PMI-RMP Plan Risk Responses Tutorial

9.1 Plan Risk Responses

Hello and welcome to the Project Management Institute’s Risk Management Professional Certification Preparatory Course offered by Simplilearn. In this lesson, we will focus on “Plan Risk Responses”. After the risk management plan is prepared and risks are identified, each identified risk needs to be analyzed. Two types of methods used for risk analysis are qualitative risk analysis and quantitative risk analysis. Once the analysis is completed, a response is planned on the basis of positive or negative risk. However, not every identified risk gets a response. Low level risks are placed on the watch list. Let us start with the objectives of this lesson in next screen.

9.2 Objectives

After completing this lesson, you will be able to: Explain the purposes and objectives Identify the critical success factors List the inputs, tools and techniques, and outputs Define contingency plan List the different forms of contingency reserves Let us discuss the purposes and objectives of Plan Risk Responses process in the next screen.

9.3 Purposes and Objectives

Plan risk responses process determines the effective responses that are appropriate to the priority of individual risks and overall project risk. While deciding the risk response, it is important to consider the stakeholders’ attitude, conventions, assumptions, and constraints. The objective of the plan risk responses process is to determine the set of actions which enhances the chances of project’s success while complying with organizational and project constraints. In the next screen, we will look into the important activities and roles to be carried out as a part of the plan risk responses process.

9.4 Activities and Roles

As you know, a risk can be positive or negative. Accordingly, the response plan should be developed based on the threats or the opportunities it offers. When planning for risk response, the actions taken should be agreed upon by considering the potential changes to budget, schedule (Read as ske – jule), and scope of the project. The implementation of response can have potential effects on project objectives and can generate additional risks called secondary risk. The secondary risk should also be analyzed and their responses should be planned in the same way as primary risks. In the next screen, we will continue looking into a few other important activities and roles.

9.5 Activities and Roles (contd.)

A few other important activities and roles are as follows: In spite of addressing all primary and secondary risks, there can be some risks remaining and they are known as residual risks. These residual risks should be identified, analyzed, documented, and communicated to the stakeholders. If the risk response plan does not work, a backup plan, which includes contingent risk response actions needs to be executed at the optimum time. In the next screen, we will look at the interfaces that should be considered for plan risk responses process.

9.6 Interfaces

All approved and unconditional actions due to risk response planning should be integrated within the project management plan. The corresponding organizational and project management rules should be invoked including: project change management and configuration control; project planning, budgeting, and scheduling (ske–juling); resource management; and project communication planning. In the following screen, we will look into the critical success factors or CSFs for plan risk responses process.

9.7 Critical Success Factors

To ensure the success of plan risk responses process, you need to have people, planning, and analysis. Click each factor to learn more. In case of ‘people’, communication and defining roles and responsibilities play a key part. Communicating to different stakeholders: Communication is an important factor for any successful project. Communication should be open and appropriate. The risk responses should ensure acceptance among the stakeholders. Moreover, organizational factors like culture, attitudes, or disagreements should be addressed openly; and if required, the senior management should be involved. Defining roles and responsibilities: When defining the roles and responsibilities, first of all, key roles in project risk management should be assigned to the risk owner and risk action owner. Secondly, the team should understand what is expected of them. The stakeholders should understand and accept the need and authority. And finally, the senior management should approve and track whether the contingency reserve needs to be used. For planning risk responses, timing needs to be specified; and on that basis, adequate resources, budget, and schedule (Read as ske – jule) should be negotiated and planned. Specify response timing: Specifying the timing of risk response means that the agreed-upon responses should be integrated into the project management plan. Also, the responses should be scheduled and assigned for execution. Provide resources, budget, and schedule: To provide resources, budget, and schedule for responses, an approval from the management for resources, costs, and duration needs to be obtained. The role of management is important in supporting the project manager to develop and authorize the response. Additionally, commitment from risk owners and risk action owners needs to be obtained. Address the interaction of risks and responses: When analyzing the risks, the interaction of risks and responses needs to be addressed. This can be done by controlling the potential effects of strategy developed for treating the original risk. If it is not considered properly, the existing threat may increase and the existing opportunities can be compromised. Ensure appropriate, timely, effective, and agreed-upon responses: The risk response plan needs to be assessed against consistency with organizational values, project objectives, and stakeholders’ expectations. It should also be assessed against the technical feasibility, ability of the project team and the risk owners, as well as the capability to balance the project objectives and improve the risk situation. Analyze the threats and opportunities: While developing a risk response strategy, it is imperative to address each threat or opportunity. If threats or opportunities are not addressed fully, the combined response strategy will be incomplete and may be invalid. In other words, failure to address even a single threat or opportunity might render the risk response strategy ineffective, if threat or opportunity occurs during the project lifecycle. Develop strategies to address tactical responses: The risk response strategy should be carried out at a general, strategic level; and the strategy should be validated and agreed upon before going for the detailed tactical approach. The planned responses carried out at a strategic level should be expanded at a tactical level and integrated into the overall project management plan. Let us move on to the next screen, where we will discuss the inputs, tools and techniques, and outputs of plan risk responses process.

9.8 Inputs, Tools and Techniques, and Outputs

The inputs of the plan risk responses process are risk register and risk management plan. The various tools and techniques used in the process are: strategies for negative risks or threats; strategies for positive risks or opportunities; contingent response strategies; and expert judgment. The outputs are project management plan updates and project document updates. In the next screen, we will look into the inputs of Plan Risk Responses process.

9.9 Inputs

Risk register and risk management plan are required to plan the risk response process. The risk register contains the prioritized lists of project risks, root causes of risk, lists of potential responses, risk ranking, lists of near-term and long-term risks, trend in qualitative risk analysis, categorized risks, and a watch-list of low-priority risks. The risk management plan contains the guidelines, methodology, templates, and formats necessary to perform all risk management processes including plan risk responses. Let us look at an example for updating the risk register in the next screen.

9.10 Updating the risk register—Example

While finalizing risk responses on a high visibility project that is set to begin in another country, you review your available choices for risk responses. There is a set of risks that is related to using company employees in that region of the world, they are: Company employees are not versed in the local cultural norms They do not even speak the language These shortcomings could potentially result in major problems when dealing with local politicians, construction workers and in various other situations and as a result of this option, the risk to the project will increase. Let us continue looking at the example in the next screen.

