
Republic of the Philippines

PRESIDENT RAMON MAGSAYSAY STATE UNIVERSITY


(Formerly Ramon Magsaysay Technological University)
Iba, Zambales

GRADUATE SCHOOL

STUDENT: PHILIP OMAR G. FAMULARCANO


SUBJECT: EXECUTIVE EDUCATION
PROFESSOR: DR. IVY H. CASUPANAN

Risk Management in Executive Planning

I. Risk Mitigation Strategies and Contingency Planning

MITIGATION AND CONTINGENCY RISK PLAN

A risk response strategy outlines both the mitigation and contingency risk plans and forms a
key component of the overall risk management plan. The Project Management Body of
Knowledge (PMBOK) refers to a risk response strategy which is undertaken by a project team
or manager. This plan aims to decrease the probability of a risk occurring, and/or lessen
the consequence or impact of a risk (PMI 2021). As outlined in previous chapters, there are
numerous steps that make up the risk response plan, including identifying, evaluating and
analyzing risks, and creating treatment plans. However, the overarching aim of each of these
steps is to decrease the levels of exposure or likelihood of a risk and its overall consequence.
(PMBOK stands for Project Management Body of Knowledge, and it is the entire collection
of processes, best practices, terminologies, and guidelines that are accepted as standard
within the project management industry. PMBOK is considered valuable for companies as
it helps them standardize practices across various departments, tailor processes to suit
specific needs, and prevent project failures.

Because the body of knowledge is constantly growing as practitioners discover new
methods or best practices, it must be regularly updated and disseminated. This is an effort
that is overseen by the Project Management Institute (PMI), a global not-for-profit member
association of project management professionals. You can find a more in-depth discussion
on PMBOK in Wrike’s Project Management Guide.)

Information collected and documented within the risk register is used to develop a risk
response plan. Each identified risk and opportunity is outlined, along with the level of
likelihood and consequence and the project risk tolerance threshold. Understanding this
information, the project manager and project team are responsible for determining appropriate
risk responses.

Treatment options need to be developed and actions need to be implemented to enhance
opportunities and decrease the impact of risks on project objectives. Therefore, a response
plan fits within the project plan and outlines actions required. This plan increases the
likelihood and outcome of the identified opportunities, while decreasing the impacts of risks.

The response plan is a strategy used to consider proactive actions, whereby risk responses are
about preventing risk rather than cancelling the project altogether. Within the PMBOK, there
are 2 types of risk response plans: contingency and mitigation.

Contingency plan
The contingency response plan outlines the responses and actions to be implemented if or
when a risk occurs (Heimann 2000). Triggers are defined as the cues to execute
contingency risk plans. It is mandatory to track and define the risk triggers to develop the
risk contingency responses. As different triggers occur in the environment, the reserves
can be used.

Both opportunities and risks should be planned for within contingency plans (Heimann
2000). This includes any event which poses a risk or a threat to the project – defined as a
negative risk. Whereas any event which offers an opportunity for the project is defined as
a positive risk. Across both these events, the response planning is in place to ensure that
the most is made out of any opportunity and to provide a strategy to respond to and
overcome risks.

STEPS FOR CREATING THE CONTINGENCY PLAN:

1) Identify specific events which could trigger the implementation of the contingency plan.
2) Document the roles and responsibilities, timeframes or processes, where the plan occurs
and how it will be implemented.
3) Outline guidelines to report and communicate processes. Document how stakeholders
will be engaged, who will send the information, how frequently, and how soon after risks
occur the communication needs to be shared.
4) Monitor and report the contingency plan, ensuring it is up-to-date with all potential risks.

There are 6 primary components of a contingency plan:

Triggers: the ‘things’ that happen which require the implementation of the plan.
Response plan: outlines what will be done in response to the trigger.
Stakeholder engagement: sharing the risk occurrence and the implementation of the
plan with key or primary stakeholders.
Timeframes: consideration of how soon after the trigger or the risk a response action will
be taken.
Likelihood: how likely it is that the risk will occur.
Consequence: the level of consequence or effect of the risk occurring.

A primary tool that can be used to develop a contingency plan is the reserve or
contingency budget and schedule analysis. This tool assists the project manager and
team to determine how much contingency is required for both budget and schedule, based
on the risk register. The contingency or reserve is used to respond to risks as they occur.
The project manager and team need to ensure that the remaining contingency (both
budget and schedule) is sufficient throughout the project life cycle. Where there is less
contingency left compared to the number of risks, the project risk manager may need to
seek additional funding and/or resources or complete a mitigation plan.

