Every project carries an element of risk, especially as it becomes more complex and involves cross-functional teams, managers, and stakeholders. Project managers must develop effective risk response strategies to tackle anticipated risks and prepare for unpredictable outcomes.
This article will teach you how to create a risk response plan with positive and negative risk response strategies. We'll break down the four main risk response categories and share examples to help you create dependable risk response plans for your new projects.
What is a risk response strategy?
A risk response strategy is an essential part of a project plan. It outlines how you can gain control and maintain progress on a project if a risk arises.
To begin creating a risk response strategy, identify and quantify potential risks in each project. Calculate the probability of their occurrence and the impact they may have on the project. In doing so, you’ll outline the severity of the potential risks and determine what is manageable and what must be avoided.
Your risk response plan may influence the project in several ways, including:
- Requiring you to update the project scope by altering specific tasks and deliverables
- Requiring you to modify the project schedule based on the additional activities needed to confront identified risks
- Necessitating the hiring of a specialist or professional service provider to help with specific areas of risk
- Introducing new workflows and processes into the project
With this in mind, it's wise to develop the project plan and risk response plan simultaneously at the start of project planning. Treating the risk response strategy as a separate task may lead to the creation of ineffectual plans or last-minute changes.
Why do projects need a risk response plan?
There are two main reasons why we need risk strategies in project management. The first is to identify and mitigate predictable project risks. Using risk response plans, project managers can forecast and eliminate anticipated threats and uncertainties.
The second is to identify opportunities within your project scope. Using risk response plans, project managers can find new approaches to executing a project by creating alternative ways to tackle risks and project limitations.
Risk response plans help project managers identify and pursue any risks with substantial rewards that may be worth taking.
What are the four risk response categories?
There are four main risk response categories your strategy can fall under. The category you decide to use depends on several factors, including the types of risk you may face in your project and the appetite for risk within your team and organization.
Note that your risk response strategy may change over time, especially if the project requirements evolve or new managers and project owners are included. Switch to a new risk response category if your initial category is no longer suitable for your project.
The four main risk response categories
With this strategy, you aim to avoid the risk altogether. This may mean you choose not to begin a project because it's too risky, or you decide to remove specific tasks from the project to avoid the accompanying complications.
This risk response strategy ensures the identified risk has no chance of threatening the project. As such, it's the go-to strategy for risks that could get the company in legal trouble, result in injury to employees, or have little benefit compared to their cost.
Avoiding risk is considered one of the negative risk response strategies. It is not always advisable, especially if taking the risk could lead to significant rewards for the team and project. As such, project managers must look at all sides of the risk and consider it thoughtfully before avoiding it altogether. Use a risk assessment matrix to determine the severity of the potential risks.
This risk response plan does not mitigate or eliminate the risk from the project. Instead, responsibility for the risk is transferred over to a third party.
Purchasing business insurance is an excellent example. Committing to an insurance plan doesn't negate the risk that something may go wrong in your project, company, or premises. However, the insurance company takes on the risk of dealing with the problem if it occurs.
The Transfer risk response category aims to ensure your project or company comes out relatively unscathed if the identified risk occurs.
Unfortunately, you can only use the Transfer strategy for certain types of risk. Risks related to your company's brand, reputation, and talent cannot be transferred. Furthermore, this risk response strategy only kicks in once the identified event occurs.
This category involves investing money and resources into a solution to reduce the inherent risk in a project. A good example comes from companies working on international projects.
In such cases, exchange rate fluctuations could cause the company to spend more than intended on labor and materials. The business may invest in a guaranteed exchange rate to limit how much the business is affected by currency-based uncertainty.
The Mitigate risk response strategy includes any action to reduce inherent risks in a project. Contracting a third-party authority to examine technical plans or a project proposal is a form of mitigation. So too is assigning high-risk tasks to vendors and experts who have proven they're capable of completing those tasks.
Risk mitigation does not eliminate the risk from the project entirely, but it reduces the possibility of it occurring.
Of all of the risk response categories, this requires the least amount of effort. Sometimes, you will identify risks that have a low probability of occurring or minimal impact should they occur.
In these cases, the risk is defined as being well within your tolerance for the project. You may also find that the cost of doing something about the risk is prohibitive compared to the risk's severity.
In this case, you can choose to accept the risk and do nothing. This does not always have to be a passive approach. For example, you may accept the risk and search for ways to share it, perhaps by partnering with another company.
Positive risk response strategies vs. negative risk response strategies
We can loosely split risk response categories into positive and negative risk response strategies.
Negative risk response strategies are those you employ so you don't have to confront the risk directly. For example, the Avoid strategy is negative because you're making no attempt to do anything about the risk. This does not mean the strategy is incorrect. Some risks are so severe it is wise to avoid them. However, taking the avoidance approach at all times means that you may miss opportunities to learn, grow, and enhance a project.
