Making Sure Projects Succeed With Project Risk Response Planning
Risk Response Planning in a Nutshell
You know what could go wrong. Now, what are you going do to about it?
Understanding Risk Response Options
The goal of Project Risk Management is to ensure the success of the project. We do this by first identifying risks, then assessing, analyzing, and prioritizing the risks we found. Having taken those first two steps, we have a prioritized project risk list.
Our example, created in the article Prioritizing Project Risk: Qualitative Risk Analysis & Assessment, is of a family vacation. We identified and described the six risks shown in Table #1, The Family Vacation Risk Register.
Alone, knowing what could go wrong does not ensure success. Our next step is to plan how to ensure the success of the project by deciding how to deal with each risk event before it happens. This is proactive risk management.
Our first step is to accept each risk. After that, we can choose one or more of three additional options: We mitigate, avoid, or transfer the risk. Or, we might choose to do none of those three, and simply keep an eye out for the risk, and be ready when it happens. Read on to understand these steps of Risk Response Planning.
Table #1: The Family Vacation Risk Register
#
| Risk Name
| Trigger
| Consequence
| Likelihood
| Significance
| Risk Factor
| Risk Rating
|
|---|---|---|---|---|---|---|---|
1
| Dad gets sick
| Sleeplessness
| Trip cancelled
| 0.7
| 1
| 0.70
| RED
|
2
| Kid gets sick
| Sneezing
| Trip cancelled
| 0.3
| 1
| 0.30
| RED
|
4
| Bugs eat us alive
| We arrive at camp site
| No fun
| 0.7
| 0.3
| 0.21
| YELLOW
|
3
| Car breaks down
| We get in the car
| Lost day
| 0.3
| 0.5
| 0.15
| YELLOW
|
5
| Injury while hiking
| We go hiking
| No fun
| 0.2
| 0.7
| 0.14
| YELLOW
|
6
| Boulder crushes cabin
| Landslide
| Death
| 0.1
| 1
| 0.10
| GREEN
|
Remember the Titanic
One reason that the Titanic sank in 1912 might be that she was called "unsinkable." Or, more precisely "designed to be unsinkable." Well, clearly, she wasn't, and we can learn a lot from that. The Titanic hit an iceberg and sank. Well-planned, well-funded projects can hit unexpected events and sink, too. One value of accepting the list of risks for the project is that we don't become arrogant and inattentive. Let's know that a risk event can sink our project, accept the risks, plan responses, and keep an eye out so we're ready when the iceberg suddenly appears.
The Titanic: Before and After
Accepting the Risks
Accepting a risk means that we see it on the risk list, we say "that risk is here, and we will take responsibility for dealing with it." And then we keep it on the list. That's all.
Why even talk about accepting a risk? First of all, once in a while, we choose not to accept the risk. For example, if, in the Proactive Worry brainstorming session, one of my sons says, "What if Mom is kidnapped by space aliens!" and his twin brother responds, "That would be cool!" but their little sister starts to cry and says, "I don't want Mommy to be kidnapped by space aliens!", then it probably makes sense for Super Mom to say, "Kids, no space alien is going to get me. I'll whup their butts! Let's just not worry about it!" Our little girl starts giggling because Mommy said the b-word, and we cross that one off the list. We don't accept that risk into our management plan.
Secondly, in accepting this risk, we take it under management. Either the project manager commits to keep an eye on the risk, or he assigns someone else to do it. To see why this is important, see the sidebar, Remember the Titanic.
Thirdly, some project managers use the term "accept the risk" in a different way. They mean accepting the risk, and then not also mitigating it, avoiding it, or transferring it. So we've introduced the idea, and now we've accepted the risks. If we choose to do nothing else, we've met the minimum requirement of project management, which is to accept the risk.
Accepting the risk is good, but we can do more to ensure project success. Let's take a look at our other options: mitigation; avoidance, and transference.
Understanding the Management Options for Each Risk
Once a risk has been accepted, we consider doing three more things:
- Risk Mitigation. Mitigation is action we take before the risk happens. Mitigation can either reduce the likelihood of the risk happening, or reduce the consequence if it does happen. Both are worth doing.
