Select Page

How to select a Risk Response Strategy?

Sounds complicated.

But let me simplify it for you in this article.

Here you will find examples of risk responses for both threats and opportunities.

But there’s a catch:

You may have a limited mindset in regards to dealing with risks.

So, I would suggest you review examples of dealing with different risks on a real project first. Click here to read how I managed different kinds of threats.

Test Yourself in Risk Management

Do you think you know enough about Project Risk Management?

Take this short quiz and identify gaps in your knowledge.

In the end, I provide correct answers and explanations.

A document you use to capture all known risks is called:

On a Friday evening John (your best engineer in the team) comes to you and says he quits. You have two weeks to find a substitution. What would reduce the chances of such an event? Why?

A process that involves prioritizing risks for further action or analysis by assessing the impact and the probability of occurrence is called

When do you perform Risk Identification?

As a part of your project, you need to organize a conference. You learn that in the place that you rented there’s a 70% chance of a tropical storm on the selected dates. How should you handle such risk?

Who should be involved in Risk Management activities?

You acquired an expensive piece of equipment for your project. It is know to be sensitive and fragile in work. Several tasks that require this equipment are on a critical path. What’s the BEST action you can do to improve project’s chances for success?

You are on the call with clients. They say the vendor team they hired to create designs is behind schedule. What should you do?

After you performed Qualitative Risk Analysis you need to create:

After reviewing Risk Register you see two critical risks that you anticipate during the next week. What should you do with this knowledge?

Project Risk Management Overview

Definition of Risk Response Strategies

Here is what you need to know:

Risk Response Strategy or Risk Response Plan is not something from an enterprise world.

(By the way, you can use terms interchangeably.)

Risk Response Planning is a process of identifying what will you do with all the risks in your Risk Register .

By PMBOK® Guide the process is called Plan Risk Responses.

Click the image to get access to Complete Guide to the Basics of Project Risk Management book and whole PM Basics Library.
Click the image (opens in new tab). Enter your email. Get access to the whole PM Basics Library.

Should You Create Risk Response Plans for All Known Risks?

Should we really do something with each risk?

No, you cannot eliminate all the risks. It is barely possible, and for sure it is unpractical.

You do need to operate within your constraints of budget, time, and scope .

You may have a specific budget for risk management.

Risk Management and risk response plans have a cost. You need to have a budget for that.

What is a Risk Response in Your Project Management Plan?

You need to understand this:

Your risk management efforts are a part of your project.

It is not something standalone.

Risk Response Plans may require:

  1. Updating Project Scope : adding or removing deliverables, work packages, tasks.
  2. Updating Project Budget: adding reserves, allocating money for additional work, resources, expertise.
  3. Updating Schedule : starting work on specific dates, adding reserves of time to critical tasks.
  4. Introduce new processes and workflows.
  5. Hiring a particular expert, consultants.
  6. Outsourcing part of the Project Scope to a third party.

Here’s the catch:

You plan risk responses later during project planning.


So, you do need to update the required areas of the Project Management Plan with the planned responses.

It should be clearly depicted in your plan.

Risk response plans have consequences as residual risks

Every Risk Response Has Consequences

Here is another important concept. Every action has consequences. Therefore, by eliminating one risk quite often, you can introduce new ones.

There are two types of risks you need to be aware of:

  1. Secondary Risks – any new risks created by the implementation of a risk response plan.
  2. Residual Risks – these are the risks that remain after implementation of all risk response plans. They should be appropriately documented and communicated to stakeholders. Since you will do nothing with these risks.

What Can You Do With a Risk?

In fact, there are not many options here. You can:

  • You can do something to avoid risk.
  • You can do something to reduce Impact and/or Probability of a threat.
  • You can do nothing and let the risk happen but use the reserves to minimize the negative impact.
  • You can do nothing and accept the risk and its effects.

What are the best risk responses?

Responses must be timely.

They should eliminate or mitigate risk before it happens.

You need to be proactive .

Waiting for a risk to happen and only then mitigating the negative impact is a bad strategy.


It’s firefighting. It’s not efficient. And it might happen so that the risk occurs when you don’t have available resources to address it.

Or it may stack with other risks or critical activities on the project.

The outcome becomes less predictable.

Responses should be appropriate to the level of a threat or opportunity.

It merely means that you shouldn’t waste $10000 to save $2000 of possible impact. Even $10000 effect might not be worth it if the probability is low.

So, you need to assess the costs and benefits of your risks strategies.

“When a risk occurs, with some ingenuity, this may open up an opportunity, and conversely when pursuing an opportunity there will be associated risks. Risks are generally deemed acceptable if the possible gains exceed the possible losses.” – Rory Burke

They should be developed with the team and stakeholders.

Include stakeholders into Risk Management

The best risk responses are generated in close collaboration with as many experts as practical .

That’s the trick:

Quite often your clients can eliminate a severe risk by making a decision that is beyond your authority.

You may come up with some solution. But will it be worth it?

Likewise, subject matter experts have experience in certain areas of the project. They faced all possible risks.

Why going into the same pitfalls? Just ask them for a solution.

It’s OK if one Risk Response Strategy Acts upon Several Risks.

Ideally, you want to address the root cause of a risk. You need to identify the sources of major threats and fix them.

So, for example, low accuracy of estimates may come from lack of Scope Decomposition.

You can put more time to do the estimates and check them with team members.

But adding a Work Breakdown Structure into your project plan may have a profound and permanent effect.

Risk Response Plan or Risk Response Strategy is an action you take to overcome a threat or leverage an opportunity. But which one is better? First of all risk response plans have a cost. They are the part of the project: costs, schedule, scope of work, etc. So, you need to choose an appropriate one for the risk. Moreover, you need to delegate monitoring and acting on the risk to a project team member. Save the pin and read the article to learn all the tips on managing risks. #projectmanagement #riskmanagement #responseplan #responsestrategy
Pin it to your project management board.

How Does it Happen?

First of all, you need to identify the top risks that warrant a response.

Next, you need to work with your team and stakeholders to develop possible options for risk responses for each risk.

It means that each risk will require either some extra work, some action or decision, or reserves of time and money.

It will help you to know risk tolerance and thresholds to develop the most appropriate responses.

Then you need to communicate these options to sponsor, customer, and some key stakeholders . You may need to get their approval. At least you must inform them.

Once everyone agrees to the suggested risk response plans, make them a part of your project management plan.

“The key benefit of this process is that it addresses the risks by their priority, inserting resources and activities in budget, schedule and project management plan as need.” – PMBOK Guide.

Now you need to review the plan and identify secondary and residual risks.

You may need to repeat the whole risk management process several times until you get a satisfactory plan.

5 Risk Response Strategies

For of all let’s review the response plans for the risks. Then, we will do the same for opportunities.

Examples of Valid Negative Risks (Threats) Responses

.tg {border-collapse:collapse;border-spacing:0;border-color:#999;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#999;color:#444;background-color:#F7FDFA;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#999;color:#fff;background-color:#26ADE4;}
.tg .tg-zy27{font-weight:bold;background-color:#3f47bc;border-color:#000000;text-align:left;vertical-align:top}
.tg .tg-iks7{background-color:#ffffff;border-color:#000000;text-align:left;vertical-align:top}

Risk Register Column Entry
Index 0013
WBS Element 1.6.5
Category HR
Description Resources for mobile development are limited and on high demand.
Effects Unavailability of developers may cause delays. Quality may suffer due to multitasking.
Probability 8
Impact 8
Risk Rank 64
Owner Jane K. (Recruiter)
Response Plan Recruiters will prioritize our openings starting next week.
Develop a cross-project HR plan together with Ann Smith and Ron Nagle.
Secure required resources from other projects.

Avoid – It means you need to do something to eliminate the cause of the threat:

  1. Remove a work package or delivery from WBS to secure delivery of the rest of the project.
  2. Remove a conflicting team member to stop demotivation in the team.
  3. Forbid any work in bad weather to avoid the risk that someone will get hurt.

