Updating Risk Identification Checklists and Response Plans

Have you ever tried to follow a plan only to find that the plan wasn't up-to-date and contained inaccuracies? For a plan to be effective, it must be kept current. New information, changes, and corrections have to be made in a timely manner to prevent inappropriate actions being taken on inaccurate or outdated information.

When monitoring and controlling risks, documentation is especially important because project managers and teams use risk documentation to:

• track risks
• to identify new risks
• to plan additional risk responses
• to record any actions taken to control risks

If the information being acted on is not current, a new risk is introduced—the risk of acting on inaccurate or outdated information. To avoid this confusion, you must strive to keep all documents up to date.

Two of the most important documents to keep current are the risk identification checklist and risk response plan.

Risk identification checklists
Risk identification checklists describe the criteria used to identify new risks. Project team members should use the experience gained during their projects to update the checklists. This will make the checklists more effective for use in the risk management of future projects.

Risk response plans
The risk response plan is a document that describes in detail what actions should be taken in response to specific risks. Since the risk response plan acts as a guide to risk monitoring and control, the project team should update it regularly to keep everyone equally informed.

There are many elements that you can include in updates to risk response plans. Usually updates are the product of an action or event that changes the risk situation of the project. In some cases, the fact that an action was not taken leads to the need for an update. Some of the common elements included in updates to a risk response plan are:

• Implementing risk controls - The implementation of risk controls may reduce the impact or probability of identified risks. Documenting the implemented risk controls will provide the project team with the information it needs to change its future expectations for particular risks.
  
  
• Changing risk rankings - Risk rankings change throughout the project's life cycle. You should document these changes so you and your team can properly control higher ranking risks.
  
  
• Closing risks - Risks that do not occur and that are no longer considered a threat should be documented and closed in the risk response plan.

Updating documentation can help avoid confusion and keep everyone on the project equally informed. The information added to the documentation will help you prepare for similar risks that may occur in future projects.

Two Indicators of Additional Risk Planning

When you build a house, many factors can cause construction to veer off track. Similarly, in project management, there are many risks that can affect the progress of a project. The risk monitoring and control process watches for signs that a project is going off track so project managers can do additional planning to regain control of the risk.

Two signs that may indicate the need for additional risk response planning are: the occurrence of an unanticipated risk and a risk having a greater effect on a project than expected.

• the occurrence of an unanticipated risk
  When an unanticipated risk occurs, you must do additional risk response planning. Since unanticipated risks are not covered in the initial risk response plan, the project team will now have to decide on a strategy to deal with the risk. The most common risk response strategies include avoidance, transference, mitigation, or acceptance.
  
  
  • Avoidance - is a strategy that requires changing the project plan to eliminate the risk. This is done to protect the project from the potential effects of the risk. A team might reschedule an activity to avoid the risk of having resources spread too thin.
  • Transference - is a strategy that does not eliminate the risk but moves the ownership of the risk to a third party. This third party is then responsible for the management of the risk. A team might transfer a financial risk by paying a premium to insure against the risk.
  • Mitigation - is a strategy that attempts to reduce the risk to a manageable level. Early actions will reduce the probability of the risk occurring. A team might add more time to its schedule to reduce the effects of a risk.
  • Acceptance - is a strategy that indicates that the project team has decided not to take any actions in regards to this risk. For example, a team might decide to accept the effects that an employee strike will have on the project if it occurs.
    

• a risk having a greater effect on a project than expected
  The second sign that additional risk response planning is necessary is a risk that has a greater effect on a project than expected. In this case, the planned response was implemented but was not effective in controlling the risk. If there is no contingency plan in place, the project team must then reevaluate the risk response and decide what changes need to be made to gain control of the risk or to better control the risk in the future.
  

Skilled project managers look for risks that have a greater effect on the project than expected. They also look for unanticipated risks. Learning to recognize these signs that additional risk response planning is necessary will help you gain control of project risks and increase your chances of achieving your project objectives.

