Now that we’ve prioritized all our risks and performed a deeper analysis of the risks that could potentially have a major impact, we can start planning how to respond to them. PMI’s Project Management Body of Knowledge offers succinct advice for keeping your risk responses pragmatic:
Project teams should consistently identify potential risk responses with the following characteristics in mind:
- Appropriate and timely to the significance of the risk,
- Cost effective,
- Realistic within the project context,
- Agreed to by relevant stakeholders, and
- Owned by a responsible person
Like our other risk planning exercises, response planning should be performed with your project team members and relevant subject matter experts. Starting with the highest priority risks (per your P*I score, probability times impact), your goal is to determine how (or if) you will respond to each risk.
Risk responses typically fall into one of four categories:
| Response Strategy | Description |
|---|---|
| Avoid | Typically the best option when it is available. Change the project so the risk no longer applies, for example by dropping the feature or choosing a different approach. |
| Mitigate | The most common approach. Take steps to reduce the probability and/or impact of the risk. |
| Transfer | Less common. Shift responsibility for the risk and its impact to another party, for example through a contract clause, warranty or insurance. |
| Accept | Best for minor risks. Yeah, it could happen, so let's just budget some reserve in case it does. |
Whatever strategy your team selects, the resulting activities should feed back into your plan. This forms a loop where we identify and assess risks, determine our responses and adjust our plan accordingly, then repeat. Ideally, you will track the progress of those response tasks not just in your project plan or backlog, but also in your RAID log so you can see the status of the response activities in the context of each Risk.
Communicating the big ones
Although your RAID log should be transparent and available to your stakeholders, this isn’t always enough. Sometimes you need to highlight a key risk and provide more detail than can be easily tracked in a RAID log. In these cases it can be a good idea to create a separate detailed Risk Report.
A Risk Report is simply a separate document which provides additional detail on the risk and the remediation plan. This additional focus on detail can help drive discussion and action around this one risk, and also provide a vehicle for your stakeholders and sponsors to communicate the risk higher in the organization when necessary.
Residual risk – Optional
Once you determine the response plans for your risks, you can revisit the probability and impact for each risk, adjusting them to reflect the new values you expect once the selected response strategies are in place.
This is a useful way to show what your risk responses actually buy you. I once demonstrated to the CIO of a Fortune 50 enterprise how our experts could reduce the risk of their engagement, and illustrated it with a before and after diagram.
That said, for typical RAID management, it is more useful to keep the original P*I values, regardless of the response strategies. Doing so lets you prioritize the risk responses using the original Risk P*I score, keeping the response strategies for the most potentially impactful risks at the top of your list. If you do want to capture residual risk, record it in a separate column rather than overwriting the original probability and impact, so the original ranking survives.
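To make the scoring and prioritization concrete, here is a small Python model of a RAID-log risk entry, added as an example and not taken from the original post or from any PMI material. It keeps the original P*I score for ranking, tracks a residual score separately, and checks each entry against the PMI characteristics above (an owner, a decided strategy, and response tasks that feed the plan). The field names, the 1 to 5 rating scale and the sample entries are all constructed for illustration.

```python
"""RAID-log risk entries with original and residual P*I scores (added example, constructed data)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Strategy(Enum):
    """The four response categories from the table above."""
    AVOID = "avoid"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass
class Risk:
    rid: str
    description: str
    probability: int                             # original rating, 1 (rare) to 5 (near certain); assumed scale
    impact: int                                  # original rating, 1 (trivial) to 5 (severe); assumed scale
    owner: Optional[str] = None                  # responsible person for the response
    strategy: Optional[Strategy] = None
    residual_probability: Optional[int] = None   # optional re-rating after the response is in place
    residual_impact: Optional[int] = None
    response_tasks: List[str] = field(default_factory=list)  # tasks that feed back into the plan

    def score(self) -> int:
        """Original P*I score; this is what drives prioritization and is never overwritten."""
        return self.probability * self.impact

    def residual_score(self) -> int:
        """P*I after the planned response. An avoided risk drops to 0; otherwise use the
        residual ratings where recorded and fall back to the originals."""
        if self.strategy is Strategy.AVOID:
            return 0
        p = self.residual_probability if self.residual_probability is not None else self.probability
        i = self.residual_impact if self.residual_impact is not None else self.impact
        return p * i


def validate(risk: Risk) -> List[str]:
    """Return the ways an entry falls short of the PMI characteristics (empty list means ok)."""
    problems = []
    for name, value in (("probability", risk.probability), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            problems.append(f"{name} {value} out of range 1-5")
    if risk.strategy is None:
        problems.append("no response strategy decided")
        return problems
    if not risk.owner:
        problems.append("response has no owner")
    if risk.strategy is not Strategy.ACCEPT and not risk.response_tasks:
        problems.append("response strategy has no tasks in the plan")
    if risk.residual_score() > risk.score():
        problems.append("residual score exceeds original score")
    return problems


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order by original P*I, highest first; ties broken by id so the list is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.rid))


# Constructed sample entries, not from any real project.
SAMPLE_RISKS = [
    Risk("R1", "Key vendor delivers integration late", 4, 4, owner="Dana",
         strategy=Strategy.MITIGATE, residual_probability=2, residual_impact=4,
         response_tasks=["Weekly vendor checkpoint", "Stub the interface for parallel testing"]),
    Risk("R2", "Unsupported legacy auth library in scope", 3, 5, owner="Lee",
         strategy=Strategy.AVOID, response_tasks=["Replace with the platform SSO module"]),
    Risk("R3", "Data-center outage during cutover", 1, 5, owner="Sam",
         strategy=Strategy.TRANSFER, residual_impact=2,
         response_tasks=["Cutover-window SLA clause with hosting provider"]),
    Risk("R4", "Minor UI copy changes requested late", 3, 1, owner="Kim",
         strategy=Strategy.ACCEPT),
    Risk("R5", "Tester availability over holidays", 2, 3),                      # no response decided yet
    Risk("R6", "Build agent license expires mid-project", 2, 2,
         strategy=Strategy.MITIGATE),                                            # strategy chosen, nobody owns it
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        issues = validate(r)
        label = r.strategy.value if r.strategy else "-"
        print(f"{r.rid} P*I={r.score():2d} residual={r.residual_score():2d} "
              f"{label:8s} {', '.join(issues) or 'ok'}")
```

Note that R2 (avoided, residual 0) still sits second in the list because ranking uses the original score, which is the behaviour the section argues for; R5 and R6 surface as incomplete entries rather than silently sorting among the finished ones.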