^[4]

Every process of project risk management should start by delineating the Risk Management Plan, and the risk response plan must be compatible with it. This document outlines how the next steps are going to be conducted, providing a framework for the project team to execute risk management activities for a project. This plan comprises various components, including ^[5]:

• The methodology, which outlines the approaches, tools, and data sources that will be employed to manage project risks.
• The roles and responsibilities section, that identifies the team members who will be responsible for leading, supporting, and managing risk management, and clarifies their respective responsibilities.
• The budgeting, used to estimate the funds required based on the resources allocated, and establishes the protocols for the application of contingency and management reserves.
• The timing, which specifies when and how often risk management activities will be conducted throughout the project life cycle.
• The risk categories, referring to the grouping of risks based on their common characteristics and providing a structured approach for risk identification.
• Definitions of risk probability and impact.
• Probability and impact matrix, in order to map the probability of risk occurrence against its potential impact on project objectives. The organization typically sets the specific thresholds for determining whether a risk is rated as having a “high”, “moderate”, or “low” level of importance based on the combinations of probability and impact.
• Revised stakeholders’ tolerances. This component outlines the tolerance levels of stakeholders to different risks and provides guidelines for assessing their comfort levels with different risk levels.
• Reporting formats, which refer to the way in which the results of the risk management process are recorded, evaluated, and conveyed. It outlines the structure and presentation of the risk register, as well as any other reports related to risk that may be needed.
• Tracking, that specifies the procedures and tools to be used to monitor risks and how the information will be communicated to the relevant stakeholders.

Identify Risks

The first step to take is the process of determining which risk may affect the project and documenting their characteristics, providing the project team the knowledge and ability to anticipate events. Identify risks is an iterative process, because new risks may evolve or become known as the project progresses through its life cycle. There are several tools and techniques that may be used in this step^[4]:

• Documentation Reviews
• Information gathering techniques: Brainstorming, Delphi technique, Interviewing, Root cause analysis
• Checklist analysis
• Assumptions Analysis
• Diagramming techniques: Cause and effect diagrams, System or process flow charts, Influence diagrams
• SWOT analysis
• Expert judgment

Output: This step should result in the development of the Risk Register. This document is essential for the next steps, providing a central repository for all the information related to project risks that shall include the following: risk description, the person or team responsible for managing that risk, the reason or cause of the risk, its probability and level of impact, category and a list of potential responses and strategies to mitigate it.

Assess the Risks

Once risks have been identified, the next step is to assess their likelihood and impact. This involves assigning a probability and severity score to each risk, as well as numerically analyze the effect of identified risks on overall project objectives (schedule, budget, etc). By doing so, and record it in the Risk Register, it is possible to identify the highest priority risks, helping the project team focusing their efforts on the most critical ones. In order to do so, it is necessary to perform a qualitative and a quantitative risk analysis.

In the first technique, usually carried out by the project team or an expert, after the identification of potential risks, a categorization based on their probability of occurrence and potential impact is conducted, as well as the rating of each risk according to the two factors, resulting in a risk matrix^[6]. The risk matrix provides a clear visual representation of the relative importance of each risk and allows the team to concentrate on those with the highest potential impact.

The quantitative risk analysis requires more complex mathematical models and calculations, being more time-consuming and expensive, and requiring significant expertise in statistics and data analysis. It provides a more accurate and objective assessment of risk than qualitative analysis, enabling the project team to make more informed decisions about risk response strategies and reducing the project uncertainty.

Select Risk Responses

During this step, were specific methods and techniques are used to deal with known risks and opportunities, it is necessary to identify who is the responsible for a specific risk or opportunity and estimate the resources associated with handling it. Moreover, it is necessary to refine and select the most appropriate response option(s) and specific implementation approach(es) for selected risks (often those with medium or higher risk levels) and opportunities. It is also recommended to develop a fallback plan in case the chosen strategy proves ineffective or a previously accepted risk occurs.

The procedure to develop a risk response strategy is straightforward: first, the most desirable risk response option (of acceptance, avoidance, mitigation, and transfer for risks, and acceptance, enhance, exploit, and share for opportunities) is selected based upon cost, performance, schedule, and risk trade studies; Then the best implementation approach is chosen for the selected option.

Secondary risks, which may arise from the implementation of a risk response, should also be assessed. In this case, similarly, contingent responses can be developed for risks and opportunities where action is taken only if certain predefined conditions occur.

