
What are Risk Response Strategies?

Risk response strategies are the approaches we can take to deal with the risks we have identified and quantified. In the section on risk quantification we discussed evaluating the risk in terms of its impact and probability in such a way that we would be able to rank risks in their order of importance. This is what we called severity, the combination of impact and probability.

Risk response strategy is really based on risk tolerance, which has been discussed. Risk tolerance in terms of severity is the point above which a risk is not acceptable and below which the risk is acceptable.

Several strategies are available for dealing with risks. These are avoidance, acceptance, transfer, and mitigation (see RISK STRATEGY).


There are many reasons for selecting one risk strategy over another, and all of these factors must be considered. Cost and schedule are the most likely reasons for a given risk to have a high severity. Other factors may affect our choice of risk strategy. For example, if a schedule risk is identified for a task in the project, and if this task has many other tasks depending on it, its severity may be calculated as being lower than is apparent, and the severity should be adjusted even though the schedule impact due to the disruption may be difficult to judge. The strategy should be appropriate for the risk it is intended for.

The following four strategies are the ones normally used for dealing with risk:

Acceptance. Acceptance of a risk means that the severity of the risk is low enough that we will do nothing about the risk unless it occurs. Using the acceptance strategy means that the severity of the risk is lower than our risk tolerance level. If this were not the case, it would not make sense to accept the risk. Once the risk occurs, we will fix the problem and move on. The risk is acceptable because the severity of the risk is lower than our risk tolerance. Accepting a risk does not mean that we will not do something about the risk when and if it occurs; it means that we will do something about it only if it occurs. Many of the project risks will fall into this category. It is the category where the many insignificant risks are put. Many of these risks cost less to fix when they occur than it would cost to investigate and plan for them.

There are two kinds of acceptance, active and passive. Acceptance is active when a risk is identified as being acceptable but we decide to make a plan for what to do when and if the risk occurs. It is much more effective to have a plan in place when these types of risk occur rather than trying to deal with the risk when there is little time and lots of hysterics. There is also another risk involved: the wrong thing can be done to solve the problem because its solution was not clearly thought out under pressure in the heat of the moment.

Acceptance is passive when nothing at all is done to plan for the risk occurrence. Many of the identified risks in the project will be passively accepted. These risks are simply too small to be of concern. The cost of developing a plan and documenting it can be higher than the cost of dealing with the risk without preparation.

An example of risk acceptance is the risk that off-the-shelf software that was purchased for the project will be defective. There is a probability of 2 percent that this will occur, that is, that the CD the software is delivered on will not work and will have to be replaced with a new CD. This causes a delay of five days to a task that has twenty-five days of free float. Passive acceptance will probably be used in dealing with this risk. It is probably not worth the effort to anticipate the problem and do something about it. It is simpler to wait and see if something is wrong with the CD and take corrective action. Of course, it would be foolish to receive the CD and not test it until it was needed.

Transfer. The transfer strategy in managing risk is to give responsibility for the risk to someone outside the project. The risk does not go away; the responsibility for the risk is simply given to someone else. This can be done in a number of ways. One way is to negotiate the refusal of a project deliverable that has a high risk of causing problems and have that risk contracted to another project. The stakeholder simply agrees that the deliverable is not required as part of the project and finds another project that is willing to do it.

Risks can also be transferred to a contractor working for the project. If this is done with a firm fixed price contract, the vendor will be obligated to deliver the agreed product for a fixed price. In this situation the vendor is responsible for any risks that occur while trying to complete the contract. While this may seem like a good solution to risk management problems, the vendors were not born yesterday afternoon. The vendor’s risk strategy may be to increase the selling price to compensate for the risk if it occurs. Of course, if the risk does not occur the vendor will make extra money. If you try to transfer the risk in this way, it may be that you will find that you are paying for the impact of the risk whether it happens or not.

Probably the most common method of transfer is to buy insurance. With insurance you give a relatively small amount of money to an insurance company. This amount of money, called a premium, is usually much smaller than the cost of the risk. If the risk happens, the insurance company pays to have the risk resolved. If the risk does not take place, the insurance company keeps the premium.

It is interesting to note that you can insure against only your own or your company’s loss. Buying insurance on someone else’s life or property, for example, is not allowed in most places unless that person or property represents a loss to you. If this were not true, there would probably be people hanging around hospitals buying policies on people who looked really sick.


PMI held its annual Seminar Symposium in New Orleans in 1995. Much of the revenue to run the organization is generated through the Seminar Symposium, and if it were called off or canceled, PMI would be hard-pressed to recover from the financial loss.

The Seminar Symposium is usually scheduled in the fall of each year. This is also hurricane season in New Orleans and on most of the Gulf Coast. When PMI met with the hurricane experts and realized the severity of the risk of a hurricane or even the severity of the threat of a hurricane, it decided to buy event insurance for the first time.

Risk Avoidance. This strategy is used to make the risk cease to be a possibility. Avoidance is a little different from the other strategies we have discussed. In risk avoidance, we completely eliminate the possibility of the risk.

The simplest way to avoid a risk is to remove it from the project deliverables. If the sponsor of the project agrees to allow a risk-filled deliverable to be removed from the project, the risk is removed along with the deliverable. Of course the price the sponsor is paying for the project will probably be reduced to compensate for the reduction in scope. In avoiding risk in this way, we should remember that profits are often related to the risks we take in completing projects.

Another way to avoid risks is to design around them. This strategy involves changing the design of the product so that the risk cannot occur.

Suppose we have a project to design and manufacture a new kind of barbecue grill. During testing we discover that the screws that hold the bottom of the grill, where the ashes collect, rust and deteriorate quickly. A failure of the ash-collecting bottom could result in hot charcoal being dumped onto a wooden deck and causing a fire. We decide that this is an unacceptable risk and that our strategy is to avoid the risk.

One way to avoid the risk is to not build and sell the barbecue grill at all and abandon the project. We decide that this is an unnecessarily conservative strategy. Another way is to change the material that the screws are made from. Instead of plain steel screws we decide to redesign and use stainless steel screws. The stainless steel screws will not rust, and the potential problem will be eliminated. This completely eliminates the rusting problem of the screws and avoids the risk of a screw failure causing a fire.

Mitigation. When we discussed risk tolerance, we said that risks that were above the risk tolerance maximum were not acceptable risks and that something had to be done about them. Mitigation is a strategy where some work is done on unacceptable risks to reduce either their probability or their impact to a point where their severity falls below the maximum risk tolerance level.

Using the risk mitigation strategy involves taking some money out of the contingency budget that was the expected value of the risk before mitigation. Some of this money is put into the project’s operating budget to carry out the mitigation strategy. Since the probability or impact will be reduced, the expected value of the risk will be reduced as well, and the contingency budget should be reduced accordingly.

Perhaps it would be a good idea to review how the money is allocated for different risk strategies. Risk avoidance is frequently going to cost some money. The money that we spend to redesign the project so that the risk is eliminated is money that will have to be spent regardless of the probability of the risk. The additional work of doing the redesign and adding more expensive parts will be part of the operating budget. No money needs to be put into the risk reserves if the risk is completely eliminated. If the risk has already been allocated funding in the contingency budget, the increase in the operating budget can be taken from the contingency budget.

Risk acceptance will have money put into the contingency budget if the risk has been identified. If the risk is an unknown risk and has not been identified, the money for it will be roughly estimated and become part of the management reserve. If the risk does happen, the money is taken from the contingency budget or the management reserve and moved into the operating budget when the plan for dealing with the risk is put into place.

Risk mitigation will have money put into the contingency budget to handle the risk if it occurs. There will also have to be money put into the operating budget to take care of the cost of the mitigating activities that are being taken for this risk. The mitigation of the risk will reduce either the probability or the impact of the risk, and the contingency budget should therefore be reduced.

Risk transfer requires money to be put into the operating budget to pay for the additional cost of either subcontracting the risk or buying insurance for it. The money to do the work for the activity affected, not including the risk cost, was put into the operating budget when the task was created. The cost of the transfer, either the additional cost that the supplier will receive or the cost of the insurance premium, must be added to the operating budget. This money can be taken from the contingency budget.
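The budget movements described above for the four strategies, as an added example that is not part of the original text. It takes expected value as probability times impact; the register entries and all figures are constructed, and holding no contingency for a transferred risk is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    probability: float            # chance the risk occurs, 0..1
    impact: float                 # cost if it occurs
    strategy: str                 # "accept", "avoid", "mitigate" or "transfer"
    response_cost: float = 0.0    # redesign, mitigation work, or premium
    new_probability: Optional[float] = None   # after mitigation
    new_impact: Optional[float] = None        # after mitigation

def expected_value(probability, impact):
    return round(probability * impact, 2)

def allocate(risk):
    """Return (operating budget increase, contingency held) for one risk."""
    ev = expected_value(risk.probability, risk.impact)
    if risk.strategy == "accept":      # nothing spent unless the risk occurs
        return 0.0, ev
    if risk.strategy == "avoid":       # redesign is paid regardless; no reserve
        return risk.response_cost, 0.0
    if risk.strategy == "mitigate":    # pay for the work, hold the reduced EV
        p = risk.probability if risk.new_probability is None else risk.new_probability
        i = risk.impact if risk.new_impact is None else risk.new_impact
        return risk.response_cost, expected_value(p, i)
    if risk.strategy == "transfer":    # assumption: no reserve kept once transferred
        return risk.response_cost, 0.0
    raise ValueError(f"unknown strategy: {risk.strategy}")

def plan(register):
    """Total the budget effect of the chosen responses across a register."""
    rows = [allocate(r) for r in register]
    return {
        "ev_before_response": round(sum(expected_value(r.probability, r.impact) for r in register), 2),
        "operating_increase": round(sum(op for op, _ in rows), 2),
        "contingency": round(sum(c for _, c in rows), 2),
    }

# Constructed register; all figures are illustrative.
REGISTER = [
    Risk("defective software CD", 0.02, 1000, "accept"),
    Risk("grill screws rust", 0.10, 50000, "avoid", response_cost=3000),
    Risk("key task slips", 0.30, 20000, "mitigate", response_cost=1500, new_probability=0.10),
    Risk("event cancelled by hurricane", 0.05, 200000, "transfer", response_cost=4000),
]

if __name__ == "__main__":
    print(plan(REGISTER))
```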

The operating budget of the project, sometimes called the performance budget, is the amount of money needed to do the things that are planned for in the project. This includes all of the work to produce all of the deliverables that were planned for in the project. It is not the total project budget; it includes funding only for the things that are planned for. Subject to limitations in the project policy, this money can be spent freely by the persons responsible for the tasks of the project as long as the expenditures are following the project plan.

The contingency reserve is the money to do the things that may or may not have to be done but that have been identified. This is where the funding for risks that actually take place comes from. When a risk takes place, the project manager authorizes money to be taken from the contingency budget and placed into the operating budget. Generally the project manager must approve money transferred from contingency reserves to operating budgets. In larger projects a subproject manager may approve these funds. The transfer of funds must include any appropriate changes to scope or schedule.

The management reserve is money that is set aside for the risks that have not been identified, the so-called unknown risks. Money is transferred from this reserve when a risk occurs that has not been identified and money must be spent to solve the effects of the risk. The use of these funds usually has to be approved by a manager one level above the project manager.