Locked lesson.

Upgrade

About this lesson

Negative Risk Response is determining what actions the project will take to address risk threats.

Exercise files

Download this lesson’s related exercise files.

Negative Risk Response.docx
60.7 KB Negative Risk Response - Solution.docx
60 KB

Quick reference

Negative Risk Response

Negative Risk Response is determining what actions the project will take to address risk threats.

When to use

Once the risk analysis is complete (both qualitative and quantitative), a risk response is prepared for all of the high (red) risks and many of the medium (yellow) risks.  Typically, no risk response is required for the low (green) risks. 

Whenever a risk changes priority, the risk response should be reassessed.

If a risk response has been implemented in the project plan, but it is later determined to be insufficient to accommodate the risk, additional risk response should be created.

Instructions

Definition

Threat: “A risk that would have a negative effect on or more project objectives.” PMBOK® Guide

There are five approaches to Negative Risk Response.  The characteristics of the organization and unique features of the project will determine which approach to use.

Avoid

Change the project plan so that the risk cannot happen.  This requires a change in tasks or resources so that the risky aspect is no longer part of the project plan.  Many risks cannot be avoided because the risky aspect of the task is a mandatory part of the project.

Mitigate

This is the most common response.  This requires a change in the project plan to reduce the likelihood of the risk or the impact.  The most common form of mitigation is to modify the estimate to preposition the risk response in the task estimate or to preposition a risk response task in the project.   Another mitigation approach is to create a trigger event early in the project which allows a risk response to be started sooner and at lower impact.

Transfer

This requires a contract of some sort.  Either to insure the project against the risk or to have an outside organization conduct part of the tasks, and therefore be responsible for its completion on time and with the proper quality level.

Escalate

In this response, the project team refers the risk to the project stakeholders in order to get adjustment to project boundaries or to get their assistance with eliminating the risk factor.  This approach should not be used until the first three have been considered and either implemented or rejected.

Accept

If you do not select one of the other approaches, you are selecting accept.  This approach is appropriate for very small or unlikely risks.

This definition is taken from the Glossary of the Project Management Institute, A Guide to the Project Management Body of Knowledge, (PMBOK® Guide) – Sixth Edition, Project Management Institute, Inc., 2017.

Login to download
  • 00:04 Hi, I'm Ray Sheen.
  • 00:06 Let's talk about how to respond to threats, negative risks on your project.
  • 00:10 The project management body of knowledge, the PMBOK Guide, defines the threat
  • 00:15 risk as a risk that would have a negative effect on one or more project objectives.
  • 00:20 There are five different approaches that you can take, escalate, avoid,
  • 00:24 mitigate, transfer, and accept.
  • 00:27 Which approach you'd take will depend upon a number of different factors associated
  • 00:30 with your project in the business.
  • 00:32 For instance, the type of project, project phase, resources, time and
  • 00:36 money that are available, even the rational and
  • 00:39 management commitment to the project can impact which risk response you choose.
  • 00:44 Let's look at each of the five response types in more detail.
  • 00:48 The first response strategy is escalate.
  • 00:50 Now that doesn't mean that this should be your first response.
  • 00:53 Actually, this is the last response if none of the others will control the risk.
  • 00:58 This strategy leads to a rebaseline of the project,
  • 01:01 often to go down a totally different path which avoids or neutralizes the risk.
  • 01:06 The magnitude of this risk is one that is beyond the ability of the project team to
  • 01:10 address.
  • 01:11 So they bring it back to the stakeholders with a request to change the goal or
  • 01:14 boundaries.
  • 01:15 The risk is bigger than the team's ability to take an appropriate action on it.
  • 01:20 One thing the stakeholders may choose to do is to subtract scope.
  • 01:24 Another thing is to change the product schedule boundary,
  • 01:26 like moving the project to a different fiscal year.
  • 01:29 Or the stakeholders could change the project total budget, adding more money or
  • 01:33 moving money between capital funds and expense funds.
  • 01:36 Keep in mind that the stakeholders may also say that they need to find
  • 01:40 a different project team.
  • 01:41 The remaining four strategies are all strategies that the team can apply without
  • 01:45 asking permission from the other stakeholders,
  • 01:48 because the rest of the techniques do not change the project boundaries.
  • 01:52 Let's look at the strategy avoid.
  • 01:54 This strategy removes the risk threats so that they can not happen.
  • 01:57 This is a preventive action strategy.
  • 02:00 The project has changed in such a way that the risk cannot occur.
  • 02:03 One way to do this is to change the scope so as to eliminate the task with the risk
  • 02:07 in it, or change how the task is accomplished and controlled.
  • 02:11 Another way to do this is to change the schedule so
  • 02:13 that the tasks happen at a different time when they are not susceptible to the risk.
  • 02:19 Or we could change resources by using a different resource pool within the project
  • 02:23 team's control, or changing the roles and responsibilities among team members.
  • 02:27 One caution when using this approach, the change may eliminate one risk but
  • 02:32 there is normally risk associated with the changed approach.
  • 02:35 Be sure to add this new risk to your risk analysis.
  • 02:39 One other point, some risk just can't be avoided.
  • 02:42 So this is not always an option.
  • 02:44 The next risk response strategy is mitigate.
  • 02:46 Instead of a preventive action plan, we are taking an early corrective action.
  • 02:51 Again, we changed the project plan, but
  • 02:53 instead of avoiding the threat, we prepare for it.
  • 02:56 We make allowance for it within our project plan.
  • 02:58 It could still happen but it won't hurt as much.
  • 03:01 We often to this by again changing our scope or our deliverables.
  • 03:04 In particular, the definition of done to a different standard.
  • 03:08 I often mitigate risk by changing the cost or schedule estimates.
  • 03:12 I'll build in to my estimate a risk response so I'm ready for
  • 03:15 the problem when it occurs.
  • 03:17 This can insulate the rest of the project from the problem,
  • 03:19 isolating the impact to just that one task.
  • 03:23 Another way to mitigate the risk is to create an early warning signal.
  • 03:26 The sooner you know that a risk will occur, the sooner you can take action.
  • 03:29 And generally, taking an action early in the project will be less expensive and
  • 03:33 disruptive than waiting until late in the project.
  • 03:37 Finally, you can preposition risk response capacity at the point where a risk could
  • 03:41 impact the project.
  • 03:43 I often do this by adding a risk mitigation task.
  • 03:46 An example of this is adding a task for
  • 03:48 software bug fixing in a software development project.
  • 03:52 This prepositions time and resources to take care of the risk.
  • 03:56 The next response strategy is to transfer the risk.
  • 03:59 To transfer risk, use some organisation that is not part of your organisation,
  • 04:04 letting them assume some aspect of the risk.
  • 04:07 It requires a contract with that other organization, clarifying the liability and
  • 04:11 the exposure.
  • 04:11 For instance, some risk can be insured for.
  • 04:14 Typically, these will be things like natural disasters or
  • 04:17 damages of some types.
  • 04:18 Insurances does not present the risk but
  • 04:20 it provides resources you can recover from the risk.
  • 04:24 We can also transfer risk through contract terms with suppliers such as bonds and
  • 04:28 guarantees or using service level agreements with suppliers.
  • 04:32 Even the contract type can transfer risk.
  • 04:34 A fixed price contract transfers the risk of an overrun to the supplier.
  • 04:39 You can also transfer schedule and quality risk through penalty and
  • 04:42 incentive clauses.
  • 04:44 The last strategy to use is the acceptance approach.
  • 04:47 If you haven't done one of the other approaches, you are doing acceptance.
  • 04:51 With this strategy, there is no immediate action.
  • 04:55 The project plan remains unchanged.
  • 04:57 Either the threat is so small or it's so uncertain, you accept it for now.
  • 05:01 Even though I accept the risk, I'll still create a trigger.
  • 05:04 That is some type of warning that this risk has grown in magnitude or
  • 05:08 has gone from being very unlikely to become likely.
  • 05:11 If this happens, the acceptance strategy is changed to one of the others.
  • 05:16 If you have many risks that are in this acceptance category,
  • 05:19 you should establish reserves to handle them.
  • 05:21 This is a small amount of resource or
  • 05:23 time that can be applied to those irritating small risks.
  • 05:27 One final point about the accept strategy, by definition accept is not
  • 05:31 a good strategy for a red risk, that risk is likely to happen and it's a big deal.
  • 05:37 You can't just close your eyes and accept it.
  • 05:40 When you have a threat risk in your project,
  • 05:42 you need to plan an appropriate response.
  • 05:45 Now whether it's escalate, avoid, mitigate, transfer, or accept,
  • 05:49 select a response strategy and then implement it.

Lesson notes are only available for subscribers.

PMI, PMP, CAPM and PMBOK are registered marks of the Project Management Institute, Inc.

Gift this course