Develop a risk mitigation plan for the most
important risks to the project as defined by the risk management
A critical component of risk mitigation
planning is developing alternative courses of action, workarounds, and
fallback positions, and a recommended course of action for each critical
risk. The risk mitigation plan for a given risk includes techniques and
methods used to avoid, reduce, and control the probability of risk
occurrence; the extent of damage incurred should the risk occur (sometimes
called a “contingency plan”); or both. Risks are monitored and when they
exceed established thresholds, risk mitigation plans are deployed to
return the impacted effort to an acceptable risk level. If the risk cannot
be mitigated, a contingency plan can be invoked. Both risk mitigation and
contingency plans often are generated only for selected risks for which
consequences of the risks are high or unacceptable. Other risks may be
accepted and simply monitored.
Options for handling risks typically
include alternatives such as the following:
- Risk avoidance: changing or
lowering requirements while still meeting user
- Risk control: taking active steps to minimize
- Risk transfer: reallocating requirements to lower
- Risk monitoring: watching and periodically
reevaluating the risk for changes in assigned risk
- Risk acceptance: acknowledging risk but not
Often, especially for high-impact risks, more than one
approach to handling a risk should be generated.
For example, in the case of an event that
disrupts the continuity of operations, approaches to risk management
can include establishing the following:
- Resource reserves to respond
to disruptive events
- Lists of available back-up
- Back-up of key
- Plans for testing emergency
- Posted procedures for
- Disseminated lists of key
contacts and information resources for
In many cases, risks are accepted or watched. Risk
acceptance is usually done when the risk is judged too low for formal
mitigation or when there appears to be no viable way to reduce the risk.
If a risk is accepted, the rationale for this decision should be
documented. Risks are watched when there is an objectively defined,
verifiable, and documented threshold of performance, time, or risk
exposure (i.e., the combination of likelihood and consequence) that will
trigger risk mitigation planning or invoke a contingency
Refer to the Decision Analysis and
Resolution process area for more information about evaluating
alternatives and selecting solutions.
Adequate consideration should be given early to technology
demonstrations, models, simulations, pilots, and prototypes as part of
risk mitigation planning.
Typical Work Products
- Documented handling options for each
- Risk mitigation plans
- Contingency plans
- List of those responsible for tracking and
addressing each risk
- Determine the levels and thresholds that
define when a risk becomes unacceptable and triggers the execution of a
risk mitigation plan or contingency plan.
Risk level (derived using a risk model) is a measure
combining the uncertainty of reaching an objective with the consequences
of failing to reach the objective.
Risk levels and thresholds that bound planned or
acceptable performance must be clearly understood and defined to provide
a means with which risk can be understood. Proper categorization of risk
is essential for ensuring an appropriate priority based on severity and
the associated management response. There may be multiple thresholds
employed to initiate varying levels of management response. Typically,
thresholds for the execution of risk mitigation plans are set to engage
before the execution of contingency plans.
- Identify the person or group responsible for
addressing each risk.
- Determine the costs and benefits of
implementing the risk mitigation plan for each risk.
Risk mitigation activities should be examined
for benefits they provide versus resources they will expend. Just like
any other design activity, alternative plans may need to be developed
and costs and benefits of each alternative assessed. The most
appropriate plan is selected for implementation.
- Develop an overall risk mitigation plan for
the project to orchestrate the implementation of individual risk
mitigation and contingency plans.
The complete set of risk mitigation plans may not be
affordable. A tradeoff analysis should be performed to prioritize risk
mitigation plans for implementation.
- Develop contingency plans for selected
critical risks in the event their impacts are
plans are developed and implemented as needed to proactively reduce
risks before they become problems. Despite best efforts, some risks may
be unavoidable and will become problems that impact the project.
Contingency plans can be developed for critical risks to describe
actions a project may take to deal with the occurrence of this impact.
The intent is to define a proactive plan for handling the risk. Either
the risk is reduced (mitigation) or addressed (contingency). In either
event, the risk is managed.
Some risk management literature may consider
contingency plans a synonym or subset of risk mitigation plans. These
plans also may be addressed together as risk handling or risk action