Module 4. Mitigation and contingency risk plan

A risk response strategy outlines both the mitigation and contingency risk plans and forms a key component of the overall risk management plan. The PMBOK refers to a risk response strategy which is undertaken by a project team or manager. This plan aims to decrease the probability of a risk occurring, and/or lessening the consequence or impact of a risk (PMI 2021). As outlined in previous chapters, there are numerous steps that make up the risk response plan, including identifying, evaluating and analysing risks, and creating treatment plans. However, the overarching aim of each of these steps is to decrease the levels of exposure or likelihood of a risk and its overall consequence.

Information collected and documented within the risk register is used to develop a risk response plan. Each identified risk and opportunity is outlined, along with the level of likelihood and consequence and the project risk tolerance threshold. Understanding this information, the project manager and project team are responsible for determining appropriate risk responses.

Treatment options need to be developed and actions need to be implemented to enhance opportunities and decrease the impact of risks on project objectives. Therefore, a response plan fits within the project plan and outlines actions required. This plan increases the likelihood and outcome of the identified opportunities, while decreasing the impacts of risks.

The response plan is a strategy used to consider proactive actions, whereby risk responses are about preventing risk rather than cancelling the project all together. Within the PMBOK, there are 2 types of risk response plans: contingency and mitigation.

Contingency plan

The contingency response plan outlines the responses and actions to be implemented if or when a risk occurs (Heimann 2000). Triggers are defined as the cues to execute contingency risk plans. It is mandatory to track and define the risk triggers to develop the risk contingency responses. As different triggers occur in the environment, the reserves can be used.

Both opportunities and risks should be planned for within contingency plans (Heimann 2000). This includes any event which poses a risk or a threat to the project – defined as a negative risk. Whereas any event which offers an opportunity for the project is defined as a positive risk. Across both these events, the response planning is in place to ensure that the most is made out of any opportunity and to provide a strategy to respond to and overcome risks.

Steps for creating the contingency plan:

  1. Identify specific events which could trigger the implementation of the contingency plan.
  2. Document the roles and responsibilities, timeframes or processes, where the plan occurs and how it will be implemented.
  3. Outline guidelines to report and communicate processes. Document how stakeholders will be engaged, who will send the information, how frequently, and how soon after risks occur the communication needs to be shared.
  4. Monitor and report the contingency plan, ensuring it is up-to-date with all potential risks.

There are 6 primary components of a contingency plan:

  1. Triggers: the ‘things’ that happen which require the implementation of the plan.
  2. Response plan: outlines what will be done in response to the trigger.
  3. Stakeholder engagement: sharing the risk occurrence and the implementation of the plan with key or primary stakeholders.
  4. Timeframes: consideration of how soon after the trigger or the risk a response action will be taken.
  5. Likelihood: how likely it is it that the risk will occur.
  6. Consequence: the level of consequence or effect of the risk occurring.

A primary tool that can be used to develop a contingency plan is the reserve or contingency budget and schedule analysis. This tool assists the project manager and team to determine how much contingency is required for both budget and schedule, based on the risk register. The contingency or reserve is used to respond to risks as they occur. The project manager and team need to ensure that the remaining contingency (both budget and schedule) are sufficient throughout the project life cycle. Where there is less contingency left compared to the number of risks, the project risk manager may need to seek additional funding and/or resources or complete a mitigation plan.

Implementing a contingency plan requires effective project management to ensure that all the strategies, risks and deliverables are managed appropriately. This includes the role of the project team members, who need to be aware of the risks within the register. They need to be entrusted to respond when needed and be empowered to implement strategies. In addition, the project team needs to be comfortable with the overarching risk management process, ensuring that they are comfortable developing risk mitigation and implementing contingency plans when identified risks occur. The project manager also needs to hold project team meetings frequently and encourage the project team members to be involved.

There are 4 common challenges that project managers and project teams face when trying to use contingency planning for risks:

Risk mitigation plans

The risk mitigation plan outlines actions to be taken in advance of a risk occurring or pre-emptively in response to a risk trigger occurring (Becker 2004). The process for creating the risk mitigation plan includes identifying, analysing, planning, implementing, and monitoring and controlling, as outlined in Figure 5. A primary component of the mitigation process is an iterative risk management process.

Figure 5. Risk mitigation plan process, by Carmen Reaiche, Samantha Papavasiliou and Frank Anglani, licensed under CC BY (Attribution) 4.0

Figure 5. Outlines the risk mitigation process: 1. Risk identification: potential risks are identified and their relationships are defined. 2. Risk analysis and evaluation: the likelihoods and <a href=consequences of risks are assessed. Consequences can include budget, schedule, technical, performance impacts and functionality. 3. Risk prioritisation: all identified risks are prioritised and ranked by the most critical to the least. 4. Risk mitigation planning, implementation, and monitoring and controlling: risks that have been analysed and ranked as high or medium criticality have mitigation planning conducted. 5. Risk tracking: throughout the project, the risks are identified and added to the register." width="1280" height="720" />

  1. Risk identification: potential risks are identified and their relationships are defined.
  2. Risk analysis and evaluation: the likelihoods and consequences of risks are assessed. Consequences can include budget, schedule, technical, performance impacts and functionality.
  3. Risk prioritisation: all identified risks are prioritised and ranked by the most critical to the least.
  4. Risk mitigation planning, implementation, and monitoring and controlling: risks that have been analysed and ranked as high or medium criticality have mitigation planning conducted.
  5. Risk tracking: throughout the project, the risks are identified and added to the register.

As outlined in the previous chapter, there are many options for responding to the specific risks within the mitigation process, including accepting, avoiding, controlling, transferring, monitoring and watching risks.

Mitigation plan content should include: