Risk response strategies are the project manager's methods for managing the risk events that occur. A proactive approach to risk management, as with every facet of project management, lessens the impact of those risks that can be identified early in the project's life cycle. Generally, there are four techniques for responding to risks: avoidance, transference, mitigation, and acceptance.
Often the best defense against a risk event is simply to avoid it. We know that risks occur in every project, and it is not feasible, or even wise, to try to structure a project to have no risks. A project without risk is not worth pursuing. On the other hand, facing a risk that is likely to end in loss of time, revenues, or even the entire project, also is unwise. It is also unwise to accept a risk that we have defined as a pure or insurable risk. In these cases, it is best to consider alternative approaches that allow the risk to be transferred or, lacking that, avoided altogether.
The most common way of avoiding a risk is to consider an alternative approach that contains less or no risk. For example, if a system design calls for a new, undeveloped software operating system, it could represent a significant risk to the project. A less risky approach would be to use a proven off-the-shelf operating system, provided that it meets the customer's requirements. A common situation in information technology projects arises when a system is being developed for a specified operating system and a new version of that operating system is developed prior to system completion. If the new software version is likely to have defects, it could be better to avoid any attendant risks by continuing with the previous version.
Risk transference is commonly done in practice by teaming or by hiring a vendor. When the project requires expertise not resident in the organization or group, it is common practice to team with another company or to hire a vendor who does possess the requisite expertise. Common examples of risk transference also occur where insurance is the practical way of planning for risks. For instance, a company that is located in a flood plain or in a tornado alley would routinely purchase insurance against such risks.
Mitigating risk means that the risk event is controlled in such a way that either the impact or the probability of the event occurrence is lessened. Mitigation can occur by reducing the level of impact, that is, cost or schedule added to the baseline, by reducing the probability of the event occurring, or both. Generally, mitigation occurs by adding more resources or by using better-trained or more experienced personnel. Using tried and tested technology, rather than newer, untested technology, can also mitigate risk. Risk mitigation is a form of risk acceptance. That is, the risk is expected, and it is an acceptable risk to take; however, an attempt is made to significantly reduce the impact to the project.
Risk acceptance is simply that—the risk is expected, and the level of impact to the project is within the tolerance level of the project team or organization. Usually, this kind of risk is the result of such things as the unpredictability of resource availability. For example, there is always a certain level of risk associated with the real-world problem of sharing resources across multiple projects. A risk to schedule exists if the resources are not available at the time they are needed. In these cases, the risk is recognized and accepted, and it will be dealt with when it occurs.