What are the four categories of risk response?

The Apocalypse. 

Some of us plan for it. Some of us don't.

When running a project, risks can become issues in the blink of an eye and it can feel like the end of the world. This is why it is extremely important to plan ahead. Let's plan together! 

Now, just as a refresher, below are the definitions of "risk" and "issue".

"Risk: an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives." (PMI, 2013, p. 559) AKA something good or bad that could possibly happen in the future such as bad weather affecting your event's attendee count or press that brings more paying customers to your business.

"Issue: A point or matter in question or in dispute, or a point or matter that is not settled and is under discussion or over which there are opposing views or disagreements." (PMI, 2013, p. 544) AKA a risk that actually happens and you have to figure out how to deal with it.

Let's pretend that you are working on a project and have already identified your risks. We will now move on to the stage of responding to those risks.

There are 4 ways to deal with negative risks:

1) Avoid

"When you avoid a risk, you stop it happening totally. Worried that a particular feature on your software won’t go down well in the international market? Switch it off. That’s an example of avoiding a risk completely: you put a plan in place to make sure that it could never happen. You can’t do this with all risks, but it’s a handy approach to shutting down trouble before it happens where you can." - Elizabeth Harrin on thebalance.com

2) Transfer

"Transferring a risk means shifting the responsibility for it on to someone else. The best example of this is an insurance policy. When you buy an insurance policy, you shift some of the impact of the risk on to the insurance firm, and they would be liable if the risk did happen." - Elizabeth Harrin on thebalance.com

3) Mitigate

In this type of risk response strategy, you try to minimize either the probability of the risks happening or the impact.

For example, you find that a team member may leave for a certain duration during the peak of your project. Therefore, to minimize the impact of his absence, you identify another employee with similar qualifications from your organization and inform his boss that you may need him for your project for a period of time. - Fahad Usmani on pmstudycircle.com

4) Accept

This risk response strategy can be used with both kinds of risks, i.e. either positive risks or negative risks. Here you don’t take any action to manage the risk but you do acknowledge it.

You can accept the risk either by actively acknowledging it or passively acknowledging it. In active acceptance, you keep a separate contingency reserve to manage the risk if it occurs, and in passive acceptance, you do nothing except note down the risk. - Fahad Usmani on pmstudycircle.com

Now that you have the tools to plan negative risk responses, I'm sure you want to know more about mitigating positive risk responses! Stay tuned until next week Thursday! 

Sources

Harrin, E. (2017, November 13). Here Is a Rundown of Risk Response Strategies for Negative Risks. Retrieved December 15, 2017, from https://www.thebalance.com/negative-risk-response-strategies-2779620

Project Management Institute. (2013). A guide to the project management body of knowledge (PMBOK guide). Newtown Square, Pa: Project Management Institute.

Usmani, F. (2017, October 23). Risk Response Strategies for Negative Risks or Threats. Retrieved December 15, 2017, from https://pmstudycircle.com/2015/04/risk-response-strategies-for-negative-risks-or-threats

A Risk Response Strategy is a part of a project plan. It may require changes in all/any part of it.

How to select a Risk Response Strategy? How to implement it in your risk management plan? Sounds complicated…

But let me simplify it for you in this article.

A Risk Response Strategy is an action plan for what you will do about a Risk on your project. The main risk response strategies for threats are Mitigate, Avoid, Transfer, Actively Accept, Passively Accept, and Escalate a Risk.

(Risk Response Strategy or Risk Response Plan is the same thing in essence. You can use terms interchangeably.)

Below you will find examples of risk responses for both threats and opportunities.

Chapter 1: Risk Response Strategies For Threats

First, you need to identify risks and log them into the Risk Register. Then, you need to conduct a Qualitative Risk Analysis. For the most severe threats, you’ll decide what Risk Response Strategy to select.