9.10 Updating the risk register—Example

While finalizing risk responses on a high visibility project that is set to begin in another country, you review your available choices for risk responses. There is a set of risks that is related to using company employees in that region of the world, they are: Company employees are not versed in the local cultural norms They do not even speak the language These shortcomings could potentially result in major problems when dealing with local politicians, construction workers and in various other situations and as a result of this option, the risk to the project will increase. Let us continue looking at the example in the next screen.

9.11 Updating the risk register—Example (contd.)

On the other hand, you have the option of only using local workers. The benefits are as follows: While less skilled, they are from this region of the world. They should be able to increase their performance quickly. It will not cause any problems with the local customs and people. Local resources would not cause the same problems as the employees might. Due to the higher risk and expense associated with using company employees, you decide to use local resources and completely avoid problems that might arise from not understanding the local customs, language and traditions. You update the risk register and begin making the arrangements immediately. Let us focus on the Tools and Techniques of Plan Risk Responses process in the next screen.

9.11 Updating the risk register—Example (contd.)

On the other hand, you have the option of only using local workers. The benefits are as follows: While less skilled, they are from this region of the world. They should be able to increase their performance quickly. It will not cause any problems with the local customs and people. Local resources would not cause the same problems as the employees might. Due to the higher risk and expense associated with using company employees, you decide to use local resources and completely avoid problems that might arise from not understanding the local customs, language and traditions. You update the risk register and begin making the arrangements immediately. Let us focus on the Tools and Techniques of Plan Risk Responses process in the next screen.

9.12 Tools and Techniques

The tools and techniques of Plan Risk Responses process are Strategies for negative risks or threats, Strategies for positive risks, Contingent response strategies, and Expert judgment. Click each tab on the screen to learn more. The three strategies for negative risks or threats are avoid, transfer, and mitigate. These strategies deal with threats or risks that may have negative impacts on project objectives. There is another risk strategy or response called accept. In fact, accept can be used for both positive and negative risks. The three strategies for positive risks are exploit, share, and enhance and the fourth strategy is accept. As you know, accept is used even for negative risk. Contingency response strategy is used when risk occurs. It is similar to a fall-back plan or plan B. Expert judgement is used to get inputs from the subject matter experts to take required actions on specific and defined risk. Let us discuss the strategies for threats in the next screen.

9.13 Strategies for Threats

Four strategies which address threats are as follows: Avoid: ‘Avoid’ is considered to be a negative risk strategy. It helps changing the project plan to prevent a potentially detrimental risk event from happening. For example, a critical meeting to be held could be threatened by air travel disruption. To avoid this, the project manager chooses to hold the meeting by conference call instead. Transfer: ‘Transfer’ is a negative risk strategy. It results in shifting the impact of a risk event and ownership of the risk response to a third party. An example of risk transference is, a prototype which may get damaged in transit. Hence, to reduce the financial impact, the prototype can be insured. Mitigate: Mitigating threat is a negative risk strategy. It attempts to reduce the probability or impact of a potential risk event to an acceptable level. For example, to reduce the likelihood of users not using a product, the number of training events is increased. Accept a Threat: Accepting a threat is considered to be a negative risk strategy. It takes into consideration the fact that the risk exists and needs to be accepted. This acceptance may be passive or active. Let us discuss an example of accepting a threat in the next screen.

9.14 Accepting a Threat—Example

Suppose, there is a threat, that a competitor may launch a rival product first. This affects the expected market share for the product. To overcome this threat, the project can be accelerated by increasing the resources and reducing the product’s scope, so that it can be launched earlier. Alternatively, action need not be taken to re-schedule (Read as: re-ske-jule) the launch to an earlier date. Accelerating the project may lead to product quality issues and reducing the scope can make the product less appealing. Therefore, in this case, the risk is simply accepted and no action is taken to overcome it. The next screen deals with the Strategies for Opportunities.

9.14 Accepting a Threat—Example

Suppose, there is a threat, that a competitor may launch a rival product first. This affects the expected market share for the product. To overcome this threat, the project can be accelerated by increasing the resources and reducing the product’s scope, so that it can be launched earlier. Alternatively, action need not be taken to re-schedule (Read as: re-ske-jule) the launch to an earlier date. Accelerating the project may lead to product quality issues and reducing the scope can make the product less appealing. Therefore, in this case, the risk is simply accepted and no action is taken to overcome it. The next screen deals with the Strategies for Opportunities.

9.15 Strategies for Opportunities

Four strategies which address opportunities are as follows: Exploit: Exploit is considered to be a positive risk strategy, and is often used when a project team wants to make sure that a positive risk is fully realized. For example, there is a risk that a project will be delayed. To avoid the delay, a later version of software could be implemented, which would reduce the ongoing maintenance. The Project Board or Senior Management agrees to change the project timescale and scope, enabling the later version of the software to be bought and implemented. Share: Share is considered to be a positive risk strategy. It entails partnering up with another party, in an effort to give a project team the best chance of seizing an opportunity. For example, the cost of a project could be adversely affected, due to fluctuations in the cost of oil. So, the customer and the supplier agree to share the cost of price increase, or the savings from price reductions equally from a midpoint fixed at the time of signing the contract. Enhance: Enhance is a positive risk response. It attempts to increase the probability that an opportunity will occur. Let us consider an example of risk enhancement. It is possible that a product completes user acceptance testing in a single test cycle, instead of the scheduled (Read as ske – juled) two test cycles. This enables the product to be delivered early and prior to a competitor’s rival product. The Project Board then decides to hold a test rehearsal to increase the likelihood that the product will pass its first user acceptance test. This helps them to prepare for an earlier launch of the product. Accept an opportunity: Accepting an opportunity is a positive risk strategy. It involves accepting the risk and actively responding to it as and when it occurs, but not through the pursuit. Let us look at an example of Exploit Strategy in the next screen.

9.16 Exploit Strategy—Example

As a project manager for a housing development project, you are constantly concerned with the cost of housing materials such as lumber, drywall, carpeting and tile. The prices of these products are constantly fluctuating and causing you to review your budget for available funds. After finishing a previously contentious project, you decide to try something different on an upcoming block of houses that are set to begin building shortly. Determined to control the cost of materials, you decide to meet your suppliers and negotiate for better pricing. Your suppliers are willing to negotiate but only if you buy in bulk, which is equal to two blocks worth of houses. Let us continue with the example of Exploit Strategy in the next screen.

