Risk Response Plan
Contents |
Abstract
Risks and opportunities in project management refer to potential events or uncertainties that could impact the successful completion of a project. Risks can come from a variety of sources, including internal factors (such as project team performance), external factors (such as changes in the market or regulatory environment), and technical factors (such as changes in technology or equipment). Effective risk management is an important part of project management and involves identifying potential risks, assessing their likelihood and impact, developing response plans, and monitoring and adjusting the response plans as needed. By proactively addressing risks and opportunities, project managers can improve the chances of project success and minimize the impact of risks on the project.
Introduction
Risks and Opportunities
“Risk is exposure to the consequences of uncertainty.“
In order to go through and define project risk management, firstly it is necessary to understand what risks and opportunities stand for within the scope of project management. These two concepts are described by at least three basic characteristics: an uncertain event, a probability of occurrence and potential impacts on the project’s objectives (time, cost, quality, scope or performance). What differentiates risks and opportunities is the type of impact they have on the project, in case one of these occurs. In a general point of view, risks may cause a negative impact on one project (recognized possible loss), as opportunities may positively impact it (recognized possible gain). As so, there is a level of uncertainty associated with the occurrence of a risk or opportunity event (probability < 1), it is possible to identify what event is it (known events) and its impact on the organization can be quantified.
Importance of Risk Planning in Project Management
“50% of all projects fail due to a lack of proper risk management, and a whopping 85% are delayed because risks were not identified in time.” (1)
Risks can have significant negative impacts on project timelines, budgets, and outcomes, and therefore, it is essential to have a plan in place to manage them effectively. Project risk management processes should be conducted in order to increase the likelihood and impact of positive events and mitigate negative events in a project. Murphy’s Law plays an important role when talking about the importance of managing risks in a project. It is a basic observation that states that “anything that can go wrong, will go wrong”, so it is better to acknowledge what can possibly go wrong and define actions to minimize the impacts it could cause, before they become major problems. In addition, by well-managing risks and by effectively assessing the likelihood and impact of potential risks before they happen, it is possible to make informed decisions about how best to proceed, significantly increasing the likelihood of project success.
Project risk management includes the processes of:
- Plan Risk Management – The process of defining how to conduct risk management activities for a project.
- Identify Risks – The process of determining which risks may affect the project and documenting their characteristics.
- Perform Qualitative Risk Analysis – The process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
- Perform Quantitative Risk Analysis – Perform numerically analyzing the effect of identified risks on overall project objectives.
- Plan Risk Responses – The process of developing options and actions to enhance opportunities and to reduce threats to project objectives.
- Control Risks – The process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.
Steps to develop a Risk Response Plan
One of the essential activities in project risk management is to plan risk responses, which involves identifying potential risks, assessing their impact, and developing strategies, options and actions to manage or mitigate them. The risk response plan outlines the steps to be taken in the event of a risk occurring, and it is designed to enhance opportunities and to reduce threats to the project’s objectives. Known risks are those that have been identified and analyzed, making it possible to plan responses for them.
The inputs, tools and techniques, and outputs of this process are depicted in figure bellow:
Every process of project risk management should start by delineating the Risk Management Plan, and the risk response plan must be compatible with it. This document outlines how the next steps are going to be conducted, providing a framework for the project team to execute risk management activities for a project. This plan comprises various components, including:
- The methodology, which outlines the approaches, tools, and data sources that will be employed to manage project risks.
- The roles and responsibilities section, that identifies the team members who will be responsible for leading, supporting, and managing risk management, and clarifies their respective responsibilities.
- The budgeting, used to estimate the funds required based on the resources allocated, and establishes the protocols for the application of contingency and management reserves.
- The timing, which specifies when and how often risk management activities will be conducted throughout the project life cycle.
- The risk categories, referring to the grouping of risks based on their common characteristics and providing a structured approach for risk identification.
- Definitions of risk probability and impact.
- Probability and impact matrix, in order to map the probability of risk occurrence against its potential impact on project objectives. The organization typically sets the specific thresholds for determining whether a risk is rated as having a “high”, “moderate”, or “low” level of importance based on the combinations of probability and impact.
- Revised stakeholders’ tolerances. This component outlines the tolerance levels of stakeholders to different risks and provides guidelines for assessing their comfort levels with different risk levels.
- Reporting formats, which refer to the way in which the results of the risk management process are recorded, evaluated, and conveyed. It outlines the structure and presentation of the risk register, as well as any other reports related to risk that may be needed.
- Tracking, that specifies the procedures and tools to be used to monitor risks and how the information will be communicated to the relevant stakeholders.
Identify Risks
Ref test[1]
The first step to take is the process of determining which risk may affect the project and documenting their characteristics, providing the project team the knowledge and ability to anticipate events. Identify risks is an iterative process, because new risks may evolve or become known as the project progresses through its life cycle. There are several tools and techniques that may be used in this step:
- Documentation Reviews
- Information gathering techniques: Brainstorming, Delphi technique, Interviewing, Root cause analysis
- Checklist analysis
- Assumptions Analysis
- Diagramming techniques: Cause and effect diagrams, System or process flow charts, Influence diagrams
- SWOT analysis
- Expert judgment
Output: This step should result in the development of the Risk Register. This document is essential for the next steps, providing a central repository for all the information related to project risks that shall include the following: risk description, the person or team responsible for managing that risk, the reason or cause of the risk, its probability and level of impact, category and a list of potential responses and strategies to mitigate it.