The main Risk Response Strategies are:

  • Avoid Risk
  • Mitigate Impact/Probability of a Risk
  • Transfer Risk
  • Actively Accept Risk
  • Passively Accept Risk
  • Escalate Risk

1. Avoid Risk Response Strategy

Avoid Risk Response Strategy means you need to do something to eliminate the cause of the threat.

#1.1 Example of Risk Avoidance in Scope Management

Clients and other stakeholders provide requirements for the project. Usually, they think that these requirements will help to achieve project’s business objectives.

Quite often, these requirements will pile up. Your project scope will bloat up, and you get beyond the constraints of time and budget.

When you get far beyond constraints, it’s obvious that you need to descope something or move deadlines. But sometimes you’ll find yourself in a situation when you barely fit into the constraints.

That’s when you need to log a risk that you don’t have any free reserves of time or budget (read buffer). If something goes wrong, you may fail to deliver on time.

At this point, you can develop a risk response strategy to remove a piece of the project scope. It will happen if, for example, you get behind schedule for more than ten days.

As you understand, this will help you control expectations. You warn stakeholders that risk may happen. They accept the action-plan. It will be easier to descope a requirement if something goes wrong.

Always implement the most critical deliverables first.

#1.2 Example of Risk Avoidance in Leadership and Stakeholder Management

As a project manager and leader, you need to ensure that your team members are happy, motivated, and engaged in the project.

For sure, you can’t always get people who perfectly match with one another. Moreover, constructive conflicts within a team are a good thing.

However, sometimes conflicts may get beyond professional behavior. People may feel dissatisfied with the organization in general.

The problem is that negative behavior is both destructive and demotivating for other team members.

As much as possible, you need to try to mitigate the impact from conflicting team members. But sometimes nothing helps, and you go beyond the point of no return in your relationships.

In this case, you want to avoid Risks of further demotivation of the whole team by removing a conflicting person.

Likewise, you may have an authoritative stakeholder who conflicts with team members or with you. In this case, you’ll need to take measures to isolate the person as much as possible.

In most cases, it means you need to get into internal politics and find leverage through your leadership or policies.

#1.3 Example of Risk Avoidance that Impacts the Whole Project

Before I became a project manager, I was a sailor. I worked on a big container vessel once.

We were unloading in Amsterdam when the rain started. In a few minutes, we heard over the radio that someone fell from the fourth tier container (12 yards) on the deck.

Port authorities stopped the unloading. We called a helicopter to get this person to a hospital. In the end, unfortunately, the person died.

For sure, if something like this happens on your project, it will be a terrible hit. You must do whatever it takes to avoid such risks. In most cases, delays and extra costs are negligible compared to the possible impact of a threat.

That’s why many industries forbid any work in bad weather to avoid the risk that someone gets hurt.


Risk Management Plan Template

(For Software Projects)

Most software project managers don’t know what goes into a Risk Management Plan. So, they simply don’t write it out. Unfortunately, this often leads to problems.
Get my template and use it as a starting point. In addition, you get access to all related risk management resources I have.
This template will eliminate the guesswork for you. With minor adjustments, you’ll be proud to present your risk management plan to the team and stakeholders.

Get The Template

2. Mitigate Impact/Probability of Risks

Mitigate Risk Response Strategy means you do something to reduce the impact or the probability of a threat.

#2.1 Example of Mitigation of Uncertainty

In the IT industry, we often create solutions that no one did before using technologies no one used this way before. Therefore, there’s a lot of uncertainty in such projects.

Is it even feasible to achieve the project’s objectives?

You don’t want to start full-blown development only to discover that the cornerstone technology can’t provide the required functionality. To mitigate such a risk, we begin with a Prototype or a Proof of Concept.

It’s a Risk Response Strategy where we do a mini-project to:

  • Create a minimal viable product.
  • Test out the compatibility of different solutions.
  • Check capabilities of new technologies.

This way, we try to guarantee the feasibility of at least 80% of the requirements.

It’s a quick and dirty implementation. It’s just a fraction of the budget and resources. And sometimes, we may need to do several POCs to select the most efficient approach. But still, it’s worth the investment.

This way we can also get early feedback from clients and adjust the requirement to the capabilities of the technologies we want to use.

Risk Management is not free of charge. You need budget and time to address risks.

#2.2 Example of Risk Mitigation in Procurement

Whenever you have a Third Party involved in a project – it’s a RISK.

There are many sources of risks here:

  • The third party has a different project management approach.
  • They have different quality standards.
  • Their team is not in sync with your team.
  • There’s a hard dependency on their deliverables.

And that’s just the tip of the iceberg.

You need to mitigate ALL possible risks from their side. But usually, you don’t have direct control over them.

That’s why here you need a mitigation Risk Response Strategy that provides you more information from the third party. You can request or even state it in the contract that:

  1. They need to provide a weekly progress report.
  2. Managers should participate in daily or weekly sync up meetings.
  3. You can visit them at any time to audit the work.

This way, you can get early warnings about problems they have.

#2.3 Example of Risk Mitigation via Education

You can’t identify all the risks. But you should try to mitigate the possibility of an unexpected severe risk in the middle of the project.

The most efficient way to achieve it is by educating your project team and stakeholders in proper risk management activities.

Also, you need to create an environment where people are not afraid to report new risks as soon as possible even if they committed to finishing the work on time.

It’s much easier to avoid or mitigate a risk when you know about it in advance. Not when it already happened.

Examples of Negative Risks Responses in a Risk Register

You can learn more about the Risk Register and get a template in this in-depth guide:

Risk Register Example and All You Need to Know About It (+Template)

| Risk Register Column | Entry |
| --- | --- |
| Index | 0013 |
| WBS Element | 1.6.5 |
| Category | HR |
| Description | Resources for mobile development are limited and on high demand. |
| Effects | Unavailability of developers may cause delays. Quality may suffer due to multitasking. |
| Probability | 8 |
| Impact | 8 |
| Risk Rank | 64 |
| Owner | Jane K. (Recruiter) |
| Response Plan | Recruiters will prioritize our openings starting next week. Develop a cross-project HR plan together with Ann Smith and Ron Nagle. Secure required resources from other projects. |

3. Transfer Risk Response Strategy

Transfer Risk Response Strategy means that you need to take action to make another party responsible for the risk.

#3.1 Example of Transferring Risks via Outsourcing

Imagine you work in a company that produces furniture. Your leadership decides that we need an e-commerce website and mobile applications to sell products. You were assigned to the project.

Now you are an IT Project Manager. Right away, there are huge sources of risks:

  • You don’t have the expertise and engineers to start the project.
  • There’s no infrastructure and practices to run a software development project.
  • Your recruiters don’t have expertise in hiring developers, QAs, etc.

That is why many companies decide to transfer such risks to vendors with expertise, infrastructure, and human resources.

It doesn’t eliminate all related risks and often introduces new types of risks: procurement, third parties, etc. But most probably you have experience dealing with these types of risks.

We’ll talk about secondary risks below.

#3.2 Example of Transferring Cost Risks

Sometimes projects depend on a piece of costly machinery. Or you rent some equipment. Or you need to purchase and store lots of materials.

The risk is that you can’t afford to buy a new piece of machinery, equipment, or materials if something goes unexpectedly wrong.

Like in everyday life, you want to transfer such risks for a relatively small sum and buy insurance or extra technical support.

A project stakeholder may have unique expertise that none of the team members has.

Sometimes you may get a project that goes into the knowledge domain where neither you nor your organization has enough expertise.

It’s not like you need to outsource a big part of the project. But you want to avoid risks related to procurement, accounting, or recruiting, for example.

In this case, you can try to transfer these risks to part-time or full-time experts. Hiring freelancers or a web design studio is an example of a transfer risk response strategy.

4. Actively Accept Risk Response Strategy

Actively Accept Risk Response Strategy means that you need to develop a (contingency) plan and make reserves for a risk. However, you will only act if and when the risk happens.