9.16 Exploit Strategy—Example

As a project manager for a housing development project, you are constantly concerned with the cost of housing materials such as lumber, drywall, carpeting and tile. The prices of these products are constantly fluctuating and causing you to review your budget for available funds. After finishing a previously contentious project, you decide to try something different on an upcoming block of houses that are set to begin building shortly. Determined to control the cost of materials, you decide to meet your suppliers and negotiate for better pricing. Your suppliers are willing to negotiate but only if you buy in bulk, which is equal to two blocks worth of houses. Let us continue with the example of Exploit Strategy in the next screen.

9.17 Exploit Strategy Example—(contd.)

After the discussion with the suppliers, you perform the following actions: You take this pricing to your investors who approve the idea and ask if there is a way to keep the pricing on the remaining six blocks. You meet your suppliers again and present the idea of a fixed price on a much larger order, to which they agree. After finalizing negotiations and signing all the necessary paperwork, you return to your office and update the risk register. You notify your investors that you have taken full advantage of the material price opportunity, which is also known as the exploit strategy. Pricing is much less of a problem after this response strategy. In the next screen, we will look into the categories of tools and techniques for the plan risk responses process.

9.17 Exploit Strategy Example—(contd.)

After the discussion with the suppliers, you perform the following actions: You take this pricing to your investors who approve the idea and ask if there is a way to keep the pricing on the remaining six blocks. You meet your suppliers again and present the idea of a fixed price on a much larger order, to which they agree. After finalizing negotiations and signing all the necessary paperwork, you return to your office and update the risk register. You notify your investors that you have taken full advantage of the material price opportunity, which is also known as the exploit strategy. Pricing is much less of a problem after this response strategy. In the next screen, we will look into the categories of tools and techniques for the plan risk responses process.

9.18 Tools and Techniques-Categories

There are four categories of tools and techniques and these are:- first, creativity tools to identify the potential responses; second, decision support tools for determining the optimal potential response; third, strategy implementation techniques designed to turn a strategy into action; and fourth, tools to transfer control to the control risk process. These categories of tools can be used respectively to identify potential responses, select the most appropriate response, translate strategy into planning, and assign the corresponding actions. Let us discuss the Steps Involved in Planning Risk Responses Process in the following screen.

9.19 Steps Involved in Planning Risk Responses Process

Let us take a look at the flowchart given on this screen to understand the steps involved in planning risk responses process. The first step is to identify the responses. Second, select the most appropriate response. The third step is to check whether all risks have been addressed. If not, repeat the process of identifying responses. Once all the risks have been addressed, the next step is to plan and resource actions. Post this, as shown in the flowchart, the risk register need to be updated. The next step is to review the predicted residual exposure. If the exposure level is not acceptable, you must go back to identifying the responses. If the exposure level is acceptable, proceed to the next step, which is updating the project management plan. We will find out how to apply the risk response strategies in the next screen.

9.20 Applying Risk Response Strategies to Overall Project Risk

The four risk response strategies that are applied to individual risks can also be applied to address the overall project risk in the following manner: firstly, construct a strategy where the customer and the supplier share the risk. This is the sharing strategy. Secondly, re-plan the project or change the scope. Thirdly, pursue the project in spite of exceeding the desired level. Finally, you can cancel the project if the overall level of risk is unacceptable. The next screen deals with response identification.

9.21 Response Identification

Response identification is based on the information available on potential risk. It aims to determine the optimal set of responses. As a result, it should involve subject matter experts and employ creativity techniques to explore all the options. Project planning and execution techniques are used to evaluate the potential effects on the project objectives. Now, let us move on to response selection in the next screen.

9.22 Response Selection

Potential responses are identified using a decision-support technique. Cost of the response, impact on project objective, uncertainty of outcomes, and possible secondary and residual risks should be taken into account during the response selection process. This ultimately helps in reducing the overall risk to a pre-defined threshold. Let us move on to the next screen, where we will discuss risk addressing.

9.23 Risk Addressing

Risk addressing includes the following: Action Planning: Once the actions are planned, project planning tools are used to implement actions and to integrate them into the existing plan. Ownership and Responsibility Assignment: First, the responsibility assignment has to be created by identifying the risk owner and the risk action owner. Second, every contingency response should include a trigger condition. Third, monitoring of these conditions should be assigned in plan risk responses process, and they should be managed in the control risks process. In the next screen, we will find out what are the outputs of this process.

9.24 Outputs

The outputs of plan risk responses process are project management plan updates and project document updates. Project management plan updates include subsidiary management plans and their various requirements needed for the plan risk responses process. Whereas, project document updates contain assumptions, log updates, and technical documentation updates. Apart from these, risks register updates and risk-related contract decisions are also updated as a part of project document update. In the next screen we will discuss contingency plan.

9.25 Contingency Plan

Let us start with the definition of contingency plan. A contingency plan is a plan developed in anticipation of the occurrence of a risk, to be executed only if specific, predetermined trigger conditions arise. . A residual risk is a risk that remains after risk responses have been implemented . This plan is used in the event when identified risks become reality. The next screen deals with Risk Tolerance.

9.26 Risk Tolerance

Risk tolerance refers to the level of risk acceptability of a project manager, an organization, or a key stakeholder when the investment needed to manage the risks is compared to the potential payoff. Let us move on to business continuity plan in the following screen.

9.27 Business Continuity Plan

A Business Continuity Plan or BCP is a logistical risk response plan that documents the restoration and recovery methods of an organization during crisis. It involves tested solutions to enhance the chances of continuing operations, during or after disasters. A BCP contains details on the recovery timeline methods, procedures and tested action plans, and any alternate recovery resources, including facilities. In the next screen, we will look into contingency reserves.

9.28 Contingency Reserves

In a contingency reserve, a pre-determined amount is set aside. Contingency reserves are reserves in the form of additional time, money, or resources set aside to deal with risks on the project. These reserves are utilized when the known risks become a reality. Let us focus on Critical Chain Project Management (CCPM) in the next screen.

9.29 Critical Chain Project Management

Critical Chain Project Management or CCPM is a method that allows the project team to place “buffers” on any path to account for limited resources and other types of risk. A buffer is a non-work schedule activity with a duration based on the risk for that path. A resource constrained critical path is referred as the critical chain. In the example on the screen, you can see that a project buffer has been placed at the end of the critical chain. This is done to protect the target finish date from being delayed. You can also place “feeding buffers” on paths that feed into the critical chain to protect it. Let us look at Force Field Analysis in the following screen.

