A risk response strategy outlines both the mitigation and contingency risk plans and forms a
key component of the overall risk management plan. The Project Management Body of
Knowledge (PMBOK) refers to a risk response strategy which is undertaken by a project team
or manager. This plan aims to decrease the probability of a risk occurring and/or lessen
the consequence or impact of a risk (PMI 2021). As outlined in previous chapters, there are
numerous steps that make up the risk response plan, including identifying, evaluating and
analyzing risks, and creating treatment plans. However, the overarching aim of each of these
steps is to decrease the level of exposure or likelihood of a risk and its overall consequence.
(PMBOK stands for Project Management Body of Knowledge: the entire collection of
processes, best practices, terminologies and guidelines that are accepted as standard
within the project management industry. PMBOK is considered valuable for companies as
it helps them standardize practices across departments, tailor processes to suit
specific needs, and prevent project failures.)
Information collected and documented within the risk register is used to develop a risk
response plan. Each identified risk and opportunity is outlined, along with the level of
likelihood and consequence and the project risk tolerance threshold. Understanding this
information, the project manager and project team are responsible for determining appropriate
risk responses.
The response plan is a strategy used to consider proactive actions, whereby risk responses are
about preventing risk rather than cancelling the project altogether. Within the PMBOK, there
are 2 types of risk response plans: contingency and mitigation.
Contingency plan
The contingency response plan outlines the responses and actions to be implemented if or
when a risk occurs (Heimann 2000). Triggers are defined as the cues to execute
contingency risk plans. It is mandatory to track and define the risk triggers to develop the
risk contingency responses. As different triggers occur in the environment, the reserves
can be used.
Both opportunities and risks should be planned for within contingency plans (Heimann
2000). This includes any event which poses a risk or a threat to the project, defined as a
negative risk, whereas any event which offers an opportunity for the project is defined as
a positive risk. Across both these events, the response planning is in place to ensure that
the most is made out of any opportunity and to provide a strategy to respond to and
overcome risks.
1) Identify specific events which could trigger the implementation of the contingency plan.
2) Document the roles and responsibilities, timeframes or processes, where the plan occurs
and how it will be implemented.
3) Outline guidelines to report and communicate processes. Document how stakeholders
will be engaged, who will send the information, how frequently, and how soon after risks
occur the communication needs to be shared.
4) Monitor and report the contingency plan, ensuring it is up-to-date with all potential risks.
There are 6 primary components of a contingency plan:
Triggers: the ‘things’ that happen which require the implementation of the plan.
Response plan: outlines what will be done in response to the trigger.
Stakeholder engagement: sharing the risk occurrence and the implementation of the
plan with key or primary stakeholders.
Timeframes: consideration of how soon after the trigger or the risk a response action will
be taken.
Likelihood: how likely it is that the risk will occur.
Consequence: the level of consequence or effect of the risk occurring.
A primary tool that can be used to develop a contingency plan is the reserve or
contingency budget and schedule analysis. This tool assists the project manager and
team to determine how much contingency is required for both budget and schedule, based
on the risk register. The contingency or reserve is used to respond to risks as they occur.
The project manager and team need to ensure that the remaining contingency (both
budget and schedule) is sufficient throughout the project life cycle. Where the remaining
contingency is small relative to the number of outstanding risks, the project risk manager may
need to seek additional funding and/or resources or complete a mitigation plan.
Implementing a contingency plan requires effective project management to ensure that all
the strategies, risks and deliverables are managed appropriately. This includes the role of
the project team members, who need to be aware of the risks within the register. They
need to be entrusted to respond when needed and be empowered to implement strategies.
In addition, the project team needs to be comfortable with the overarching risk
management process, ensuring that they are comfortable developing risk mitigation and
implementing contingency plans when identified risks occur. The project manager also
needs to hold project team meetings frequently and encourage the project team members
to be involved.
There are 4 common challenges that project managers and project teams face when
trying to use contingency planning for risks:
1) low priority given to risk contingency planning
2) project team and stakeholders may be more confident in their original plan
3) there are no clear organizational strategies in place for enterprise risk management
4) not enough investment in risk identification.