Components of Risk Management and Risk Response Plans

H. Stanley Judd, author, film producer, and communications consultant, once said, "A good plan is like a road map: it shows the final destination and usually the best way to get there." Like a good roadmap, a good project plan points out potential risks and includes strategies for managing and responding to those risks. The plan accomplishes this with a risk management plan and a risk response plan, two important aspects of project risk monitoring and control.

Risk management plan
The risk management plan, created during the risk management planning process, is a document that focuses on how to plan for and deal with all risks associated with a project. It describes how risk monitoring and control will be carried out during the project's life cycle. It does not look at the specific responses that will be implemented if a risk occurs.

The risk management plan has several components that are inputs to risk monitoring and control.

• Methodology - outlines the approaches, tools, and resources that can be used to carry out risk monitoring and control. The methodology used will depend upon the information available and the current project phase.
• Roles and responsibilities - is the designation of risk monitoring and control actions to specific individuals or groups. External risk monitoring and control teams are able to provide independent, unbiased risk analyses.
• Budgeting - requires a specific amount of funds to be allocated to the risk monitoring and control process of a given project.
• Timing - is how often risk monitoring and control processes will occur during the project's life cycle. Results must be reviewed periodically so they can be used in decision making.
• Scoring and interpretation - are methods used to score risks and assign them a rank. This risk-ranking process will indicate which risks need constant, close monitoring in order to control their impact on important project objectives.
• The acceptable threshold - is the set limit that the project team members will use to decide when they will implement a control.
• Reporting formats - describe what is in the risk response plan and how it is formatted. It also identifies how the outcomes of risk monitoring and control will be documented, analyzed, and communicated to team members and stakeholders.
• Tracking - is the documentation process that records information about risk monitoring and control activities. The tracking process saves the information so you can use it for the current project, or for future projects.

Risk response plan
The risk response plan is a document that addresses the specific responses to individual project risks.

The project manager and project team create the risk response plan during the risk response planning process. The plan provides project team members with the details they need when a risk occurs. The information in the risk response plan allows team members to take specific actions to control risks.

The risk response plan has several components that project teams use during the risk monitoring and control process.

• Identified risks - The risk response plan lists the identified project risks. The project team will monitor and control the identified risks throughout the project's life cycle.
• Risk owners and responsibilities - The risk response plan identifies risk owners and the details of their responsibilities. The risk monitoring and control process examines and documents the effectiveness of the risk owner.
• Agreed responses - The risk response plan clearly states the agreed responses for each identified risk. These responses may include avoidance, transference, mitigation, or acceptance. Once the project team implements a response, the response will be monitored to determine if further action is necessary.
• Specific actions - The risk response plan not only describes the response strategy for each risk, but also describes the specific actions that will be necessary to carry out each strategy. Risk monitoring and control determines if these actions are adequate.
• Residual risk - The risk response plan outlines the expected residual risk. Residual risks are the risk effects that remain after the implementation of a risk response. These residual risks must be monitored and controlled.
• Contingency and fallback plans - The risk response plan will outline any potential contingency or fallback plans. The project team will monitor the use of these contingency and fallback plans and take action if the plans are deemed inadequate.

The risk management and risk response plans provide you with the processes and actions required to prevent, reduce, recognize, and deal with risks. Using these plans as inputs will help lead your project along the path of success.

Primary Risk Response Planning Outputs

As a project manager, you will often face sudden or unexpected risks—risks that were not identified or prepared for during risk response planning. The best way to respond to these kinds of risks is to monitor and try to control them by examining the primary risk response planning outputs.

In addition to the risk response plan, there are four primary risk response planning outputs that you can use to ensure successful project completion: residual risks, secondary risks, contractual agreements, and contingency reserve amounts.

• residual risks
  The first output that will result from your project's risk response planning process is residual risks. These are the risks that remain after avoidance, transference, and mitigation responses have been implemented.
  