9.30 Force Field Analysis

Slide 32: Force Field Analysis Force Field Analysis- This technique is often used when a change is under consideration. There are two sets of variables that are compared; the “driving forces” and the “restraining forces.” An easier way to think of this could be the forces for and against change. In the example shown on the screen, the driving forces are depicted in blue and the restraining forces are depicted in red. One potential plan is to use external employees for a project. The forces for this idea are lower carrying costs, no training costs. They are easily de-scoped as well. The forces against this idea are the lack of authority with external resources, lower company loyalty and the possibility of high turnover during the project. Each variable can be given a weighted score to justify supporting this plan, or not. The scoring depends on stakeholder tolerances. Let us discuss the Industry Knowledge base in the next screen.

9.31 Industry Knowledge base

There are plenty of mature industries that publish lessons learned or scientific data that can be used in your project. This type of data is valuable for benchmarking your project. The biggest concern is getting access to relevant and accurate information. For example, a truck carrying cargo on the highway have numbered placards on its rear end. These are numbers associated with material safety data sheets or MSDS. This information is readily available to the public and also to the first responders in case there is an accident. The next screen we will focus on Interviews.

9.32 Interviews

It may be necessary to have a one on one conversation with stakeholders to gather their feedback. To properly perform an interview the questions must be prepared in advance and the interviewer should have sound questioning skills. Active listening and the ability to build rapport with the stakeholder is also important. Be aware that appropriate time should be allotted for interviews. Be prepared to filter issues and non-risks during the session. For example, you might conduct an interview with a heavy equipment operator who is performing work on site for your project. The operator is the most qualified to identify risks about the equipment! Let us discuss the Multi-criterion Selection Techniques in the next screen.

9.33 Multi-criterion Selection Techniques

This tool uses a weighted approach to compare options against. The stakeholders must agree upon the weights, criteria and scoring results. The example shown on the screen reflects the final scoring of two vendors being compared. Each rating is multiplied by the weight to determine the points for the listed criterion. Once each vendor’s total score is determined, you can decide which vendor will be used. Let us focus on Historical Documentation in the next screen.

9.34 Historical Documentation

One invaluable source of information for a project is any available data on previous projects that were similar to the current one. There are many risks that will reoccur from one project to the next. To capitalize on historical documentation, you will need access and it must be well structured. It is also beneficial to talk to previous project stakeholders who can fill in any gaps in the information. Speaking to the previous project manager would be ideal. Do not be surprised if you find incomplete details as poor strategies are rarely documented. Examples include previous risk plans, risk registers, contracts, project post-mortem documentation, change requests, cost and time estimates, etc. Let us discuss the Quantitative Risk Analysis in the next screen.

9.35 Quantitative Risk Analysis

Quantitative risk analysis may be used to determine which responses are cost effective based on the impact to the project. This is the same idea discussed in the quantitative risk analysis lesson. For example, decision tree analysis might help you determine whether you should purchase a piece of equipment or just rent it during the project. The cost or rental of the equipment, and the impact to the budget might be clearly displayed and the decision supported with a decision tree. Let us discuss the Root Cause Analysis in the next screen.

9.36 Root Cause Analysis

This technique can be used proactively or reactively. In a proactive approach, you could identify independent risks by starting from a single point of failure or process. You could also trace multiple risks back to a common root cause in a reactive manner if required. A commonly used example is the fishbone diagram. If you experience quality defects because of a lack of proper training, low morale among employees, you could determine that the root cause is directly related to the employees. Understanding the root cause can lead to more appropriate responses. Let us move on to Scenario Analysis in the next screen.

9.37 Scenario Analysis

This technique involves planning and assessing the feasibility of multiple responses. This will help you determine which response is the most appropriate, cost effective and causes the least amount of secondary risks. There are normally several ways of dealing with a risk event; and scenario analysis can help you determine the best one. Let us discuss an example of Scenario Analysis in the next screen.

9.38 Scenario Analysis-Example

You are the project manager for a telecommunication’s company and you are reviewing possible scenarios to deal with winter storm outages. Quite often, heavy snowfall causes power services to be disrupted, which then causes your cellular sites to fail after one hour. So, you have several possible responses to deal with this risk. First, you might install a generator onsite with an automatic switch to turn the generator on if the power fails. But, you need to check the time duration for installation. You also need to think about the cost and space to install it. Let us continue discussing the example of Scenario Analysis in the next screen.

9.39 Scenario Analysis-Example (contd.)

In another scenario you might decide to rent a generator and keep it on site. This option will require an employee to go to the site and turn it on if the power fails. So, you need to think about the arrival time and there could be dangerous driving conditions. You also need to check if the employee is qualified for it. Another scenario under consideration is to contract with a generator company to handle the entire response. Once again, you need to think about the cost and the onsite arrival time. Let us move on to residual risk in the next screen.

9.40 Residual Risks

A residual risk is a risk that remains in a project even after the risk response action is implemented. It is essential to add the contingency costs and duration to account these residual risks. In the next screen, we will discuss the guidelines for creating a risk response plan.

9.41 Creating a Risk Response Plan-Guidelines

First, examine each identified risk to determine its causes. Second, brainstorm the possible response strategies for each risk. Third, choose the response strategy that is most likely to be effective. Fourth, develop specific actions for implementing the chosen strategy. Fifth, identify backup strategies for risks with high risk factor scores. Sixth, determine the amount of contingency reserves necessary. Seventh, consult the risk management plan for the description of the content and format of the risk response plan. The next step is to incorporate the risk response plan into the overall project plan. Finally, examine the trends in the results of risk analysis. A key point to be observed is the incorporation of the risk response plan into the overall project plan. Let us understand how to document the results of the process in the following screen.

