The Benefits of a Risk Database

William Pollard, a businessman and author, once said, "Information is a source of learning. But unless it's organized, processed, and available to the right people in a format for decision making, it is a burden, not a benefit."

A risk database is a repository that can organize, process, and format the information that is collected and used in the risk management processes. The use of a risk database throughout a project's life cycle will make documented information easily accessible for important decision-making purposes.

Project risk information that you may need to store in a database could include agreements, current priorities, specifications, project plan changes, instructions, results, and other information depending on the nature of the project.

You must enter information into the database on a regular basis so that this information is up to date.

You can use a risk database not only for storing and retrieving data, but also for analysis. A database can sort information into categories and generate reports based on what you need to know.

The database can perform complicated calculations in seconds, which provides information that may help decision makers avoid mistakes. You can analyze project information for risks and alert team members about any emerging risks.

Over time, your company will gain experience in keeping track of project risks in a risk database. This documentation can be compiled for a single project or across similar projects, and be used as lessons learned for future projects. Prior to planning new projects, team members can search through the lessons learned to avoid making similar mistakes.

You can use a risk database to help you avoid mistakes and plan effectively for future projects. A risk database can organize and format information so that it is a learning source to help you make important project decisions.

Updating Risk Identification Checklists and Response Plans

Have you ever tried to follow a plan only to find that the plan wasn't up-to-date and contained inaccuracies? For a plan to be effective, it must be kept current. New information, changes, and corrections have to be made in a timely manner to prevent inappropriate actions being taken on inaccurate or outdated information.

When monitoring and controlling risks, documentation is especially important because project managers and teams use risk documentation to:

• track risks
• to identify new risks
• to plan additional risk responses
• to record any actions taken to control risks

If the information being acted on is not current, a new risk is introduced—the risk of acting on inaccurate or outdated information. To avoid this confusion, you must strive to keep all documents up to date.

Two of the most important documents to keep current are the risk identification checklist and risk response plan.

Risk identification checklists
Risk identification checklists describe the criteria used to identify new risks. Project team members should use the experience gained during their projects to update the checklists. This will make the checklists more effective for use in the risk management of future projects.

Risk response plans
The risk response plan is a document that describes in detail what actions should be taken in response to specific risks. Since the risk response plan acts as a guide to risk monitoring and control, the project team should update it regularly to keep everyone equally informed.

There are many elements that you can include in updates to risk response plans. Usually updates are the product of an action or event that changes the risk situation of the project. In some cases, the fact that an action was not taken leads to the need for an update. Some of the common elements included in updates to a risk response plan are:

• Implementing risk controls - The implementation of risk controls may reduce the impact or probability of identified risks. Documenting the implemented risk controls will provide the project team with the information it needs to change its future expectations for particular risks.
  
  
• Changing risk rankings - Risk rankings change throughout the project's life cycle. You should document these changes so you and your team can properly control higher ranking risks.
  
  
• Closing risks - Risks that do not occur and that are no longer considered a threat should be documented and closed in the risk response plan.

Updating documentation can help avoid confusion and keep everyone on the project equally informed. The information added to the documentation will help you prepare for similar risks that may occur in future projects.

Managing Risk with Contingency Plans and Workarounds

Eleanor Roosevelt once said, "What you don't do can be a destructive force." This is especially true in terms of risks. Leaving risks to run their course without taking action can be very destructive to your project.

When a risk occurs, you must take corrective action to harness the risk and lead it down the least destructive path. In project risk monitoring and control, two of the most helpful forms of corrective action are contingency plans and workarounds.

Contingency plans
Contingency plans are management plans that identify alternative strategies project teams can use to ensure project success if specified risk events occur. They are developed before the risk occurs and are used if the original risk response is not effective. Contingency plans go beyond the original risk response to address "what if" scenarios that may further complicate risk control efforts. Risks that pose a significant threat to the project should have a contingency plan.

Contingency plans should contain information such as the plan's objective, criteria for implementation, roles and responsibilities, and the details for implementation.

Untouchable Tires is producing winter tires to stock its retail outlets. During this project, the company has encountered a major risk. The employees have gone on a strike that has lasted longer than the company had originally anticipated. The original response was to negotiate with the employees to get them back on the job as soon as possible.

To ensure that production deadlines are met and that retail orders can be filled, the company reassigned the work that would be done at this factory to other factories nearby. It will make production more expensive, but it will help meet the deadlines.

Workarounds
Another type of corrective action is a workaround. Workarounds are unplanned responses to emerging risks that weren't accepted or identified. Workarounds give you a way to "work around" the problem and as a result, reduce the effects that the risk has on the project. Workarounds should not be applied without documentation. Since using workarounds may have a positive or negative effect on the project, you need to incorporate them into the project plan and risk response plan.

Corrective action is any action taken to bring expected future project performance in line with the project plan. Implementing corrective actions such as contingency plans and workarounds will help your company keep its project performance in line with the project plan.

Two Indicators of Additional Risk Planning

When you build a house, many factors can cause construction to veer off track. Similarly, in project management, there are many risks that can affect the progress of a project. The risk monitoring and control process watches for signs that a project is going off track so project managers can do additional planning to regain control of the risk.

Two signs that may indicate the need for additional risk response planning are: the occurrence of an unanticipated risk and a risk having a greater effect on a project than expected.

• the occurrence of an unanticipated risk
  When an unanticipated risk occurs, you must do additional risk response planning. Since unanticipated risks are not covered in the initial risk response plan, the project team will now have to decide on a strategy to deal with the risk. The most common risk response strategies include avoidance, transference, mitigation, or acceptance.
  
  
  • Avoidance - is a strategy that requires changing the project plan to eliminate the risk. This is done to protect the project from the potential effects of the risk. A team might reschedule an activity to avoid the risk of having resources spread too thin.
  • Transference - is a strategy that does not eliminate the risk but moves the ownership of the risk to a third party. This third party is then responsible for the management of the risk. A team might transfer a financial risk by paying a premium to insure against the risk.
  • Mitigation - is a strategy that attempts to reduce the risk to a manageable level. Early actions will reduce the probability of the risk occurring. A team might add more time to its schedule to reduce the effects of a risk.
  • Acceptance - is a strategy that indicates that the project team has decided not to take any actions in regards to this risk. For example, a team might decide to accept the effects that an employee strike will have on the project if it occurs.
    

• a risk having a greater effect on a project than expected
  The second sign that additional risk response planning is necessary is a risk that has a greater effect on a project than expected. In this case, the planned response was implemented but was not effective in controlling the risk. If there is no contingency plan in place, the project team must then reevaluate the risk response and decide what changes need to be made to gain control of the risk or to better control the risk in the future.
  

Skilled project managers look for risks that have a greater effect on the project than expected. They also look for unanticipated risks. Learning to recognize these signs that additional risk response planning is necessary will help you gain control of project risks and increase your chances of achieving your project objectives.

Using TPM Analysis to Identify Technical Risks

Marcus, a project manager at Playerz Gaming, Limited, is working on the development of a new search and destroy mission-oriented game. The game is projected to hit store shelves within the next nine months. There is still much work to be done before the project enters the final testing stages.

