Identifying risks is only the start of the risk management process. If you identify a risk you are obligated to create a risk plan to respond to the risk. You should create a risk response for all “high” risks. There are a number of general options that the project manager should consider for responses.
In this approach, the project manager looks at a high risk and decides to do nothing. This can happen for one of two reasons.
- First, the project manager may feel that the cost and effort of managing the risk are more than the impact of the risk event itself. In this case you would rather deal with the costs of the risk occurring than the cost of trying to manage the risk.
- Second, there may not be any reasonable and practical activities available to manage the risk. For instance, it is possible that there is a risk of your sponsor leaving and a new sponsor canceling the project. However, you may not be in a position to do much about it as long as the current sponsor is in place, and you may just need to leave it and see how events play out.
Monitor the risk
In this case, the project manager does not proactively manage the risk, but monitors it to see whether it is more or less likely to occur as time goes on. If it looks more likely to occur later in the project, the team must formulate a different response at a later time. This is a good approach if you have identified a risk that should be managed, but the risk event is far off in the future.
Avoid the risk
Avoiding the risk means that the condition that is causing the problem is eliminated. For example, if you find that a part of the project has high risk associated with it, that whole part of the project can be eliminated. The risks associated with a particular vendor, for instance, might be avoided if another vendor is used instead. This is a very effective way to eliminate risks but obviously can be used only in certain unique circumstances.
Move the risk
In some instances, the responsibility for managing a risk can be removed from the project by assigning the risk to another entity or third party. For instance, you may identify a risk associated with a new technology. Outsourcing the function to a third party might eliminate that risk for the project team. The risk event is still there, but now some other entity is dealing with it.
Mitigate the risk
In most cases, this is the approach to take. Mitigating the risk means that you put in place a set of proactive steps to minimize the likelihood that the risk will occur. If possible you could eliminate the risk by minimizing the likelihood down to zero percent. Another purpose of mitigation is to ensure that if the risk occurs, the negative impact of the risk is minimized. In many cases it may not be possible to totally eliminate a risk event, but given that you have time to prepare, you should be able to minimize the probability of the event occurring, or minimize the impact to the project if the risk event does occur.
These are typical risk responses for negative risks. You can first identify one or more risk strategies and then put the detailed activities in place to effectively manage the risk.