9.42 Documenting the Results

Documenting the results of the Plan Risk Responses process includes the following: Adding risk responses to the risk register, Adding corresponding risk responses to the project management plan, and reviewing and documenting the predicted exposure. Click each tab on the screen to learn more. Adding risk responses to the risk register For each risk, the response should be documented in the risk register and updated regularly. It should also be ensured that the stakeholders are able to access the relevant information to verify and manage their responsibilities according to the response. Adding corresponding risk responses to the project management plan Based on the risk responses, the project related implications are evaluated for project objectives such as cost, time, resource, and changes to the documentation. The risk response planning is complete only when all these changes are approved. Reviewing and documenting the predicted exposure After documenting the results of plan risk responses process, the predicted exposure needs to be reviewed and documented. Once the risk responses have been defined and integrated into the project management plan, the individual and overall risks related to this plan should be evaluated. This is done to determine whether additional response planning is required. The evaluation should provide the expected post-response and the potential improvement, assuming that the proposed responses are effective. This evaluation needs to be documented. Let us move on to the quiz questions to check your understanding of the concepts covered in this lesson.

9.44 Summary

Here is a quick recap of what was covered in this lesson: While deciding the risk response, it is important to consider stakeholders’ attitude, conventions, assumptions, and constraints. The critical factors to ensure the success of plan risk responses process are people, planning, and analysis. The inputs of Plan Risk Responses process are Risk Register and Risk Management Plan. A contingency plan is a plan developed in anticipation of the occurrence of a risk, to be executed only if specific, predetermined trigger conditions arise. The different forms of contingency reserves are additional time, money and resources.

9.45 Conclusion

This concludes, ’Plan Risk Responses.’ The next lesson covers, ‘Control Risks.’

9.1 Plan Risk Responses

Hello and welcome to the Project Management Institute’s Risk Management Professional Certification Preparatory Course offered by Simplilearn. In this lesson, we will focus on “Plan Risk Responses”. After the risk management plan is prepared and risks are identified, each identified risk needs to be analyzed. Two types of methods used for risk analysis are qualitative risk analysis and quantitative risk analysis. Once the analysis is completed, a response is planned on the basis of positive or negative risk. However, not every identified risk gets a response. Low level risks are placed on the watch list. Let us start with the objectives of this lesson in next screen.

9.2 Objectives

After completing this lesson, you will be able to: Explain the purposes and objectives Identify the critical success factors List the inputs, tools and techniques, and outputs Define contingency plan List the different forms of contingency reserves Let us discuss the purposes and objectives of Plan Risk Responses process in the next screen.

9.3 Purposes and Objectives

Plan risk responses process determines the effective responses that are appropriate to the priority of individual risks and overall project risk. While deciding the risk response, it is important to consider the stakeholders’ attitude, conventions, assumptions, and constraints. The objective of the plan risk responses process is to determine the set of actions which enhances the chances of project’s success while complying with organizational and project constraints. In the next screen, we will look into the important activities and roles to be carried out as a part of the plan risk responses process.

9.4 Activities and Roles

As you know, a risk can be positive or negative. Accordingly, the response plan should be developed based on the threats or the opportunities it offers. When planning for risk response, the actions taken should be agreed upon by considering the potential changes to budget, schedule (Read as ske – jule), and scope of the project. The implementation of response can have potential effects on project objectives and can generate additional risks called secondary risk. The secondary risk should also be analyzed and their responses should be planned in the same way as primary risks. In the next screen, we will continue looking into a few other important activities and roles.

9.5 Activities and Roles (contd.)

A few other important activities and roles are as follows: In spite of addressing all primary and secondary risks, there can be some risks remaining and they are known as residual risks. These residual risks should be identified, analyzed, documented, and communicated to the stakeholders. If the risk response plan does not work, a backup plan, which includes contingent risk response actions needs to be executed at the optimum time. In the next screen, we will look at the interfaces that should be considered for plan risk responses process.

9.6 Interfaces

All approved and unconditional actions due to risk response planning should be integrated within the project management plan. The corresponding organizational and project management rules should be invoked including: project change management and configuration control; project planning, budgeting, and scheduling (ske–juling); resource management; and project communication planning. In the following screen, we will look into the critical success factors or CSFs for plan risk responses process.

9.7 Critical Success Factors

To ensure the success of plan risk responses process, you need to have people, planning, and analysis. Click each factor to learn more. In case of ‘people’, communication and defining roles and responsibilities play a key part. Communicating to different stakeholders: Communication is an important factor for any successful project. Communication should be open and appropriate. The risk responses should ensure acceptance among the stakeholders. Moreover, organizational factors like culture, attitudes, or disagreements should be addressed openly; and if required, the senior management should be involved. Defining roles and responsibilities: When defining the roles and responsibilities, first of all, key roles in project risk management should be assigned to the risk owner and risk action owner. Secondly, the team should understand what is expected of them. The stakeholders should understand and accept the need and authority. And finally, the senior management should approve and track whether the contingency reserve needs to be used. For planning risk responses, timing needs to be specified; and on that basis, adequate resources, budget, and schedule (Read as ske – jule) should be negotiated and planned. Specify response timing: Specifying the timing of risk response means that the agreed-upon responses should be integrated into the project management plan. Also, the responses should be scheduled and assigned for execution. Provide resources, budget, and schedule: To provide resources, budget, and schedule for responses, an approval from the management for resources, costs, and duration needs to be obtained. The role of management is important in supporting the project manager to develop and authorize the response. Additionally, commitment from risk owners and risk action owners needs to be obtained. Address the interaction of risks and responses: When analyzing the risks, the interaction of risks and responses needs to be addressed. This can be done by controlling the potential effects of strategy developed for treating the original risk. If it is not considered properly, the existing threat may increase and the existing opportunities can be compromised. Ensure appropriate, timely, effective, and agreed-upon responses: The risk response plan needs to be assessed against consistency with organizational values, project objectives, and stakeholders’ expectations. It should also be assessed against the technical feasibility, ability of the project team and the risk owners, as well as the capability to balance the project objectives and improve the risk situation. Analyze the threats and opportunities: While developing a risk response strategy, it is imperative to address each threat or opportunity. If threats or opportunities are not addressed fully, the combined response strategy will be incomplete and may be invalid. In other words, failure to address even a single threat or opportunity might render the risk response strategy ineffective, if threat or opportunity occurs during the project lifecycle. Develop strategies to address tactical responses: The risk response strategy should be carried out at a general, strategic level; and the strategy should be validated and agreed upon before going for the detailed tactical approach. The planned responses carried out at a strategic level should be expanded at a tactical level and integrated into the overall project management plan. Let us move on to the next screen, where we will discuss the inputs, tools and techniques, and outputs of plan risk responses process.