Risk mitigation diagram outlining the process for potential risk identification, analysis,
evaluation, tracking and prioritization throughout the process
Risk identification: potential risks are identified and their relationships are defined.
Risk analysis and evaluation: the likelihoods and consequences of risks are assessed.
Consequences can include budget, schedule, technical, performance impacts and
functionality.
Risk prioritization: all identified risks are prioritized and ranked by the most critical to
the least.
Risk mitigation planning, implementation, and monitoring and controlling: risks that
have been analyzed and ranked as high or medium criticality have mitigation planning
conducted.
Risk tracking: throughout the project, the risks are identified and added to the register.
As outlined in the previous chapter, there are many options for responding to the specific
risks within the mitigation process, including accepting, avoiding, controlling,
transferring, monitoring and watching risks.
Roles and responsibilities: this includes documenting who is responsible for identifying
risks and implementing the responses to them.
High-level mitigation strategies: the aim of creating and developing strategies is to
reduce consequence and likelihood.
Actions and next steps: these need to be identified, based on these primary questions:
What are the necessary actions?
What timeframes need to be followed (e.g., when must actions be finalised or
implemented)?
Who is responsible for taking actions?
What are the necessary resources?
How will the actions decrease the levels of likelihood and consequence for the
potential risks if they were to occur?
The actions required should be completed through one of the processes below:
Backward planning: this is the process of evaluating the impact of the risk and outlining
a schedule for successful intervention (Becker 2004).
Forward planning: this is the process of determining the schedule breakdown required
to implement each step within the action plan, including the expected completion date
(Becker 2004).
These processes will help to evaluate the primary decision points to determine when the
project risk process needs to move from the mitigation plan to the contingency plan.
It is recommended to have both risk contingency and mitigation response plans in place
for managing risk within a project and organization. There are
numerous differences between the two, which are outlined in Table 15.
Understanding clients and stakeholder needs: who are the risk decision-makers and
who has the authority to accept and avoid risks?
Liaising with subject matter experts: seek input from experts inside and outside of the
organization.
Recognizing the chance of risks reoccurring: identify and maintain risk awareness, to
ensure that all stakeholders understand that there is always a level of risk present.
Encouraging risk-taking: there are consequences to not taking risks – some may be
negative, others may be positive. There is a need to take some risks to identify and
respond to opportunities.
Recognizing opportunities: there are opportunities that can arise from taking risks.
Identify whether there is an advantage to taking risks (e.g., performance, capability,
flexibility, efficiency).
Encouraging deliberate consideration for mitigation or treatment options: there
needs to be careful analysis of the options to mitigate risks and discussion with project
teams, stakeholders and subject matter experts on the value of specific options.
Not all risks require mitigation: low-ranked risks do not require considerable mitigation
planning; however, they need to be tracked, monitored and controlled in case of changes.
The post-project review should include the risk management process, including learnings
from the project, an analysis of how the project went, an evaluation of what occurred
during the project, whether there needs to be improvements, and what went well.
MONITORING AND CONTROLLING PROCESS
Developing the risk response plans (including contingency and mitigation plans) requires
developing and implementing a corresponding monitoring and controlling process. In risk
management, the monitoring and controlling process is ongoing throughout the project life
cycle. It involves developing processes which document information, which in turn
assists with making informed decisions before, during or after a risk occurrence.
These processes include:
Regular risk reviews. At least once a week, the project manager and team should
allocate time to review the identified risks, identify new risks and monitor the progress of all
the risks which have been triggered, upgraded or downgraded. This process should include a
periodic, detailed review of the entire process and risk register.
Project risk reporting. This involves ensuring that risk exposure levels are documented,
with high likelihood and consequence risks documented within ongoing status reporting.
At a minimum, the top 10 risks should be outlined within the status and performance
reporting. This includes any actions taken to respond to a risk arising or a trigger
occurring.
The monitoring and controlling process occurs throughout the project life cycle; however,
there are some primary documents which are used to support the process. These include:
Risk response plan: outlines the current state of risks, the potential future impacts if the
risk was to occur and the responses required.
Risk register: used for tracking project risks.
Change requests: a log which includes the variations, change orders and changes
implemented throughout the project.
Project communications: all the communications that relate to managing the project and
the corresponding risks.
