There is a difference in definition of risk and uncertainty, as uncertainty is the absence of information required to make a decision. In order to manage risk and uncertainty it is important to understand four elements of the risk management process of identifying, assess, respond and control of the risk events and their sources. After undergoing the steps of identifying and assess the risks at hand during the project, it is the process of developing a strategic response that enables the proper action for the uncertainty of the outcome, whether the risk poses a threat to the project that has to be mitigated or if it is an opportunity to exploit. This article will give an overview of the planning, strategies and tools for the risk response process. The project benefits of addressing risks by their priority, inserting resources and activities into the budget, schedule and project management plan as needed ^[1].

Plan risk responses

In order to fully understand risk responses and strategies to deal with threats or turn chances into opportunities, it is vital to be familiar with the concept of risk management. Risk management is the overall response to an event that has an outcome, either positive and in favor of the project or negative thus posing threat to the project objectives such as scope, schedule, cost or quality^[1]. According to the Project Management Institute (2013) the definition of Risk management in projects is: “to identify and prioritize risks in advance of their occurrence and provide action-oriented information to project managers. Risk has a source, and its origins can be traced to the uncertainty that is present on all projects^[1]. There is a difference in definition of risk and uncertainty, as uncertainty is the absence of information required to make a decision. Risk in theory could be described as the variation from an expected value, negative or positive. We can talk about risks as if the risk event happens, the uncertainty perishes. If the risk was a threat, it becomes an existing problem and if the risk was an opportunity it becomes a benefit. Decisions are made to eliminate risks and with sufficient knowledge of possible risks turn them into chances, thus introducing risk management. In order to be able to respond appropriately to the risk at hand the risk source must be known and the probability of an event to happen.

Identify risks

Identifying the risks is generally considered to be the first step in the process of the planning of the risk responses. It is obvious that no action can be taken on a risk that has not been identified. From a stakeholder’s point of view, the identification of risks can be done by stakeholders, contractors, consultants and other representatives of the project but should be explicitly be handled by all project management personnel and project team members, and should be documented as^[2]:

Statement of work (SOW)
Work breakdown structure (WBS)
Budget
Schedule
Acquisition plan
Execution plan

The identification process of possible risks is iterative, that is it will repeat itself throughout the whole project lifetime. Few common techniques to gather possible risks could be^[3]:

Historical review: with experience and review of the past, similar organizations and projects risks can be expected and identified with e.g. checklists.
Current assessment: The current project is analyzed and possible risks are identified based on examination and e.g. assumptions analysis.
Creativity techniques: methods where the capability of the personnel to think of possible risks with methods like brainstorming of ideas and SWOT analysis.

Risk register

After the identification progress, it is vital to register the risks that have been identified. The risks are put into a document called the risk register. That is a vital baseline for the risk management process. It contains both identified risks and potential responses to that risks. The risk register is a part of the risk identification process and risks must be put forth in a detailed and described manner and will be used in the risk response planning^[3].

Assessment

With the risk register taking shape, it is necessary to assess the risks that have been identified in order to evaluate their impact on the project. By assessing the risks it is possible to prioritize them based on their characteristics. Two form of assessments are used to analyze risks^[1]:

Qualitative risk assessment: is used to prioritize the risks identified by combining their probability of occurrence and impact on the project. Risk probability and impact can be assessed in interviews with experts or persons familiar with the risk. Common methods to use to apply on risks to categorize their possible threats is to use the probability and impact matrix. With the probability and impact matrix it is possible to guide the project management to what extent the risk response and monitoring is appropriate.
Quantitative risk assessment: is used to numerically estimate the effect of the risk it has on the overall project goals. After prioritizing the risks with qualitative methods, the quantitative risk assessment is made. It can be desirable to make such a numerical estimation of the identified risk to quantify the risk effect of the project^[1]. This estimation can be a basis for decision making and response planning such as if the project is feasible to execute, for setting contingency and priorities for risk mitigation^[2] . Example of quantitative methods are; e.g. Sensitivity analysis, Expected Monetary Value analysis and Monte Carlo Simulations.

Risk respond strategies

With the risk register documenting all the possible risk that have been identified and assessed, it is appropriate to develop the action of responding to the risks. The management has then to decide, with the range of responses available, what level of risk is acceptable for the project^[4]. But whether the risk is a threat or an opportunity it must be considered strategically so that is does not become a problem or a missed benefit. The project manager should be responsible for developing the strategic development of the risk but include the stakeholders for agreement of the response. The Project Management Institute (2013) suggests the following four strategies for the risk responses of threats and opportunities on the project:

Table 1: Risk response strategies
For threats	For opportunities
Avoid: Risk can be avoided by eliminating the threat from the project or changing the project management plan so that the project reaches its goals. This could include change of schedule or resources. Even though this is not applicable to every risk situation, because of time consumption or other reasons, it should be considered the first strategic option.	Exploit: It is a strategy to exploit risks that have positive impacts on the project. By eliminating the uncertainty that is associated with the risk the opportunity becomes clear. Adding work or changing the scope of the project. Example would be exploiting technological options in the benefit of the project.
Transfer: It is a strategic plan to transfer the risk to a third-party. Finding another party who is willing to take the risk with a payment of a premium. This does not eliminate the risk but transfers the responsibility and ownership of the risk to someone that is able to handle it effectively.	Share: A risk is shared through a mutual agreement to maximize the benefits of the opportunity in the benefits of the project. Allocating the ownership of an opportunity to a third-party. Examples would be forming joint ventures or risk-sharing partnerships. It is similar to the transfer of threats where the benefits of a third-party is used.
Mitigate: Certain risks cannot be eliminated. With early interference of a risk it is possible to lower the risk probability to an acceptable threshold for the project. Taking early action instead of keeping the possibility of the risk.	Enhance: This response is the increasing of the probability, or the impact, of the opportunity at hand and thus maximizing the benefit for the project. Has similarities to mitigating a risk.
Acceptance: This strategy is applied when there is no other strategy applicable. No action is taken until the risk occurs. This means that the project team has decided not to change the project management plan since it is not possible to change the impact or is unable to identify another strategy. This can lead to contingency plans being initiated. Accepting an opportunity simply means that the project management is willing to accept the benefit of it without having to pursue it.

Contingency plans can be activated if a certain risk event occurs. There is an appropriate response plan that would only be executed under specific conditions if the situation suggests there is sufficient warning to implement the plan^[1].

Expert judgement can include seeking advice and consultancy from experts or knowledgeable parties on actions taken on a certain risk event. It is frequently used to support the decision making in different areas. It can raise question about the quality and accuracy of the results obtained. In situations where little or no information is accessible, expert judgement can be the only source of good and valuable information to base the assessment of action^[5].

Another important strategy would be to delay the important decision. With time the available knowledge and information would increase.

Tools for risk responses

For the use of the strategies and implementations of the actions of the response, there are four categories of tools and techniques mentioned in the Project Management Institute guide (2009)

Creativity tools to identify potential responses.
Decision-support tools for determining the optimal potential response.
Strategy implementation techniques designed to turn a strategy into action.
Tools to transfer control to the Monitor and Control Risks process.

Using the sets of tools available to the project manager can be used to select the proper response and implement the strategy to turn it into action. Using the following procedures as recommended by the Project Management Institute (2013):

Identify the proper response: Risk response planning is based on information available and should be subjected to expert opinions to decide the optimal response. Using available creativity techniques should be considered to evaluate all possible options. Techniques of project planning and execution should be used to evaluate the outcome and effects of the selected response.

Response selection: After identifying the proper responses to the risk, more than one possibility can be available. Some decision support techniques can be applied in order to select the optimal response from the set of possibilities. Thought has to go in the cost of the procedure and the effects it could have on the future of the project. There is uncertainty attached to the outcome and with help of the identification of risk process and quantitative methods that should be applied to the selected strategy, the iterative process continues until all identified risks are under an acceptable threshold.

Action planning: Using the tools available to the project manager of project planning, the selected strategy is turned into action with the corresponding change of the project management plan. The plans could be either unconditioned or conditioned to some certain warnings that could trigger a contingency plan.

Ownership and responsibility: The identified risk and the response should be attached to an owner for monitoring purposes. This ensures that the risk response is carried out in effective manner.

After undergoing the procedures of the risk response planning, it is vital to update all documents regarding the project management plan. The risk register should be updated, and information provided in details. The corresponding responses have effects on the project management plan regarding costs, resources, scheduling details and the overall project documentation .

Limitations

References

↑ ^1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 Project Management Institute (2013) A Guide to the Project Management Body of Knowledge, Fifth Edition.
↑ ^2.0 ^2.1 NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES. The Owner's Role in Project Risk Management (2005). Washington, D.C.. THE NATIONAL ACADEMIES PRESS
↑ ^3.0 ^3.1 Project Management Institute (2009) A Guide to the Project Management Body of Knowledge, Fourth Edition.
↑ Hopkin, P. (2013) Risk Management. Publisher: Kogan Page.
↑ Leung, K., Verga, S. (2007) Expert Judgement in Risk Assessment. Defence R&D Canada – CORA

[PMI-0] 1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 Project Management Institute (2013) A Guide to the Project Management Body of Knowledge, Fifth Edition.

[NAT-1] 2.0 ^2.1 NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES. The Owner's Role in Project Risk Management (2005). Washington, D.C.. THE NATIONAL ACADEMIES PRESS

[PMI2-2] 3.0 ^3.1 Project Management Institute (2009) A Guide to the Project Management Body of Knowledge, Fourth Edition.

[HOP-3] Hopkin, P. (2013) Risk Management. Publisher: Kogan Page.

[LEUNG-4] Leung, K., Verga, S. (2007) Expert Judgement in Risk Assessment. Defence R&D Canada – CORA

[1]

[2]

[3]

[4]

[5]

Risk responses

Contents

Plan risk responses

Identify risks

Risk register

Assessment

Risk respond strategies

Tools for risk responses

Limitations

Further reading

References

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Toolbox