9.8 Inputs, Tools and Techniques, and Outputs

The inputs of the plan risk responses process are risk register and risk management plan. The various tools and techniques used in the process are: strategies for negative risks or threats; strategies for positive risks or opportunities; contingent response strategies; and expert judgment. The outputs are project management plan updates and project document updates. In the next screen, we will look into the inputs of Plan Risk Responses process.

9.9 Inputs

Risk register and risk management plan are required to plan the risk response process. The risk register contains the prioritized lists of project risks, root causes of risk, lists of potential responses, risk ranking, lists of near-term and long-term risks, trend in qualitative risk analysis, categorized risks, and a watch-list of low-priority risks. The risk management plan contains the guidelines, methodology, templates, and formats necessary to perform all risk management processes including plan risk responses. Let us look at an example for updating the risk register in the next screen.

9.10 Updating the risk register—Example

While finalizing risk responses on a high visibility project that is set to begin in another country, you review your available choices for risk responses. There is a set of risks that is related to using company employees in that region of the world, they are: Company employees are not versed in the local cultural norms They do not even speak the language These shortcomings could potentially result in major problems when dealing with local politicians, construction workers and in various other situations and as a result of this option, the risk to the project will increase. Let us continue looking at the example in the next screen.

9.11 Updating the risk register—Example (contd.)

On the other hand, you have the option of only using local workers. The benefits are as follows: While less skilled, they are from this region of the world. They should be able to increase their performance quickly. It will not cause any problems with the local customs and people. Local resources would not cause the same problems as the employees might. Due to the higher risk and expense associated with using company employees, you decide to use local resources and completely avoid problems that might arise from not understanding the local customs, language and traditions. You update the risk register and begin making the arrangements immediately. Let us focus on the Tools and Techniques of Plan Risk Responses process in the next screen.

9.12 Tools and Techniques

The tools and techniques of Plan Risk Responses process are Strategies for negative risks or threats, Strategies for positive risks, Contingent response strategies, and Expert judgment. Click each tab on the screen to learn more. The three strategies for negative risks or threats are avoid, transfer, and mitigate. These strategies deal with threats or risks that may have negative impacts on project objectives. There is another risk strategy or response called accept. In fact, accept can be used for both positive and negative risks. The three strategies for positive risks are exploit, share, and enhance and the fourth strategy is accept. As you know, accept is used even for negative risk. Contingency response strategy is used when risk occurs. It is similar to a fall-back plan or plan B. Expert judgement is used to get inputs from the subject matter experts to take required actions on specific and defined risk. Let us discuss the strategies for threats in the next screen.

9.13 Strategies for Threats

Four strategies which address threats are as follows: Avoid: ‘Avoid’ is considered to be a negative risk strategy. It helps changing the project plan to prevent a potentially detrimental risk event from happening. For example, a critical meeting to be held could be threatened by air travel disruption. To avoid this, the project manager chooses to hold the meeting by conference call instead. Transfer: ‘Transfer’ is a negative risk strategy. It results in shifting the impact of a risk event and ownership of the risk response to a third party. An example of risk transference is, a prototype which may get damaged in transit. Hence, to reduce the financial impact, the prototype can be insured. Mitigate: Mitigating threat is a negative risk strategy. It attempts to reduce the probability or impact of a potential risk event to an acceptable level. For example, to reduce the likelihood of users not using a product, the number of training events is increased. Accept a Threat: Accepting a threat is considered to be a negative risk strategy. It takes into consideration the fact that the risk exists and needs to be accepted. This acceptance may be passive or active. Let us discuss an example of accepting a threat in the next screen.

9.14 Accepting a Threat—Example

Suppose, there is a threat, that a competitor may launch a rival product first. This affects the expected market share for the product. To overcome this threat, the project can be accelerated by increasing the resources and reducing the product’s scope, so that it can be launched earlier. Alternatively, action need not be taken to re-schedule (Read as: re-ske-jule) the launch to an earlier date. Accelerating the project may lead to product quality issues and reducing the scope can make the product less appealing. Therefore, in this case, the risk is simply accepted and no action is taken to overcome it. The next screen deals with the Strategies for Opportunities.

9.15 Strategies for Opportunities

Four strategies which address opportunities are as follows: Exploit: Exploit is considered to be a positive risk strategy, and is often used when a project team wants to make sure that a positive risk is fully realized. For example, there is a risk that a project will be delayed. To avoid the delay, a later version of software could be implemented, which would reduce the ongoing maintenance. The Project Board or Senior Management agrees to change the project timescale and scope, enabling the later version of the software to be bought and implemented. Share: Share is considered to be a positive risk strategy. It entails partnering up with another party, in an effort to give a project team the best chance of seizing an opportunity. For example, the cost of a project could be adversely affected, due to fluctuations in the cost of oil. So, the customer and the supplier agree to share the cost of price increase, or the savings from price reductions equally from a midpoint fixed at the time of signing the contract. Enhance: Enhance is a positive risk response. It attempts to increase the probability that an opportunity will occur. Let us consider an example of risk enhancement. It is possible that a product completes user acceptance testing in a single test cycle, instead of the scheduled (Read as ske – juled) two test cycles. This enables the product to be delivered early and prior to a competitor’s rival product. The Project Board then decides to hold a test rehearsal to increase the likelihood that the product will pass its first user acceptance test. This helps them to prepare for an earlier launch of the product. Accept an opportunity: Accepting an opportunity is a positive risk strategy. It involves accepting the risk and actively responding to it as and when it occurs, but not through the pursuit. Let us look at an example of Exploit Strategy in the next screen.

9.16 Exploit Strategy—Example

As a project manager for a housing development project, you are constantly concerned with the cost of housing materials such as lumber, drywall, carpeting and tile. The prices of these products are constantly fluctuating and causing you to review your budget for available funds. After finishing a previously contentious project, you decide to try something different on an upcoming block of houses that are set to begin building shortly. Determined to control the cost of materials, you decide to meet your suppliers and negotiate for better pricing. Your suppliers are willing to negotiate but only if you buy in bulk, which is equal to two blocks worth of houses. Let us continue with the example of Exploit Strategy in the next screen.