Finally, handling strategies can be developed using a combination of all four risk or opportunity response options, along with an appropriate implementation approach. To evaluate candidate risk response strategies, personnel may use the following criteria as a starting point^[7]:

• Feasibility of implementing the strategy while still meeting user needs.
• Expected effectiveness of the response strategy in reducing program risk to an acceptable level.
• Affordability of the strategy in terms of dollars and other resources.
• Availability of time to develop and implement the strategy, and its impact on the overall program schedule
• Impact of the strategy on the system's technical performance.

Strategies for negative risks or threats ^[4]

• Risk Avoidance: This strategy involves avoiding the risk entirely by eliminating the cause of the risk or changing the project plan to circumvent the risk. The most radical avoidance strategy is to shut down the project entirely. Risk avoidance approach is appropriate for risks with high negative impact potential or those that are not worth taking.

• Risk Transfer: This strategy involves transferring the risk to a third party, such as an insurance company or another entity, that is better equipped to handle the risk. By doing this the risk is not eliminated, transferring the risk inly gives another party responsibility for its management. This approach is appropriate for risks that cannot be avoided or mitigated within the project team.

• Risk Mitigation: This strategy involves taking actions to reduce the probability or impact of the risk. Mitigation actions, such as adopting simpler processes, conducting additional tests, or selecting a more reliable supplier, can be implemented to reduce the likelihood and/or consequences of a project risk. Early risk management actions are frequently more efficient than attempting to repair the damage after the risk has occurred. This approach is suitable for risks that are worth taking but need to be reduced to an acceptable level.

• Risk Acceptance: This strategy involves accepting the risk and its potential consequences without taking any action. The risk response strategy can be categorized as either passive or active: passive acceptance involves documenting the strategy without taking any action, leaving the project team to address the risks as they arise, and periodically reviewing the threat to ensure that it has not significantly changed. The most prevalent form of active acceptance is creating a contingency reserve that includes time, money, or resources to manage the risks. Risk acceptance approach is suitable for risks with low potential impact or those that are not worth the cost of mitigation or avoidance.

Strategies for Positive risks or opportunities ^[4]:

• Exploit: This strategy aims to remove the uncertainty related to a specific upside risk by guaranteeing that the opportunity will certainly occur, and it shall be chosen when an organization desires to ensure that a positive impact risk is fully realized. This may involve allocating additional resources, increasing the scope of the project, or accelerating the project schedule to exploit the opportunity.

• Enhance: This strategy involves enhancing the probability and/or the positive impact of an opportunity. This may involve increasing the quality of a deliverable, increasing the performance of a project team member to enhance the chances of the opportunity occurring or adding more resources to an activity to finish early.

• Share: This strategy involves sharing the opportunity (allocating some or all of the ownership of the opportunity) with a third party to take advantage of their expertise or resources. This may involve partnering with another organization or hiring a consultant to help exploit the opportunity.

• Accept: This strategy involves accepting the opportunity without taking any specific action to exploit or enhance it. In this case the organization may be willing to take advantage of the opportunity if it arises, but not actively persuit it. This may be appropriate if the opportunity has a low impact on project objectives or if the cost of exploiting the opportunity outweighs the potential benefits.

Outputs

Figure 3: Example of the Risk Response Plan document Source: Author

As a result of risk planning, the project management team may need to redo some parts of the plan such as include new tasks, redefine the tasks sequence, change duration estimates or predict different resources. As so, several documents might have to be updated after the risk response plan is developed:

• Project Management Plan updates: Schedule management plan; Cost management plan; Quality management plan; Procurement management plan; Human resource management plan; Scope baseline; Schedule baseline; Cost baseline.
• Project Documents updates: for example, updates to the risk register, including any changes to the probability and impact of identified risks, as well as the status of risk response actions.
• Technical Documentation: needs to be updated as new information becomes available through the implementation of risk response strategies. This is necessary to reflect any changes to technical approaches or physical deliverables resulting from the application of risk responses.
• Change requests: As part of planning for potential risk responses, it is common to suggest modifications to resources, activities, cost estimates, and other elements previously identified in planning. These proposals can lead to change requests that require processing through the Perform Integrated Change Control process.

Monitor and Control Risks ^[8]

The Monitor and Control Risks process involves implementing risk response plans and ensure that it is being executed as planned, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating the effectiveness of risk strategies throughout the project. in this step it is necessary to define indicators, dominate a responsible and define a time-window for monitoring each risk. The main outputs of this process include updates to risk register and risk response plan, change requests, work performance information, and project management plan updates.

Monitoring and controlling risks is a continuous process that should be performed throughout the project's lifecycle to ensure that new risks are identified and that risk response plans are updated accordingly. The effectiveness of risk response plans should also be assessed regularly to ensure that they are still appropriate and effective in reducing risk.