- Risk Avoidance. Sometimes - but not often - we can completely avoid a risk. This means creating a situation where the risk event simply can't happen at all.
- Risk Transfer. We might be able to set things up so that, if the risk event happens, someone else pays the price.
Now that we've defined the options, let's take a closer look at what it means to do each one.
Choosing Options for Each Risk
Let's take a look at the risk management options, and how we would execute each one.
Mitigate the Likelihood of a Risk
This means that we take action before the risk event occurs so that it is less likely to happen. Here are mitigation strategies for each of the risks rated red and yellow on our list.
- Dad gets sick. Before the trip, I get more rest, get a massage for relaxation, eat healthy food and take extra Vitamin C.
- Kids get sick. We check the kids every night to see how they are feeling. We encourage them to cut down on junk food. Our family doesn't do flu shots, but maybe yours does.
- Car breaks down. We take the car in for a tune-up and safety check, and do whatever the mechanic recommends.
- Bugs eat us alive. We pack bug spray, and use it. We bring extra screening to fix broken screens on the cabin. We bring citronella candles for the campfire, and use them.
- Injury while hiking. We review safe hiking habits with the kids. We make sure everyone has good hiking boots. We agree not to do any rock-climbing except when we join a group with a guide and approved equipment.
Each of these actions reduces the chances, the likelihood, that the risk event will occur.
Mitigate the Consequences of a Risk
We can also consider ways of making sure that, even if a risk event does happen, it will do less harm to our trip. Here are some examples:
- Car breaks down. We make sure our AAA membership is up to date. We check the spare tire and pack a roadside emergency repair kit.
- Injury while hiking. We pack a hiking first aid kit. We practice bandaging wounds and other basic first aid before we go. We take cell phones with us when we hike - many national parks have good cell phone coverage these days just for emergencies like this. We agree to hike as a group. We write a contingency plan - who will take what action if someone gets hurt, and have each person commit to do that job. We tell park rangers which trail we will be on, and when we expect to be back.
Risk Avoidance
Risk avoidance is rarely possible. If by "Car Breaks Down," we mean "our car, which is an old clunker, might break down," then we could avoid that risk by renting a car for the trip. Or, I suppose, to be thorough, we could hire a helicopter to pick us up at home and fly us straight to the campsite - no car needed!
A more realistic example might be in planning a wedding. Suppose a couple really wants an outdoor wedding, but is afraid of being rained out. If the couple decided to change their mind and have an indoor wedding, that would eliminate the risk of the wedding being rained out.
Risk Transfer
To transfer a risk means to make someone else pay for the consequences of a risk. That can be useful to the company (or family) engaging in the project, but it is actually not a big help in terms of the success of the project itself. For example, if we have medical insurance, then the cost of a hiking injury is born by the insurance, and doesn't come out of the family bank account. But the vacation's value is still reduced because someone got hurt, and maybe we had to cut the vacation short.
The Titanic, Lesson Learned
If I were captain of the Titanic, I wouldn't believe all that hype about "unsinkable." Sure, I'm glad my ship was designed well. But I'm owning responsibility for the safety of my crew and passengers, and the success of my maiden voyage, and all the rest.
"Keep a lookout for icebergs" would be on my risk plan. Evacuation training for the crew would be, as well. And there would be more than enough lifeboats for everyone.
In fact, many new laws and regulations increasing safety at sea were enacted from the lessons of the Titanic. But let's not rely on regulatory compliance. Let's own our projects, commit to success, and do good risk management to get where we're going in one piece!
Choosing More than One Action for Each Risk
We can choose more than one option for managing each risk. That is, we can reduce likelihood, reduce consequence, and transfer risk all for the same risk. Let's see how this works for a hiking injury:
- Reduce likelihood. Train the kids in safe hiking techniques.
- Reduce consequences. Carry a first aid kit; have a contingency plan in place for what to do if someone gets injured; tell the rangers what trail we're on and when we expect to be back.
- Transfer. Have health insurance to cover the cost of the injury.
With this in mind, we choose what we will actually do in relation to each risk.
Recalculating Risk Priorities
When we take action in relation to a risk, we change it's rating in both likelihood and significance, and therefore, we change it's risk factor.