Post-project review: understanding the effectiveness of the project risk responses and
the overall management process within the project. This includes identifying opportunities
for improvement.
Tools for project risk monitoring and controlling
There are many tools which can be used to support monitoring and controlling in the
project risk management space. The tools can be either manual or automated. These tools
include project risk audits, status reporting and meetings, project risk assessments, change
variance, and risk trend analysis.
When managing risks in any business or project, it’s essential to have a robust risk mitigation plan in
place. Here are 10 common risk mitigation strategies.
2. Risk avoidance. This approach completely avoids the activity that carries the potential risk.
For instance, if a customer has a history of defaulting on loans, lending money to that person
poses a serious credit risk. To avoid it, an entity may decide to decline the customer’s loan
application. This approach is suitable when the potential impact of the risk is high and the
cost of mitigating it is significant.
3. Risk transfer. As the name suggests, risk transference transfers the risk to another party
when accepting or avoiding the risk yourself is not feasible – say, purchasing an insurance
policy to cover the costs of a data breach. This approach is suitable for risks with a high
potential impact and significant mitigation costs. It can, however, result in additional costs,
and should be implemented after thoroughly evaluating risks and costs.
4. Risk sharing. In this approach, business partners, stakeholders, or other third parties share the
risk. If the risk then happens, the responsibility or loss will not fall solely on one party. This
approach suits risks with a significant potential impact that cannot be avoided. It’s important
to establish clear agreements and communication channels in advance to ensure effective risk
sharing and minimize the potential for disputes.
5. Risk buffering. Buffering is the act of adding extra resources, time, or personnel to mitigate
the potential impact of a risk. For example, implementing redundant servers or backup
systems can reduce the risk of a critical system failure.
7. Risk testing. Risk testing is the performance of tests (usually many tests) to verify that a
project is secure and functions as intended. Make sure you complete the testing phase to meet
deadlines and avoid vulnerabilities that threat actors may exploit. A comprehensive risk
testing program should include various techniques, such as vulnerability assessments and
code reviews, to identify and remediate potential security issues.
10. Risk digitization. Risk digitization uses digital tools and technologies to transform how
businesses recognize, evaluate, control, and reduce risks. This involves integrating digital
solutions that provide features such as machine learning, data analytics, automation, and
artificial intelligence to enhance the efficacy of risk management systems.
Crisis Management is an organization’s process- and strategy-based approach for identifying and
responding to a threat, an unanticipated event, or any negative disruption with the potential to harm
people, property, or business processes. Being prepared for any event to become a crisis requires a
crisis management plan.
Crises can occur at any moment with or without warning, and can take many forms: natural disasters,
active shooter scenarios, terrorist events, mass violence occurrences, and even global pandemics.
Beyond any immediate threat to people, property, and processes, crises and critical emergency events
often yield unpredictable and cascading effects on employee morale, brand reputation, customer
satisfaction, and even the supply chain.
Proper planning for critical events includes establishing a crisis management team and developing a
crisis management (CM) plan to keep people from harm, maintain business continuity, enable
recovery from disaster, and protect assets before, during, and after a critical event occurs. Further, it is
imperative that every organization validates and tests its CM plan and deploys the right emergency
communications technology to support crisis response across the organization.
Organizations should recruit CM team members who specialize in a component of the CM plan. An
IT team member is well suited to manage any technology components, and a human resources
representative is appropriate for handling any employee support following the event. A legal
representative and senior leadership member can advise on big-picture perspectives to ensure
decisions are not jeopardizing the organization.
Distributed enterprises and teams can complicate how a crisis team builds, evaluates, and tests a CM
plan. The dispersed nature sets up challenges and introduces many distractions to a team responding
to an incident or business disruption.
When building a CM plan, an organization must facilitate communications and coordination that are
clear and quick, relying on CM technology that ensures the safety of people, the protection of assets,
and the effective recovery of business as usual.
People: People are every organization’s most important asset, and enterprises have a duty of care to
their employees. Ensure that in every critical event, the crisis team can answer whether lives are in
danger, if there is a physical safety issue, and whether there will be an impact on employees,
customers, visitors, and vendors. How will they be notified with emergency notifications?