9.17 Exploit Strategy Example—(contd.)

After the discussion with the suppliers, you perform the following actions: You take this pricing to your investors who approve the idea and ask if there is a way to keep the pricing on the remaining six blocks. You meet your suppliers again and present the idea of a fixed price on a much larger order, to which they agree. After finalizing negotiations and signing all the necessary paperwork, you return to your office and update the risk register. You notify your investors that you have taken full advantage of the material price opportunity, which is also known as the exploit strategy. Pricing is much less of a problem after this response strategy. In the next screen, we will look into the categories of tools and techniques for the plan risk responses process.

9.18 Tools and Techniques-Categories

There are four categories of tools and techniques and these are:- first, creativity tools to identify the potential responses; second, decision support tools for determining the optimal potential response; third, strategy implementation techniques designed to turn a strategy into action; and fourth, tools to transfer control to the control risk process. These categories of tools can be used respectively to identify potential responses, select the most appropriate response, translate strategy into planning, and assign the corresponding actions. Let us discuss the Steps Involved in Planning Risk Responses Process in the following screen.

9.19 Steps Involved in Planning Risk Responses Process

Let us take a look at the flowchart given on this screen to understand the steps involved in planning risk responses process. The first step is to identify the responses. Second, select the most appropriate response. The third step is to check whether all risks have been addressed. If not, repeat the process of identifying responses. Once all the risks have been addressed, the next step is to plan and resource actions. Post this, as shown in the flowchart, the risk register need to be updated. The next step is to review the predicted residual exposure. If the exposure level is not acceptable, you must go back to identifying the responses. If the exposure level is acceptable, proceed to the next step, which is updating the project management plan. We will find out how to apply the risk response strategies in the next screen.

9.20 Applying Risk Response Strategies to Overall Project Risk

The four risk response strategies that are applied to individual risks can also be applied to address the overall project risk in the following manner: firstly, construct a strategy where the customer and the supplier share the risk. This is the sharing strategy. Secondly, re-plan the project or change the scope. Thirdly, pursue the project in spite of exceeding the desired level. Finally, you can cancel the project if the overall level of risk is unacceptable. The next screen deals with response identification.

9.21 Response Identification

Response identification is based on the information available on potential risk. It aims to determine the optimal set of responses. As a result, it should involve subject matter experts and employ creativity techniques to explore all the options. Project planning and execution techniques are used to evaluate the potential effects on the project objectives. Now, let us move on to response selection in the next screen.

9.22 Response Selection

Potential responses are identified using a decision-support technique. Cost of the response, impact on project objective, uncertainty of outcomes, and possible secondary and residual risks should be taken into account during the response selection process. This ultimately helps in reducing the overall risk to a pre-defined threshold. Let us move on to the next screen, where we will discuss risk addressing.

9.23 Risk Addressing

Risk addressing includes the following: Action Planning: Once the actions are planned, project planning tools are used to implement actions and to integrate them into the existing plan. Ownership and Responsibility Assignment: First, the responsibility assignment has to be created by identifying the risk owner and the risk action owner. Second, every contingency response should include a trigger condition. Third, monitoring of these conditions should be assigned in plan risk responses process, and they should be managed in the control risks process. In the next screen, we will find out what are the outputs of this process.

9.24 Outputs

The outputs of plan risk responses process are project management plan updates and project document updates. Project management plan updates include subsidiary management plans and their various requirements needed for the plan risk responses process. Whereas, project document updates contain assumptions, log updates, and technical documentation updates. Apart from these, risks register updates and risk-related contract decisions are also updated as a part of project document update. In the next screen we will discuss contingency plan.

9.25 Contingency Plan

Let us start with the definition of contingency plan. A contingency plan is a plan developed in anticipation of the occurrence of a risk, to be executed only if specific, predetermined trigger conditions arise. . A residual risk is a risk that remains after risk responses have been implemented . This plan is used in the event when identified risks become reality. The next screen deals with Risk Tolerance.

9.26 Risk Tolerance

Risk tolerance refers to the level of risk acceptability of a project manager, an organization, or a key stakeholder when the investment needed to manage the risks is compared to the potential payoff. Let us move on to business continuity plan in the following screen.

9.27 Business Continuity Plan

A Business Continuity Plan or BCP is a logistical risk response plan that documents the restoration and recovery methods of an organization during crisis. It involves tested solutions to enhance the chances of continuing operations, during or after disasters. A BCP contains details on the recovery timeline methods, procedures and tested action plans, and any alternate recovery resources, including facilities. In the next screen, we will look into contingency reserves.

9.28 Contingency Reserves

In a contingency reserve, a pre-determined amount is set aside. Contingency reserves are reserves in the form of additional time, money, or resources set aside to deal with risks on the project. These reserves are utilized when the known risks become a reality. Let us focus on Critical Chain Project Management (CCPM) in the next screen.

9.29 Critical Chain Project Management

Critical Chain Project Management or CCPM is a method that allows the project team to place “buffers” on any path to account for limited resources and other types of risk. A buffer is a non-work schedule activity with a duration based on the risk for that path. A resource constrained critical path is referred as the critical chain. In the example on the screen, you can see that a project buffer has been placed at the end of the critical chain. This is done to protect the target finish date from being delayed. You can also place “feeding buffers” on paths that feed into the critical chain to protect it. Let us look at Force Field Analysis in the following screen.

9.30 Force Field Analysis

Slide 32: Force Field Analysis Force Field Analysis- This technique is often used when a change is under consideration. There are two sets of variables that are compared; the “driving forces” and the “restraining forces.” An easier way to think of this could be the forces for and against change. In the example shown on the screen, the driving forces are depicted in blue and the restraining forces are depicted in red. One potential plan is to use external employees for a project. The forces for this idea are lower carrying costs, no training costs. They are easily de-scoped as well. The forces against this idea are the lack of authority with external resources, lower company loyalty and the possibility of high turnover during the project. Each variable can be given a weighted score to justify supporting this plan, or not. The scoring depends on stakeholder tolerances. Let us discuss the Industry Knowledge base in the next screen.

9.31 Industry Knowledge base

There are plenty of mature industries that publish lessons learned or scientific data that can be used in your project. This type of data is valuable for benchmarking your project. The biggest concern is getting access to relevant and accurate information. For example, a truck carrying cargo on the highway have numbered placards on its rear end. These are numbers associated with material safety data sheets or MSDS. This information is readily available to the public and also to the first responders in case there is an accident. The next screen we will focus on Interviews.