Implementing a contingency plan requires effective project management to ensure that all
the strategies, risks and deliverables are managed appropriately. This includes the role of
the project team members, who need to be aware of the risks within the register. They
need to be entrusted to respond when needed and be empowered to implement strategies.
In addition, the project team needs to be comfortable with the overarching risk
management process, ensuring that they are comfortable developing risk mitigation and
implementing contingency plans when identified risks occur. The project manager also
needs to hold project team meetings frequently and encourage the project team members
to be involved.

There are 4 common challenges that project managers and project teams face when
trying to use contingency planning for risks:
• low priority given to risk contingency planning
• project team and stakeholders may be more confident in their original plan
• there are no clear organizational strategies in place for enterprise risk management
• not enough investment in risk identification.

Risk mitigation plans


The risk mitigation plan outlines actions to be taken in advance of a risk occurring or
pre-emptively in response to a risk trigger occurring (Becker 2004). The process for creating
the risk mitigation plan includes identifying, analyzing, planning, implementing, and
monitoring and controlling, as outlined in Figure 5. A primary component of the
mitigation process is an iterative risk management process.

Figure 5. Risk mitigation plan process, by Carmen Reaiche, Samantha Papavasiliou and Frank Anglani, licensed under CC BY (Attribution) 4.0. Figure description: risk mitigation diagram outlining the process for potential risk identification, analysis, evaluation, tracking, prioritization throughout the process.

Risk identification: potential risks are identified and their relationships are defined.
Risk analysis and evaluation: the likelihoods and consequences of risks are assessed.
Consequences can include budget, schedule, technical, performance impacts and
functionality.
Risk prioritization: all identified risks are prioritized and ranked by the most critical to
the least.
Risk mitigation planning, implementation, and monitoring and controlling: risks that
have been analyzed and ranked as high or medium criticality have mitigation planning
conducted.
Risk tracking: throughout the project, the risks are identified and added to the register.

As outlined in the previous chapter, there are many options for responding to the specific
risks within the mitigation process, including accepting, avoiding, controlling,
transferring, monitoring and watching risks.

Mitigation plan content should include:

Roles and responsibilities: this includes documenting who is responsible for identifying
and implementing risks.
High-level mitigation strategies: the aim of creating and developing strategies is to
reduce consequence and likelihood.
Actions and next steps: these need to be identified, based on these primary questions:
• What are the necessary actions?
• What timeframes need to be followed (e.g., when must actions be finalised or implemented)?
• Who is responsible for taking actions?
• What are the necessary resources?
• How will the actions decrease the levels of likelihood and consequence for the potential risks if they were to occur?

The actions required should be completed through one of the processes below:

Backward planning: this is the process of evaluating the impact of the risk and outlining
a schedule for successful intervention (Becker 2004).
Forward planning: this is the process of determining the schedule breakdown required
to implement each step within the action plan, including the expected completion date
(Becker 2004).

These processes will help to evaluate the primary decision points to determine when the
project risk process needs to move from the mitigation plan to the contingency plan.

Similarities and differences: mitigation versus contingency plans

It is recommended to have both risk contingency and mitigation response plans in place
for managing risk management processes within a project and organization. There are
numerous differences which are outlined in Table 15.

Table 15. Risk mitigation versus risk contingency plans

| Risk Mitigation Plan | Risk Contingency Plan |
| --- | --- |
| Actions identified to respond to a potential risk occurring, a risk trigger occurring and/or regardless of risk occurrence. | Actions are planned and conditions are monitored for those that could trigger a risk. Actions are taken when warning signs are identified. |
| Time and money are spent in advance for a specific risk condition. | Time and money are not spent in advance, but money is set aside to use when or as needed. |
| Risk mitigation occurs outside risk thresholds. Applying a mitigation plan can reduce the risk likelihood and consequence. | Contingency plan does not change the likelihood or consequence of risk – the aim is to control the consequence for a risk event that could occur. |
| Used as the initial level of defense for high exposure risks. | Used as a fallback plan for high exposure risks. |
| In specific situations a proactive action plan is required to reduce the likelihood and consequence of risks. The plan is about supporting the contingency plan. | The contingency reserve is documented in the project management plan to support the budget and/or schedule risk. |