Technology: A crisis management plan must cover technology as well. Ask yourself: is there a
service disruption, an information security issue, or risk of either? Who is on point for addressing
potential or actual failures in technical infrastructure during a critical event?
Business: In a crisis, business processes and activities need to be included in the CM plan. Can the
organization still perform mission-critical business processes? Is this crisis affecting customers or
having a significant financial impact on the company?
Brand Reputation: In a crisis, brand reputation may seem less of a priority, but that’s why it must be
included in the plan. In a crisis, brand reputation is always at stake. How will team members
collaborate to respond quickly to prevent any extreme brand-reputation fallout?
For example, higher education institutions orchestrating a return to in-person classes amid a global
pandemic have entirely new sets of requirements and potential scenarios. The following questions
require evaluation to determine whether there are more resources needed and to identify how the
intended results will be attained:
What happens when one person gets sick? What happens when a cluster of people gets sick?
How do we maintain compliance with regulations requiring timely notifications of illness on
campus?
How are we tracking this reporting and communications data?
How are we coordinating these communications between Health Services/HR/the student and
faculty body?
How do we monitor the overall operations on campus at all times?
Answering the set of questions above (and so many more criteria) is a necessary step in the creation
and evaluation of a crisis management and response plan.
A CM plan should be tested against specific scenarios. Simulations of hurricanes, earthquakes, flash
floods, utility failures, active shooters, or bomb threats are examples of scenarios to test against.
Scenario-based testing will allow the CM team to ensure accurate contact information and scenario-
specific messaging is loaded into the CM communications solution and the execution of emergency
notifications goes as intended.
Testing a CM plan can identify gaps and enable the organization to account for conditions such
as:
Human error: Crises are high-stress situations. “Shaky finger syndrome” is inevitable in such
moments, so it’s critical to ensure the CM team isn’t experiencing the CM plan actions for the first
time in a crisis.
Email fatigue: When employees get so many emails per day that they tune out crisis notification
emails, how do you cut through the noise in an emergency event? Try phone notifications.
The time-consuming nature of emails and phone trees: In a crisis, where every second counts, the
answer is to digitize the crisis response actions using defined policies and a tool offering automated,
one-click alerts.
Dispersed workforce: Does your CM plan use a centralized solution that enables communication
with all stakeholders through one integrated platform?
When seconds make the difference, any number of minutes spent to regroup, repeat, update, or
coordinate is too many. To implement complete crisis management, an automated, end-to-end
solution like the Everbridge Critical Event Management (CEM) platform covers all the bases: emergency
notification, critical communication, risk/situation comprehension, crisis management, reporting, and
analysis. The CEM platform automates manual processes, increasing speed and decisiveness and
improving the accuracy of leaders’ risk assessment and response. It also uses ad hoc data feeds to
provide richer intelligence and correlate threats with the locations of assets and people, enabling more
rapid and comprehensive incident assessment and remediation.
Stages of a crisis
Warning and risk assessment. As important as it may be to identify risks and plan for ways to
minimize those risks and their effects, it is equally important to establish monitoring systems that can
provide early warning signals of any foreseeable crisis. These early warning systems can take a
variety of forms and differ widely based on the identified risks.
Some early warning systems might be mechanical or electronic. For instance, thermography is
sometimes used to detect a build-up of heat before a fire starts. Other early warning systems may
consist of financial metrics. For example, an organization might be able to anticipate a substantial
drop in revenue by monitoring its customers' stock prices.
Crisis response and management. When a crisis occurs, the crisis manager is responsible for
directing the organization's response in accordance with its established crisis management plan. The
crisis manager is usually also the person who is tasked with communicating to the public.
If a crisis affects public health or safety, then the crisis manager should make a public statement as
quickly as possible. In a public crisis, the media will inevitably seek out employees for comment. It is
important for the organization's employees to know ahead of time who is and is not authorized to
speak to the media. Employees who are allowed to speak to the media must do so in a manner
consistent with what the crisis manager is saying.
Post-crisis and resolution. After a crisis subsides and business begins to return to normal, the crisis
manager should continue to meet with members of the crisis management team, especially those from
the legal and finance departments, to evaluate the progression of the recovery efforts. At the same
time, the crisis manager will need to provide the latest information to key stakeholders to keep them
aware of the current situation.