  Residual risks also include any minor risks that have been accepted and addressed during risk response planning through the addition of contingency amounts to the project budget or schedule.
  
  
• secondary risks
  The second output that will result from your project's risk response planning process is secondary risks. These are risks that arise as a direct result of implementing a risk response.
  
  Secondary types of risks should be identified as soon as possible so that appropriate and effective risk responses can be planned. For example, due to the complexity and detail involved in most projects, it is possible that adding personnel resources to address one identified risk may result in a risk of cost or schedule overruns in another project phase.
  
  
• contractual agreements
  Another risk response planning output that is useful in promoting project success is contractual agreements. These types of agreements help to ensure that all parties involved in a project's development are aware of their responsibilities and bound by law to fulfill all agreed-upon commitments.
  
  A contract is typically defined as a mutually binding agreement that obligates a seller to provide a specified product and requires a buyer to pay for it. As a result, contractual agreements are essential to risk management.
  
  Contractual agreements are also used to help specify each party's responsibility for specific risks. For example, a contract between an insurance provider and a company will detail the insurance provider's responsibility to pay out a certain amount of money to the company in the event that an insured risk occurs. Contractual agreements, as an output of risk response planning, will help you be confident that specific identified risks will be responded to in a timely and efficient manner.
  
  
• contingency reserve amounts
  The final output that results from your project's risk response planning process is contingency reserve amounts. These reserve amounts are over and above the estimated amount of time and resources allotted for a particular project. These additional resources are set aside to help reduce the risk of overruns to project objectives as a result of risk.
  
  Contingency reserve amounts will help you lower potential overruns to a level that is acceptable to your project stakeholders.
  
  Contingency reserve amounts are usually determined by the project manager with the aid of the project's established risk thresholds and probabilistic analyses. These analyses are used to forecast potential project schedule and cost results.
  

As a project manager, it is important to remember that almost every risk response will have a corresponding effect. Most risk responses involve expenditures of additional time, cost or resources and therefore require changes to the project plan. The results of the risk response planning process must be incorporated into the project plan to ensure that agreed actions are implemented and monitored as part of the ongoing project.

Other risk response planning outputs contribute to project success. You will want to use them to ensure that your project is protected from threatening project risks and prepared for the risk monitoring and control process.

Determining the Most Appropriate Risk Response

As a project manager, you can use a risk response plan to ensure that you meet your project objectives. A risk response plan is a document that details an identified risk, its cause, probability of occurrence, potential impact, and proposed responses. An effective risk response plan will help you enhance risk opportunities and reduce risk threats.

A risk response plan, which is sometimes called a risk register, is comprised of a number of different components. A typical project's risk response plan includes the following components:

• a detailed list of all identified project risks
• the risk owners responsible for formulating and implementing one or more risk responses
• the results from the project's qualitative and quantitative risk analyses
• the established responses for each identified risk
• the expected level of residual risk
• the specific actions required to implement the chosen response
• the budget and timing for all risk responses
• a description of any contingency or fallback plans.

One of the most important components of a risk response plan is "the established responses for each identified risk." As a project manager, it is your job to select the most appropriate and effective response for managing that risk. Once this selection is made, the agreed-upon risk response is entered into the project's risk response plan.

How do you determine which risk response will be the most appropriate and effective for an identified project risk? There are three important questions that you should ask yourself when making this critical decision.

1. What are the potential risk responses?
   The first question that you should ask yourself when determining the most appropriate risk response for one of your identified project risks is: What are the potential risk responses? You should apply the four risk response strategies to your risk, discard those strategies that are either impossible or impractical to use, and formulate potential responses from the strategies that remain.
   
   
   • Avoidance - should be used when the level of risk is unacceptable, when the means for controlling the risk are not feasible or when there is a potential for harm. This risk response strategy involves changing the project plan to eliminate the risk or the condition causing the risk.
     
