Planning a risk response strategy that is flexible enough to address the major issues that may face your project is essential for ensuring that you are prepared for whatever may arise during the project’s course. Like so many elements of project management, the key to high-quality risk assessment and creating an effective response strategy lies in the preparation.
Identifying the Risk
The first step in creating the risk strategy for your project occurs during the planning phase, when risks are initially identified. This is usually done through joint brainstorming by the PM, the project team and relevant stakeholders who have experience of similar projects, such as a project sponsor. A document, the Risk Register, is created to track the risks that have been uncovered.
Analyzing and Ranking Risk
During the project risk assessment process, after the risks have been identified, there are two major factors to consider for each risk: the probability/impact matrix and the risk response. The first of these involves establishing how likely a risk is to occur and, if it does occur, what effect it will have on the project. The two measures can be laid out as a box or matrix, with Probability on one axis and Impact on the other, resulting in the following:
- High Impact/Low Probability
- High Impact/High Probability
- Low Impact/Low Probability
- Low Impact/High Probability
The next part of the project risk assessment process is deciding how to deal with the risks that have been identified. There are five risk response strategies as laid out in the 6th Edition of the PMBOK:
- Escalate: This is where you believe the risk is beyond the authority of your role, such as dealing with national or international regulatory bodies, so the action is to inform a relevant senior executive and get their agreement to handle the risk.
- Mitigate: This is where you attempt to minimize the impact the risk will have upon your project, for example spreading your transport requirements across a few firms rather than just relying on one.
- Transfer: A common form of risk response, this is where you place the risk on a third party or vendor, for example by taking out insurance against a certain risk happening.
- Avoid: This involves attempting to surgically remove the risk by cutting out the parts of the project that are most vulnerable to it, such as not using certain hardware if there’s a chance it might become impossible to import it. This strategy can require major structural changes to the project scope and be difficult to implement.
- Accept: This is the most passive risk response. It requires simply acknowledging the presence of the risk without preparing a response plan. It is usually only used for very low probability risks.
Once you have established what the risks facing your project are, performed a risk assessment to establish how likely they are to occur and what impact they will have if they do, and decided on your risk response strategy, your risk register will constitute an effective and important project document. It can be altered as the project progresses, either to add new risks or to alter the variables of the initially identified ones, but throughout the project it will remain a key element, not only for your own project planning but also for both internal and external compliance.