Mitigate – Do something to reduce the impact or the probability of a threat:

  1. Prototype unclear or risk delivery early on to get early feedback from a customer.
  2. Plan frequent visits to a vendor to learn about problems as early as possible.
  3. Train the team in risk management approach.

Transfer – Take action to make another party responsible for the risk:

  1. Outsource part of a project.
  2. Buy insurance on the property.
  3. Employ a part-time legal or procurement expert.

Actively Accept – It means that you need to develop a (contingency) plan and make reserves for a risk. However, you will only act if and when the risk happens.

  1. If a critical person gets sick – we will get a substitution.
  2. If a work package takes more time, we will work overtime.
  3. If the equipment breaks, we will buy a new one using reserves.

Passively Accept – Do really nothing. If a risk happens, you will need to decide if there is a workaround.

Don't focus only on threats. Leverage project opportunities as well.

Examples of Positive Risk Response Strategies (Opportunities)

.tg {border-collapse:collapse;border-spacing:0;border-color:#999;}
.tg td{font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#999;color:#444;background-color:#F7FDFA;}
.tg th{font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#999;color:#fff;background-color:#26ADE4;}
.tg .tg-zy27{font-weight:bold;background-color:#3f47bc;border-color:#000000;text-align:left;vertical-align:top}
.tg .tg-iks7{background-color:#ffffff;border-color:#000000;text-align:left;vertical-align:top}

Risk Register Column Entry
Index 0043
WBS Element 1.6
Category Technical
Description Purchasing “Photo Grid” module may reduce project duration and costs
Effects A ready-made solution can be used for the Portfolio Feature. It reduces the duration from 2 months to 1 week. It saves about $10000 of the project budget.
Probability 9
Impact 5
Risk Rank 45
Owner Nizhebetskiy D.
Response Plan Added as WBS Element 1.6.1 – Research Results of Available ModulesMake a POC on the integration of the module with the app.
Check copyrights of the premium version.
Acquire approval and budget for the purchase.

Exploit – Do some extra work or change the project plan to make an opportunity happen:

  1. Plan risky work packages for the most experienced team members.
  2. Suggest a better approach to reduce the required efforts.
  3. Suggest a solution to get a new contract from the client.
  4. Finish current project earlier to get another project.

Enhance – Do something to increase the chances or impact of an opportunity:

  1. Buy the equipment beforehand when the price is lower.
  2. Negotiate the transfer of exceptional expert to your team as early as possible.
  3. Promise incentives to the team to finish a project beforehand to start a new one.

Share – Share benefits with another party for an opportunity to happen for both of you.

  1. Create a partnership with a third party to achieve your goals.

You can Actively and Passively Accept opportunities as well as threats.

Escalate Risks as a Risk Response Strategy

Escalate – Do something to get engagement from a stakeholder who can eliminate or mitigate risk.

There is a group of risks that you can’t handle.

However, there is a person who relatively easy can. So, you just need to reach him and get some of his attention.

What is a Risk Owner’s Role in the Risk Response Plan?

Remember this:

You don’t control all Risk Response Plans personally.

You must assign an Owner to each risk.

You actually put the owner’s name (and contacts) into the Risk Register.

Delegate risk response plans to risk owners

This person should monitor the risk.

Sometimes the risk may start impacting your project sooner than you anticipated. Sometimes you may underestimate the risk in general.

So, the owner keeps the assigned risk at the top of the mind .

When the time comes, the owner implements or controls the implementation of a Risk Response Plan. To some degree, you do it as well – but on a higher level.

He or she also controls and reports to you the efficiency of the strategy. If something goes wrong, these problems should be escalated to you.

It’s totally fine if one person owns several risks. But ensure that all those risks don’t happen at the same time. Otherwise, the person will be overwhelmed.


That is all for today. It was not too hard, I believe.

This approach gives a limited number of options. Nevertheless, it provides a robust framework to deal with risks. So you don’t need to invent the wheel.

I Also Recommend Reading:

The post Risk Response Strategy (Definitive Guide with Examples) appeared first on Project Management Basics .

Click For Original Article