Grade A Risk Responses

 

It is easy to understand why some people think that the risk response development phase is the most important part of the risk process. This is where we get the chance to make a difference to the risk exposure of our project. If we design and implement good risk responses to address the risks we have identified and assessed, we will be able to minimise threats and maximise opportunities, and so optimise the likelihood of achieving our objectives. But if our risk responses are ineffective (or not implemented), the level of risk exposure remains unchanged – or may even get worse!

But how can we tell if our risk responses are good enough? Can we assess their potential effectiveness before we decide to implement them? Here are seven “Grade A” criteria by which you can test whether your planned risk responses are likely to work. To be effective, all proposed risk responses should be:

1.    Appropriate – The correct level of response must be determined, based on the significance of the risk. This ranges from a crisis response where the project cannot proceed without the risk being addressed, through to a “do nothing” response for minor risks. We should not spend large amounts of time or effort developing aggressive responses for minor risks, but we must also not spend too little time considering how to deal with key risks.

2.    Affordable – The cost-effectiveness of risk responses must be determined, so that the amount of time, effort and money spent on addressing the risk does not exceed the available budget or the degree of risk exposure. Each risk response should also have an agreed budget, added to the approved project cost plan.

3.    Actionable – An action window should be determined, defining the time within which risk responses need to be completed in order to address the risk. Some risks require immediate action, while others can safely be left until later. We must be careful not to leave it too late before we act.

4.    Achievable – There is no point in describing risk responses which are not realistically achievable or feasible, either technically or within the scope of our capability and responsibility. If your planned response is “Hope for a miracle” or “Invent a radical new solution”, you may be disappointed! 

5.    Assessed – All proposed risk responses must work! The “risk-effectiveness” of a response is best determined by making a “post-response risk assessment”. This assesses the level of residual risk assuming effective implementation of the response, including secondary risks of course. The situation after implementing the risk response must be better than before!

6.    Agreed – The consensus and commitment of relevant stakeholders should be obtained before agreeing responses, especially if the proposed response might affect a part of the project in which they have an interest.

7.    Allocated & Accepted – Each risk response should be owned by a single person (and accepted by them) to ensure a single point of responsibility and accountability for implementing the response. Allocating risk responses requires careful delegation, including provision of the necessary resources and support to allow effective action to be taken.

Each proposed risk response should be assessed against these seven criteria before it is accepted. A “Grade A” response will pass all these tests, and is more likely to achieve the desired effect than a response which has not been properly considered or evaluated.