There are numerous factors which need to be considered as part of risk mitigation and
contingency plans (Becker 2004), including:

Understanding clients and stakeholder needs: who are the risk decision-makers and
who has the authority to accept and avoid risks?
Liaising with subject matter experts: seek input from experts inside and outside of the
organization.
Recognizing the chance of risks reoccurring: identify and maintain risk awareness, to
ensure that all stakeholders understand that there is always a level of risk present.
Encouraging risk-taking: there are consequences to not taking risks – some may be
negative, others may be positive. There is a need to take some risks to identify and
respond to opportunities.
Recognizing opportunities: there are opportunities that can arise from taking risks.
Identify whether there is an advantage to taking risks (e.g., performance, capability,
flexibility, efficiency).
Encouraging deliberate consideration for mitigation or treatment options: there
needs to be careful analysis of the options to mitigate risks and discussion with project
teams, stakeholders and subject matter experts on the value of specific options.
Not all risks require mitigation: low ranked risks do not require considerable mitigation
planning; however, they need to be tracked, monitored and controlled in case of changes.

The post-project review should include the risk management process, including learnings
from the project, an analysis of how the project went, an evaluation of what occurred
during the project, whether there needs to be improvements, and what went well.

MONITORING AND CONTROLLING PROCESS

Developing the risk response plans (including contingency and mitigation plans) requires
developing and implementing a corresponding monitoring and controlling process. In risk
management, a monitoring and controlling process is ongoing throughout the project life
cycle. This involves developing processes which document information, which in turn
assists with making informed decisions, either before, during or after a risk occurrence.
These processes include:

• evaluating the risk response plans implemented
• assessing effectiveness of the actions taken
• ongoing environmental monitoring for potential risk triggers
• reassessing identified risks to examine if there are any changes in their exposure levels
• once a risk has been triggered and a response action taken, determining the residual risks
• creating assurance processes to ensure that policies and procedures associated with risk plans are used
• determining the validity of the contingency plans implemented or not used
• accounting for project scope, schedule, budget and quality changes that may have been approved throughout the project life cycle
• ongoing assessment of whether the project assumptions, constraints, and risks are valid.

There are 2 primary elements within the process for controlling risks within a project:

Regular risk reviews. At least once a week, the project manager and team should
allocate time to review the identified risks, identify new risks and monitor progress of all
the risks which have been triggered or up/down graded. This process should include a
periodic, in-detail review of the entire process and risk register.
Project risk reporting. This involves ensuring that risk exposure levels are documented,
with high likelihood and consequence risks documented within ongoing status reporting.
At a minimum, the top 10 risks should be outlined within the status and performance
reporting. This includes any actions taken to respond to a risk arising or a trigger
occurring.

The monitoring and controlling process occurs throughout the project life cycle; however,
there are some primary documents which are used to support the process. These include:

Risk response plan: outlines the current state of risks, the potential future impacts if the
risk was to occur and the responses required.
Risk register: used for tracking project risks.
Change requests: a log which includes the variations, change orders and changes
implemented throughout the project.
Project communications: all the communications that relate to managing the project and
the corresponding risks.
Post project review: understanding the effectiveness of the project risk responses and
overall management process within the project. This includes identifying opportunities
for improvement.

Tools for project risk monitoring and controlling

There are many tools which can be used to support monitoring and controlling in the
project risk management space. The tools can be either manual or automated. These tools
include project risk audits, status reporting and meetings, project risk assessments, change
variance, and risk trend analysis.

These processes can be run manually or streamlined to be automated, depending on the
size of the project, the complexity and the industry. Regardless of how the monitoring and
controlling is completed, the information needs to be collected and displayed in real-time
or as close to real-time. This enables project managers, project team members and
stakeholders to track risks, and allows the assessment of risk, based on up-to-date
information.

10 Risk Mitigation Strategies to Consider

When managing risks in any business or project, it’s essential to have a robust risk mitigation plan in
place. Here are 10 common risk mitigation strategies.

1. Risk acceptance. Risk acceptance acknowledges a risk and accepts its potential
consequences without taking further actions to mitigate or eliminate it. This approach is
appropriate when the likelihood and impact of the risk are both low, and the cost of
addressing it outweighs the potential benefits.

2. Risk avoidance. This approach completely avoids the activity that carries the potential risk.
For instance, if a customer has a history of defaulting on loans, lending money to that person
poses a serious credit risk. To avoid it, an entity may decide to decline the customer’s loan
application. This approach is suitable when the potential impact of the risk is high and the
cost of mitigating it is significant.

