

Risk Response Strategy (Definitive Guide with Examples)
How to select a Risk Response Strategy?

Sounds complicated.

But let me simplify it for you in this article.

Here you will find examples of risk responses for both threats and opportunities.

But there’s a catch:

You may have a limited mindset with regard to dealing with risks.

So, I would suggest you review examples of dealing with different risks on a real
project first. Click here to read how I managed different kinds of threats.

Project Risk Management Overview

Definition of Risk Response Strategies
Here is what you need to know:

Risk Response Strategy or Risk Response Plan is not something from an enterprise world.

(By the way, you can use terms interchangeably.)

Risk Response Planning is the process of identifying what you will do with all the
risks in your Risk Register.
In the PMBOK® Guide, the process is called Plan Risk Responses.
Should You Create Risk Response Plans for All Known Risks?
Should we really do something with each risk?

No, you cannot eliminate all the risks. It is barely possible, and for sure it is

You do need to operate within your constraints of budget, time, and scope.

You may have a specific budget for risk management.

What is a Risk Response in Your Project Management

You need to understand this:

Your risk management efforts are a part of your project.

It is not something standalone.

Risk Response Plans may require:

1. Updating Project Scope: adding or removing deliverables, work packages,

2. Updating Project Budget: adding reserves, allocating money for additional
work, resources, expertise.
3. Updating Schedule: starting work on specific dates, adding reserves of time
to critical tasks.
4. Introduce new processes and workflows.
5. Hiring a particular expert, consultants.
6. Outsourcing part of the Project Scope to a third party.

Here’s the catch:

You plan risk responses later during project planning.


So, you do need to update the required areas of the Project Management
Plan with the planned responses.

It should be clearly depicted in your plan.

Every Risk Response Has Consequences

Here is another important concept. Every action has consequences. Therefore,
by eliminating one risk, you can quite often introduce new ones.

There are two types of risks you need to be aware of:

1. Secondary Risks – any new risks created by the implementation of a risk
response plan.
2. Residual Risks – these are the risks that remain after implementation of all
risk response plans. They should be appropriately documented and
communicated to stakeholders, since you will do nothing with these risks.

What Can You Do With a Risk?

In fact, there are not many options here. You can:

• You can do something to avoid risk.
• You can do something to reduce Impact and/or Probability of a threat.
• You can do nothing and let the risk happen but use the reserves to minimize
the negative impact.
• You can do nothing and accept the risk and its effects.

What are the best risk responses?

Responses must be timely.
They should eliminate or mitigate risk before it happens.

You need to be proactive.

Waiting for a risk to happen and only then mitigating the negative impact is a bad


It’s firefighting. It’s not efficient. And it might happen so that the risk occurs when
you don’t have available resources to address it.

Or it may stack with other risks or critical activities on the project.

The outcome becomes less predictable.

Responses should be appropriate to the level of a threat or opportunity.
It merely means that you shouldn’t waste $10000 to save $2000 of possible
impact. Even $10000 effect might not be worth it if the probability is low.

So, you need to assess the costs and benefits of your risk strategies.

“When a risk occurs, with some ingenuity, this may open up an opportunity, and
conversely when pursuing an opportunity there will be associated risks. Risks are
generally deemed acceptable if the possible gains exceed the possible losses.” –
Rory Burke
They should be developed with the team and

The best risk responses are generated in close collaboration with as many
experts as practical.
That’s the trick:

Quite often your clients can eliminate a severe risk by making a decision that is
beyond your authority.
You may come up with some solution. But will it be worth it?

Likewise, subject matter experts have experience in certain areas of the project.
They faced all possible risks.

Why fall into the same pitfalls? Just ask them for a solution.

It’s OK if one Risk Response Strategy Acts upon Several Risks.
Ideally, you want to address the root cause of a risk. You need to identify
the sources of major threats and fix them.

So, for example, low accuracy of estimates may come from lack of Scope

You can put more time to do the estimates and check them with team members.

But adding a Work Breakdown Structure into your project plan may have a
profound and permanent effect.
How Does it Happen?
First of all, you need to identify the top risks that warrant a response.

Next, you need to work with your team and stakeholders to develop possible
options for risk responses for each risk.

It means that each risk will require either some extra work, some action or
decision, or reserves of time and money.

It will help you to know risk tolerance and thresholds to develop the most
appropriate responses.

Then you need to communicate these options to the sponsor, the customer, and some
key stakeholders. You may need to get their approval. At least you must inform

Once everyone agrees to the suggested risk response plans, make them a part
of your project management plan.

