Defining Risk Management – Part 6: Risk Response

Posted by Brad Egeland

What started as a five-part series became a seven-part series, and now, with the potential length of the Risk Response article (if published in full here), it looks like it may become an eight- or nine-part series. Risk response strategies include acceptance, avoidance, transfer, and mitigation. In this article and the next couple of articles, we’ll look at each of these more deeply.

The following is a modified excerpt from the book “The Project Management Question and Answer Book” which has a great section on Risk Management.

What are Risk Response Strategies?

Risk response strategies are the approaches we can take to deal with the risks we have identified and quantified. In the section on risk quantification we discussed evaluating each risk in terms of its impact and probability so that we would be able to rank risks in order of importance. This is what we called severity, the combination of impact and probability.

Risk response strategy is really based on risk tolerance, which has been discussed. Risk tolerance in terms of severity is the point above which a risk is not acceptable and below which the risk is acceptable.

Several strategies are available for dealing with risks. These are avoidance, acceptance, transfer, and mitigation.

There are many reasons for selecting one risk strategy over another, and all of these factors must be considered. Cost and schedule are the most likely reasons for a given risk to have a high severity. Other factors may affect our choice of risk strategy. For example, if a schedule risk is identified for a task in the project, and if this task has many other tasks depending on it, its severity may be calculated as being lower than is apparent, and the severity should be adjusted even though the schedule impact due to the disruption may be difficult to judge. The strategy should be appropriate for the risk it is intended for.

The following four strategies are the ones normally used for dealing with risk:

Acceptance. Acceptance of a risk means that the severity of the risk is low enough that we will do nothing about the risk unless it occurs. Using the acceptance strategy means that the severity of the risk is lower than our risk tolerance level. If this were not the case, it would not make sense to accept the risk. Once the risk occurs, we will fix the problem and move on. The risk is acceptable because the severity of the risk is lower than our risk tolerance. Accepting a risk does not mean that we will not do something about the risk when and if it occurs; it means that we will do something about it only if it occurs. Many of the project risks will fall into this category. It is the category where the many insignificant risks are put. Many of these risks cost less to fix when they occur than it would cost to investigate and plan for them.

There are two kinds of acceptance, active and passive. Acceptance is active when a risk is identified as being acceptable but we decide to make a plan for what to do when and if the risk occurs. It is much more effective to have a plan in place when these types of risk occur rather than trying to deal with the risk when there is little time and lots of hysterics. There is also another risk involved: the wrong thing can be done to solve the problem because its solution was not clearly thought out under pressure in the heat of the moment.

Acceptance is passive when nothing at all is done to plan for the risk occurrence. Many of the identified risks in the project will be passively accepted. These risks are simply too small to be of concern. The cost of developing a plan and documenting it can be higher than the cost of dealing with the risk without preparation.

An example of risk acceptance is the risk that off-the-shelf software that was purchased for the project will be defective. There is a probability of 2 percent that this will occur; that is, that the CD the software is delivered on will not work and will have to be replaced with a new CD. This causes a delay of five days to a task that has twenty-five days of free float. Passive acceptance will probably be used in dealing with this risk. It is probably not worth the effort to anticipate the problem and do something about it. It is simpler to wait and see if something is wrong with the CD and take corrective action. Of course, it would be foolish to receive the CD and not test it until it was needed.

In the next article, we’ll look at the risk strategies of transfer, avoidance, and mitigation.


4 Comments to “Defining Risk Management – Part 6: Risk Response”

  • Hi there,
    Ugh, I liked! So clear and positively.

  • Hey Just what is needed and nothing more.

  • Thanks!
    Helpful insight.

  • this is just more than fantastic exactly what you need