     
   • Transference - should be used when there is a potential for significant financial exposure. Risks can be transferred through insurance, performance bonds, warranties, and contracts. This strategy shifts the consequences of a risk to a third party, such as an insurance company.
     
     
   • Mitigation - should be used when there is an opportunity to significantly reduce the probability or consequences of an identified risk. Throughout a project's life cycle, it may be possible to perform risk mitigation by reducing both the risk probability and the risk consequences.
     
     
   • Acceptance - should be used when the probability and consequences of an identified risk are low. This strategy results in no changes to the project plan. It involves leaving a project team to deal with a risk when it occurs or forming a contingency plan to deal with the risk if it occurs.
     
     
2. What are the project constraints?
   The second question that you should ask yourself when determining an appropriate and effective risk response for an identified risk is: What are the project constraints? The PMBOK Guide defines a constraint as an "applicable restriction that will affect the performance of a project." No project is completely free of constraints. As a result, you will need to keep this in mind when selecting an appropriate risk response. Constraints will limit the choices available to you during risk response planning.
   
   For example, you may initially decide that avoiding a risk by changing the project scope is an appropriate response for a given risk. However, a careful examination of the constraints facing your project may indicate that avoidance is not possible or that it is unwise given your circumstances.
   
   During the life cycles of your projects, you may encounter many different types of constraints. However, there are some constraints that you will face more frequently than others. A few of these constraints are listed below.
   
   
   • An established project budget - An established project budget is one constraint that can affect your selection of risk responses. For example, if your project is restricted by a tight budget, any responses that require a vast amount of funding to implement will be deemed unwise and detrimental to project success.
     
     
   • A defined project schedule - A defined project schedule can also act as a constraint when determining the most appropriate response for an identified risk. For example, if your project's sponsors have established an inflexible schedule, the responses that will add time or cause delays to the project schedule will have to be rejected.
     
     
   • Contractual obligations - Another constraint is contractual obligations. Risk responses may need to be discarded if they have the potential to deviate from a signed contract. For example, you cannot reduce the risk of cost overruns by paying your contractor less than the amount agreed upon in the project contract.
     
     
   • Product specifications - The final constraint that can affect your selection of risk responses is product specifications. If project sponsors are expecting a particular product, they may be unwilling to approve any changes to the project scope. This decision can limit your options when responding to risk.
     
     
3. Which risk response will be the most appropriate for managing the risk?
   The final question that you need to ask yourself when determining an appropriate risk response for an identified project risk is: Which risk response will be the most appropriate for managing the risk? Once you have decided what the potential risk responses are and what constraints are facing your project, you can then determine the most appropriate and effective risk responses for your project risks.
   
   By eliminating those responses that are not feasible for your project or those that cannot be achieved due to certain constraints, you will be left with only the responses that are appropriate for the chosen risk. These responses will serve to protect the project from the risk's potential impact.
   

As a project manager, you can determine the most appropriate risk response for a given project risk by answering the following questions: what are the potential risk responses, what are the project constraints, and which risk response will be the most appropriate for managing the risk?

Once this determination is made, you can include your chosen risk response into your risk response plan. This plan will help you enhance risk opportunities and reduce risk threats to project objectives and overall project outcomes.

Accepting Risks with a Contingency Plan

In addition to avoidance, transference, and mitigation, acceptance is also an important strategy for effective risk response planning. Acceptance is a strategy that indicates that a project manager and a project team have decided not to change the established project plan in order to deal with an identified risk. Acceptance may also be performed if a project manager is unable to identify any other suitable risk response strategy to effectively handle the identified risk.

If you choose to accept a project risk, you need to develop a contingency plan that can be implemented should the risk occur. Developing a contingency plan in advance can greatly reduce the cost of future risk responses.

Every contingency plan contains specific details that are only relevant to the identified risk and the project at hand. However, all contingency plans should contain the following components: the plan objective, implementation criteria, roles and responsibilities, resource requirements, operation procedures, and discontinuation criteria.

