How to respond to risk? Grade Risk Mitigations

It is easy to understand why some people think that the risk response development phase is
the most important part of the risk process. This is where we get the chance to make a
difference to the risk exposure of our project. If we design and implement good risk responses
to address the risks we have identified and assessed, we will be able to minimise threats and
maximise opportunities, and so optimise the likelihood of achieving our objectives. But if our
risk responses are ineffective (or not implemented), the level of risk exposure remains
unchanged – or may even get worse!

But how can we tell if our risk responses are good enough? Can we assess their potential
effectiveness before we decide to implement them? Here are seven “Grade A” criteria by
which you can test whether your planned risk responses are likely to work. To be effective, all
proposed risk responses should be :

1. Appropriate – The correct level of response must be determined, based on the
significance of the risk. This ranges from a crisis response where the project cannot
proceed without the risk being addressed, through to a “do nothing” response for minor
risks. We should not spend large amounts of time or effort developing aggressive
responses for minor risks, but we must also not spend too little time considering how to
deal with key risks.

2. Affordable – The cost-effectiveness of risk responses must be determined, so that the
amount of time, effort and money spent on addressing the risk does not exceed the
available budget or the degree of risk exposure. Each risk response should also have an
agreed budget, added to the approved project cost plan.

3. Actionable – An action window should be determined, defining the time within which risk
responses need to be completed in order to address the risk. Some risks require
immediate action, while others can safely be left until later. We must be careful not to
leave it too late before we act.

4. Achievable – There is no point in describing risk responses which are not realistically
achievable or feasible, either technically or within the scope of our capability and
responsibility. If your planned response is “Hope for a miracle” or “Invent a radical new
solution”, you may be disappointed!

5. Assessed – All proposed risk responses must work! The “risk-effectiveness” of a
response is best determined by making a “post-response risk assessment”. This
assesses the level of residual risk assuming effective implementation of the response,
including secondary risks of course. The situation after implementing the risk response
must be better than before!

6. Agreed – The consensus and commitment of relevant stakeholders should be obtained
before agreeing responses, especially if the proposed response might affect a part of the
project in which they have an interest.

7. Allocated & Accepted – Each risk response should be owned by a single person (and
accepted by them) to ensure a single point of responsibility and accountability for
implementing the response. Allocating risk responses requires careful delegation,
including provision of the necessary resources and support to allow effective action to be

Each proposed risk response should be assessed against these seven criteria before it is
accepted. A “Grade A” response will pass all these tests, and is more likely to achieve the
desired effect than a response which has not been properly considered or evaluated.

For more information, visit

© Dr David Hillson FIRM, HonFAPM, PMI Fellow