Message to Som Gollakota

Hyderabad, India
Risk Management - Risk Response and Strategies
February 2, 2010
...process of developing options and actions to enhance opportunities and to reduce threats to project objectives.
-Plan Risk Responses, PMBOK 4
All the groundwork we have done so far, in identifying, analyzing and documenting risks, would be a waste of our time and that of others involved in the process if we do not respond to the risks appropriately, or do not know how to respond or what the appropriate response is. Planning for an appropriate response (and responding in a timely manner) is at the heart of effective risk management. Equally important is identifying "who" would "own" the risk, so that all the parties involved know and understand who responds to the risk.
Risk Response Strategies (Planning Response Strategies):
Soon after (or even while) analyzing a risk, the next step is to formulate (or plan) a response strategy. It involves asking one basic question - what do we do with this risk or how do we handle it? Since a risk can be positive or a negative risk (opportunity or a threat), the type of risk dictates the response strategy as well.
Positive Risk (Opportunity) Response Strategies:
  1. Exploit: It involves taking necessary (additional) steps by the organization to ensure the positive effects (impacts) of a risk are realized. For example, you are implementing a new mobile telecom plan targeting sub-prime customers in the current markets. However, it also opens up new and uncharted markets due to local demographic limitations. Therefore, your company may choose to exploit the opportunity by running aggressive marketing campaigns, promotions and price plans that suit the specific demographics to ensure opening of new markets and regions.
  2. Share: It involves sharing (or transferring) some or all of the ownership of the opportunity to a 3rd party that would benefit (or is able to maximize the benefit) from the opportunity. In the previous example (from Exploit), combining the new service plan with special mobile handsets for one or more of the demographics would maximize the market penetration. Therefore, the company may choose to partner with a handset manufacturer to bring special handsets to such demographics, giving them a share in profits (or helping them create new markets for their handsets).
  3. Enhance: It involves taking steps/measures to increase the probability of occurrence and/or the impact of an opportunity, thereby maximizing the advantages. For example, you are implementing improvements to a Point of Sale system aimed at ease of use for the company's retail store representatives. You come to know about another initiative aimed at increasing customer information security at the Point of Sale. Since both initiatives involve making changes to the backend Point of Sale systems, combining the efforts may reduce costs, increase resource utilization and cut delivery time. Therefore, you may choose to enhance the opportunity by proactively meeting with the other team to identify ways to find common areas, shared scope and resources, rearrange scheduled tasks etc., to maximize the probability of occurrence and impact of the opportunity.
  4. Accept: It involves... actually nothing. Once you identify an opportunity and assess/analyze it, you make a decision to not do anything about it - If it occurs, we reap the benefits, if it doesn't occur, we won't. Other than that, we don't want to take any particular action to either exploit, share or enhance the opportunity. This strategy is typically implemented for such low/marginal yield opportunities where the cost of any other strategy would outweigh the benefit of the yield.
Negative Risk (Threat) Response Strategies:
  1. Avoid: It involves making necessary course corrections such that the risk is avoided. It comes from the realization that the threat is imminent if we do not make necessary adjustments. For example, while analyzing our holiday travel plans from Seattle to Spokane via Interstate 90, we realize that the heavy snow on the passes is causing delays and road closures. Analyzing the risk of getting stranded on the freeway or worse (being involved in an accident or avalanche), our response strategy would be avoidance. We either take a different (less risky) route, or postpone our journey until the roads are cleared of snow, or we may change our objective from "Holiday travel to Spokane" to "Holiday travel to Portland". In essence, responding by avoidance means altering plans, extending schedule, or changing the objectives to avoid the risk.
  2. Transfer: It involves transferring the risk and its ownership (including handling it) to someone else. You are not mitigating the risk, nor is it going away. You are simply making someone else outside the team deal with it. For example, you are delivering a new line of online products (including 3rd party hardware) to your company's customers on a highly crunched timeline, cutting many corners. Your key stakeholders have imposed this on you. By doing so, you run the risk of customers buying incompletely tested products (or an insufficient supply of hardware) that may not work, resulting in loss of brand image, loss of customers and potential lawsuits. Since your stakeholders don't budge, you may want to transfer the risk (and its potential impacts) to the company's hardware vendors, Branding division, Customer Retention, and Legal departments. Your vendors may choose to start mass production ahead of time (or double the output on demand), the Branding division may want to inform customers to stay away from the products for a while (or ignore it), Customer Retention may want to give away free products or money to keep the customers happy (and live with the problems in the near term), and the Legal department may want to devise a strategy to handle any potential lawsuits (or put their foot down and say "you are not deploying!").
  3. Mitigate: It involves taking steps to either reduce the probability of the risk occurrence, or reduce the impact when the risk occurs, or both. These steps are taken early on in the process such that if the risk occurs, the impact is reduced to an absolute minimum. For example, you are delivering a new payroll system in your company that would replace the existing payroll system. Once delivered, there is no going back, nor is there a possibility of running the old and new systems in parallel, with no chance of running a pilot. If the new payroll system doesn't work upon deployment, no one in the company gets paid. Therefore, you devise a two-pronged strategy. First, you put in an extensive multi-layered test strategy to ensure the system is well tested. This would reduce the probability of a post-delivery failure. Secondly, you put in a manual payroll process where, in the event of a failure, all the managers across the country would fax timesheets to the corporate payroll department. The payroll department would then manually process all the timesheets, generate paychecks and mail them to individual employees. However, it requires additional staff to manually process the payroll. Therefore, you lay out staffing plans, assess the risk budget to execute the response, and alert the senior management about a possible emergency budget approval need. This would reduce the impact of the failure, if it occurs.
  4. Accept: When no other strategy can be effectively applied to a risk, and there is no way the risk is "going away", the team may choose to "accept" the risk and deal with it when it occurs. The team may take a passive "document and do nothing" approach until it occurs, or actively set up contingency plans, timelines, budgets and resources, and monitor the situation to take any suitable action as appropriate. For example, you are running a project that is Priority #10 in the Top-10 list of one business organization in your company with a shared resource pool. That means you are competing with nine other projects of the same business org, as well as nine projects from each of the other business orgs in the company, for resource allocation. Any increase in demand for resources from any of the other (higher priority) projects may strap your project for resources and likely delay the delivery. Since all other projects are considered more important, there is no real avoidance, transfer or mitigation to this risk. Therefore, the team and key stakeholders may choose to accept the risk and deal with it when it occurs (by cutting scope, extending timeline, etc.).
Once a strategy is developed and agreed, an array of documents will be updated, depending on the response strategy. Some examples of such documentation would be the risk register, decision log and various management plans including project, risk (if need be), budget, resource, schedule, cost, quality etc. Also updated are the list of assumptions (with any new/changed assumptions) and technical documentation (with any changes to requirements, designs etc.).
Conclusion: Developing an appropriate response strategy must involve the team, stakeholders, and all those that are impacted by the response. Further, for responses such as Transfer and Share, it is critical that the receiving parties (3rd party) approve such decisions. It is also important to seek expert judgment to ensure the process is well-rounded. At the end of the day, identifying and analyzing a risk would be nearly worthless without an appropriate response strategy. Without an appropriate response strategy, the risk may very well lead you to failure.