Let's say that we take all the actions suggested above. Now, Dad or a kid getting sick is less likely, but would still ruin the trip. The car is less likely to break down, and with a roadside safety kit and AAA ready, we might lose only half a day, instead of a full day. We're well protected against bugs, and hiking injuries are both less likely and create less of a problem if they do happen.
What if a boulder crushes the cabin? Well, we'll just let that one be. The revised results are shown in Table #2, The Family Vacation Risk Register After Risk Response Planning. Note that the risk factors are all lower. The table is sorted by risk factor, so the order of items has changed. The table is sortable, and you can compare the two tables by sorting both by risk number (#).
Table #2, The Family Vacation Risk Register After Risk Response Planning
#
| Risk Name
| Trigger
| Consequence
| Likelihood
| Significance
| Risk Factor
| Risk Rating
|
|---|---|---|---|---|---|---|---|
1
| Dad gets sick
| Sleeplessness
| Trip cancelled
| 0.4
| 1
| 0.40
| RED
|
2
| Kid gets sick
| Sneezing
| Trip cancelled
| 0.2
| 1
| 0.20
| YELLOW
|
6
| Boulder crushes cabin
| Landslide
| Death
| 0.1
| 1
| 0.10
| GREEN
|
4
| Bugs eat us alive
| We arrive at camp site
| No fun
| 0.2
| 0.3
| 0.06
| GREEN
|
5
| Injury while hiking
| We go hiking
| No fun
| 0.1
| 0.5
| 0.05
| GREEN
|
3
| Car breaks down
| We get in the car
| Lost day
| 0.1
| 0.3
| 0.03
| GREEN
|
We're much more likely to have a great vacation. Only one item is red, instead of two; One is yellow, and four are green.
Completing the Risk Plan
Our list of activities that will mitigate the likelihood or consequence of a risk; avoid a risk; or transfer a risk is work to be done. And someone must take responsibility for that work.
The Family Vacation Risk Plan
For our family vacation, we might agree:
- Dad will get more rest.
- Dad will pick up some Vitamin C, and check in every night on how the kids are feeling.
- Mom will train the kids in first aid, have them practicing bandaging one another, and teach them safe hiking techniques.
- Dad will take the car in for it's checkup and confirm AAA membership.
- The twins - each of them - will make sure that the park rangers know what trail we're on, and when we expect to return.
A Business Project Risk Plan
A business project risk plan would look similar. It would be a set of activities, each one assigned to one person, that are added to the project task list and scheduled with due dates.
- The IT manager will install and run diagnostic, security, and virus prevention software on all project computers.
- The project manager will ensure that we have a contract with an IT vendor for repair or replacement of all computer equipment available every business work day, with 4 hour repair time, or 24 hour replacement time.
- The IT manager will ensure continuous backup of all data on to the network server, and from there, to a secure backup system, and test all data restoration methods and write instructions so that anyone can restore lost data as needed.
- The logistics manager will ensure all shipping is with insured carriers, and that each shipment is sent with the proper tracking and insurance
- The project manager will work with Legal Services to design a required contract that transfers liability for errors made by sub-contractors to the sub-contractors, protecting the company from the costs of their errors.
- Each team leader will ensure that the new contract is signed by each sub-contractor.
Acting Now, and Moving Forward
Some actions in the project risk plan can be taken immediately. For example, I can take the car in for it's checkup and call AAA right away. Other actions need to be taken during the project. For example, each time we go on a day hike, one of the twins tells the park ranger where we're going, and when we'll be back. Other actions are only taken if a risk event actually happens. For example, if someone falls and gets a cut on the trail, we'll bandage the wound.
Generally, we take each action as soon as we can. The sooner a risk event is mitigated, the less likely, and the less costly it will be. We also make sure that we do take the actions. We have status meetings where we go through the list of actions and check off what we've done. And we create checklist. For example, we'll have a packing checklist to make sure that the citronella candles, roadside emergency kit, first aid kits, and everything else are with us when we pull out of the driveway.
We've done everything we can to plan a safe vacation. Now, let's make sure it happens by Managing Risk to Project Success With Risk Monitoring & Control.
