Risk Response Strategies in Project Management

It is important for you to manage risks proactively to finish your project with minimal obstruction. To do so, you must start to identify risks at the beginning of the project and develop risk response strategies to manage them.

Risks can be divided into two categories: negative risks and positive risks. A negative risk has a negative impact on your project objectives, and a positive risk has a positive impact on your project.

Negative risks are also known as threats, and positive risks as opportunities.

For an effective risk management plan, you will have to manage both types of risks. However, generally, project managers focus on negative risks and avoid managing positive risks.

You should not do this and must instead focus on managing both types of risks.

In this blog post, I will talk about all the strategies you can use to manage both types of risks.

Risk Response Strategies

Risk response strategies can be of two types:

  1. Negative Risk Response Strategies
  2. Positive Risk Response Strategies

Negative Risk Response Strategies

A negative risk can impact your project negatively, so you will want to avoid or decrease the impact if one occurs.

As per the PMBOK Guide, you have the following strategies to manage a negative risk:

  • Avoid
  • Mitigate
  • Transfer
  • Escalate
  • Accept

Avoid

This is the best strategy to manage risk if it is an available option.

Here, you avoid the risk by changing the scope, planning, or schedule. You use this strategy when risk is critical, and management or the client does not want it to happen.

For example:

Elections are imminent, and the government will soon announce the dates. Therefore, you will not want to schedule activities during this period, so you move them ahead to avoid clashing with the election dates.

This is an example of the avoid risk response strategy because you have changed the schedule to keep your project activities from clashing with the election.

Mitigate

In the mitigate risk response strategy, you try to minimize the probability of the risk occurring or its impact.

For example:

You feel you may need a consumable during the peak of your project which might not be easily available, and if available it will be costly. Therefore you contact a few suppliers and ask them to supply the consumable during the execution of the project at a negotiable price if you need it, and they agree.

If the risk occurs, you will get consumables cheaper than you would have gotten without a pre-negotiated deal. Therefore, it is a mitigate risk response strategy.

This risk response strategy only reduces the probability or the impact of the risk. After developing the response there will still be a residual risk. You will analyze and record it in the risk register for future monitoring.

Transfer

The transfer risk response strategy is used when you cannot manage the risk on your own. For example, you are lacking resources and skills, or you are busy with other activities, etc.

Here the management of the risk is transferred to a third party. If the risk occurs, it will be their responsibility to manage it.

Insurance is an example of this risk response strategy.

Please note that this strategy can cause you a secondary risk. For example, though you have asked a third party to manage the risk, you are responsible for the guarantee with the client.

Escalate

This risk response is used when you lack the authority to manage the risk. Here you approach your PMO or management to manage the risk. Once they agree to manage the risk, your responsibility is limited to monitoring it.

For example:

The government is planning regulation, and if it is approved, it could impact your project negatively. You have no legal advisor or other resources to manage this risk, so you will approach management to manage this risk.

You are a project manager, and dealing with this issue is beyond your capability. Here you don’t have access to legal advisors to advise you, and also, you don’t have the power to implement a solution. Therefore, it is an example of the escalate risk response strategy.

Accept

In the accept risk response strategy, you take no action except acknowledge it. You accept it.

This strategy is used for non-critical risks or if the effort involved does not outweigh the benefit.

This risk response strategy can be active or passive. In active acceptance, you keep a contingency reserve to manage it, and in passive acceptance, you do nothing except note it down in the risk register.

For example:

You are constructing a building, and it is designed to withstand earthquakes up to 6 on the Richter scale. Although there is a small chance of an earthquake of 7 or above occurring, you choose to ignore it because the chance of it occurring is low, and the change in design would carry a significant cost.

Since you decided not to take any action, it is an example of the accept risk response strategy.

Sometimes, developing a risk response plan can generate another risk. This risk is called a secondary risk. Keep watching out for these risks and do whatever is necessary to avoid them.

If you are not able to avoid a secondary risk, you will analyze it and develop a risk response plan for this risk as well.

Also, note that you develop risk response plans for identified risks, so you will use the contingency reserve to manage them. You will not use the management reserve here because it is used to manage unidentified risks.

Positive Risk Response Strategies

Since positive risks have a positive impact on your project, you will want them to happen.

Strategies used for positive risks are the opposite of those for negative risks. The purpose of a negative risk response strategy is to either avoid or minimize the impact of a negative risk. On the other hand, the objective of positive risk response strategies is to increase the chance of the risk occurring and realize it if it occurs.