3. Risk transfer. As the name suggests, risk transference transfers the risk to another party
when accepting or avoiding the risk yourself is not feasible – say, purchasing an insurance
policy to cover the costs of a data breach. This approach is suitable for risks with a high
potential impact and significant mitigation costs. It can, however, result in additional costs,
and should be implemented after thoroughly evaluating risks and costs.

4. Risk sharing. In this approach, business partners, stakeholders, or other third parties share the
risk. If the risk then happens, the responsibility or loss will not fall solely on one party. This
approach suits risks with a significant potential impact that cannot be avoided. It’s important
to establish clear agreements and communication channels in advance to assure effective risk
sharing and minimize the potential for disputes.

5. Risk buffering. Buffering is the act of adding extra resources, time, or personnel to mitigate
the potential impact of a risk. For example, implementing redundant servers or backup
systems can reduce the risk of a critical system failure.

6. Risk strategizing. Risk strategizing involves creating a contingency plan or “Plan B” for
certain risks. For example, if the project’s size makes risk management a challenge,
developing an alternative plan to manage the project in smaller segments can reduce potential
risks.

7. Risk testing. Risk testing is the performance of tests (usually many tests) to verify that a
project is secure and functions as intended. Make sure you complete the testing phase to meet
deadlines and avoid vulnerabilities that threat actors may exploit. A comprehensive risk
testing program should include various techniques, such as vulnerability assessments and
code reviews, to identify and remediate potential security issues.

8. Risk quantification. Accurately quantifying risks allows an organization to determine the
potential financial implications of a risk event. This information is critical for making
informed decisions about risk transfer through insurance purchases or risk sharing among
stakeholders. Moreover, quantifying risks helps you to prioritize them in the risk register
based on their potential impact; that allows you to allocate resources more effectively.

9. Risk reduction. Risk reduction is the implementation of risk controls to mitigate potential
hazards or bad outcomes that may arise during a project or with an enterprise. Reduction
helps to enhance the safety and security of the projects and the organization by identifying
and addressing potential risks before they become significant.

10. Risk digitization. Risk digitization uses digital tools and technologies to transform how
businesses recognize, evaluate, control, and reduce risks. This involves integrating digital
solutions that provide features such as machine learning, data analytics, automation, and
artificial intelligence to enhance the efficacy of risk management systems.

Crisis Management and Response

What is Crisis Management?

Crisis Management is an organization’s process- and strategy-based approach for identifying and
responding to a threat, an unanticipated event, or any negative disruption with the potential to harm
people, property, or business processes. Being prepared for any event to become a crisis requires a
crisis management plan.

Crises can occur at any moment with or without warning, and can take many forms: natural disasters,
active shooter scenarios, terrorist events, mass violence occurrences, and even global pandemics.
Beyond any immediate threat to people, property, and processes, crises and critical emergency events
often yield unpredictable and cascading effects on employee morale, brand reputation, customer
satisfaction, and even the supply chain.

Proper planning for critical events includes establishing a crisis management team and developing a
crisis management (CM) plan to keep people from harm, maintain business continuity, enable
recovery from disaster, and protect assets before, during, and after a critical event occurs. Further, it is
imperative that every organization validates and tests its CM plan and deploys the right emergency
communications technology to support crisis response across the organization.

How to Assemble a Crisis Management Team


It’s critical for all CM stakeholders to have a holistic, common operating picture and reliable
emergency communications to ensure the crisis response plan is executed as designed. CM teams
often comprise operations, finance, and human resources personnel, as well as legal representatives. A
crisis manager is a pivotal member of the crisis team. The crisis manager directs the organization’s
execution of the CM plan and the organization’s public response to the event.

Organizations should recruit CM team members who specialize in a component of the CM plan. An
IT team member is well suited to manage any technology components, and a human resources
representative is appropriate for handling any employee support following the event. A legal
representative and senior leadership member can advise on big-picture perspectives to ensure
decisions are not jeopardizing the organization.

How to Build, Evaluate and Test a Crisis Management Plan


A crisis management plan prepares an organization for the unpredictable, defines roles and responses,
and minimizes the damage to the organization, its employees, and its customers.

