Risk response plan: What to know about risk planning + an example
What is a risk response plan?
Broadly speaking, risk response planning is the systematic process of developing options and determining actions to respond to risks.
A risk response plan is a specific plan which is created and maintained in order to respond to one of a specific set of risks which have been identified and analysed.
Developing a risk response plan requires knowing what you are planning for, so the development of a risk response plan is the third (3) stage of risk management:
- Identify risks prior to and during projects
- Analyse these risks through risk assessment frameworks and registers
- Develop risk response plans to the risks which require a response plan (which is decided based on the analysis above)
Getting the first two stages of risk management right is obviously critical to good risk response planning, because the plans will fail or not be appropriate if the risk has been identified poorly or analysed wrongly.
Risk response plans are used in many different industries including construction, oil and gas, mining, medicine and more.
For our purposes today, we are going to focus more heavily on risk response planning in the industrial sector.
The key risk plan responses...
When developing a risk response plan, there are only so many different types of risk responses to choose from. The four (4) major risk responses to negative and potentially damaging risks are:
Plan to avoid the risk -
Avoiding risk doesn't mean avoiding the problem, it means that you take actions to eliminate the threat completely or protect the project from the impact of the risk.
When risk response planning, the main actions which can be taken to avoid a risk include:
- Changing the scope of the project or specific phase of works
- Adjusting other aspects of the project like the budget or schedule to eliminate unexpected risks
- Applying new techniques, tools or knowledge to the risk to reduce the risk
- Clarifying specific objectives or activities to eliminate peripheral risk and misunderstandings
The type of action you choose above will depend on the nature and severity of the risk in question as well as the type of risk. For very specific risks, a change in tooling or requirements may be enough, and for larger risks, the project plan may need to be altered.
Plan to mitigate the risk -
If the risk cannot be avoided, then the next natural step should be to try to mitigate it - or minimise the likelihood or severity of it.
In most cases, mitigating risk is about reducing the severity of the impact, which typically involves creating contingency plans and things of that nature.
Companies and project managers are constantly trying to mitigate risk, but when talking about a risk response plan, the mitigation strategies are usually more comprehensive.
The key thing to consider when thinking about and implementing this risk response plan action is that risk can almost always be reduced further - but it comes at a cost. The person or group of people thinking about mitigating actions will need to carefully weigh up the pros and cons of the risk mitigating actions.
Plan to transfer the risk -
If a risk cannot be avoided (eliminated) or adequately mitigated, then the next step down in risk response planning is to attempt to transfer the risk.
Transferring the risk doesn't mean transferring it to another person or department, it means transferring it to a third party like an insurance company or through warranty etc.
In these cases, the company finds it more advantageous to transfer the risk for a fee than deal with it or accept it.
Plan to accept the risk -
If in your risk response planning you can't see that any of the above options are available or feasible, then the only other option is to accept the risk or not conduct the activity or project.
Choosing to accept the risk doesn't mean giving up or not doing anything. Accepting the risk often triggers a specific strategy or contingency plan or plan for containing the consequences if they do occur.
Not all risk response planning is based on negative outcomes. In fact, there are a number of risks which create new opportunities for companies too.
When doing a risk response plan, if you come across some new opportunities, you can respond to those opportunities in a few different ways:
When an opportunity presents itself, the best strategy is often to exploit it. Exploiting the opportunity might involve adding work or changing the project scope so you can capture the opportunity.
Enhancing an opportunistic risk is the next best thing to exploiting it. Enhancing it means increasing the probability that it will occur, and hopefully increasing the size of the opportunity impact.
Sometimes you can't capture all of the opportunities which arise on a project, but you may be able to share them. In this case, you will be sharing the opportunity with some third party.
When there is no obvious risk response plan or action and a project manager or person can't make the necessary call - the next option is often to escalate the risk or response to a more senior person or group who can help in deciding the appropriate action.
Risk response plan example
The best way to understand a risk response plan is often to see some examples. While every risk response plan is a little different, examples provide you with a framework and reference for developing your own good risk response planning strategies.
Before we dive into the risk response plan example, we need to surface one other critical aspect of any risk response plan: the trigger condition.
Trigger condition -
The trigger condition is arguably the most important aspect of risk response planning. A trigger condition is a 'condition' which is reached (something happens, a certain amount of time passes etc.) which triggers the response outlined in the risk response plan.
The purpose of the trigger condition is to create certainty around when the risk response plan will be triggered so no one asks why a response was initiated etc. and also to ensure that the plan is implemented when it should be, and isn't incorrectly overlooked.
The trigger condition sets the exact conditions for when an action will take place - removing human error and misunderstandings from risk management.
The missing part of this risk response plan example is of course the risk identification and analysis. Before we get to this point and understand the risk well enough to make a plan, we have to spend a fair amount of time in our risk register - where we store and analyse our different risks.
So let's take a look at the risk response plan example below:
Hopefully this risk response plan example gives you a good idea of what a risk response plan looks like.
Other things you should know about risk response planning
Not all risks require a risk response plan. There are simply too many risks and eventualities associated with a project of any reasonable size to plan for every risk.
But the purpose of the first two stages of risk planning is to make sure that you spend your risk response planning time wisely, on the risks which matter most to you, your team and your projects.
When done correctly, you will have a neat assortment of risk response plans in your risk register (or linked out from your register), and the trigger conditions will be clear to everyone.
The other key element of risk response planning is deciding and planning how the risk response actions and plan will be implemented and communicated.
If, as in our risk response plan example, the excavator operator is in charge of the trigger condition, who does he contact to trigger the response plan actions? The project manager? The project director?
Once this person receives notification of the risk response plan being triggered, how do they communicate that to the rest of the team and begin to move resources to Zone 2?
And where is the document or register that everyone is supposed to reference? Is it a real-time document which everyone can access and update at any time or are people relying on their own spreadsheets?
These are all of the questions you need to be able to answer when developing and deploying your risk response plan.
Risk response planning is hard work, but it is necessary work. Good risk management is the major difference between successful projects and unsuccessful projects. Changes and unexpected things are bound to happen on all projects - it's how you respond to these things and prepare to respond to these things which really matters in the long run.