After identifying the risk and estimating the exposure, it is necessary to determine an appropriate way to handle it. It is also necessary to prepare for the possibility that the risk will materialize by determining the most appropriate way to handle the problem that the project will face.
Clearly, this process requires a lot of effort. It should therefore be undertaken in stages, using risk exposure levels, anticipated degree of damage and the likelihood that the risk will materialize as a guide. Risks that have the potential to affect the project severely soonest should be dealt with first.
Risk management should reflect both the ways in which a given risk should be handled before it becomes a problem (preventive actions) and the ways in which the problem should be handled once it materializes (corrective actions).
Common response strategies are:
Preventive actions for dealing with a given risk will vary depending on the level of threat posed by the risk and the damage it might cause. In cases where the threat to the project’s success is large enough, it may be necessary to avoid the risk entirely by eliminating any possibility that the risk will materialize or have any impact on the project whatsoever. Such a reaction to risk exposure is called ‘Risk Avoidance’.
For example: A new company that finds itself in a sensitive financial position without a lot of margin for error may choose to avoid committing to a project with a high level of risk exposure, thus eliminating the risk entirely. The company might invest its resources in a different project, where the level of risk associated with the project does not pose an existential threat to the company as a whole.
In cases where it is not possible or practical to avoid all risk exposure but where risk exposure can nonetheless be reduced, it is necessary to determine actions that will lower the probability of risks materializing or ways to limit their impact on the project. Such a reaction to risk exposure is called ‘Risk Mitigation’.
Risk exposure is quite often affected by the party responsible for completing the task. Sometimes, then, the best way to handle the risk is to transfer the task to another party—one who is more suitable for handling it—thereby lowering the risk involved. Such a reaction to risk exposure is called ‘Risk Transfer’.
For example: Using a subcontractor to execute some project tasks may be an attempt to transfer risk due to concerns over whether the organization is capable of executing those same tasks.
One of the most common ways of handling risks is to distribute them among various responsible bodies, thereby lowering the risk each one takes. Common examples of this are purchasing insurance or adding investors to a project. Such a response to risk exposure is called ‘Risk Distribution’.
In cases where the risk for the project is small or cannot be avoided or when it is not worthwhile investing resources to prevent or mitigate the risk, it is possible to accept the situation simply as is and prepare for the possibility that the risk might materialize. Such a reaction is called ‘Risk Acceptance’; it necessitates prior development of corrective actions for handling potential problems. In fact, risks that are not avoided, lowered, transferred or distributed between various bodies are tacitly accepted as risks that must be monitored. Plans for handling the problems these risks will cause when they materialize must be prepared.
For example: When the insurance cost of any piece of equipment is very expensive, and the replacement cost of the item is not too expensive, it might be better to accept the threat and deal with the problem if it occurs.
Advance preparation guarantees a useful and efficient response when a risk materializes and becomes a problem. When no advance preparation has been undertaken, the problem must be handled under pressure, in circumstances where choices may have become severely limited. Unfortunately, such a scenario is far from uncommon. It is known in the field as “putting out fires”. Good project managers are amply prepared and ready to deal with potential problems before they arise.
Deciding how to manage a particular risk depends on cost, among others. Sometimes it is cheaper to handle the resulting problem, if the risk becomes a reality, than to avoid the risk in the first place. Therefore, the economy of risks is another parameter in the risk management decision-making process. However, this parameter does not stand above all others; the dimensions of the risk in their entirety—as well as the potential ramifications for both project and client—should be examined before any final decisions are made.
The economy of risks refers to the cost of preventing or limiting the risk compared to the cost of fixing the problem that will result from the risk materializing. Generating an estimate for this cost requires planning and estimation—just like any other project planning task. These costs must be taken into account in the proposed budget and should be part of the consideration when deciding on project approval. Otherwise, the cost of dealing with various risks may cause the project to deviate from its targets. Furthermore, the responses decided upon as part of the risk management plan must be included in the project’s work plan as tasks and work packages that will influence available resources and overall duration.
All of these form both the risk management plan of the project and the risk avoidance or mitigation plans. These plans should be tightly adhered to and controlled on an ongoing basis, all while keeping the various stakeholders informed.