Following a crisis, it is also important for the crisis management team to revisit the organization's
crisis management plan with the goal of evaluating how well the plan worked and what aspects of the
plan need to be revised based on what was learned during the crisis.
Today, virtually all major corporations, nonprofit agencies and public sector organizations use crisis
management. Developing, practicing and updating a crisis management plan is a critical piece of
ensuring a business can respond to unforeseen disasters. The nature of the crisis management
activities can vary, however, based on the organization type. For instance, a manufacturing company
will likely need a crisis management plan for responding to a large-scale industrial accident, such as
an explosion or chemical spill, whereas an insurance company would be far less likely to face such
risks.
Of course, it doesn't take something as dramatic as an industrial accident to require the activation of a
crisis management plan. Any event that has the potential to damage the organization's finances or
reputation may be cause for putting the crisis management plan into action.
Monitors and reports on worldwide events on a 24/7 basis, focusing on topics and issues relevant for
the EEAS and the EU as a whole;
Liaises 24/7 with CSDP Missions and Operations through a Watchkeeping Capability, as well as with
EU Delegations;
Supports HRVP and relevant EEAS services, the Council, and cooperates closely with the
Commission;
Plays a role in the EU Integrated Political Crisis Response arrangements (IPCR) to support political
coordination and decision-making in major, complex, inter-disciplinary crises;
Manages and develops relations with national crisis response and crisis coordination centres of EU
Member States;
Has regular contacts with other regional and international organizations' crisis centres, such as the UN
Department for Peacekeeping Operations (UN DPKO), League of Arab States (LAS), African Union
(AU) and the Association of Southeast Asian Nations (ASEAN).
The final step in the risk management process is developing the risk
response or treatment plan. This is added to the risk register and provides
vital information for what actions need to be taken if a risk occurs or is
occurring (Lavanya and Malarvizhi 2008). As risks can be triggered at any
stage of the project, the treatment plan requires an appropriate level of
detail. The risk response plan requires numerous components, including:
The level of detail required for risk management plans will differ depending
on their likelihood or consequence (Lavanya and Malarvizhi 2008).
For the most significant risks (e.g., high likelihood and consequence),
a detailed action plan is necessary.
For medium risks (e.g., medium likelihood and consequence), a brief
action plan will do.
For small risks (e.g., low likelihood and consequence), no action plan
may be required at all.
It is important that all risks within the action plan be allocated to a person
who can take the actions required to respond to the risk. The action plan
includes the following.
Each risk identified must be documented within the risk register and these
need to be discussed with the project sponsors and stakeholders. The
process needs to be understood by the project manager.
Action or response plans are not necessary for all risks. There are different
responses which can be applied to the risks identified (Kendrick 2019),
including:
Avoid: threat to be eliminated or removed.
Transfer: shift the risk to a third party.
Mitigate/treat: take actions to reduce the probability or impact of the
risk occurring.
Accept: where necessary, it may be important to proceed and accept
the risk.
The risk response plan needs to consider the impact on schedule and
budget. Therefore, when planning a risk response schedule, a budget
needs to be outlined as precisely as possible. By being precise in the risk
response plan, alternative actions can support the implementation of
integrated changes.
2. Risk triggers
Each risk trigger needs to be documented within the broader risk register.
The triggers can be used to identify the causes or warning signs.
Furthermore, understanding triggers can support identifying risks that are
about to occur, or provide an indication about certain risks that are likely to
occur. Table 12 outlines an example of the risk triggers.
Table 12. Risk trigger examples
Risk | Trigger
Limited resource availability | Unexpected leave due to illness
REFERENCES
https://jcu.pressbooks.pub/pmriskquality/chapter/module-4-mitigation-and-contingency-risk-plan/
https://www.everbridge.com/blog/what-is-crisis-management/
https://www.techtarget.com/whatis/definition/crisis-management
https://www.techtarget.com/searchdisasterrecovery/definition/crisis-management-plan-CMP
https://reciprocity.com/blog/11-proven-risk-mitigation-strategies/
https://jcu.pressbooks.pub/pmriskquality/chapter/module-3-risk-management-process-by-life-cycle-phase/