• The plan objective
  For a contingency plan to be effective, a project manager must first ensure that there is an established plan objective. This objective should clearly detail the risk of failure that prompted the creation of the contingency plan.
  
  A project manager must also decide what the desired outcome of implementing the plan will be: to continue normal operations, to continue operations in a degraded mode or to abort a project area as quickly and as safely as possible. The plan objective should also outline the potential impact, in terms of financial costs, on the organization.
  
  
• Implementation criteria
  In addition to establishing a plan objective, a project manager must ensure that an effective contingency plan contains well-defined implementation criteria.
  
  You and your project team must understand when your contingency plan should be implemented. In addition, this criteria outlines the specific failure, or risk trigger, that necessitates the start up of your project's contingency plan. For example, the contingency plan will be implemented in the event of a network failure.
  
  
• Roles and responsibilities
  The third essential component of an effective contingency plan is the designation of roles and responsibilities. A project manager must decide who will be responsible for making implementation decisions, such as implementing the contingency plan or informing the team that the project is operating in contingency mode.
  
  The roles and responsibilities component clearly outlines who is responsible for plan implementation. For example, the technical engineer on duty will be in charge of activating the contingency plan in case of a network failure.
  
  
• Resource requirements
  The resource requirements component details the equipment, supplies, funding, and overtime estimates needed to activate the planned response. To create a list of required resources, you need to ask yourself the following questions.
  
  • What equipment will be needed to implement the contingency plan? What equipment will be required once the plan is activated and in full operation?
  
  
  • What types of materials or supplies will be needed to implement and operate the contingency plan? What quantity of materials and supplies will be required?
    
    
  • How much should your contingency plan budget be in order to effectively fund the contingency mode operations?
    
    
  • How much overtime will employees be expected to undertake in order to keep the project on track during contingency mode?
  
  Having a list of resource requirements available before an emergency arises allows you to move quickly and easily into contingency mode to meet the plan objective.
  

• Operation procedures
  Operation procedures outline plan implementation instructions so that everyone will know what to do in an emergency. For example, in case of a network failure, Sarah will switch the network to backup mode in order to save important data.
  
  The procedures must also describe how project personnel will be informed that the plan is being implemented. Operation procedures should also define how records will be managed and data security ensured.
  

• Discontinuation criteria
  Discontinuation criteria describe how to determine when a project should move from contingency mode back to normal operating mode. This criteria will outline the conditions or events and the timing that make it possible to discontinue the contingency plan. For example, the network has to be fully tested and be 100 percent operational before returning to normal mode.
  

The development of an effective contingency plan, as part of acceptance, will help you create options and potential actions that will serve to reduce threats to critical project objectives and to promote project success.

Avoiding a Project's Most Threatening Risks

Have you ever deviated from your regular driving route because excessive traffic or road construction may have put you at risk of being late for an important appointment?

In everyday life, people often modify their personal plans or schedules in order to avoid the unwanted consequences of potential risks. In the same way, project managers are often forced to change or modify their project plans in order to eliminate threatening project risks.

As a project manager, you will encounter various risks throughout your project's development. Although you can never prevent every project risk, you should make every attempt to eliminate as many as possible.

One risk response strategy that you can use to help you achieve a successful project completion is avoidance. Avoidance involves changing your project plan to eliminate an identified risk or the condition that causes the risk. This risk response strategy also involves protecting your project objectives from the impact of identified risks.

As a project manager, you can often respond to some risks that arise early in the life cycle of a project by clarifying requirements, obtaining information, improving communication or acquiring expertise. However, there are other types of project risks that you will need to avoid in order to promote a successful project completion. These types of risks include those that have a high probability of negatively impacting project objectives and those that have the ability to cause complete project failure.