Distributed enterprises and teams can complicate how a crisis team builds, evaluates, and tests a CM
plan. The dispersed nature sets up challenges and introduces many distractions to a team responding
to an incident or business disruption.

Building a Crisis Management Plan


A timely and precise response to each critical event is essential to minimize the impact of the crisis. A
CM plan must prevent delays, missed tasks and assignments, or laggy crisis response times. Even if
crises aren’t all digital, “digital-first” is the best way to approach developing a crisis management
plan. For example, if the organization has only one physical campus, an on-premises solution could
prove a pitfall if the operations center were to become inaccessible.

When building a CM plan, an organization must facilitate communications and coordination that are
clear and quick, relying on CM technology that ensures the safety of people, the protection of assets,
and the effective recovery of business as usual.

Successful CM plans address five essential topics: people, facilities/critical infrastructure,
technology, business, and brand reputation.

People: People are every organization’s most important asset, and enterprises have a duty of care to
their employees. Ensure that in every critical event, the crisis team can answer whether lives are in
danger, if there is a physical safety issue, and whether there will be an impact on employees,
customers, visitors, and vendors. How will they be notified with emergency notifications?

Facilities/Critical Infrastructure: Facilities and critical infrastructure must be checked to ascertain
whether they have been impacted by the event or are at risk of harm in the event of a crisis that plays
out over time.

Technology: A crisis management plan must cover technology as well. Ask yourself: is there a
service disruption, an information security issue, or risk of either? Who is on point for addressing
potential or actual failures in technical infrastructure during a critical event?

Business: In a crisis, business processes and activities need to be included in the CM plan. Can the
organization still perform mission-critical business processes? Is this crisis affecting customers or
having a significant financial impact on the company?

Brand Reputation: In a crisis, brand reputation may seem less of a priority, but that’s why it must be
included in the plan. In a crisis, brand reputation is always at stake. How will team members
collaborate to respond quickly to prevent any extreme brand-reputation fallout?

Evaluating a Crisis Management Plan


Evaluating a CM plan requires determining whether the components of the plan are necessary and
adequate to protect, manage and recover from a critical event, and to assess the feasibility of planned
actions.

For example, higher education institutions orchestrating a return to in-person classes amid a global
pandemic have entirely new sets of requirements and potential scenarios. The following questions
require evaluation to determine whether there are more resources needed and to identify how the
intended results will be attained:

• What happens when one person gets sick? What happens when a cluster of people gets sick?
• How do we maintain compliance with regulations requiring timely notifications of illness on campus?
• How are we tracking this reporting and communications data?
• How are we coordinating these communications between Health Services/HR/the student and faculty body?
• How do we monitor the overall operations on campus at all times?

Answering the set of questions above (and so many more criteria) is a necessary step in the creation
and evaluation of a crisis management and response plan.

Testing a Crisis Management Plan


Testing a CM plan is a non-negotiable step in validating the plan’s ongoing efficacy. It ensures the
CM plan can be executed as designed and reveals any gaps in the intended flow of operations or
personnel assigned to the task force. Periodic testing also affirms that no aspects of the plan become
obsolete.

A CM plan should be tested against specific scenarios. Simulations of hurricanes, earthquakes, flash
floods, utility failures, active shooters, or bomb threats are examples of scenarios to test against.
Scenario-based testing will allow the CM team to ensure accurate contact information and scenario-
specific messaging is loaded into the CM communications solution and the execution of emergency
notifications goes as intended.

Testing a CM plan can identify gaps and enable the organization to account for conditions such
as:

Human error: Crises are high-stress situations. “Shaky finger syndrome” is inevitable in such
moments, so it’s critical to ensure the CM team isn’t experiencing the CM plan actions for the first
time in a crisis.
Email fatigue: When employees get so many emails per day that they tune out crisis notification
emails, how do you cut through the noise in an emergency event? Try phone notifications.
The time-consuming nature of emails and phone trees: In a crisis, where every second counts, the
answer is to digitize the crisis response actions using defined policies and a tool offering automated,
one-click alerts.
Dispersed workforce: Does your CM plan use a centralized solution that enables communication
with all stakeholders through one integrated platform?

When seconds make the difference, any number of minutes spent to regroup, repeat, update, or
coordinate is too many. To implement complete crisis management, an automated, end-to-end
solution like Everbridge Critical Event Management platform (CEM) covers all the bases: emergency
notification, critical communication, risk/situation comprehension, crisis management, reporting, and
analysis. The CEM platform automates manual processes, increasing speed and decisiveness, and
improving the accuracy of a leader’s risk assessment and response. It also uses ad hoc data feeds to
provide richer intelligence and correlate threats with locations of assets and people, enabling more
rapid and comprehensive incident assessment and remediation.