Feel the difference:

You don’t actively fight a risk. You react to it if it happens. But still, you prepare in advance.

In the real world you apply this type of response plan more often than other types.

But here’s the catch:

You can use the allocated reserves of time or money ONLY if the dedicated risk happens. If the risk doesn’t happen, you need to release the reserves and switch to the next set of tasks.

Why?

Thanks to Parkinson’s Law, work will always fill in all allocated time. Moreover, you want to control how accurate your risk analysis is. It may provide you insights into the risks that are yet to come.

#4.1 Example of Actively Accepting Risk with Reserve of Time

If you lead a long project, you always get through cold seasons when people catch a cold more often.

If you see that some critical due dates fall into such seasons, you want to plan accordingly.

The simplest way is to allocate a week or two of time reserve to your schedule. Just put a buffer on the milestone.

#4.2 Example of Actively Accepting Risk with Reserves of Budget

Sometimes requirements are not clear, and dedicating more time to business analysis doesn’t help. So, if you have ambiguity in requirements but deadlines are set in stone – that’s a risk.

In this case, you want to get feedback from clients on what you created as soon as possible. For sure, feedback means changes in the requirements and some rework.

You may actively accept such a risk and reserve an additional budget for overtime for the team to make the required changes on time.

5. Passively Accept Risk Response Strategy

Passively Accept Risk Response Strategy means you’ll do really nothing. If a risk happens, you will need to decide if there is a workaround. Or you would simply soak up the impact.

#5.1 Example of Passively Accepting a Risk and Workaround

In the same example, when we have expensive machinery, we can proactively purchase insurance. In the case of passive acceptance, we won’t do that.

We may decide that if the machinery breaks, we will try to carry on without it. Yes, it may take more time and some manual labor. But that may be an acceptable workaround.

Likewise, we may decide to find funds to make repairs. It’s additional costs and will delay the work but, again, it might be OK.

6. Escalate Risks as a Risk Response Strategy

Escalate Risk Response Strategy means you do something to get engagement from a stakeholder who can eliminate or mitigate the risk.

There is a group of risks that you can’t handle.

However, there is a person who can handle them relatively easily. So, you just need to reach him and get some of his attention.


Chapter 2: Examples of Positive Risk Response Strategies (Opportunities)

Exploit – Do some extra work or change the project plan to make an opportunity happen:

  1. Plan risky work packages for the most experienced team members.
  2. Suggest a better approach to reduce the required efforts.
  3. Suggest a solution to get a new contract from the client.
  4. Finish the current project earlier to get another project.

Enhance – Do something to increase the chances or impact of an opportunity:

  1. Buy the equipment beforehand when the price is lower.
  2. Negotiate the transfer of an exceptional expert to your team as early as possible.
  3. Promise incentives to the team to finish a project beforehand to start a new one.

Share – Share benefits with another party for an opportunity to happen for both of you.

  • Create a partnership with a third party to achieve your goals.

You can Actively and Passively Accept opportunities as well as threats.

| Risk Register Column | Entry |
| --- | --- |
| Index | 0043 |
| WBS Element | 1.6 |
| Category | Technical |
| Description | Purchasing “Photo Grid” module may reduce project duration and costs |
| Effects | A ready-made solution can be used for the Portfolio Feature. It reduces the duration from 2 months to 1 week. It saves about $10000 of the project budget. |
| Probability | 9 |
| Impact | 5 |
| Risk Rank | 45 |
| Owner | Nizhebetskiy D. |
| Response Plan | Added as WBS Element 1.6.1 – Research Results of Available Modules. Perform a POC on the integration of the module with the app. Check copyrights of the premium version. Acquire approval and budget for the purchase. |

Chapter 3: All You Need to Know About Risk Responses on a Project

Should You Create Risk Response Plans for All Known Risks?

Should we really do something with each risk?

No, you cannot eliminate all the risks. It is barely possible, and for sure it is impractical.

You do need to operate within your constraints of budget, time, and scope.

You may have a specific budget for risk management.

