Develop a risk mitigation plan for the most important risks to the project as defined by the risk management strategy.
A critical component of a risk mitigation plan is to develop alternative courses of action, workarounds, and fallback positions, with a recommended course of action for each critical risk. The risk mitigation plan for a given risk includes techniques and methods used to avoid, reduce, and control the probability of occurrence of the risk, the extent of damage incurred should the risk occur (sometimes called a “contingency plan”), or both. Risks are monitored and when they exceed the established thresholds, the risk mitigation plans are deployed to return the impacted effort to an acceptable risk level. If the risk cannot be mitigated, a contingency plan can be invoked. Both risk mitigation and contingency plans are often generated only for selected risks where the consequences of the risks are determined to be high or unacceptable; other risks may be accepted and simply monitored.
Options for handling risks typically include alternatives such as the following:
· Risk avoidance: Changing or lowering requirements while still meeting the user’s needs
· Risk control: Taking active steps to minimize risks
· Risk transfer: Reallocating requirements to lower the risks
· Risk monitoring: Watching and periodically reevaluating the risk for changes to the assigned risk parameters
· Risk acceptance: Acknowledgment of risk but not taking any action
Often, especially for high risks, more than one approach to handling a risk should be generated.
For example, in the case of an event that disrupts continuity of operations, approaches to risk management can include the following:
· Resource reserves to respond to disruptive events
· Lists of appropriate back-up equipment to be available
· Back-up personnel for key personnel
· Plans for, and results of, testing emergency response systems
· Posted procedures for emergencies
· Disseminated lists of key contacts and information resources for emergencies
In many cases, risks will be accepted or watched. Risk acceptance is usually done when the risk is judged too low for formal mitigation, or when there appears to be no viable way to reduce the risk. If a risk is accepted, the rationale for this decision should be documented. Risks are watched when there is an objectively defined, verifiable, and documented threshold of performance, time, or risk exposure (the combination of likelihood and consequence) that will trigger risk mitigation planning or invoke a contingency plan if it is needed.
Adequate consideration should be given early to technology demonstrations, models, simulations, pilots, and prototypes as part of risk mitigation planning.
Typical Work Products
1. Documented handling options for each identified risk
2. Risk mitigation plans
3. Contingency plans
4. List of those responsible for tracking and addressing each risk
Subpractices
1. Determine the levels and thresholds that define when a risk becomes unacceptable and triggers the execution of a risk mitigation plan or a contingency plan.
Risk level (derived using a risk model) is a measure combining the uncertainty of reaching an objective with the consequences of failing to reach the objective.
Risk levels and thresholds that bound planned or acceptable performance must be clearly understood and defined to provide a means with which risk can be understood. Proper categorization of risk is essential for ensuring appropriate priority based on severity and the associated management response. There may be multiple thresholds employed to initiate varying levels of management response. Typically, thresholds for the execution of risk mitigation plans are set to engage before the execution of contingency plans.
2. Identify the person or group responsible for addressing each risk.
3. Determine the cost-to-benefit ratio of implementing the risk mitigation plan for each risk.
Risk mitigation activities should be examined for the benefits they provide versus the resources they will expend. Just like any other design activity, alternative plans may need to be developed and the costs and benefits of each alternative assessed. The most appropriate plan is then selected for implementation. At times the risk may be significant and the benefits small, but the risk must be mitigated to reduce the probability of incurring unacceptable consequences.
4. Develop an overall risk mitigation plan for the project to orchestrate the implementation of the individual risk mitigation and contingency plans.
The complete set of risk mitigation plans may not be affordable. A tradeoff analysis should be performed to prioritize the risk mitigation plans for implementation.
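As an added illustration of subpractices 1, 3 and 4 (example code, not part of the original text): a small Python risk register that computes exposure as likelihood times consequence, enforces that the mitigation threshold engages before the contingency threshold, maps each risk onto a tiered management response, and performs the tradeoff analysis by ranking mitigation plans by exposure reduction per unit cost within a budget. The risk names, scores, costs and thresholds are constructed sample values, not from any real project.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float         # probability of occurrence, 0..1
    consequence: int          # impact score, 1 (negligible) .. 5 (severe)
    mitigate_at: float        # exposure threshold that triggers the mitigation plan
    contingency_at: float     # exposure threshold that invokes the contingency plan
    mitigation_cost: float    # resources the mitigation plan would expend
    residual_exposure: float  # exposure expected once the mitigation plan has taken effect

    def __post_init__(self) -> None:
        # Mitigation thresholds are set to engage before contingency thresholds.
        if not self.mitigate_at < self.contingency_at:
            raise ValueError(f"{self.name}: mitigation threshold must be below contingency threshold")

    @property
    def exposure(self) -> float:
        # Risk exposure is the combination of likelihood and consequence.
        return self.likelihood * self.consequence


def response_level(risk: Risk) -> str:
    # Tiered response: the higher (contingency) threshold is checked first.
    if risk.exposure >= risk.contingency_at:
        return "contingency"
    if risk.exposure >= risk.mitigate_at:
        return "mitigate"
    return "watch"  # accepted or watched; the rationale is documented in the register


def prioritize_mitigations(risks: list[Risk], budget: float) -> list[str]:
    # Tradeoff analysis: rank plans by exposure reduction per unit cost, fund within budget.
    candidates = [r for r in risks if response_level(r) != "watch" and r.mitigation_cost > 0]
    candidates.sort(key=lambda r: (r.exposure - r.residual_exposure) / r.mitigation_cost, reverse=True)
    funded, spent = [], 0.0
    for r in candidates:
        if spent + r.mitigation_cost <= budget:
            funded.append(r.name)
            spent += r.mitigation_cost
    return funded


def sample_register() -> list[Risk]:
    # Constructed sample register; the values are illustrative only.
    return [
        Risk("Unpatched internet-facing service", 0.6, 5, 1.5, 3.5, 2.0, 0.5),
        Risk("Key engineer departure", 0.3, 4, 1.0, 2.5, 5.0, 0.4),
        Risk("Vendor delivery slip", 0.9, 3, 1.0, 2.4, 1.0, 1.0),
        Risk("Minor UI defect", 0.5, 1, 1.0, 2.0, 0.5, 0.2),
    ]
```

With a budget of 3.0, the vendor slip (already past its contingency threshold) and the unpatched service are funded first, while the costlier key-personnel plan is deferred; raising the budget to 8.0 funds all three.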
5. Develop contingency plans for selected critical risks in the event their impacts are realized.
Risk mitigation plans are developed and implemented as needed to proactively reduce risks before they become problems. Despite best efforts, some risks may be unavoidable and will become problems that impact the project. Contingency plans can be developed for critical risks to describe the actions a project may take to deal with the occurrence of this impact. The intent is to define a proactive plan for handling the risk, either to reduce the risk (mitigation) or respond to the risk (contingency), but in either event to manage the risk.
Some risk management literature may consider contingency plans a synonym or subset of risk mitigation plans. These plans also may be addressed together as risk-handling or risk action plans.