The Accept approach may also be considered negative, especially if it involves simply throwing up your hands and not bothering to do anything about the risk. However, this is rarely the case. Most teams and managers who accept a risk do so because they've weighed up their options and understand that the risk's severity is not high or impactful enough to compromise the project.
Positive risk response strategies involve a more active focus on tackling the risk. The Mitigate risk response plan is a positive risk strategy because it aims to reduce the impact of the risk to allow the project to continue.
The same is true for the Transfer risk response strategy, as it takes the risk away from the project and team, creating more opportunities in the process.
This focus on creating opportunities is fundamental to a positive risk response strategy. Other examples of a positive approach include:
- Looking for ways to exploit the risk, perhaps by finding ways to finish a project quicker than anticipated
- Taking calculated risks to enhance the project, such as buying equipment before the project starts so you can get it at a cheaper price
- Creating partnerships to spread potential risks while building beneficial industry relationships, sharing resources, and putting your business in a position to benefit from partners' expertise
Though we have used the terms "positive" and "negative" to describe these two tactics, there is no single correct answer for creating a risk response strategy.
The approach you take must depend on the project in question, your organization's appetite for risk, and the actual risks you've identified. In some cases, you may find yourself using a blend of positive and negative approaches to create a comprehensive risk response plan.
Risk response plan examples
There are many risk response plan examples to consider. Below, we share four — one for each risk response category — to give you an idea of what a risk response strategy looks like in action.
Risk response plan example: Avoiding project scope creep
Imagine you begin a project with unclear scope. Risks grow as project requirements pile up and the scope continues to increase. You soon reach a limit in terms of the time, personnel, and budget you can dedicate to the project.
It's only now that you decide to log a risk to let the project owner or senior managers know that any more additions to the project scope may lead to its failure. In doing this, you chose the Avoid risk response strategy and didn't take any action until necessary. You swung into active management only to ensure that the project's scope didn't exceed the organization's means, leading to failure.
Risk response plan example: Transferring via outsourcing
Say you run a brick-and-mortar retail outlet. One day, you decide to create an e-commerce website to sell more of your products. As you have no idea how to build or maintain an online shop, you conduct an IT-based risk assessment and decide that outsourcing the responsibility to a company that knows how to build websites is the most sensible choice. In doing so, you transfer the risk of creating and maintaining your website to an experienced and suitable company.
Risk response plan example: Mitigation via education
There's always the risk that your employees or team members may make errors in their work on a project. While you cannot completely eliminate this risk, you can mitigate it through continuous education and training. Your organization may create employee handbooks and conduct training sessions to minimize human error as a risk response strategy.
Risk response plan example: Accepting mechanical liability
In this scenario, your team may have a piece of expensive machinery that you need to deliver successful projects. Due to high costs or unavailability of the right fit, you choose not to purchase insurance for the machine, passively accepting the risk that it may fail, and you'll have no recourse.
Typically, you would only take this approach if replacing the machine with manual labor is a viable workaround, or you may find yourself held up by bottlenecks if the machine breaks down.
How to create and implement risk strategies in project management
The examples above demonstrate the various risk strategies in project management that you may choose to follow. However, before creating a risk response strategy, you should understand how to implement it effectively.
The following are crucial steps to follow when creating and implementing a risk response plan:
- Dedicate time to conducting a risk analysis that identifies all of the risks that may affect your project. Sort them based on their severity, highlighting those that warrant a priority response from you and your team.
- Collaborate with your team and project stakeholders, along with any essential external collaborators, to determine which category of response you should assign to the risks you've identified. Outline the extra time and resources you can commit to tackling each risk in a risk register.
- Communicate your risk response strategy to your team, collaborators, and stakeholders. Get approval from the relevant individual or organization before moving ahead with the project planning and execution.
- Review the risk response plan to identify any residual risks you may not have identified the first time. Retrace your steps and get expert management feedback to ensure you have covered all your bases, and continue to have scheduled risk analysis checks throughout the project duration to identify any additional risks.
Improve your risk response plans with Wrike
The key to creating the ultimate risk response strategy is to take a balanced approach to the risks you're confronted with. Define their severity and settle on the best risk response category for the issue at hand.
Once you know the best response to a potential risk, the next step is to communicate this with team members, collaborators, and stakeholders. You want to empower each person with adequate know-how and authority to overcome the risks of their responsibilities while driving the entire project forward within the planned schedule.
Wrike provides a secure, centralized portal allowing for open communication and project management within teams, creating a work environment conducive to identifying and tackling risks before they become crippling problems. Get started with a two-week free trial today.