Before landing in US federal jail for 150 years, Bernard Lawrence “Bernie” Madoff was a successful investor. On December 2008, it was discovered that the asset management unit of Bernard L. Madoff Investment Securities LLC was a massive Ponzi scheme, which cost investors billions of dollars. In 2009, the FBI arrested two computer programmers Jerome O’Hara and George Perez on criminal charges of conspiracy for falsifying books in Madoff’s company in New York. Computer programing is one of the most secure professions from the liability point of view. Programmers are rarely arrested because of their work. But in this case, O’Hara and Perez developed custom software to deceive investors and regulators and conceal Madoff’s crimes. Their computer code made false customer statements, trade confirmations, and other documents that tricked customers and authorities.
So, when Madoff was planning his scheme, he probably was considering how he would conceal his ill-gotten gains. This concealment was essentially risk management strategy related to the risk “Ponzi scheme is discovered”. Interestingly, this risk, as with most risks related to criminal activities, included both threats and opportunities:

Threat: Conviction and imprisonment
Opportunities: Large amounts of money

The computer program developed by O’Hara and Perez was designed to address both threats and opportunities at the same time. Here are different mitigation potential strategies for threats:

Accept Risk. Madoff could choose to do nothing with regards to the documents they issued to regulators or customers. But in this case, he might be quickly discovered. So, avoiding the threat would not be a viable strategy in this case.
Transfer Risk. Madoff could ask somebody else to deal with risk, at least partially. For example, he could have purchased an insurance policy, except there is no insurance for the fraud. Perhaps this could be a new market for insurers: if a fraud scheme is discovered, the policy would pay the crook’s legal bills.
Avoid Risk. Avoiding risk would mean that Madoff abandon the Ponzi scheme and try to run am honest business. But this probably did not appeal to him.
Mitigate Risk. This is exactly what he did with the custom made computer program. With this program, it was much easier to deceive the authorities and clients and make it very difficult to trace the money. But it was impossible to completely eliminate the risk because the fraud actually took place and there was still a possibility (residual risk) he would be discovered.Now let’s see different management strategies for opportunities.

Accept Opportunity. The same as for threats, this would entail Madoff doing essentially what he did, just running his Ponzi scheme.
Share Opportunity. Sharing opportunities in this case would mean sharing the profit as well. In this case, very few people knew about Madoff Ponzi scheme, and he probably wasn’t willing to give up to much of his profits if he was taking most of the risk.
Exploit Opportunity. This strategy does not work very well in a case of fraud. A good example for exploiting opportunities would be discovering some new investment potential.
Enhance Opportunity. This is exactly what Madoff did. By providing carefully crafted, but false statements Madoff was able get more clients, avoid detection and operate his scheme longer.

If Madoff took his plans even further, he would put in place plans that he could execute in case his schemes were discovered. These plans would cause the least amount of damage in terms of cost, schedule, and perhaps reputation. Here the difference between mitigation and response:

Mitigation plans are executed before a risk occurs; they usually include a list of activities, which are part of project schedule.

Response plans are planned in advance, but executed after a risk occurs. They are often referred to as contingency plans.

Sometimes we call response plans “Plan B”, implying that “Plan B” will be executed if “Plan A” fails. Interestingly, Plan B is a trademark of the morning-after birth control pill by Paladin Labs Inc., which is a risk response-type remedy in case other birth control “evening-before” options either were not used or failed. Because response plans don’t need to be executed in advance and don’t require actual actions, due to optimism bias people tend to put greater emphasis on planning risk responses rather than mitigation. Determining which option to take, mitigation or response depends on cost. In many cases, it is cheaper to execute mitigation plans in advance, rather than response plans after the fact. But in project management is very important to perform detailed analysis of multiple scenarios with mitigation and response plans to choose the most cost effective course of action.