Limitations

Even though a risk response plan is a valuable tool for risk management, it is important to recognize and understand its limitations. These limitations include incomplete risk identification, in case the project team fails to identify all potential risks, leading to a risk response plan that may not adequately address all risks that might impact the project. Additionally, this tool is developed in a way that it is typically focused on specific risks or events, not handling other potential project-impacting variables or occurrences (constrained scope). Furthermore, the unpredictability of prospective threats or the resources available to implement the strategies may have an impact on how successful risk response techniques are.

Due to stakeholders' aversion to change, implementing risk response techniques might be difficult. As a result, during the course of the project, it is critical for project teams to be conscious of these constraints and to regularly assess and modify their risk-management strategy as necessary.

Moreover, the selection and development of actions for the risk response plan can be influenced by the subjective opinions and biases of the project team. There are many factors that can influence the plan to be developed^[7]:

• Descriptive and measurement uncertainty: related to the amount and quality of information on the event that caused the risk and the magnitude of the damage it may provoke. This is especially important to take into account when conducting the quantitative analysis to ensure that the data used is accurate and reliable, as inaccurate data can lead to incorrect conclusions and ineffective risk response strategies.
• Voluntary risk or opportunity: refers to situations where the project manager willingly chooses to take on a risk or opportunity due to personal benefit to themselves or their organization. However, the risk or opportunity may also be forced upon the project manager.
• Inequitable risks or opportunities: Cost-effective alternatives may exist for some risks or opportunities, making them equitable, while other risks or opportunities may be inequitable due to the presence of only high-cost alternatives or limited options.
• Length of exposure to the risk or time available for the opportunity.

Final Remarks

A well-planned and executed risk response plan is essential for the success of any project. Developing a risk response plan requires careful consideration of various factors, including risk identification, categorization, prioritization, and response strategies. However, it is important to recognize that risk response plans have certain limitations. To mitigate them, project teams must continuously monitor and adjust their risk management approach throughout the project lifecycle. Moreover, it is essential to maintain open and honest communication about risk and its management and develop a consistent approach to risk management for each project. Risk attitudes of individuals and groups can influence their response to potential risks, which can be shaped by factors such as perception, tolerance, and biases. Therefore, it is crucial to identify and address these factors as much as possible.

Proactive and consistent risk management can help project teams to handle potential risks effectively and increase the likelihood of project success. Organizations should commit to identifying and managing potential risks throughout the project lifecycle and take a proactive approach to handle them effectively, developing responses which reflect an organization’s perceived balance between risk taking and risk avoidance.

Project risks can emerge from the start of a project, and ignoring them can lead to further complications arising from unmanaged threats. Therefore, project managers should prioritize the development and implementation of a robust risk response plan to ensure project success.

References

1. ↑ Project Management Institute, Inc. (PMI). (2019). Standard for Risk Management in Portfolios, Programs, and Projects. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpSRMPPP01/standard-risk-management/standard-risk-management
2. ↑ The Notion and Definition of Risk. (n.d.). Retrieved from https://2012books.lardbucket.org/books/enterprise-and-individual-risk-management/s05-02-the-notion-and-definition-of-r.html
3. ↑ Ekai, C. (2023, April 11). Importance Of Risk Management In Projects. Risk Publishing. Retrieved from https://riskpublishing.com/importance-of-risk-management-in-projects/?utm_content=cmp-true
4. ↑ ^{4.0 4.1 4.2 4.3 4.4} Project Management Institute, Inc.. (2017). Guide to the Project Management Body of Knowledge (PMBOK® Guide) (6th Edition). Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpGPMBKP02/guide-project-management/guide-project-management
5. ↑ Scavetta, A. (2023, March 6). How to Make a Risk Management Plan. ProjectManager. Retrieved from https://www.projectmanager.com/blog/risk-management-plan
6. ↑ Bissonette, Michael M.. (2016). Project Risk Management - A Practical Implementation Approach. Project Management Institute, Inc. (PMI). Retrieved from https://app.knovel.com/hotlink/toc/id:kpINFNB0D1/project-risk-management/project-risk-management
7. ↑ ^{7.0 7.1} Kerzner, Harold. (2017). Project Management - A Systems Approach to Planning, Scheduling, and Controlling (12th Edition). John Wiley & Sons. Retrieved from https://app.knovel.com/hotlink/toc/id:kpPMASAPSC/project-management-systems/project-management-systems
8. ↑ Hodgson, L. (2022). Safety – Risk monitoring and control. Sitemate. Retrieved from https://sitemate.com/da/resources/articles/safety/risk-monitoring-and-control/