What is a Risk Response in Your Project Management Plan?

You need to understand this:

Your risk management efforts are a part of your project.

It is not something standalone.

Risk Response Plans may require:

  1. Updating Project Scope: adding or removing deliverables, work packages, tasks.
  2. Updating Project Budget: adding reserves, allocating money for additional work, resources, expertise.
  3. Updating Schedule: starting work on specific dates, adding reserves of time to critical tasks.
  4. Introduce new processes and workflows.
  5. Hiring a particular expert, consultants.
  6. Outsourcing part of the Project Scope to a third party.

Here’s the catch:

You plan risk responses later during project planning.

But!

So, you do need to update the required areas of the Project Management Plan with the planned responses.

It should be clearly depicted in your plan.

Every Risk Response Has Consequences

Here is another important concept. Every action has consequences. Therefore, by eliminating one risk quite often, you can introduce new ones.

There are two types of risks you need to be aware of:

  1. Secondary Risks – any new risks created by the implementation of a risk response plan.
  2. Residual Risks – these are the risks that remain after implementation of all risk response plans. They should be appropriately documented and communicated to stakeholders, since you will do nothing with these risks.

How to Implement a Risk Response Strategy?

First of all, you need to identify the top risks that warrant a response.

Next, you need to work with your team and stakeholders to develop possible options for risk responses for each risk.

It means that each risk will require either some extra work, some action or decision, or reserves of time and money.

It will help you to know risk tolerance and thresholds to develop the most appropriate responses.

Then you need to communicate these options to sponsor, customer, and some key stakeholders. You may need to get their approval. At least you must inform them.

Once everyone agrees to the suggested risk response plans, make them a part of your project management plan.

“The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities in budget, schedule and project management plan as needed.” – PMBOK Guide.

Now you need to review the plan and identify secondary and residual risks.

You may need to repeat the whole risk management process several times until you get a satisfactory plan.

What is a Risk Owner’s Role in the Risk Response Plan?

Remember this:

You don’t control all Risk Response Plans personally.

You must assign an Owner to each risk.

You actually put the owner’s name (and contacts) into the Risk Register.

This person should monitor the risk.

Sometimes the risk may start impacting your project sooner than you anticipated. Sometimes you may underestimate the risk in general.

So, the owner keeps the assigned risk top of mind.

When the time comes, the owner implements or controls the implementation of a Risk Response Plan. To some degree, you do it as well – but on a higher level.

He or she also controls and reports to you the efficiency of the strategy. If something goes wrong, these problems should be escalated to you.

It’s totally fine if one person owns several risks. But ensure that all those risks don’t happen at the same time. Otherwise, the person will be overwhelmed.

Conclusion

That is all for today. It was not too hard, I believe.

This approach gives a limited number of options. Nevertheless, it provides a robust framework to deal with risks. So you don’t need to reinvent the wheel.

I Also Recommend Reading:

  • Featured Article: Risk Management Process Explained (+resources, templates)
  • Next in the series: Risk Identification (What is it, techniques and examples)
  • Previous in the series: How to Perform Qualitative Risk Analysis for the First Time


What are the four risk categories?

Risk categories help project managers understand and plan for what parts of a project could go wrong.

  • Technical risks
  • External risks
  • Organizational risks
  • Project management risks

What are the categories of risk response?

Definition of Risk Response:

  • Avoidance - eliminate the conditions that allow the risk to exist.
  • Reduction/mitigation - minimize the probability of the risk occurring and/or the likelihood that it will occur.
  • Sharing - transfer the risk.
  • Acceptance - acknowledge the existence of the risk but take no action.

Which are the four categories of risk treatment?

Risk treatment measures can include avoiding, optimizing, transferring or retaining risk. The measures (i.e. security measurements) can be selected out of sets of security measurements that are used within the Information Security Management System (ISMS) of the organization.

What are four response strategies to negative risk?

The five basic strategies to deal with negative risks or threats are Escalate, Avoid, Transfer, Mitigate and Accept.