Risk management is the process of identifying risks, analyzing them to see which ones are the most important, responding to the risks and then monitoring risks throughout the project. When considering how to respond to risk, most people immediately think about ways to make sure that the risk event does not happen. After all, risks are bad, right? So, you would normally want to put a plan in place to make sure that the risk does not occur. But you actually have five choices for responding to risks. Here they are:
- Leave it. In this approach, the project manager looks at the risk and decides to do nothing. This can happen for one of three reasons. You may decide that the potential impact of the risk on the project is not substantial enough to require a risk response. You may feel that the negative impact of the risk is not worth the cost and effort required to manage the risk. You may determine there may not be any reasonable and practical activities available to manage the risk. For instance, it's possible that there is a risk of your sponsor leaving and a new sponsor canceling the project. However, you may not be in a position to do much about it as long as the current sponsor is in place, and you may just need to leave it and see how events play out.
- Monitor it. In this case, the project manager doesn't proactively manage the risk, but monitors it. This is also a good approach if you have identified a risk that should be managed, but the risk event is far off in the future. For instance, if your risk event is nine months in the future, it may not make sense to spend resources to manage the risk at this time. It's possible that over time the risk will go away because of other circumstances. However, if it doesn't go away, the team will still need to manage the risk later in the project.
- Avoid it. Avoiding the risk means that the condition causing the problem is eliminated. For instance, risks associated with a particular vendor might be avoided if another vendor is used instead. This is a very effective way to eliminate risks but obviously can be used only in unique circumstances.
- Move it. In some instances, the responsibility for managing a risk can be transferred to a third party. For instance, outsourcing a function to a third party might eliminate that risk for the project team. The third party might have particular expertise that allows them to do the work without the risk.
- Mitigate it. In most cases, this is the approach to take. Mitigating the risk means that you put in place a set of proactive steps to ensure that the risk does not occur, or, if the risk does occur, to ensure the negative impact to your project is minimized.
- The project manager, client and project team can all work together to determine the most appropriate approach for responding to each risk. The key is to identify and respond to each significant risk.