Avoidance is one strategy that you can use to help you deal with these types of risks. Such things as reducing scope to avoid high-risk activities, adding resources or time, adopting a familiar approach instead of an innovative one or avoiding an unfamiliar contractor are all ways in which you can eliminate threatening project risks.

The first type of risk that you should avoid during the life cycle of your projects is unacceptable risks. These types of risks have a high probability of occurrence and an extreme or very high level of potential impact.

You should also avoid uncontrollable risks. These risks cannot be absorbed by the project's available resources or existing contingency reserves. They are also risks that do not have mitigation or transference strategies available.

The last type of risk that you should avoid throughout your project's development is potentially harmful risks. These risks are especially threatening to project success because they have the potential to harm a project's personnel.

As a project manager, there are three key questions that you can ask in order to determine if an identified project risk should be avoided. If you can answer "yes" to even one of these questions, the risk that you are examining should be flagged for avoidance. The three questions include:

• Is the level of risk unacceptable?
• Are the means for controlling the risk unfeasible?
• Is there a potential for harm?

As a project manager, how do you determine whether the level of an identified risk is unacceptable to your project and its outcomes? One of the best ways to answer this question is to examine the prioritized list of quantified risks that resulted from your project's quantitative risk analysis process.

This list indicates which risks pose the greatest threat or present the greatest opportunity to your project objectives and overall outcomes. This prioritized list of quantified risks also includes a measure of potential risk impact.

You should examine your project's prioritized list of quantified risks and set aside those risks that have an extreme or very high level of potential impact. Once this is done, you should make every effort to modify your current project plan in order to avoid these types of risks. Typically, project managers classify risks with an extreme or very high level of potential impact as unacceptable because of the possible danger they pose to the success of overall project outcomes.

Another element to consider when trying to determine whether the level of an identified project risk is unacceptable is the risk thresholds for the project. Risk thresholds, which are established in a project's risk management plan, indicate the level of risk that is acceptable to individual project stakeholders. If you have identified a project risk that has the potential to greatly exceed one or more of the established risk thresholds for your project, this is a risk to avoid because it threatens the successful completion of your project.

Another question to consider when trying to determine if an identified project risk should be avoided is: are the means for controlling the risk unfeasible? All projects are subject to such things as cost and time constraints. As a result, some project risks may be too expensive to control.

In addition, most projects are allotted a limited amount of contingency reserves. These reserves are the amount of money or time needed to reduce the impact of cost and schedule overruns on critical project objectives and outcomes.

If you find that the means for controlling one of your identified risks is not feasible and cannot be absorbed by your project's available contingency reserves, this is a risk that you should avoid. A careful examination of such things as your project budget, schedule, and personnel and material resources will help you decide whether your project has the means to reduce or eliminate the risk's potential impact or whether it would be more beneficial to avoid the risk altogether.

The third and final question that project managers can ask in order to determine whether an identified project risk should be avoided is: Is there a potential for harm? In most cases, a risk is considered harmful if it involves the presence of dangerous materials or conditions at the project site.

Project managers must be able to identify any risks that have the potential to harm their project team members or stakeholders. These risks may include such things as faulty machinery or unsafe working conditions.

More examples of harmful project risks are listed below. As a project manager, you should immediately flag these types of risks for avoidance. These risks include:

• tasks that involve handling, storage or disposal of hazardous materials
• major construction work in locations vulnerable to seismic activity
• other potentially damaging natural events.

It is important to remember that unforeseen risks will continue to arise as a project progresses. As a project manager, it is your responsibility to analyze these unexpected risks, as well as all identified project risks, in order to determine if they should be avoided. Once this decision is made, you can then modify your project plan to avoid the selected risks. This will help you ensure that your project remains on a progressive track and heads toward a successful completion.

Avoidance is sometimes the best response. As a project manager, you can use avoidance to eliminate some of your project's most threatening risks and their potential impact. This risk response strategy is a key contributor to overall project success.