Stages of a crisis
Warning and risk assessment. As important as it may be to identify risks and plan for ways to
minimize those risks and their effects, it is equally important to establish monitoring systems that can
provide early warning signals of any foreseeable crisis. These early warning systems can take a
variety of forms and differ widely based on the identified risks.

Some early warning systems might be mechanical or electronic. For instance, thermography is
sometimes used to detect a build-up of heat before a fire starts. Other early warning systems may
consist of financial metrics. For example, an organization might be able to anticipate a substantial
drop in revenue by monitoring its customers' stock prices.

Key steps at each stage of a crisis


The key to effective pre-crisis planning is to involve as many stakeholders as possible. That way, all
areas of the organization are represented in the risk identification and risk planning process. Corporate
crisis response teams often include representatives from the organization's legal, human resources
(HR), finance and operations staff. It is also customary to identify someone to act as a crisis manager.

Crisis response and management. When a crisis occurs, the crisis manager is responsible for
directing the organization's response in accordance with its established crisis management plan. The
crisis manager is usually also the person who is tasked with communicating to the public.

If a crisis affects public health or safety, then the crisis manager should make a public statement as
quickly as possible. In a public crisis, the media will inevitably seek out employees for comment. It is
important for the organization's employees to know ahead of time who is and is not authorized to
speak to the media. Employees who are allowed to speak to the media must do so in a manner
consistent with what the crisis manager is saying.

Post-crisis and resolution. After a crisis subsides and business begins to return to normal, the crisis
manager should continue to meet with members of the crisis management team, especially those from
the legal and finance departments, to evaluate the progression of the recovery efforts. At the same
time, the crisis manager will need to provide the latest information to key stakeholders to keep them
aware of the current situation.

Following a crisis, it is also important for the crisis management team to revisit the organization's
crisis management plan with the goal of evaluating how well the plan worked and what aspects of the
plan need to be revised based on what was learned during the crisis.

Best practices for managing a crisis


The field of crisis management is generally considered to have originated with Johnson & Johnson's
handling of a situation in 1982, when cyanide-laced Tylenol killed seven people in the Chicago area.
The company immediately recalled all Tylenol capsules in the country and offered free products in
tamper-proof packaging. As a result of the company's swift and effective response, the effect on
shareholders was minimized and the brand recovered and flourished.

Today, virtually all major corporations, nonprofit agencies and public sector organizations use crisis
management. Developing, practicing and updating a crisis management plan is a critical piece of
ensuring a business can respond to unforeseen disasters. The nature of the crisis management
activities can vary, however, based on the organization type. For instance, a manufacturing company
will likely need a crisis management plan for responding to a large-scale industrial accident, such as
an explosion or chemical spill, whereas an insurance company would be far less likely to face such
risks.

Of course, it doesn't take something as dramatic as an industrial accident to require the activation of a
crisis management plan. Any event that has the potential to damage the organization's finances or
reputation may be cause for putting the crisis management plan into action.

This was last updated in April 2020



CRISIS RESPONSE CYCLE


Emerging and acute crises require swift responses, not only to alleviate human suffering, but also to
avoid or prevent further escalation, to promote dialogue, reconciliation and reconstruction,
and to protect EU citizens. Unlike in other areas of foreign policy, the capacity of the EU to meet the
needs and challenges that (often unexpectedly) arise in natural and man-made emergencies crucially
depends on its ability to take, in real time, ad hoc decisions and actions. In short, when crises erupt,
though they seldom follow a predictable pattern, immediate attention and coordination are required.
Response is thus complementary to medium- to long-term measures and an integral part of a
comprehensive approach that includes conflict prevention and peace building, CSDP missions or
development programmes.

THE EU SITUATION ROOM


The EU Situation Room is the first point of contact for all information on crisis situations. It is a
permanent stand-by body that serves as a situation information hub for all relevant stakeholders from
the European institutions. It acts as the EEAS switchboard and embeds within situation reports or
flash reports all crisis related information provided, among others, by EU Delegations, EU Member
States, EU CSDP Operations and Missions, EUSR teams, and International Organisations.

