A risk response strategy outlines both the mitigation and contingency risk plans and forms a key component of the overall risk management plan. The PMBOK refers to a risk response strategy which is undertaken by a project team or manager. This plan aims to decrease the probability of a risk occurring, and/or lessening the consequence or impact of a risk (PMI 2021). As outlined in previous chapters, there are numerous steps that make up the risk response plan, including identifying, evaluating and analysing risks, and creating treatment plans. However, the overarching aim of each of these steps is to decrease the levels of exposure or likelihood of a risk and its overall consequence.
Information collected and documented within the risk register is used to develop a risk response plan. Each identified risk and opportunity is outlined, along with the level of likelihood and consequence and the project risk tolerance threshold. Understanding this information, the project manager and project team are responsible for determining appropriate risk responses.
Treatment options need to be developed and actions need to be implemented to enhance opportunities and decrease the impact of risks on project objectives. Therefore, a response plan fits within the project plan and outlines actions required. This plan increases the likelihood and outcome of the identified opportunities, while decreasing the impacts of risks.
The response plan is a strategy used to consider proactive actions, whereby risk responses are about preventing risk rather than cancelling the project all together. Within the PMBOK, there are 2 types of risk response plans: contingency and mitigation.
The contingency response plan outlines the responses and actions to be implemented if or when a risk occurs (Heimann 2000). Triggers are defined as the cues to execute contingency risk plans. It is mandatory to track and define the risk triggers to develop the risk contingency responses. As different triggers occur in the environment, the reserves can be used.
Both opportunities and risks should be planned for within contingency plans (Heimann 2000). This includes any event which poses a risk or a threat to the project – defined as a negative risk. Whereas any event which offers an opportunity for the project is defined as a positive risk. Across both these events, the response planning is in place to ensure that the most is made out of any opportunity and to provide a strategy to respond to and overcome risks.
Steps for creating the contingency plan:
There are 6 primary components of a contingency plan:
A primary tool that can be used to develop a contingency plan is the reserve or contingency budget and schedule analysis. This tool assists the project manager and team to determine how much contingency is required for both budget and schedule, based on the risk register. The contingency or reserve is used to respond to risks as they occur. The project manager and team need to ensure that the remaining contingency (both budget and schedule) are sufficient throughout the project life cycle. Where there is less contingency left compared to the number of risks, the project risk manager may need to seek additional funding and/or resources or complete a mitigation plan.
Implementing a contingency plan requires effective project management to ensure that all the strategies, risks and deliverables are managed appropriately. This includes the role of the project team members, who need to be aware of the risks within the register. They need to be entrusted to respond when needed and be empowered to implement strategies. In addition, the project team needs to be comfortable with the overarching risk management process, ensuring that they are comfortable developing risk mitigation and implementing contingency plans when identified risks occur. The project manager also needs to hold project team meetings frequently and encourage the project team members to be involved.
There are 4 common challenges that project managers and project teams face when trying to use contingency planning for risks:
The risk mitigation plan outlines actions to be taken in advance of a risk occurring or pre-emptively in response to a risk trigger occurring (Becker 2004). The process for creating the risk mitigation plan includes identifying, analysing, planning, implementing, and monitoring and controlling, as outlined in Figure 5. A primary component of the mitigation process is an iterative risk management process.
Figure 5. Risk mitigation plan process, by Carmen Reaiche, Samantha Papavasiliou and Frank Anglani, licensed under CC BY (Attribution) 4.0
consequences of risks are assessed. Consequences can include budget, schedule, technical, performance impacts and functionality. 3. Risk prioritisation: all identified risks are prioritised and ranked by the most critical to the least. 4. Risk mitigation planning, implementation, and monitoring and controlling: risks that have been analysed and ranked as high or medium criticality have mitigation planning conducted. 5. Risk tracking: throughout the project, the risks are identified and added to the register." width="1280" height="720" />
As outlined in the previous chapter, there are many options for responding to the specific risks within the mitigation process, including accepting, avoiding, controlling, transferring, monitoring and watching risks.
Mitigation plan content should include:
The actions required should be completed through one of the processes below:
These processes will help to evaluate the primary decision points to determine when the project risk process needs to move from the mitigation plan to the contingency plan.
Similarities and differences: mitigation versus contingency plans
It is recommended to have both risk contingency and mitigation response plans in place for managing risk management processes within a project and organisation. There are numerous differences which are outlined in Table 15.
Table 15. Risk mitigation versus risk contingency plans
Risk Mitigation Plan | Risk Contingency Plan |
Actions identified to respond to a potential risk occurring, a risk trigger occurring and/or regardless of risk occurrence. | Actions are planned and conditions are monitored for those that could trigger a risk. Actions are taken when warning signs are identified. |
Time and money are spent in advance for a specific risk condition. | Time and money are not spent in advance, but money is set aside to use when or as needed. |
Risk mitigation occurs outside risk thresholds. Applying a mitigation plan can reduce the risk likelihood and consequence. | Contingency plan does not change the likelihood or consequence of risk – the aim is to control the consequence for a risk event that could occur. |
Used as the initial level of defence for high exposure risks. | Used as a fallback plan for high exposure risks. |
In specific situations a proactive action plan is required to reduce the likelihood and consequence of risks. The plan is about supporting the contingency plan. | The contingency reserve is documented in the project management plan to support the budget and/or schedule risk. |
There are numerous factors which need to be considered as part of risk mitigation and contingency plans (Becker 2004), including:
The post-project review should include the risk management process, including learnings from the project, an analysis of how the project went, an evaluation of what occurred during the project, whether there needs to be improvements, and what went well.
Developing the risk response plans (including contingency and mitigation plans), requires developing and implementing a corresponding monitoring and controlling process. In risk management, a monitoring and controlling process is ongoing throughout the project life cycle. This involves developing processes which document information, which in turn assists with making informed decisions, either before, during or after a risk occurrence. These processes include:
There are 2 primary elements within the process for controlling risks within a project:
The monitoring and controlling process occurs throughout the project life cycle; however, there are some primary documents which are used to support the process. These include:
There are many tools which can be used to support monitoring and controlling in the project risk management space. The tools can be either manual or automated. These tools include project risk audits, status reporting and meetings, project risk assessments, change variance, and risk trend analysis.
These processes can be run manually or streamlined to be automated, depending on the size of the project, the complexity and the industry. Regardless of how the monitoring and controlling is completed, the information needs to be collected and displayed in real-time or as close to real-time. This enables project managers, project team members and stakeholders to track risks, and allows the assessment of risk, based on up-to-date information.
Now let’s review our knowledge:
Key Takeaways
References
Becker GM (2004) ‘A practical risk management approach’, paper presented at PMI® Global Congress 2004—North America, Anaheim, CA., Project Management Institute, Newtown Square, PA.
Heimann JF (2000) ‘Contingency planning as a necessity’, paper presented at Project Management Institute Annual Seminars & Symposium, Houston, TX., Project Management Institute, Newtown Square, PA.
Project Management Institute (2021) A guide to the project management body of knowledge (PMBOK® Guide), 7th edn, Project Management Institute, Newtown Square, PA.
Risk Assessment and Quality Project Management Copyright © 2022 by Carmen Reaiche, Samantha Papavasiliou and Frank Anglani is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.