Risk Owners and Risk Thresholds

Author H. Stanley Judd once said, "A good plan is like a road map; it shows the final destination and usually the best way to get there."

As a project manager, you need to have an effective risk management plan in place before beginning risk response planning. A risk management plan can act as a guide to help you identify, analyze, and respond to various project risks and their potential consequences. This plan, which is created during the risk identification and planning process, details how the risk management processes will be structured and performed. It ensures that risks are properly managed throughout a project's life cycle.

The risk management plan has two important components that will be used in risk response planning: 1. a list of risk owners; and 2. risk thresholds.

A list of risk owners
One risk management plan component that will be used as an input to risk response planning is a list of risk owners. Risk owners include those project stakeholders who are responsible for the development, implementation, and execution of one or more risk responses. This risk management plan component is essential as a risk response planning input because it helps to ensure that everyone involved in the risk response planning process has clearly defined roles and responsibilities.

Typically, project managers are responsible for assigning the various risk owners within a project. These risk owners may be chosen from within the project team or from available subject matter experts. During risk response planning, risk owners may decide to develop risk responses as a group or divide the responses among the team members, based on their expertise.

Risk thresholds
Another component of the risk management plan that can act as an important input to risk response planning is risk thresholds. Risk thresholds are the levels of risk that are acceptable to individual project stakeholders, such as the project team members, customers or sponsors.

It is important to remember that project owners, customers, and sponsors may all have different risk thresholds for a given project, depending on their individual needs and interests.

The acceptable risk threshold for each project stakeholder forms the target against which the project team will measure the effectiveness of the risk response plan execution.

Liam, from Northern Pulp & Paper, is studying his company's established risk threshold for his current project. He wants to know how the risk threshold will influence his risk response planning process. Liam finds that the company will not tolerate a total project cost overrun of more than $5,000. He realizes that such things as purchasing additional materials or increasing staff may not be viable risk response options when handling identified project risks. Liam will keep this in mind as he progresses through the risk response planning process.

Equipped with a clear and accurate understanding of these two components, you will be able to ensure that potential project risks are dealt with effectively and in a timely manner.

Creating a List of Potential Risk Responses

How do you deal with risks throughout the life cycle of your projects? How do you formulate appropriate and effective responses to identified project risks?

During the risk identification process, project managers identify any risks that have the potential to negatively impact project objectives and overall project outcomes. These risks are then subjected to a qualitative and a quantitative risk analysis in order to produce a list of prioritized risks that can be dealt with in the risk response planning process.

When project managers, stakeholders, and subject matter experts are involved in identifying project risks, they often formulate a tentative list of potential responses to address these risks. These potential responses are strategies that are designed to enhance risk opportunities and reduce risk threats to project objectives. Although any action may be classified as a response, this list of potential responses created during risk identification is always specific to the project needs and the characteristics of the identified risk.

Specific details concerning the accuracy or effectiveness of these potential responses are not necessary during risk identification since that is the focus of the risk response planning process.

As a result of a project's risk identification process, you will have a list of potential responses that you can either accept, modify, reject, or add to during risk response planning.

It is important to remember that the list of potential responses created during risk identification is not a comprehensive or exhaustive list. It is simply a list of proposed suggestions that can be used to help address those risks that can have a negative impact on the success of a project. As a project manager, you will take this list of potential responses into consideration when deciding on an appropriate and effective risk response for identified and quantified project risks.

These potential responses are only suggested methods of dealing with these types of risks. Selecting the most effective and accurate response will occur later in the risk response planning process.

The following are some examples of common project risks and corresponding potential responses.

Common Project Risks
overly optimistic schedules
lack of adherence to quality procedures
unclear or vague project goals
inappropriate vendor or technology selection
budget cuts

Potential Responses
Review and monitor schedules at regular intervals.
Implement a quality management program.
Ensure that each goal is well-researched and realistic.
Perform a decision tree analysis for each major decision.
Reallocate project resources.