9.32 Interviews

It may be necessary to have a one on one conversation with stakeholders to gather their feedback. To properly perform an interview the questions must be prepared in advance and the interviewer should have sound questioning skills. Active listening and the ability to build rapport with the stakeholder is also important. Be aware that appropriate time should be allotted for interviews. Be prepared to filter issues and non-risks during the session. For example, you might conduct an interview with a heavy equipment operator who is performing work on site for your project. The operator is the most qualified to identify risks about the equipment! Let us discuss the Multi-criterion Selection Techniques in the next screen.

9.33 Multi-criterion Selection Techniques

This tool uses a weighted approach to compare options against. The stakeholders must agree upon the weights, criteria and scoring results. The example shown on the screen reflects the final scoring of two vendors being compared. Each rating is multiplied by the weight to determine the points for the listed criterion. Once each vendor’s total score is determined, you can decide which vendor will be used. Let us focus on Historical Documentation in the next screen.

9.34 Historical Documentation

One invaluable source of information for a project is any available data on previous projects that were similar to the current one. There are many risks that will reoccur from one project to the next. To capitalize on historical documentation, you will need access and it must be well structured. It is also beneficial to talk to previous project stakeholders who can fill in any gaps in the information. Speaking to the previous project manager would be ideal. Do not be surprised if you find incomplete details as poor strategies are rarely documented. Examples include previous risk plans, risk registers, contracts, project post-mortem documentation, change requests, cost and time estimates, etc. Let us discuss the Quantitative Risk Analysis in the next screen.

9.35 Quantitative Risk Analysis

Quantitative risk analysis may be used to determine which responses are cost effective based on the impact to the project. This is the same idea discussed in the quantitative risk analysis lesson. For example, decision tree analysis might help you determine whether you should purchase a piece of equipment or just rent it during the project. The cost or rental of the equipment, and the impact to the budget might be clearly displayed and the decision supported with a decision tree. Let us discuss the Root Cause Analysis in the next screen.

9.36 Root Cause Analysis

This technique can be used proactively or reactively. In a proactive approach, you could identify independent risks by starting from a single point of failure or process. You could also trace multiple risks back to a common root cause in a reactive manner if required. A commonly used example is the fishbone diagram. If you experience quality defects because of a lack of proper training, low morale among employees, you could determine that the root cause is directly related to the employees. Understanding the root cause can lead to more appropriate responses. Let us move on to Scenario Analysis in the next screen.

9.37 Scenario Analysis

This technique involves planning and assessing the feasibility of multiple responses. This will help you determine which response is the most appropriate, cost effective and causes the least amount of secondary risks. There are normally several ways of dealing with a risk event; and scenario analysis can help you determine the best one. Let us discuss an example of Scenario Analysis in the next screen.

9.38 Scenario Analysis-Example

You are the project manager for a telecommunication’s company and you are reviewing possible scenarios to deal with winter storm outages. Quite often, heavy snowfall causes power services to be disrupted, which then causes your cellular sites to fail after one hour. So, you have several possible responses to deal with this risk. First, you might install a generator onsite with an automatic switch to turn the generator on if the power fails. But, you need to check the time duration for installation. You also need to think about the cost and space to install it. Let us continue discussing the example of Scenario Analysis in the next screen.

9.39 Scenario Analysis-Example (contd.)

In another scenario you might decide to rent a generator and keep it on site. This option will require an employee to go to the site and turn it on if the power fails. So, you need to think about the arrival time and there could be dangerous driving conditions. You also need to check if the employee is qualified for it. Another scenario under consideration is to contract with a generator company to handle the entire response. Once again, you need to think about the cost and the onsite arrival time. Let us move on to residual risk in the next screen.

9.40 Residual Risks

A residual risk is a risk that remains in a project even after the risk response action is implemented. It is essential to add the contingency costs and duration to account these residual risks. In the next screen, we will discuss the guidelines for creating a risk response plan.

9.41 Creating a Risk Response Plan-Guidelines

First, examine each identified risk to determine its causes. Second, brainstorm the possible response strategies for each risk. Third, choose the response strategy that is most likely to be effective. Fourth, develop specific actions for implementing the chosen strategy. Fifth, identify backup strategies for risks with high risk factor scores. Sixth, determine the amount of contingency reserves necessary. Seventh, consult the risk management plan for the description of the content and format of the risk response plan. The next step is to incorporate the risk response plan into the overall project plan. Finally, examine the trends in the results of risk analysis. A key point to be observed is the incorporation of the risk response plan into the overall project plan. Let us understand how to document the results of the process in the following screen.

9.42 Documenting the Results

Documenting the results of the Plan Risk Responses process includes the following: Adding risk responses to the risk register, Adding corresponding risk responses to the project management plan, and reviewing and documenting the predicted exposure. Click each tab on the screen to learn more. Adding risk responses to the risk register For each risk, the response should be documented in the risk register and updated regularly. It should also be ensured that the stakeholders are able to access the relevant information to verify and manage their responsibilities according to the response. Adding corresponding risk responses to the project management plan Based on the risk responses, the project related implications are evaluated for project objectives such as cost, time, resource, and changes to the documentation. The risk response planning is complete only when all these changes are approved. Reviewing and documenting the predicted exposure After documenting the results of plan risk responses process, the predicted exposure needs to be reviewed and documented. Once the risk responses have been defined and integrated into the project management plan, the individual and overall risks related to this plan should be evaluated. This is done to determine whether additional response planning is required. The evaluation should provide the expected post-response and the potential improvement, assuming that the proposed responses are effective. This evaluation needs to be documented. Let us move on to the quiz questions to check your understanding of the concepts covered in this lesson.

9.44 Summary

Here is a quick recap of what was covered in this lesson: While deciding the risk response, it is important to consider stakeholders’ attitude, conventions, assumptions, and constraints. The critical factors to ensure the success of plan risk responses process are people, planning, and analysis. The inputs of Plan Risk Responses process are Risk Register and Risk Management Plan. A contingency plan is a plan developed in anticipation of the occurrence of a risk, to be executed only if specific, predetermined trigger conditions arise. The different forms of contingency reserves are additional time, money and resources.

9.45 Conclusion

This concludes, ’Plan Risk Responses.’ The next lesson covers, ‘Control Risks.’

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

Request more information

For individuals
For business
Name*
Email*
Phone Number*
Your Message (Optional)
We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Email*
Phone Number*
Company*
Job Title*