Assess the Risks
Once risks have been identified, the next step is to assess their likelihood and impact. This involves assigning a probability and severity score to each risk, as well as numerically analyze the effect of identified risks on overall project objectives (schedule, budget, etc). By doing so, and record it in the Risk Register, it is possible to identify the highest priority risks, helping the project team focusing their efforts on the most critical ones. In order to do so, it is necessary to perform a qualitative and a quantitative risk analysis.
In the first technique, usually carried out by the project team or an expert, after the identification of potential risks, a categorization based on their probability of occurrence and potential impact is conducted, as well as the rating of each risk according to the two factors, resulting in a risk matrix. The risk matrix provides a clear visual representation of the relative importance of each risk and allows the team to concentrate on those with the highest potential impact.
The quantitative risk analysis requires more complex mathematical models and calculations, being more time-consuming and expensive, and requiring significant expertise in statistics and data analysis. It provides a more accurate and objective assessment of risk than qualitative analysis, enabling the project team to make more informed decisions about risk response strategies and reducing the project uncertainty.
Select Risk Responses
During this step, were specific methods and techniques are used to deal with known risks and opportunities, it is necessary to identify who is the responsible for a specific risk or opportunity and estimate the resources associated with handling it. Moreover, it is necessary to refine and select the most appropriate response option(s) and specific implementation approach(es) for selected risks (often those with medium or higher risk levels) and opportunities. It is also recommended to develop a fallback plan in case the chosen strategy proves ineffective or a previously accepted risk occurs.
The procedure to develop a risk response strategy is straightforward: first, the most desirable risk response option (of acceptance, avoidance, mitigation, and transfer for risks, and acceptance, enhance, exploit, and share for opportunities) is selected based upon cost, performance, schedule, and risk trade studies; Then the best implementation approach is chosen for the selected option.
Secondary risks, which may arise from the implementation of a risk response, should also be assessed. In this case, similarly, contingent responses can be developed for risks and opportunities where action is taken only if certain predefined conditions occur.
Finally, handling strategies can be developed using a combination of all four risk or opportunity response options, along with an appropriate implementation approach. To evaluate candidate risk response strategies, personnel may use the following criteria as a starting point:
- Feasibility of implementing the strategy while still meeting user needs.
- Expected effectiveness of the response strategy in reducing program risk to an acceptable level.
- Affordability of the strategy in terms of dollars and other resources.
- Availability of time to develop and implement the strategy, and its impact on the overall program schedule
- Impact of the strategy on the system's technical performance.
Strategies for negative risks or threats
Strategies for Positive risks or opportunities
Avoid, Transfer, Mitigate, Accept
Monitor and Control Risks
- Define indicators - Nominate a responsible - Define a time-window for monitoring each risk
Limitations
Even though a risk response plan is a valuable tool for risk management, it is important to recognize and understand its limitations. These limitations include incomplete risk identification, in case the project team fails to identify all potential risks, leading to a risk response plan that may not adequately address all risks that might impact the project. Additionally, this tool is developed in a way that it is typically focused on specific risks or events, not handling other potential project-impacting variables or occurrences (constrained scope). Furthermore, the unpredictability of prospective threats or the resources available to implement the strategies may have an impact on how successful risk response techniques are.
Due to stakeholders' aversion to change, implementing risk response techniques might be difficult. As a result, during the course of the project, it is critical for project teams to be conscious of these constraints and to regularly assess and modify their risk-management strategy as necessary.
Moreover, the selection and development of actions for the risk response plan can be influenced by the subjective opinions and biases of the project team. There are many factors that can influence the plan to be developed:
- Descriptive and measurement uncertainty: related to the amount and quality of information on the event that caused the risk and the magnitude of the damage it may provoke. This is especially important to take into account when conducting the quantitative analysis to ensure that the data used is accurate and reliable, as inaccurate data can lead to incorrect conclusions and ineffective risk response strategies.
- Voluntary risk or opportunity: refers to situations where the project manager willingly chooses to take on a risk or opportunity due to personal benefit to themselves or their organization. However, the risk or opportunity may also be forced upon the project manager.
- Inequitable risks or opportunities: Cost-effective alternatives may exist for some risks or opportunities, making them equitable, while other risks or opportunities may be inequitable due to the presence of only high-cost alternatives or limited options.
- Length of exposure to the risk or time available for the opportunity.
Final Remarks
A well-planned and executed risk response plan is essential for the success of any project. Developing a risk response plan requires careful consideration of various factors, including risk identification, categorization, prioritization, and response strategies. However, it is important to recognize that risk response plans have certain limitations. To mitigate them, project teams must continuously monitor and adjust their risk management approach throughout the project lifecycle. Moreover, it is essential to maintain open and honest communication about risk and its management and develop a consistent approach to risk management for each project. Risk attitudes of individuals and groups can influence their response to potential risks, which can be shaped by factors such as perception, tolerance, and biases. Therefore, it is crucial to identify and address these factors as much as possible.
Proactive and consistent risk management can help project teams to handle potential risks effectively and increase the likelihood of project success. Organizations should commit to identifying and managing potential risks throughout the project lifecycle and take a proactive approach to handle them effectively, developing responses which reflect an organization’s perceived balance between risk taking and risk avoidance.
Project risks can emerge from the start of a project, and ignoring them can lead to further complications arising from unmanaged threats. Therefore, project managers should prioritize the development and implementation of a robust risk response plan to ensure project success.
References
- ↑ Project Management Institute, Inc.. (2021). Guide to the Project Management Body of Knowledge (PMBOK® Guide) (7th Edition). Project Management Institute, Inc. (PMI). Retrieved from https://app-knovel-com.proxy.findit.cvt.dk/kn/resources/kpSPMAGPMP/toc