3.4.2. Risk Analysis and Response
💡 First Principle: Proactive and systematic management of both threats and opportunities is a critical discipline for increasing the probability of project success and maximizing value delivery.
Scenario: During a risk review, the team identifies a threat: a key supplier might deliver a component late. They decide to 'Mitigate' this risk by ordering a backup from a second supplier. They also identify an opportunity: a new technology could speed up development. They decide to 'Enhance' this by assigning a senior developer to create a prototype.
Proactively managing risks involves a structured process of identification, analysis, response planning, and monitoring.
- Risk Analysis Steps:
  - Identify Risks (Brainstorm, Checklists, Assumptions Analysis, Pre-Mortem)
  - Document (Risk Register or Backlog)
  - Qualitative Analysis (Assess Probability & Impact; Rank via P x I Score or Matrix)
  - Quantitative Analysis (Optional: EMV = P% * $Impact; Decision Tree Analysis; Simulation)
  - Plan Risk Responses (See table below)
  - Implement Responses (Assign owners, execute via Risk-Adjusted Backlog)
  - Allocate Contingency Reserves for accepted threats
  - Monitor Risks (Track triggers, review effectiveness, identify new risks in Risk Reviews)
Practical Implementation: Risk Response Strategies Table
Risk Type | Strategy | Action | Scenario Example |
---|---|---|---|
Threat | Avoid | Eliminate cause / Change plan to bypass risk | Change design to avoid risky component |
Threat | Mitigate | Reduce Probability or Impact (or both) | Add redundancy, conduct more testing |
Threat | Transfer | Shift impact/ownership to third party (insurance, contract) | Outsource high-risk work with warranty |
Threat | Escalate | Notify level with authority if outside project scope | Escalate major compliance risk to legal |
Threat | Accept | Acknowledge risk; Passive: Do nothing; Active: Set contingency | Budget for potential rework (Active Accept) |
Opportunity | Exploit | Ensure opportunity realized; assign strong resources | Dedicate team to leverage market opening |
Opportunity | Enhance | Increase Probability or Impact (or both) | Add features to increase positive impact |
Opportunity | Share | Allocate ownership to third party best able to capture | Joint venture to pursue new market |
Opportunity | Escalate | Notify level with authority if outside project scope | Escalate major strategic opportunity |
Opportunity | Accept | Acknowledge opportunity; take no proactive action | Take advantage if it happens naturally |
⚠️ Common Pitfall: Creating a risk register at the start of the project and then never looking at it again. Risk management must be a continuous, iterative process throughout the project lifecycle.
Key Trade-Offs:
- Cost of Response vs. Risk Exposure: The cost of a risk response (e.g., buying insurance, building a redundant system) should be appropriate for the level of risk (the probability and impact). It doesn't make sense to spend $100k to mitigate a $10k risk.
Reflection Question: What is the difference between the 'Accept' risk response strategy when applied to a threat versus when applied to an opportunity?