“The key benefit of this process is that it addresses the risks by their priority,
inserting resources and activities in budget, schedule and project management
plan as needed.” – PMBOK Guide.
Now you need to review the plan and identify secondary and residual risks.

You may need to repeat the whole risk management process several times until
you get a satisfactory plan.

5 Risk Response Strategies

First of all, let’s review the response plans for the risks. Then, we will do the same
for opportunities.

Examples of Valid Negative Risks (Threats)



Index: 0013
WBS Element: 1.6.5
Category: HR
Description: Resources for mobile development are limited and on high demand.
Effects: Unavailability of developers may cause delays. Quality may suffer due to multitasking.
Probability: 8
Impact: 8
Risk Rank: 64
Owner: Jane K. (Recruiter)
Response Plan:
    Recruiters will prioritize our openings starting next week.
    Develop a cross-project HR plan together with Ann Smith and Ron
    Secure required resources from other projects.

Avoid – It means you need to do something to eliminate the cause of the threat:

1. Remove a work package or delivery from WBS to secure delivery of the rest
of the project.
2. Remove a conflicting team member to stop demotivation in the team.
3. Forbid any work in bad weather to avoid the risk that someone will get hurt.

Mitigate – Do something to reduce the impact or the probability of a threat:

1. Prototype unclear or risk delivery early on to get early feedback from a

2. Plan frequent visits to a vendor to learn about problems as early as
3. Train the team in risk management approach.

Transfer – Take action to make another party responsible for the risk:

1. Outsource part of a project.

2. Buy insurance on the property.
3. Employ a part-time legal or procurement expert.
Actively Accept – It means that you need to develop a (contingency) plan and
make reserves for a risk. However, you will only act if and when the risk

1. If a critical person gets sick – we will get a substitution.

2. If a work package takes more time, we will work overtime.
3. If the equipment breaks, we will buy a new one using reserves.

Passively Accept – Do nothing at all. If a risk happens, you will need to decide
if there is a workaround.

Examples of Positive Risk Response Strategies



Index: 0043
WBS Element: 1.6
Category: Technical
Description: Purchasing “Photo Grid” module may reduce project duration and costs
Effects: A ready-made solution can be used for the Portfolio Feature. It reduces the duration from 2 months to 1 week. It saves about $10000 of the project
Probability: 9
Impact: 5
Risk Rank: 45
Owner: Nizhebetskiy D.
Response Plan:
    Added as WBS Element 1.6.1 – Research Results of Available Modules
    Make a POC on the integration of the module with the app.
    Check copyrights of the premium version.
    Acquire approval and budget for the purchase.

Exploit – Do some extra work or change the project plan to make an opportunity

1. Plan risky work packages for the most experienced team members.
2. Suggest a better approach to reduce the required efforts.
3. Suggest a solution to get a new contract from the client.
4. Finish current project earlier to get another project.

Enhance – Do something to increase the chances or impact of an opportunity:

1. Buy the equipment beforehand when the price is lower.

2. Negotiate the transfer of exceptional expert to your team as early as
3. Promise incentives to the team to finish a project beforehand to start a new

Share – Share benefits with another party for an opportunity to happen for both
of you.

1. Create a partnership with a third party to achieve your goals.

You can Actively and Passively Accept opportunities as well as threats.

Escalate Risks as a Risk Response Strategy

Escalate – Do something to get engagement from a stakeholder who can
eliminate or mitigate risk.

There is a group of risks that you can’t handle.

However, there is a person who can handle them relatively easily. So, you just need to reach
him and get some of his attention.

What is a Risk Owner’s Role in the Risk Response

Remember this:

You don’t control all Risk Response Plans personally.

You must assign an Owner to each risk.

You actually put the owner’s name (and contacts) into the Risk Register.

This person should monitor the risk.

Sometimes the risk may start impacting your project sooner than you anticipated.
Sometimes you may underestimate the risk in general.

So, the owner keeps the assigned risk top of mind.

When the time comes, the owner implements or controls the implementation of a
Risk Response Plan. To some degree, you do it as well – but on a higher level.

He or she also controls and reports to you the efficiency of the strategy. If
something goes wrong, these problems should be escalated to you.

It’s totally fine if one person owns several risks. But ensure that all those risks
don’t happen at the same time. Otherwise, the person will be overwhelmed.

That is all for today. It was not too hard, I believe.

This approach gives a limited number of options. Nevertheless, it provides a
robust framework to deal with risks. So you don’t need to reinvent the wheel.