As a project manager, it is important to remember that your project's list of potential responses, developed during risk identification, is a valuable input to the risk response planning process. This list will help you develop specific actions that you can use to minimize or prevent threatening risks from occurring, as well as to maximize potential opportunities.

Identifying Risks that Require an Immediate Risk Response

Bruce, a project manager for Precision Technologies, performed a qualitative and a quantitative risk analysis on his last project. He found these analyses very useful because they helped him identify project risks that had the potential to adversely affect his project's success.

As a project manager, you will find that the outputs from other risk management processes can be extremely useful when performing risk response planning. Two such processes include qualitative risk analysis and quantitative risk analysis. Both of these processes attempt to assess and analyze the probability and impact of potential project risks. As a result, qualitative and quantitative risk analysis outputs can serve as effective inputs to a project's risk response planning process.

A qualitative risk analysis attempts to assess the impact and likelihood of identified project risks. It also prioritizes risks according to their potential effect on project objectives and overall project outcomes. A quantitative risk analysis aims to numerically analyze the probability of each risk and its consequences on project objectives, as well as the extent of overall project risk.

As a result of both a qualitative and a quantitative risk analysis, you will receive a list of risks, together with a measure of their potential impact, that will need to be addressed in the risk response planning process.

The qualitative and quantitative risk analysis outputs that may be useful as inputs to risk response planning include:

• list of prioritized risks
• risk ranking of the project
• prioritized list of quantified risks
• probabilistic analysis of the project
• probability of achieving project objectives
• qualitative and quantitative risk analysis trend results

One qualitative risk analysis output that acts as a valuable input to risk response planning is a list of prioritized risks. During the qualitative risk analysis process, risks are prioritized using a number of criteria. Risks may be assigned a rank of high, medium or low, depending on their potential severity of impact. Risks may also be grouped by those that require an immediate response and those that can be handled at a later date. Prioritized risks usually include risks that affect project cost, schedule, scope, and quality.

As a project manager, you can use this list of prioritized risks during risk response planning to help you decide which risks require your immediate attention. This list will also help you formulate responses for those risks that have the potential to negatively impact critical project objectives.

Another qualitative risk analysis output that you can use as an effective input to risk response planning is a risk ranking of the project. This ranking will indicate the overall risk position of a project relative to other projects by comparing the risk scores.

A risk ranking can also be used to assign resources to projects with different risk rankings, make a benefit-cost analysis decision about the project, or support a recommendation for project initiation, continuation or cancellation.

A risk ranking will help you decide which projects have the greatest needs and which projects will produce the greatest overall benefit. This will allow you to plan effectively for those projects that require immediate risk responses.

As a project manager, you can also use quantitative risk analysis outputs when preparing for risk response planning. These outputs can help you identify sensitive risk areas and formulate potential responses to threatening project risks.

A prioritized list of quantified risks will detail which risks pose the greatest threat or present the greatest opportunity to your project, together with a measure of their impact. This will help you identify risks that require an immediate risk response.

A probabilistic analysis of the project will forecast potential project costs and completion dates. This analysis will help you determine the type of risk response that is required to address threatening cost and scheduling risks.

An estimate of the probability of achieving project objectives under the current plan will indicate whether the project is progressing as planned, or whether it requires immediate risk response action in order to be completed successfully.

The last qualitative and quantitative risk analysis output that is useful as a risk response planning input is qualitative and quantitative risk analysis trend results. Trends can be defined as patterns of results that track in a particular direction. Once you've performed multiple risk analyses on your project, a trend of results may become apparent. This trend of results will indicate the level of urgency and the importance of the risk response.

As a project manager, you can use qualitative and quantitative risk analysis trend results to help you focus on those areas that would benefit from an immediate risk response the most.

Qualitative and quantitative risk analysis outputs will help you identify risks that require an immediate risk response so that you can reduce or eliminate their impact on project objectives and increase your project's chance of success.