More specifically, the EU Situation Room:

• Monitors and reports on worldwide events on a 24/7 basis, focusing on topics and issues relevant for
the EEAS and the EU as a whole;
• Liaises 24/7 with CSDP Missions and Operations through a Watchkeeping Capability, as well as with
EU Delegations;
• Supports HRVP and relevant EEAS services, the Council, and cooperates closely with the
Commission;
• Plays a role in the EU Integrated Political Crisis Response arrangements (IPCR) to support political
coordination and decision-making in major, complex, inter-disciplinary crisis;
• Manages and develops relations with national crisis response and crisis coordination centres of EU
Member States;
• Has regular contacts with other regional and international organizations' crisis centres, such as the UN
Department for Peacekeeping Operations (UN DPKO), League of Arab States (LAS), African Union
(AU) and the Association of Southeast Asian Nations (ASEAN).

Step 3. Risk response

The final step in the risk management process is developing the risk
response or treatment plan. This is added to the risk register and provides
vital information for what actions need to be taken if a risk occurs or is
occurring (Lavanya and Malarvizhi 2008). As risks can be triggered at any
stage of the project, the treatment plan requires an appropriate level of
detail. The risk response plan requires numerous components, including:

• risk description associated with the risk analysis and assessment
• planned action to respond to the risk arising
• owner of risk response actions
• commitment date required to finalise actions.

The level of detail required for risk management plans will differ depending
on their likelihood or consequence (Lavanya and Malarvizhi 2008).

• For the most significant risks (e.g., high likelihood and consequence),
a detailed action plan is necessary.
• For medium risks (e.g., medium likelihood and consequence), a brief
action plan will do.
• For small risks (e.g., low likelihood and consequence), no action plan
may be required at all.

It is important that all risks within the action plan be allocated to a person
who can take the actions required to respond to the risk. The action plan
includes the following.

1. The response plan

Each risk identified must be documented within the risk register and these
need to be discussed with the project sponsors and stakeholders. The
process needs to be understood by the project manager.

Action or response plans are not necessary for all risks. There are different
responses which can be applied to the risks identified (Kendrick 2019),
including:
• Avoid: threat to be eliminated or removed.
• Transfer: shift the risk to a third party.
• Mitigate/treat: take actions to reduce the probability or impact of the
risk occurring.
• Accept: where necessary, it may be important to proceed and accept
the risk.

The risk response plan needs to consider the impact on schedule and
budget. Therefore, when planning a risk response schedule, a budget
needs to be outlined as precisely as possible. By being precise in the risk
response plan, alternative actions can support the implementation of
integrated changes.

Once the response plan is successfully implemented, risk scores can be
lowered or adjusted based on the current environment.

2. Risk triggers

Each risk trigger needs to be documented within the broader risk register.
The triggers can be used to identify the causes or warning signs.
Furthermore, understanding triggers can support identifying risks that are
about to occur, or provide an indication about certain risks that are likely to
occur. Table 12 outlines an example of the risk triggers.

Table 12. Risk trigger examples

Risk Event                     | Risk Trigger
Schedule delay due to weather  | Confirmed extended forecast showing adverse weather is set to occur
Limited resource availability  | Unexpected leave due to illness

3. Risk ownership

Every risk must be allocated an owner and this person must be
documented within the risk register (Lavanya and Malarvizhi 2008). A risk
owner is the person or position who can monitor the risk and undertake
actions in the response plans. This risk owner reports changes to risk
status and takes necessary actions.

An example of a risk register is outlined in Table 13, showing the different
triggers and response plans. The risk register needs to be updated
throughout the risk management process and across the project
management life cycle.
Table 13. Risk register example

REFERENCES

https://jcu.pressbooks.pub/pmriskquality/chapter/module-4-mitigation-and-contingency-risk-plan/#:~:text=Risk%20mitigation%20occurs%20outside%20risk,risk%20event%20that%20could%20occur.

https://www.everbridge.com/blog/what-is-crisis-management/#:~:text=Crisis%20Management%20is%20an%20organization's,%2C%20property%2C%20or%20business%20processes.

https://www.techtarget.com/whatis/definition/crisis-management

https://www.techtarget.com/searchdisasterrecovery/definition/crisis-management-plan-CMP

https://reciprocity.com/blog/11-proven-risk-mitigation-strategies/

https://jcu.pressbooks.pub/pmriskquality/chapter/module-3-risk-management-process-by-life-cycle-phase/