Recently, Marcus discovered that a technical component of the game is not yet functional. This upset Marcus because it could mean a project delay of up to six months. How could this risk have been monitored and controlled sooner?

Technical performance measurement (TPM) is an analysis and control technique that can help identify technical risks so that action can be taken sooner rather than later. TPM compares technical accomplishments during the project to the expected accomplishments in the project plan. TPMs provide an early warning of deviations from the project plan. For example, a deviation could be a technical parameter that does not demonstrate functionality as planned. Uncontrolled deviations can affect project success.

TPMs include a variety of performance measures depending on the project's content. Performance measurements that are common to all projects include cost and schedule variances and performance indices.

There are three basic steps involved in TPM analysis.

• Step 1: Choose technical performance parameters.
  The first step is to choose your technical performance parameters (TPP). You should choose TPPs to measure based on the risk areas of your project. More parameters should be chosen from project areas that are considered high risk than from other areas. This will ensure that these areas are being measured effectively.
  
  Choosing TPPs is not always an easy task. You must be careful to choose parameters that your project team can measure, but also monitor over a period. For example, the survivability of a product under adverse conditions may be a product requirement. Survivability itself is not particularly measurable, but there may be other TPPs—like product speed, weight, and power—that your team could measure to indicate the survivability of the product.
  
  
• Step 2: Record actual performance.
  The second step of TPM is to record actual performance. The actual performance of the TPPs will be measured at specific intervals over the life of the project and will be recorded in the form of a graph. TPPs are generally measured in units such as speed, weight, size, power, or number of units completed. The risk management plan will state when you should measure the parameters and how to record the measurements.
  
  
• Step 3: Compare actual versus expected performance.
  The third step for TPM is to compare actual versus expected performance. In order to monitor and control the technical risks, you must compare the results from the actual performance measurements to the expected results and graph the results for each TPP separately.
  
  To monitor the progress of TPPs, you should perform this comparison of actual versus expected performance periodically. This will allow you to take steps to control any TPPs that are deviating significantly from the expected performance.
  

How can you tell when a TPP is a risk? You must look at where the achieve-to-date line falls on the graph. Lines that are outside of the tolerance band are already considered risks. Lines that are inside of the tolerance band, but are moving away from the planned value line toward the outside of the tolerance band, are potential risks. Lines that are steadily within the tolerance band or are moving toward the planned value line are not considered risks.

Knowing how to interpret TPM results can help you monitor and control technical risks. This will allow you to be proactive and implement controls sooner rather than later.

Using EV Analysis to Monitor and Control Risk

Did you know that you can use earned value analysis to monitor and control risks? Earned value analysis is traditionally used to monitor overall project performance against a baseline plan and to identify any deviations from the plan. In keeping track of these deviations, you will also help your company to monitor and control project risks, which increases your chances of a successful project.

Earned value analysis calculates whether the work for a given period is accomplished as planned. This type of analysis uses three key values: earned value, actual cost, and planned value.

• earned value (EV) - EV is the budgeted value of work actually completed in a given period of time. It answers the question: "How much work is done and what was the original budget to complete that work?"
  
  
• actual cost (AC) - AC is the total of costs incurred in accomplishing work on an activity during a given period of time. It answers the question: "How much has it cost to complete the work that has been done so far?"
  
  
• planned value (PV) - PV is the portion of the approved cost estimate budgeted for an activity during a given time. It answers the questions: "What should the work planned for this period cost?" and "How much work should be done by now?"

The formula for calculating earned value is:

EV = PV x % Work Complete

EV is the PV of your project multiplied by the percent of work complete. The PV is in the project budget and you can determine the PC by dividing the amount of work completed by the total amount of work that is expected to be completed during this time period.
With a good basic understanding of these key values, you can move on to performing the calculations used in earned value analysis. A careful interpretation of the results will help you determine if additional risk identification and analysis is required.

To determine whether your project requires additional risk identification and analysis, you must calculate four performance measurements.

1. cost variance (CV)
2. schedule variance (SV)
3. cost performance index (CPI)
4. schedule performance index (SPI).

CV is the difference between the budgeted value of work actually completed and the total of costs incurred to complete that work in a given period of time. The formula is:

CV = [(EV - AC) / EV] x 100

SV is the difference between the budgeted value of work actually completed and the amount the company planned to spend to complete the work during a given period of time. The formula is:

SV = [(EV - PV) / PV] x 100

The last two performance measurements are ratio expressions of CV and SV. CV and SV tell you the percent that your project varies from the baseline, while the CPI and SPI tell you how efficiently the work has been performed.

CPI is the cost efficiency ratio of earned value to actual costs. The formula is:

CPI = EV / AC

SPI is the schedule efficiency ratio of earned value accomplished against planned value. The formula is:

SPI = EV / PV

Once you have calculated the results for CV, SV, CPI, and SPI, they must be interpreted. This is the information the company needs to decide whether additional risk identification and analysis is necessary.

When analyzing the CV and SV for a project, you must look at how close to zero the results are. A result that is equal to zero indicates that the project or activity is performing as estimated. A result that is greater than zero indicates the project or activity is ahead of the estimates. A result of less than zero indicates that the project or activity is behind the estimates. When the result varies significantly above or below zero, additional risk identification and analysis may be necessary.

When analyzing CPI and SPI for a project, you must look at how close to one the result is. A result that is equal to one indicates that the project or activity is performing as estimated. A result that is greater than one indicates that the project is performing ahead of the estimates. A result of less than one indicates that the project is performing behind the estimates. When the result varies above or below one and exceeds the company's predetermined acceptable range, additional risk identification and analysis is necessary.

Earned value analysis can help you determine when additional risk identification and analysis is necessary. Being able to perform the calculations and interpret the results will help you handle and control project risks properly.

Two Risk Monitoring and Control Techniques

Professional consultant Gary Blair says that "Thoughtless risks are destructive, of course, but perhaps even more wasteful is thoughtless caution which prompts inaction and promotes failure to seize opportunity."

The thoughtful caution of risk monitoring and control helps you seize project opportunities and avoid destructive risks. By learning how to monitor and control these opportunities, you can boost their potential for success.

Two risk monitoring and control techniques can help you learn how to handle and control risks, increasing your chances of a successful project. The techniques are:

1. project risk response audits
2. periodic project risk reviews

To determine whether a risk owner has taken appropriate action to prevent a risk from occurring, you can use a project risk response audit. Risk response audits examine and document the effectiveness of the risk response and the risk owner. Risk response audits verify that those responsible conduct the responses as planned. You perform these audits throughout the project's life cycle to help control risk.

Companies must decide when they want to conduct risk response audits and under what circumstances. A company may decide to conduct an audit on risks with a potential cost to the project over a certain amount. This amount will vary from project to project, but will be set out at the beginning of the project.

To avoid biased results, you must have an objective third party conduct your risk response audits. Your company may have a risk specialist or internal audit department, otherwise it will have to hire an external auditor.

The second risk monitoring and control technique that can help you learn how to handle and control risks is periodic project risk reviews. Periodic project risk reviews are regularly scheduled examinations of potential risks. Since project risks are always changing, they should be an agenda item at all team meetings.

Depending on the phase of the project's life cycle, risk ratings and prioritization may change. If team members decide to change the risk rating or prioritization of a risk, they may have to perform additional qualitative or quantitative risk analyses.

Project risk response audits and periodic risk reviews keep track of project risks and how your team responds to them. This helps you handle and control risks properly and increases your chances of managing a successful project.

Managing Additional Risks and Scope Changes

Since you never know when a situation will arise that will cause you to reevaluate your project risks, you should prepare for unanticipated situations by knowing what to do when they occur.

There are two ways to recognize new risks. The first is identifying additional risks during project management processes. The second is identifying new risks caused by changes to the project scope. Your initial risk management plan and risk response plan will not account for these new risks, which is why additional risks and scope changes are important inputs to the risk monitoring and control process.

As the project team members go through their normal project management processes like weekly meetings or status reporting, they may identify additional risks. You must add these additional risks to the risk log. The risks listed in the risk log are inputs to the risk monitoring and control process.

Once a project scope change has been approved, the change log becomes the input. The project team will then review the approved changes to see if any new risks emerged as a result of the scope change.

To identify priorities and triggers and to plan responses, you must input the information about additional risks and the approved scope change into the cycle of risk management processes. There are six main risk processes.

1. risk management planning
2. risk identification
3. qualitative risk analysis
4. quantitative risk analysis
5. risk response planning
6. risk monitoring and control

As you implement the six processes, you will find that often the information from one process is needed to drive the next process. For example, you must complete risk management planning before risk identification can occur.

Risk management planning addresses how the additional risks and scope changes will be approached in regards to risk management. Depending on the magnitude of the risk or scope change, it may or may not affect how you conduct risk management for the project as a whole. For example, a new risk or scope change may be important enough that the budget for risk management of the project is increased.

A project team should consider any changes that may need to be made to the risk management plan before moving on to risk identification.

Risk identification determines which risks are most likely to affect the project. The project team will examine scope changes to identify any new risks that may threaten the project. The team will then take these new risks, or the additional risks that were already identified, and document their details and characteristics. From this point on, new risks will refer to both additional risks and risks identified from scope changes.

After examining the risk management plan and identifying new risks, the next logical step is to find out the potential impact of each risk and how likely it is that each new risk will occur. To do this, you must implement the next two risk management processes: qualitative and quantitative risk analysis.

Qualitative risk analysis assesses the potential impact of new risks and determines the likelihood that each will occur. Qualitative risk analysis prioritizes the new risks based on their potential impact on project objectives. This helps determine which risks are most likely to threaten the project.

Quantitative risk analysis is a numerical analysis that determines the probability that the new risk will occur. It also explores the consequences that the new risk will have on project objectives and on the project as a whole.

The first four processes direct the project team to the risks that are most likely to threaten the project. Risk response planning is the process where specific actions are planned in response to these new, threatening project risks. During this process, project managers assign individuals or groups ownership of particular risks. Common risk responses include avoidance, transference, mitigation, and acceptance.

Risk management planning and risk response planning will help you monitor and control risks effectively. The risk management plan and the risk response plan provide the details that a project team needs to carry out the risk monitoring and control process.

By inputting additional risks and scope changes into the cycle of the risk management process, you will be able to identify priorities and triggers and plan responses. This will help you monitor and control your project effectively.

Using Project Communication Documents to Control Risk

Often, team members spend time sharing information that may provide clues to potential project risks. How can this valuable information be incorporated into the risk monitoring and control process?

Project managers and project team members can monitor risks through project communication. Generally, these are documents that provide information on project performance and risks throughout the project's life cycle. As project performance is being monitored, so are project risks. Performance that is lower than expected may indicate that a project risk is emerging, or if performance improves, this may indicate that a risk has been brought under control.

The most obvious communication documents to use in monitoring risks are the work results, project records, and project reports.

Work results
Work results are the outcomes of a project and may include results such as information on the completion status of project deliverables, acquired or allocated costs and resources, and whether project quality standards have been met. It is important to gather reliable and consistent work results, as they are useful for performance reporting and monitoring project risks.

Project records
Project records contain other project information that you should consider when assessing project performance and risks. Project records may include correspondence, memos, and documents describing portions of the project. Project team members may even keep personal records in a project notebook.

Project reports
Project reports are a type of formal documentation that you and your project team can use for risk monitoring and control. Some of the most commonly used reports are:

• issue logs keep track of issues that are risks and issues that could lead to risks. Issue logs contain information such as the date, time, details of the issue, responses implemented, and person reporting the issue.
• action-item lists record information regarding responses to risks. These lists often include a description of the action, the name of the person assigned the action, when it is due, and its status.
• jeopardy warnings are reports that warn project team members that a risk may be about to occur. This information gives the team a chance to prepare its response.
• escalation notices are reports that inform decision makers that a risk has escalated to a higher level. With this information, decision makers can determine the best way to respond.

You and your project team can extract important clues for risk monitoring and control from project communication documents such as work results, project records, and project reports.

Components of Risk Management and Risk Response Plans

H. Stanley Judd, author, film producer, and communications consultant, once said, "A good plan is like a road map: it shows the final destination and usually the best way to get there." Like a good roadmap, a good project plan points out potential risks and includes strategies for managing and responding to those risks. The plan accomplishes this with a risk management plan and a risk response plan, two important aspects of project risk monitoring and control.

Risk management plan
The risk management plan, created during the risk management planning process, is a document that focuses on how to plan for and deal with all risks associated with a project. It describes how risk monitoring and control will be carried out during the project's life cycle. It does not look at the specific responses that will be implemented if a risk occurs.

The risk management plan has several components that are inputs to risk monitoring and control.

• Methodology - outlines the approaches, tools, and resources that can be used to carry out risk monitoring and control. The methodology used will depend upon the information available and the current project phase.
• Roles and responsibilities - is the designation of risk monitoring and control actions to specific individuals or groups. External risk monitoring and control teams are able to provide independent, unbiased risk analyses.
• Budgeting - requires a specific amount of funds to be allocated to the risk monitoring and control process of a given project.
• Timing - is how often risk monitoring and control processes will occur during the project's life cycle. Results must be reviewed periodically so they can be used in decision making.
• Scoring and interpretation - are methods used to score risks and assign them a rank. This risk-ranking process will indicate which risks need constant, close monitoring in order to control their impact on important project objectives.
• The acceptable threshold - is the set limit that the project team members will use to decide when they will implement a control.
• Reporting formats - describe what is in the risk response plan and how it is formatted. It also identifies how the outcomes of risk monitoring and control will be documented, analyzed, and communicated to team members and stakeholders.
• Tracking - is the documentation process that records information about risk monitoring and control activities. The tracking process saves the information so you can use it for the current project, or for future projects.

Risk response plan
The risk response plan is a document that addresses the specific responses to individual project risks.

The project manager and project team create the risk response plan during the risk response planning process. The plan provides project team members with the details they need when a risk occurs. The information in the risk response plan allows team members to take specific actions to control risks.

The risk response plan has several components that project teams use during the risk monitoring and control process.

• Identified risks - The risk response plan lists the identified project risks. The project team will monitor and control the identified risks throughout the project's life cycle.
• Risk owners and responsibilities - The risk response plan identifies risk owners and the details of their responsibilities. The risk monitoring and control process examines and documents the effectiveness of the risk owner.
• Agreed responses - The risk response plan clearly states the agreed responses for each identified risk. These responses may include avoidance, transference, mitigation, or acceptance. Once the project team implements a response, the response will be monitored to determine if further action is necessary.
• Specific actions - The risk response plan not only describes the response strategy for each risk, but also describes the specific actions that will be necessary to carry out each strategy. Risk monitoring and control determines if these actions are adequate.
• Residual risk - The risk response plan outlines the expected residual risk. Residual risks are the risk effects that remain after the implementation of a risk response. These residual risks must be monitored and controlled.
• Contingency and fallback plans - The risk response plan will outline any potential contingency or fallback plans. The project team will monitor the use of these contingency and fallback plans and take action if the plans are deemed inadequate.

The risk management and risk response plans provide you with the processes and actions required to prevent, reduce, recognize, and deal with risks. Using these plans as inputs will help lead your project along the path of success.

Primary Risk Response Planning Outputs

As a project manager, you will often face sudden or unexpected risks—risks that were not identified or prepared for during risk response planning. The best way to respond to these kinds of risks is to monitor and try to control them by examining the primary risk response planning outputs.

In addition to the risk response plan, there are four primary risk response planning outputs that you can use to ensure successful project completion: residual risks, secondary risks, contractual agreements, and contingency reserve amounts.

• residual risks
  The first output that will result from your project's risk response planning process is residual risks. These are the risks that remain after avoidance, transference, and mitigation responses have been implemented.
  
  Residual risks also include any minor risks that have been accepted and addressed during risk response planning through the addition of contingency amounts to the project budget or schedule.
  
  
• secondary risks
  The second output that will result from your project's risk response planning process is secondary risks. These are risks that arise as a direct result of implementing a risk response.
  
  Secondary types of risks should be identified as soon as possible so that appropriate and effective risk responses can be planned. For example, due to the complexity and detail involved in most projects, it is possible that adding personnel resources to address one identified risk may result in a risk of cost or schedule overruns in another project phase.
  
  
• contractual agreements
  Another risk response planning output that is useful in promoting project success is contractual agreements. These types of agreements help to ensure that all parties involved in a project's development are aware of their responsibilities and bound by law to fulfill all agreed-upon commitments.
  
  A contract is typically defined as a mutually binding agreement that obligates a seller to provide a specified product and requires a buyer to pay for it. As a result, contractual agreements are essential to risk management.
  
  Contractual agreements are also used to help specify each party's responsibility for specific risks. For example, a contract between an insurance provider and a company will detail the insurance provider's responsibility to pay out a certain amount of money to the company in the event that an insured risk occurs. Contractual agreements, as an output of risk response planning, will help you be confident that specific identified risks will be responded to in a timely and efficient manner.
  
  
• contingency reserve amounts
  The final output that results from your project's risk response planning process is contingency reserve amounts. These reserve amounts are over and above the estimated amount of time and resources allotted for a particular project. These additional resources are set aside to help reduce the risk of overruns to project objectives as a result of risk.
  
  Contingency reserve amounts will help you lower potential overruns to a level that is acceptable to your project stakeholders.
  
  Contingency reserve amounts are usually determined by the project manager with the aid of the project's established risk thresholds and probabilistic analyses. These analyses are used to forecast potential project schedule and cost results.
  

As a project manager, it is important to remember that almost every risk response will have a corresponding effect. Most risk responses involve expenditures of additional time, cost or resources and therefore require changes to the project plan. The results of the risk response planning process must be incorporated into the project plan to ensure that agreed actions are implemented and monitored as part of the ongoing project.

Other risk response planning outputs contribute to project success. You will want to use them to ensure that your project is protected from threatening project risks and prepared for the risk monitoring and control process.

Determining the Most Appropriate Risk Response

As a project manager, you can use a risk response plan to ensure that you meet your project objectives. A risk response plan is a document that details an identified risk, its cause, probability of occurrence, potential impact, and proposed responses. An effective risk response plan will help you enhance risk opportunities and reduce risk threats.

A risk response plan, which is sometimes called a risk register, is comprised of a number of different components. A typical project's risk response plan includes the following components:

• a detailed list of all identified project risks
• the risk owners responsible for formulating and implementing one or more risk responses
• the results from the project's qualitative and quantitative risk analyses
• the established responses for each identified risk
• the expected level of residual risk
• the specific actions required to implement the chosen response
• the budget and timing for all risk responses
• a description of any contingency or fallback plans.

One of the most important components of a risk response plan is "the established responses for each identified risk." As a project manager, it is your job to select the most appropriate and effective response for managing that risk. Once this selection is made, the agreed-upon risk response is entered into the project's risk response plan.

How do you determine which risk response will be the most appropriate and effective for an identified project risk? There are three important questions that you should ask yourself when making this critical decision.

1. What are the potential risk responses?
   The first question that you should ask yourself when determining the most appropriate risk response for one of your identified project risks is: What are the potential risk responses? You should apply the four risk response strategies to your risk, discard those strategies that are either impossible or impractical to use, and formulate potential responses from the strategies that remain.
   
   
   • Avoidance - should be used when the level of risk is unacceptable, when the means for controlling the risk are not feasible or when there is a potential for harm. This risk response strategy involves changing the project plan to eliminate the risk or the condition causing the risk.
     
     
   • Transference - should be used when there is a potential for significant financial exposure. Risks can be transferred through insurance, performance bonds, warranties, and contracts. This strategy shifts the consequences of a risk to a third party, such as an insurance company.
     
     
   • Mitigation - should be used when there is an opportunity to significantly reduce the probability or consequences of an identified risk. Throughout a project's life cycle, it may be possible to perform risk mitigation by reducing both the risk probability and the risk consequences.
     
     
   • Acceptance - should be used when the probability and consequences of an identified risk are low. This strategy results in no changes to the project plan. It involves leaving a project team to deal with a risk when it occurs or forming a contingency plan to deal with the risk if it occurs.
     
     
2. What are the project constraints?
   The second question that you should ask yourself when determining an appropriate and effective risk response for an identified risk is: What are the project constraints? The PMBOK Guide defines a constraint as an "applicable restriction that will affect the performance of a project." No project is completely free of constraints. As a result, you will need to keep this in mind when selecting an appropriate risk response. Constraints will limit the choices available to you during risk response planning.
   
   For example, you may initially decide that avoiding a risk by changing the project scope is an appropriate response for a given risk. However, a careful examination of the constraints facing your project may indicate that avoidance is not possible or that it is unwise given your circumstances.
   
   During the life cycles of your projects, you may encounter many different types of constraints. However, there are some constraints that you will face more frequently than others. A few of these constraints are listed below.
   
   
   • An established project budget - An established project budget is one constraint that can affect your selection of risk responses. For example, if your project is restricted by a tight budget, any responses that require a vast amount of funding to implement will be deemed unwise and detrimental to project success.
     
     
   • A defined project schedule - A defined project schedule can also act as a constraint when determining the most appropriate response for an identified risk. For example, if your project's sponsors have established an inflexible schedule, the responses that will add time or cause delays to the project schedule will have to be rejected.
     
     
   • Contractual obligations - Another constraint is contractual obligations. Risk responses may need to be discarded if they have the potential to deviate from a signed contract. For example, you cannot reduce the risk of cost overruns by paying your contractor less than the amount agreed upon in the project contract.
     
     
   • Product specifications - The final constraint that can affect your selection of risk responses is product specifications. If project sponsors are expecting a particular product, they may be unwilling to approve any changes to the project scope. This decision can limit your options when responding to risk.
     
     
3. Which risk response will be the most appropriate for managing the risk?
   The final question that you need to ask yourself when determining an appropriate risk response for an identified project risk is: Which risk response will be the most appropriate for managing the risk? Once you have decided what the potential risk responses are and what constraints are facing your project, you can then determine the most appropriate and effective risk responses for your project risks.
   
   By eliminating those responses that are not feasible for your project or those that cannot be achieved due to certain constraints, you will be left with only the responses that are appropriate for the chosen risk. These responses will serve to protect the project from the risk's potential impact.
   

As a project manager, you can determine the most appropriate risk response for a given project risk by answering the following questions: what are the potential risk responses, what are the project constraints, and which risk response will be the most appropriate for managing the risk?

Once this determination is made, you can include your chosen risk response into your risk response plan. This plan will help you enhance risk opportunities and reduce risk threats to project objectives and overall project outcomes.

Accepting Risks with a Contingency Plan

In addition to avoidance, transference, and mitigation, acceptance is also an important strategy for effective risk response planning. Acceptance is a strategy that indicates that a project manager and a project team have decided not to change the established project plan in order to deal with an identified risk. Acceptance may also be performed if a project manager is unable to identify any other suitable risk response strategy to effectively handle the identified risk.

If you choose to accept a project risk, you need to develop a contingency plan that can be implemented should the risk occur. Developing a contingency plan in advance can greatly reduce the cost of future risk responses.

Every contingency plan contains specific details that are only relevant to the identified risk and the project at hand. However, all contingency plans should contain the following components: the plan objective, implementation criteria, roles and responsibilities, resource requirements, operation procedures, and discontinuation criteria.

• The plan objective
  For a contingency plan to be effective, a project manager must first ensure that there is an established plan objective. This objective should clearly detail the risk of failure that prompted the creation of the contingency plan.
  
  A project manager must also decide what the desired outcome of implementing the plan will be: to continue normal operations, to continue operations in a degraded mode or to abort a project area as quickly and as safely as possible. The plan objective should also outline the potential impact, in terms of financial costs, on the organization.
  
  
• Implementation criteria
  In addition to establishing a plan objective, a project manager must ensure that an effective contingency plan contains well-defined implementation criteria.
  
  You and your project team must understand when your contingency plan should be implemented. In addition, this criteria outlines the specific failure, or risk trigger, that necessitates the start up of your project's contingency plan. For example, the contingency plan will be implemented in the event of a network failure.
  
  
• Roles and responsibilities
  The third essential component of an effective contingency plan is the designation of roles and responsibilities. A project manager must decide who will be responsible for making implementation decisions, such as implementing the contingency plan or informing the team that the project is operating in contingency mode.
  
  The roles and responsibilities component clearly outlines who is responsible for plan implementation. For example, the technical engineer on duty will be in charge of activating the contingency plan in case of a network failure.
  
  
• Resource requirements
  The resource requirements component details the equipment, supplies, funding, and overtime estimates needed to activate the planned response. To create a list of required resources, you need to ask yourself the following questions.
  
  • What equipment will be needed to implement the contingency plan? What equipment will be required once the plan is activated and in full operation?
  
  
  • What types of materials or supplies will be needed to implement and operate the contingency plan? What quantity of materials and supplies will be required?
    
    
  • How much should your contingency plan budget be in order to effectively fund the contingency mode operations?
    
    
  • How much overtime will employees be expected to undertake in order to keep the project on track during contingency mode?
  
  Having a list of resource requirements available before an emergency arises allows you to move quickly and easily into contingency mode to meet the plan objective.
  

• Operation procedures
  Operation procedures outline plan implementation instructions so that everyone will know what to do in an emergency. For example, in case of a network failure, Sarah will switch the network to backup mode in order to save important data.
  
  The procedures must also describe how project personnel will be informed that the plan is being implemented. Operation procedures should also define how records will be managed and data security ensured.
  

• Discontinuation criteria
  Discontinuation criteria describe how to determine when a project should move from contingency mode back to normal operating mode. This criteria will outline the conditions or events and the timing that make it possible to discontinue the contingency plan. For example, the network has to be fully tested and be 100 percent operational before returning to normal mode.
  

The development of an effective contingency plan, as part of acceptance, will help you create options and potential actions that will serve to reduce threats to critical project objectives and to promote project success.

Methods for Mitigating Project Risks

All project managers want to make certain that their projects are on the road to successful project completion. One way for project managers to accomplish this is to use a risk response strategy called mitigation. Mitigation attempts to reduce the probability and consequences of identified project risks to an acceptable threshold.

It is important to remember that taking early action to reduce the probability of a risk's occurrence or its consequences on critical project objectives is often more effective than trying to repair the adverse consequences after the risk has occurred. During the risk response planning process, every effort should be made to prepare for project risks in advance so that a project's completion will not be severely threatened by its identified risks.

Project managers use two primary strategies to mitigate identified risks. The first strategy is to reduce risk probability. The second is to reduce risk consequences.

1. Reduce risk probability.
   Reducing risk probability is a mitigation strategy that attempts to deal with a risk before it gets out of control. Since not every risk can be avoided, reducing its probability of occurrence to the lowest possible percentage may be the most effective and realistic option.
   
   The purpose of reducing the probability of a risk's occurrence is to minimize the potential threat to critical project objectives and outcomes. Examples of reducing risk probability include safety training, improved quality of project materials, cost control systems or marketing a more stable and sellable product.
   
   Reducing risk probability is a preventative approach and its corresponding risk responses are always implemented before a risk actually occurs.
   
   
2. Reduce risk consequences.
   In many instances, there will be no way for you to prevent or significantly reduce the probability of risk occurrence. As a result, reducing risk consequences will be the most effective mitigation strategy to use.
   
   Once you know that you can do little to prevent a risk from occurring, you will want to develop as many options as possible to reduce the consequences of that risk if it does occur.
   
   Developing options to prepare for uncontrollable elements such as weather or environmental disasters, increasing the probability of knowing that a risk is occurring, and formulating options to deal with the risk impact after it occurs are all examples of reducing risk consequences.
   
   While reducing risk probability is seen as more of a preventative approach to mitigation, reducing risk consequences can be described as a backup approach.
   
   Reducing risk consequences aims to minimize the impact of an identified project risk after its occurrence.
   
   Proposed risk responses may be put in place before or after a risk's occurrence.
   

Mitigation is an important strategy in the risk response planning process. Project managers can protect many of their critical project objectives by reducing the probability or consequences of risks identified in the risk identification or risk analysis processes.

As a project manager, you can use mitigation to prevent or minimize the probability and consequences of threatening project risks. This will help you ensure that your project outcomes are completed as planned.

Four Ways to Transfer Risk

As a project manager, it is important for you to understand that the act of sharing can play a valuable role in your project's risk response planning process. Sometimes, the most efficient and effective way of dealing with project risks is to share the responsibility for their response with others.

Transference is a risk response strategy that does just that. It shifts the responsibility of a risk, or part of a risk, to a third party. Transference does not eliminate a risk or its potential consequences. This risk response strategy simply gives another party responsibility for the management of that risk.

Although a project will encounter many different types of risks, transferring risk liability is usually most effective when dealing with financial risk exposure.

Transference often involves the payment of a risk premium to the party taking on the risk. For example, a company will pay a monthly premium to its insurance provider as payment for the provider taking on one or more of the project's risks.

During your project's risk response planning process, you may decide that transference is the most appropriate strategy to use in order to effectively respond to one of your identified project risks. Once you make this decision, you must choose the transference method that will best address that risk. There are four methods available for you to use when transferring the responsibility for an identified risk.

1. Insurance
   Insurance is a transference method that shifts the responsibility of specified risks to an insurance company. Typically, insurance companies provide monetary coverage for losses that result from such things as legal liability, fire damage, theft, or vandalism.
   
   One of the most common methods of transferring risk and its potential consequences is to purchase insurance. As a project manager, you can share the responsibility of some of your project's identified risks by having an insurance company provide financial coverage for potential risk losses. During your project's risk response planning process, you should set aside risks that can be insured and transfer the responsibility for those risks to your company's insurance provider.
   
   Some of the most common insurable project risks are:
   
   • Direct Property Damage - to project equipment, project materials or a contractors' property.
   • Indirect Losses - such as equipment replacement and business interruption.
   • Legal Liability - such as public employee bodily injury, design errors, public property damage, and the failure of a product to perform as specified.
   • Personnel Issues - such as employee replacement costs.
   
   For project managers to transfer a project risk through the method of insurance, two conditions must be met. The first condition is that the potential risk loss must be due to chance. Insurance companies do not want to provide monetary coverage for risks that result from human error or poor project planning.
   
   The second condition that must be met in order for a risk to be eligible for insurance is that the potential risk loss must be measurable. This means that the risk loss must have an assigned monetary value. A project risk cannot be insured if the potential loss is expected to be personal or emotional.
   
   
2. Performance bonds
   Performance bonds shift the financial responsibility for poor performance back to the contractor. These bonds are usually issued by a financial institution, such as a bank, and force contractors to pay out a specified sum of money if their performance is unacceptable.
   
   Project managers obtain performance bonds to guarantee the satisfactory completion of contracted work. These bonds provide monetary compensation to a company if its contractor fails to achieve the proposed project work.
   
   
3. Warranties
   Warranties are written guarantees that purchased project equipment will be of good quality. This transference method shifts the cost and responsibility for repair or replacement of defective parts to the manufacturer.
   
   
4. Contracts
   A contract is a binding and legally enforceable agreement between two or more persons or parties. During risk response planning, project managers can use contracts to help eliminate or minimize the impact of identified project risks.
   
   In most cases, contracts are established between an organization and its contractors at the onset of a project. These contracts contain numerous details and clearly outline the contractor's responsibilities throughout the project. This transference method helps shift the potential cost and consequences of incomplete, tardy, or unsatisfactory work back to the contractor. A contract also protects the contractor, ensuring the company meets its obligations as well. This helps reduce the overall risk impact on the project.
   
   Another benefit of a contract is that you may not have sufficient expert resources within your company to perform all of the various project activities in an efficient and effective manner. Contracting some of your project work out to someone with superior knowledge and expertise in a particular area can reduce the risk of poor performance or unsatisfactory project design.
   

It is important to keep the four transference methods in mind when formulating responses to your project's identified risks. If your project requires a contractor, it is good to obtain a performance bond to ensure that expected performance levels are maintained. In addition, if your project materials are purchased from an external source, it is wise to have a warranty in place to protect your company against material defect risks.

If you decide to respond to some of your identified risks by purchasing insurance, you will be able to protect your company from costly, unexpected, and unpredictable risks, such as legal liability and personnel injuries. If you choose to establish a contract at the onset of your project, you will reduce the risk of project plan deviations and miscommunication. You must carefully consider each transference method and determine which one will be most effective in minimizing the impact of an identified project risk.

Insurance, performance bonds, warranties, and contracts are the four primary methods for transference. During the risk response planning process, project managers can use transference to help them reduce the impact of potential risks to project objectives and overall project outcomes.

As a project manager, you should examine all of your project's identified risks and set aside those that will benefit from transference. This will minimize your project's overall risk impact and promote a successful project completion.

Avoiding a Project's Most Threatening Risks

Have you ever deviated from your regular driving route because excessive traffic or road construction may have put you at risk of being late for an important appointment?

In everyday life, people often modify their personal plans or schedules in order to avoid the unwanted consequences of potential risks. In the same way, project managers are often forced to change or modify their project plans in order to eliminate threatening project risks.

As a project manager, you will encounter various risks throughout your project's development. Although you can never prevent every project risk, you should make every attempt to eliminate as many as possible.

One risk response strategy that you can use to help you achieve a successful project completion is avoidance. Avoidance involves changing your project plan to eliminate an identified risk or the condition that causes the risk. This risk response strategy also involves protecting your project objectives from the impact of identified risks.

As a project manager, you can often respond to some risks that arise early in the life cycle of a project by clarifying requirements, obtaining information, improving communication or acquiring expertise. However, there are other types of project risks that you will need to avoid in order to promote a successful project completion. These types of risks include those that have a high probability of negatively impacting project objectives and those that have the ability to cause complete project failure.

Avoidance is one strategy that you can use to help you deal with these types of risks. Such things as reducing scope to avoid high-risk activities, adding resources or time, adopting a familiar approach instead of an innovative one or avoiding an unfamiliar contractor are all ways in which you can eliminate threatening project risks.

The first type of risk that you should avoid during the life cycle of your projects is unacceptable risks. These types of risks have a high probability of occurrence and an extreme or very high level of potential impact.

You should also avoid uncontrollable risks. These risks cannot be absorbed by the project's available resources or existing contingency reserves. They are also risks that do not have mitigation or transference strategies available.

The last type of risk that you should avoid throughout your project's development is potentially harmful risks. These risks are especially threatening to project success because they have the potential to harm a project's personnel.

As a project manager, there are three key questions that you can ask in order to determine if an identified project risk should be avoided. If you can answer "yes" to even one of these questions, the risk that you are examining should be flagged for avoidance. The three questions include:

• Is the level of risk unacceptable?
• Are the means for controlling the risk unfeasible?
• Is there a potential for harm?

As a project manager, how do you determine whether the level of an identified risk is unacceptable to your project and its outcomes? One of the best ways to answer this question is to examine the prioritized list of quantified risks that resulted from your project's quantitative risk analysis process.

This list indicates which risks pose the greatest threat or present the greatest opportunity to your project objectives and overall outcomes. This prioritized list of quantified risks also includes a measure of potential risk impact.

You should examine your project's prioritized list of quantified risks and set aside those risks that have an extreme or very high level of potential impact. Once this is done, you should make every effort to modify your current project plan in order to avoid these types of risks. Typically, project managers classify risks with an extreme or very high level of potential impact as unacceptable because of the possible danger they pose to the success of overall project outcomes.

Another element to consider when trying to determine whether the level of an identified project risk is unacceptable is the risk thresholds for the project. Risk thresholds, which are established in a project's risk management plan, indicate the level of risk that is acceptable to individual project stakeholders. If you have identified a project risk that has the potential to greatly exceed one or more of the established risk thresholds for your project, this is a risk to avoid because it threatens the successful completion of your project.

Another question to consider when trying to determine if an identified project risk should be avoided is: are the means for controlling the risk unfeasible? All projects are subject to such things as cost and time constraints. As a result, some project risks may be too expensive to control.

In addition, most projects are allotted a limited amount of contingency reserves. These reserves are the amount of money or time needed to reduce the impact of cost and schedule overruns on critical project objectives and outcomes.

If you find that the means for controlling one of your identified risks is not feasible and cannot be absorbed by your project's available contingency reserves, this is a risk that you should avoid. A careful examination of such things as your project budget, schedule, and personnel and material resources will help you decide whether your project has the means to reduce or eliminate the risk's potential impact or whether it would be more beneficial to avoid the risk altogether.

The third and final question that project managers can ask in order to determine whether an identified project risk should be avoided is: Is there a potential for harm? In most cases, a risk is considered harmful if it involves the presence of dangerous materials or conditions at the project site.

Project managers must be able to identify any risks that have the potential to harm their project team members or stakeholders. These risks may include such things as faulty machinery or unsafe working conditions.

More examples of harmful project risks are listed below. As a project manager, you should immediately flag these types of risks for avoidance. These risks include:

• tasks that involve handling, storage or disposal of hazardous materials
• major construction work in locations vulnerable to seismic activity
• other potentially damaging natural events.

It is important to remember that unforeseen risks will continue to arise as a project progresses. As a project manager, it is your responsibility to analyze these unexpected risks, as well as all identified project risks, in order to determine if they should be avoided. Once this decision is made, you can then modify your project plan to avoid the selected risks. This will help you ensure that your project remains on a progressive track and heads toward a successful completion.

Avoidance is sometimes the best response. As a project manager, you can use avoidance to eliminate some of your project's most threatening risks and their potential impact. This risk response strategy is a key contributor to overall project success.

Common Causes of Project Risk

Marina is a project manager for Outback Retailers. Her current project involves the development of a new type of high-speed racing bike. She has learned that there are several identified risks that have the potential to negatively impact her project objectives.

As a result, Marina is trying to develop risk responses that will eliminate or reduce the impact of these identified risks. Do you think it is possible for Marina to address two or more of her project risks with the same response?

Yes! By addressing more than one project risk with the same response, Marina will be able to deal with risk threats and risk opportunities more quickly, which will maximize the likelihood of a successful project completion.

Every project will encounter numerous risks. Many of these risks will be driven by a common risk cause. A common risk cause is an event or situation that produces more than one project risk.

As a project manager, you can identify common risk causes during the risk identification and risk analysis processes. It is important to take advantage of these opportunities whenever and wherever possible.

It is important to remember that every project is unique. Therefore, you cannot expect to identify the same common risk causes in every project that you manage. However, there are some causes that may occur more frequently than others. These common risk causes include:

• unavailability of resources
• inadequate quality standards
• lack of communication
• inadequate tools or technology

One common risk cause that may threaten the successful completion of your project is unavailability of resources. These resources may be people or materials. During the life cycle of your project, many risks may arise if you do not have sufficient personnel or supplies available to complete the project as planned. Such things as excessive cost and schedule overruns are only two of the risks that you may encounter if your project is threatened by a lack of available workers or materials.

Another common risk cause is inadequate quality standards. Identifying this common risk cause early in the course of a project is especially valuable because this risk cause has the potential to create several project risks that can adversely affect the promised consumer deliverable.

As a project manager, it is important to remember that if quality standards are not properly set or are not specific enough, your project will either fall below the expected standard or aim for a standard not required by the client.

Marina, from Outback Retailers, is beginning the risk response planning process for her current project. After studying the results from her project's other risk management processes, she finds that some of the quality procedures that concern the new product are not clearly detailed. In addition, phase three may be short by two people due to a recent staff reduction. Marina hopes that the identification of these two common risk causes up front will help make her risk response planning process more efficient.

A lack of communication is another example of a common risk cause. In daily life, whether at home or at the office, people often suffer the unpleasant consequences of not giving or receiving adequate or accurate information. This is especially true in project management. If clear and open lines of communication are not firmly established, a project may be put in serious jeopardy. Such things as change requests and project plan modifications may not be properly carried out if there is a break in communication.

Inadequate tools or technology is a common risk cause that can severely impact the outcome of a project. It is difficult to develop a product efficiently or according to its established standards if you do not have the adequate tools or technology to complete the product as specified in the project plan.

It is also possible that a project may suffer a complete failure if critical tools are not readily at hand when needed. This common risk cause may also result in project deliverables not meeting widely accepted industry standards.

As a project manager, it is important to remember that some of your project risks may be driven by a common risk cause. As a result, the identification of these common risk causes is a valuable input to risk response planning because it may allow you to address more than one project risk with a single response. This will help eliminate the creation of redundant risk responses and make your risk response planning process more efficient.

Risk Owners and Risk Thresholds

Author H. Stanley Judd once said, "A good plan is like a road map; it shows the final destination and usually the best way to get there."

As a project manager, you need to have an effective risk management plan in place before beginning risk response planning. A risk management plan can act as a guide to help you identify, analyze, and respond to various project risks and their potential consequences. This plan, which is created during the risk identification and planning process, details how the risk management processes will be structured and performed. It ensures that risks are properly managed throughout a project's life cycle.

The risk management plan has two important components that will be used in risk response planning: 1. a list of risk owners; and 2. risk thresholds.

A list of risk owners
One risk management plan component that will be used as an input to risk response planning is a list of risk owners. Risk owners include those project stakeholders who are responsible for the development, implementation, and execution of one or more risk responses. This risk management plan component is essential as a risk response planning input because it helps to ensure that everyone involved in the risk response planning process has clearly defined roles and responsibilities.

Typically, project managers are responsible for assigning the various risk owners within a project. These risk owners may be chosen from within the project team or from available subject matter experts. During risk response planning, risk owners may decide to develop risk responses as a group or divide the responses among the team members, based on their expertise.

Risk thresholds
Another component of the risk management plan that can act as an important input to risk response planning is risk thresholds. Risk thresholds are the levels of risk that are acceptable to individual project stakeholders, such as the project team members, customers or sponsors.

It is important to remember that project owners, customers, and sponsors may all have different risk thresholds for a given project, depending on their individual needs and interests.

The acceptable risk threshold for each project stakeholder forms the target against which the project team will measure the effectiveness of the risk response plan execution.

Liam, from Northern Pulp & Paper, is studying his company's established risk threshold for his current project. He wants to know how the risk threshold will influence his risk response planning process. Liam finds that the company will not tolerate a total project cost overrun of more than $5,000. He realizes that such things as purchasing additional materials or increasing staff may not be viable risk response options when handling identified project risks. Liam will keep this in mind as he progresses through the risk response planning process.

Equipped with a clear and accurate understanding of these two components, you will be able to ensure that potential project risks are dealt with effectively and in a timely manner.

Creating a List of Potential Risk Responses

How do you deal with risks throughout the life cycle of your projects? How do you formulate appropriate and effective responses to identified project risks?

During the risk identification process, project managers identify any risks that have the potential to negatively impact project objectives and overall project outcomes. These risks are then subjected to a qualitative and a quantitative risk analysis in order to produce a list of prioritized risks that can be dealt with in the risk response planning process.

When project managers, stakeholders, and subject matter experts are involved in identifying project risks, they often formulate a tentative list of potential responses to address these risks. These potential responses are strategies that are designed to enhance risk opportunities and reduce risk threats to project objectives. Although any action may be classified as a response, this list of potential responses created during risk identification is always specific to the project needs and the characteristics of the identified risk.

Specific details concerning the accuracy or effectiveness of these potential responses are not necessary during risk identification since that is the focus of the risk response planning process.

As a result of a project's risk identification process, you will have a list of potential responses that you can either accept, modify, reject, or add to during risk response planning.

It is important to remember that the list of potential responses created during risk identification is not a comprehensive or exhaustive list. It is simply a list of proposed suggestions that can be used to help address those risks that can have a negative impact on the success of a project. As a project manager, you will take this list of potential responses into consideration when deciding on an appropriate and effective risk response for identified and quantified project risks.

These potential responses are only suggested methods of dealing with these types of risks. Selecting the most effective and accurate response will occur later in the risk response planning process.

The following are some examples of common project risks and corresponding potential responses.

Common Project Risks
overly optimistic schedules
lack of adherence to quality procedures
unclear or vague project goals
inappropriate vendor or technology selection
budget cuts

Potential Responses
Review and monitor schedules at regular intervals.
Implement a quality management program.
Ensure that each goal is well-researched and realistic.
Perform a decision tree analysis for each major decision.
Reallocate project resources.

As a project manager, it is important to remember that your project's list of potential responses, developed during risk identification, is a valuable input to the risk response planning process. This list will help you develop specific actions that you can use to minimize or prevent threatening risks from occurring, as well as to maximize potential opportunities.

Identifying Risks that Require an Immediate Risk Response

Bruce, a project manager for Precision Technologies, performed a qualitative and a quantitative risk analysis on his last project. He found these analyses very useful because they helped him identify project risks that had the potential to adversely affect his project's success.

As a project manager, you will find that the outputs from other risk management processes can be extremely useful when performing risk response planning. Two such processes include qualitative risk analysis and quantitative risk analysis. Both of these processes attempt to assess and analyze the probability and impact of potential project risks. As a result, qualitative and quantitative risk analysis outputs can serve as effective inputs to a project's risk response planning process.

A qualitative risk analysis attempts to assess the impact and likelihood of identified project risks. It also prioritizes risks according to their potential effect on project objectives and overall project outcomes. A quantitative risk analysis aims to numerically analyze the probability of each risk and its consequences on project objectives, as well as the extent of overall project risk.

As a result of both a qualitative and a quantitative risk analysis, you will receive a list of risks, together with a measure of their potential impact, that will need to be addressed in the risk response planning process.

The qualitative and quantitative risk analysis outputs that may be useful as inputs to risk response planning include:

• list of prioritized risks
• risk ranking of the project
• prioritized list of quantified risks
• probabilistic analysis of the project
• probability of achieving project objectives
• qualitative and quantitative risk analysis trend results

One qualitative risk analysis output that acts as a valuable input to risk response planning is a list of prioritized risks. During the qualitative risk analysis process, risks are prioritized using a number of criteria. Risks may be assigned a rank of high, medium or low, depending on their potential severity of impact. Risks may also be grouped by those that require an immediate response and those that can be handled at a later date. Prioritized risks usually include risks that affect project cost, schedule, scope, and quality.

As a project manager, you can use this list of prioritized risks during risk response planning to help you decide which risks require your immediate attention. This list will also help you formulate responses for those risks that have the potential to negatively impact critical project objectives.

Another qualitative risk analysis output that you can use as an effective input to risk response planning is a risk ranking of the project. This ranking will indicate the overall risk position of a project relative to other projects by comparing the risk scores.

A risk ranking can also be used to assign resources to projects with different risk rankings, make a benefit-cost analysis decision about the project, or support a recommendation for project initiation, continuation or cancellation.

A risk ranking will help you decide which projects have the greatest needs and which projects will produce the greatest overall benefit. This will allow you to plan effectively for those projects that require immediate risk responses.

As a project manager, you can also use quantitative risk analysis outputs when preparing for risk response planning. These outputs can help you identify sensitive risk areas and formulate potential responses to threatening project risks.

A prioritized list of quantified risks will detail which risks pose the greatest threat or present the greatest opportunity to your project, together with a measure of their impact. This will help you identify risks that require an immediate risk response.

A probabilistic analysis of the project will forecast potential project costs and completion dates. This analysis will help you determine the type of risk response that is required to address threatening cost and scheduling risks.

An estimate of the probability of achieving project objectives under the current plan will indicate whether the project is progressing as planned, or whether it requires immediate risk response action in order to be completed successfully.

The last qualitative and quantitative risk analysis output that is useful as a risk response planning input is qualitative and quantitative risk analysis trend results. Trends can be defined as patterns of results that track in a particular direction. Once you've performed multiple risk analyses on your project, a trend of results may become apparent. This trend of results will indicate the level of urgency and the importance of the risk response.

As a project manager, you can use qualitative and quantitative risk analysis trend results to help you focus on those areas that would benefit from an immediate risk response the most.

Qualitative and quantitative risk analysis outputs will help you identify risks that require an immediate risk response so that you can reduce or eliminate their impact on project objectives and increase your project's chance of success.