SP 3.1 Develop Risk Mitigation Plans
Process Area: RSKM
Level: 2
Goal: SG 3
Practice: SP 3.1

Develop a risk mitigation plan for the most important risks to the project as defined by the risk management strategy.

A critical component of risk mitigation planning is developing alternative courses of action, workarounds, and fallback positions, and a recommended course of action for each critical risk. The risk mitigation plan for a given risk includes techniques and methods used to avoid, reduce, and control the probability of risk occurrence, the extent of damage incurred should the risk occur (sometimes called a contingency plan), or both. Risks are monitored, and when they exceed established thresholds, risk mitigation plans are deployed to return the impacted effort to an acceptable risk level. If the risk cannot be mitigated, a contingency plan can be invoked. Both risk mitigation and contingency plans are often generated only for selected risks whose consequences are high or unacceptable; other risks may be accepted and simply monitored.

Options for handling risks typically include alternatives such as the following:

· Risk avoidance: changing or lowering requirements while still meeting user needs
· Risk control: taking active steps to minimize risks
· Risk transfer: reallocating requirements to lower risks
· Risk monitoring: watching and periodically reevaluating the risk for changes in assigned risk parameters
· Risk acceptance: acknowledging risk but not taking action

Often, especially for high risks, more than one approach to handling a risk should be generated.

For example, in the case of an event that disrupts the continuity of operations, approaches to risk management can include establishing the following:

· Resource reserves to respond to disruptive events
· Lists of available back-up equipment
· Back-up personnel for key personnel
· Plans for and results of testing emergency response systems
· Posted procedures for emergencies
· Disseminated lists of key contacts and information resources for emergencies

In many cases, risks are accepted or watched. Risk acceptance is usually done when the risk is judged too low for formal mitigation or when there appears to be no viable way to reduce the risk. If a risk is accepted, the rationale for this decision should be documented. Risks are watched when there is an objectively defined, verifiable, and documented threshold of performance, time, or risk exposure (i.e., the combination of likelihood and consequence) that will trigger risk mitigation planning or invoke a contingency plan.

Thresholds for supplier risks that affect the project (e.g., schedule, quality, or risk exposure due to supplier risks) are specified in the supplier agreement along with escalation procedures if thresholds are exceeded.

Adequate consideration should be given early to technology demonstrations, models, simulations, pilots, and prototypes as part of risk mitigation planning.

Typical Work Products

1. Documented handling options for each identified risk
2. Risk mitigation plans
3. Contingency plans
4. Disaster recovery or continuity plans
5. List of those responsible for tracking and addressing each risk

Typical Supplier Deliverables

1. Documented handling options for each identified risk
2. Risk mitigation plans
3. Contingency plans
4. Disaster recovery or continuity plans
5. List of those responsible for tracking and addressing each risk

Subpractices

1. Determine the levels and thresholds that define when a risk becomes unacceptable and triggers the execution of a risk mitigation plan or contingency plan.

Risk level (derived using a risk model) is a measure combining the uncertainty of reaching an objective with the consequences of failing to reach the objective.

Risk levels and thresholds that bound planned or acceptable performance must be clearly understood and defined to provide a means with which risk can be understood. Proper categorization of risk is essential for ensuring an appropriate priority based on severity and the associated management response. There may be multiple thresholds employed to initiate varying levels of management response. Typically, thresholds for the execution of risk mitigation plans are set to engage before the execution of contingency plans.

2. Identify the person or group responsible for addressing each risk.

3. Determine the cost-to-benefit ratio of implementing the risk mitigation plan for each risk.

Risk mitigation activities should be examined for benefits they provide versus resources they will expend. Just like any other design activity, alternative plans may need to be developed and costs and benefits of each alternative assessed. The most appropriate plan is selected for implementation.

4. Develop an overall risk mitigation plan for the project to orchestrate the implementation of individual risk mitigation and contingency plans.

The complete set of risk mitigation plans may not be affordable. A tradeoff analysis should be performed to prioritize risk mitigation plans for implementation.

5. Develop contingency plans for selected critical risks in the event their impacts are realized.

Risk mitigation plans are developed and implemented as needed to proactively reduce risks before they become problems. Despite best efforts, some risks may be unavoidable and will become problems that impact the project. Contingency plans can be developed for critical risks to describe actions a project may take to deal with the occurrence of this impact. The intent is to define a proactive plan for handling the risk, either to reduce the risk (mitigation) or respond to the risk (contingency), but in either event to manage the risk.

Some risk management literature may consider contingency plans a synonym or subset of risk mitigation plans. These plans also may be addressed together as risk-handling or risk action plans.
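As an added illustration of subpractices 1, 3 and 4 (this is example code written for this page, not part of the CMMI-ACQ text or any official tool), the following Python sketch shows one way a project might encode a simple risk model: exposure is taken as the product of likelihood and consequence, two tiered thresholds are set so that mitigation engages before contingency, and candidate mitigation plans are prioritized by benefit-to-cost ratio within a fixed budget. The threshold values, the 1-to-5 consequence scale, the greedy selection rule and the sample risk register are all assumptions constructed for the example.

```python
"""Tiered risk thresholds and budget-constrained mitigation prioritization.

Added example for RSKM SP 3.1; all names, scales, thresholds and sample
risks below are constructed assumptions, not values from the CMMI text.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    name: str
    likelihood: float        # assumed scale: probability 0.0 .. 1.0
    consequence: int         # assumed scale: 1 (minor) .. 5 (catastrophic)
    mitigation_cost: int     # resources the mitigation plan would consume
    mitigation_benefit: int  # expected reduction in loss if the plan is executed
    owner: str               # person or group responsible (subpractice 2)

    @property
    def exposure(self) -> float:
        # Risk exposure combines likelihood and consequence; the product is
        # one common (assumed) way to combine them in a risk model.
        return self.likelihood * self.consequence


# Assumed thresholds. The mitigation threshold is deliberately the lower one,
# so mitigation plans are triggered before contingency plans.
MITIGATION_THRESHOLD = 1.5
CONTINGENCY_THRESHOLD = 3.0


def handling_for(risk: Risk) -> str:
    """Map a risk's exposure to the management response it triggers."""
    if risk.exposure >= CONTINGENCY_THRESHOLD:
        return "contingency"
    if risk.exposure >= MITIGATION_THRESHOLD:
        return "mitigation"
    return "watch"  # below both thresholds: accept and monitor


def triage(risks: List[Risk]) -> Dict[str, str]:
    """Subpractice 1: evaluate every risk against the thresholds."""
    return {r.name: handling_for(r) for r in risks}


def prioritize_mitigations(risks: List[Risk], budget: int) -> List[str]:
    """Subpractices 3-4: rank plans by benefit-to-cost ratio and fund them
    greedily until the budget is exhausted (a simple tradeoff analysis)."""
    candidates = [r for r in risks if handling_for(r) != "watch"]
    candidates.sort(key=lambda r: r.mitigation_benefit / r.mitigation_cost,
                    reverse=True)
    funded, remaining = [], budget
    for r in candidates:
        if r.mitigation_cost <= remaining:
            funded.append(r.name)
            remaining -= r.mitigation_cost
    return funded


# Constructed sample register for demonstration only.
SAMPLE_REGISTER = [
    Risk("Supplier misses integration deadline", 0.6, 4, 20, 60, "acquisition lead"),
    Risk("Key architect leaves", 0.4, 5, 30, 45, "engineering manager"),
    Risk("Data center outage", 0.8, 5, 50, 100, "operations lead"),
    Risk("Minor UI defects", 0.9, 1, 5, 5, "QA lead"),
]


if __name__ == "__main__":
    for name, action in triage(SAMPLE_REGISTER).items():
        print(f"{name}: {action}")
    print("Funded within budget 70:", prioritize_mitigations(SAMPLE_REGISTER, 70))
```

Running the script shows the outage risk crossing the contingency threshold, two risks landing in the mitigation band, and the low-exposure defect risk being watched rather than planned for; with a budget of 70 only the two plans with the best benefit-to-cost ratio are funded, which is the tradeoff the text describes when the complete set of mitigation plans is not affordable.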