The PMBOK Guide describes five strategies to manage positive risks:

  • Enhance
  • Exploit
  • Escalate
  • Accept
  • Share

Enhance

In this risk response strategy, you increase the chance of the risk happening, so if the risk occurs, you can realize it. The enhance risk response strategy is the opposite of the mitigate risk response strategy, where you reduce the probability of the risk happening or its impact.

For example:

Let’s say your project will be completed in three months. You find out that an organization is about to float a similar project in two months. So, if you can finish your project in two months, you can get this new project.

This is an opportunity for you.

Therefore, you compress the schedule using fast-tracking so the project can be finished ahead of time and you can have a chance to bid for the new project.

Here you are using the enhance risk response strategy because here, you are trying to realize the opportunity.

Exploit

In the exploit risk response strategy, you make sure that the risk is realized. This response strategy is the opposite of the avoid risk response strategy where you ensure the risk does not occur.

For example:

Let’s say your project will be finished in three months. You find out that an organization is about to float a similar project in two months. So, if you can finish your project in two months, you can get this new project.

This is an opportunity for you.

Therefore, you compress the schedule using crashing and fast-tracking so the project can be completed ahead of time and you can have a chance to bid for the new project.

Here you are using the exploit risk response strategy because you are doing everything to realize the opportunity.

Escalate

You use this risk response strategy when there is an opportunity, but you cannot develop a response to realize it as you don’t have the power to do so.

To realize this opportunity, you will approach your management. When they agree to manage the risk, you will not be responsible, though you will note it in the risk register for monitoring.

For example:

If you team up with another project team from a big organization, you can jointly bid for a project. However, you don’t have the authority to contact other organizations and lack the resources to seal the deal. So you will ask your management to approach them and make an arrangement.

This is an example of the escalate risk response strategy because here, you don’t have a communication channel to speak with the head of any organization and also lack experts to negotiate the terms and conditions of the deal. Therefore, you escalate the issue to management, and they can take care of it.

Accept

Accept risk response strategy can be used with both types of risks. Here you take no action, and if a positive risk occurs, you will benefit.

You use this strategy when the cost of the response is high, and there is a small chance of it occurring, or the benefit does not outweigh the effort involved.

For example:

You know a supplier may have spare equipment you can use for your project for a short time at a low price. Since there is no guarantee you will need this equipment, you don’t take any action.

This is an example of the accept risk response strategy because here, you do not take any action to realize the opportunity.

Share

In the share risk response strategy, you will join or invite someone else to realize the opportunity together as you are not able to realize the opportunity on your own.

For example:

Due to a lack of expertise in electrical, plumbing, and painting work, you are not able to bid for a construction project, but your management wants this project to expand their portfolio. Therefore, you team up with another company with experience in these tasks and jointly bid for the project.

Here you are using the share risk response strategy because you are sharing the opportunity with another partner.

Before I conclude this blog post, let’s revise the key points of the risk response strategy:

  • If the negative risk is critical, you will use the avoid risk response strategy.
  • If you are able to decrease the impact of the risk to an acceptable limit, you will use the mitigate risk response strategy.
  • If you cannot manage the risk on your own, you will use the transfer risk response strategy.
  • If managing the risk is beyond your capability, you will use the escalate risk response strategy.
  • You use the accept risk response strategy when a risk is unimportant or too costly to develop a response.
  • If you want to realize an opportunity, you will use the enhance risk response strategy.
  • If you want to make sure that the opportunity is realized, you will use the exploit risk response strategy.
  • If you want to realize the opportunity but cannot do so on your own, you will use the share risk response strategy.

Summary

Every risk response strategy is unique, and you should select the best one based on the risk and situation around it. Ideally, you will always want to avoid negative and exploit positive risks; however, it is not always possible to use these strategies for all risks. Select the risk response strategy wisely.

Effective risk response is necessary for your project’s success, and if you fail to have one, it may affect your project. A proper risk response plan comprises responses to positive and negative risks. You should not ignore positive risks because they can save you a lot of money, time, and effort.

How do you manage risks in your project? Share your experiences through the comments section.

6 thoughts on “Risk Response Strategies in Project Management”

  1. some times i use mitigate i can buy all material one time ,it’s cheaper .
    in positive risk i usually enhance occur and exploit a lot of opportunity.

    Reply
  2. Thank you Fahad for the info, but I am a bit confused because on another blog post you mentioned there are 7 risk strategies (you didn’t mention escalate). Can you please elaborate?

    Reply
  3. Hello Ra, this is then new risk response strategy in the sixth edition of the PMBOK Guide.

    By the way, which blog post you are talking about?

    Reply

Leave a Comment