Risk Mitigation and Response Planning

Risk Planning

Risk Mitigation and Risk Response are plan that are put in place to either minimize the probability that a risk will occur and the impact if it does occur. Together they make a part of the risk planning process. The risk planning process occurs after risks have been identified and analyzed and provides an answer to the question of “What are we going to do about it?”  In other words, once we know what project risks could occur (identify) and their expected impact (analyze), the next step is to put in place plans or strategies to minimize the project’s exposure to these risks in the most cost efficient manner possible. PMI would describe this as setting your strategy for each risk, which can be Avoid, Transfer, Mitigate, or Accept.

Each of these strategies should be subject to a cost/benefit analysis. For example, avoiding a risk often means making changes to the project scope. This could mean that your do not deliver the capability that your customers require or miss some other important deliverable.  Transferring risk requires that you can find someone else to accept the risk. For example, you may ask a vendor for a fixed cost bid to minimize your cost risk; however, research shows that these types of contracts include a risk premium above what a cost plus contract would incur. Accepting a risk means that you think that it is probably less expensive to accept the risk than spend time and money to minimize it, with the caveat that your assessment of possible impacts could be overly optimistic. Mitigation as a strategy is generally the last resort, as most organizations would prefer to avoid or transfer risk, unless they have a higher risk tolerance with expectation of higher reward.

Mitigation Planning

Mitigation planning is putting together a plan to “buy down” the risk. This entails activities that can have duration, cost, start and finish dates, and a manager or person responsible for the plan. A Mitigation plan can consist of one or more sub plans each with a cost, finish time etc. Normally a mitigation plan is a series of timed activities that will gradually minimize the risk exposure either by minimizing risk probability or impact. Common examples of risk mitigation plans are tests. A series of tests are planned on certain deliverables that if completed successfully will indicate both that the risk of failure is decreasing and probability of delivering on schedule and budget is increasing. If the tests are late or unsuccessful, this indicates that the probability of the risk occurring is increasing along with overall risk to your project.

Risk Response

Risk responses are contingency plans. What are you going to do if the risk is realized? A risk response to a failed test might be that the project plan will switch to another more mature technology. This change in plan will have cost, schedule and technical implications that should be accounted for when you are generating expected values for your important project objectives: cost, schedule, capabilities, etc.

Defining Risk Response Plan
Defining Risk Response Plan

Risk Mitigation and Response Planning in RiskyProject

RiskyProject includes a comprehensive risk planning and control capability that includes mitigation and response plans. Mitigation plans are composed of a few different features: the Mitigation and Response View, the Mitigation Waterfall Diagram, History and a Cost of Risk analysis. To create a mitigation plan, you first need to add it to the Mitigation and Response Plan view. A mitigation plan includes a unique name, cost, planned reductions in probability and impact, manager. Once you have created a mitigation plan, you can assign it to a risk in the Waterfall Diagram. In the Waterfall Diagram, you add the mitigation plan but also a planned finish date (e.g. scheduled test). Most mitigation plans will have multiple steps that will occur, each time with the level of risk lowering in each one. The Waterfall Diagram will provide a total cost of the risk mitigation as well show where the risk sits on pre and post mitigated risk cubes.

In the Risk Form, there is a cost of risk calculation that takes into account the expected cost of the risk (probability * cost) minus the cost of mitigation and residual risk. The simple calculation provides quick cost/benefit analysis of your plan.

In addition, using the Risk History, you can plot this against the planned mitigation activities on the Waterfall Diagram. This visualizes the efficacy of your risk mitigation efforts by plotting planned vs actual changes to the risk over time.

Risk responses are similar to risk outcomes in that they can be an outcome of a risk during Monte Carlo simulation. However, risk responses can have both a cost and schedule impact; however, they can be assigned to more than one risk. Therefore, risk responses are useful to account for how a single plan could be used to respond to two or more correlated or otherwise related risks.    To create a response plan, in the Mitigation and Response view add the plan with a cost and manager. The next step is to assign the response plan to one or more risks. In the Risk Register, select the risk to which you want to assign the response plan and click Risk Form on the ribbon. Near the bottom of the Risk Form, locate the Response Plan drop-down list. This includes a list of all of the response plans in your risk register. Select the plan you want to assign to the risk and click OK. The last step occurs when you are assigning the risk tasks or resources. After you have entered a probability, from the Outcome Type drop-down list, select “Execute risk response plan”. When you run a Monte Carlo simulation, the response plan will be executed probabilistically and accounted for as part of the schedule and cost analysis.

Mitigation Waterfall Diagram in RiskyProject
Mitigation Waterfall Diagram in RiskyProject