11.5 Plan Risk Responses

Description: the process of developing options, selecting strategies, and agreeing on actions to address overall project risk exposure and individual project risks. The process allocates resources and inserts activities into project documents and the project management plan as needed. Unsuitable risk responses can have the converse effect. Once risks have been identified, analyzed, and prioritized, plans should be developed by the nominated risk owner for addressing every individual project risk the project team considers to be sufficiently important, either because of the threat it poses to the project objectives or the opportunity it offers. Risk responses should be appropriate for the significance of the risk, cost-effective in meeting the challenge, realistic within the project context, agreed upon by all parties involved, and owned by a responsible person. Secondary risks should also be identified. Secondary risks are risks that arise as a direct result of implementing a risk response. A contingency reserve is often allocated for time or cost. If developed, it may include identification of the conditions that trigger its use.

Key benefit: it identifies appropriate ways to address overall project risk and individual project risks.

Frequency: throughout the project.

Process / Asset Group	Input	The Process	Output	Process / Asset Group
Project Management Plan	Resource management plan	11.5 Plan Risk Responses	Change requests	4.6 Perform Integrated Change Control
	Risk management plan			Project Management Plan
	Cost baseline		Schedule management plan
Project Documents	Lesson learned register		Cost management plan
	Project schedule		Quality management plan
	Resource breakdown structure		Resource management plan
	Resource calendars		Procurement management plan
	Risk register		Scope baseline
	Risk report		Schedule baseline
	Stakeholder register		Cost baseline
Enterprise / Organization	Enterprise environmental factors		Assumption log	Project Documents
	Organizational process assets		Cost forecasts
			Lesson learned regiaster
			Project schedule
			Project team assignment
			Risk register
			Risk report

10.5.1 Inputs

11.5.1.1 Project Management Plan

• Resource management plan. To help determine how resources allocated to agreed-upon risk responses will be coordinated with other project resources.
• Risk management plan. Risk management roles and responsibilities and risk thresholds.
• Cost baseline. Information on the contingency fund.

11.5.1.2 Project Documents

• Lesson learned register.
• Project schedule. To determine how agreed-upon risk responses will be scheduled alongside other project activities.
• Project team assignments. The resources that can be allocated to agreed-upon risk responses.
• Resource calendars. When potential resources are available to be allocated to agreed-upon risk responses.
• Risk register. Details of individual project risks that have been identified and prioritized, and for which risk responses are required. The priority level for each risk can help to guide the selection of appropriate risk responses. The nominated risk owner for each risk. It may also contain preliminary risk responses identified earlier in the Project Risk Management process.
• Risk report. The current level of overall risk exposure.
• Stakeholder register. Potential owners for risk responses.

11.5.1.3 Enterprise Environmental Factors

The risk appetite and thresholds of key stakeholders.

11.5.1.4 Organizational Process Assets

• Templates for the risk management plan, risk register, and risk report;
• Historical databases; and
• Lessons learned repositories from similar projects.

11.5.2 Tools and Techniques

11.5.2.1 Expert Judgment

• Threat response strategies,
• Opportunity response strategies,
• Contingent response strategies, and
• Overall project risk response strategies.

11.5.2.2 Data Gathering

Interviews.

11.5.2.3 Interpersonal and Team Skills

Facilitation. To understand the risk, identify and compare alternative possible risk response strategies, choose an appropriate response strategy, and identify and overcome sources of bias.

11.5.2.4 Strategies for Threats

1. Escalate. A threat is outside the scope of the project or that the proposed response would exceed the project manager's authority. Escalated risks are managed at the program level, portfolio level, or other relevant part of the organization, and not on the project level. It is important that ownership of escalated threats is accepted by the relevant party in the organization. Escalated threats are not monitored further by the project team after escalation, although they may be recorded in the risk register for information.
2. Avoid. To eliminate the threat or protect the project from its impact. Change the project management plan/objectives => reduce probability of the risk to zero.
   1. Remove the cause of the a threat;
   2. Extend the schedule;
   3. Change the project strategy;
   4. Reduce scope;
   5. Clarify requirements;
   6. Obtain information;
   7. Improve communication;
   8. Acquire expertise.
3. Transfer. Shifting ownership of a threat to a third party to manage the risk and to bear the impact if the threat occurs:
   1. Use of insurance;
   2. Performance bonds;
   3. Warranties;
   4. Guaranties;
   5. Agreements.
4. Mitigate. Reduce the probability of occurrence and/or impact of a threat. Action to mitigate risks, redundancies, others.
5. Accept. No proactive action is taken. Active acceptance - create a contingency reserves. Passive - periodic review only.

11.5.2.5 Strategies for Opportunities

1. Escalate.
2. Exploit.
3. Share.
4. Enhance. Increase the probability and/or impact of an opportunity.
5. Accept.

11.5.2.6 Contingent Response Strategies

For some risks, it is appropriate for the project team to make a response plan that will only be executed under certain predefined conditions, if it is believed that there will be sufficient warning to implement the plan. Events that trigger the contingency response, such as missing intermediate milestones or gaining higher priority with a seller, should be defined and tracked. Risk responses identified using this technique are often called contingency plans or fallback plans and include identified triggering events that set the plans in effect.

11.5.2.7 Strategies for Overall Project Risk

• Escalate.
• Exploit.
• Transfer/Share.
• Mitigate/Enhance.
• Accept.

11.5.2.8 Data Analysis

• Alternatives analysis. A simple comparison of the characteristics and requirements of alternative risk response options.
• Cost-benefit analysis.

11.5.2.9 Decision Making

Multicriteria decision analysis uses a decision matrix to provide a systematic approach for establishing key decision criteria, evaluating and ranking alternatives, and selecting a preferred option. Criteria for risk response selection may include but are not limited to

• Cost of response,
• Likely effectiveness of response in changing probability and/or impact,
• Resource availability,
• Timing constraints (urgency, proximity, and dormancy),
• Level of impact if the risk occurs,
• Effect of response on related risks,
• Introduction of secondary risks,
• Etc.

11.5.3 Outputs

11.5.3.1 Change Requests

11.5.3.2 Project Management Plan Updates

• Schedule management plan. Changes to resource loading and leveling, or updates to the schedule strategy.
• Cost management plan. Changes to cost accounting, tracking, and reports, as well as updates to the budget strategy and how contingency reserves are consumed.
• Quality management plan. Changes to approaches for meeting requirements, quality management approaches, or quality control processes.
• Resource management plan. Changes to resource allocation, as well as updates to the resource strategy.
• Procurement management plan. Alterations in the make-or-buy decision or contract type(s).
• Scope baseline.
• Schedule baseline.
• Cost baseline.

11.5.3.3 Project Documents Updates

• Assumption log. New assumptions and constraints.
• Cost forecasts.
• Lesson learned register.
• Project schedule.
• Project team assignment.
• Risk register.
  • Agreed-upon response strategies.
  • Specific actions to implement the chosen response strategy.
  • Trigger conditions, symptoms, and warning signs of a risk occurrence.
  • Budget and schedule activities required to implement the chosen responses.
  • Contingency plans and risk triggers that call for their execution.
  • Fallback plans for use when a risk that has occurred and the primary response proves to be inadequate.
  • Residual risks that are expected to remain after planned responses have been taken or accepted.
  • Secondary risks that arise as a direct outcome of a risk response.
  
  Link to the original post