Here are Five Strategies for the Responding to Risks

Risks are future events or conditions that have a probability of occurrence and an impact to the project if they occur. Identifying risks is only the start of the risk management process. After you identify risks, you need to analyze them to see which ones are important enough for you to manage. For all "high" risks you must create a risk response. There are a number risk response options that the project manager should consider.

• Leave the risk (accept). Sometimes we see a high risk and still decide to leave it. This can happen for one of two reasons.
  • First, the project manager may feel that cost and effort of managing the risk is more than the impact of the risk event itself. In this case you would rather deal with the costs of the risk occurring that the cost of trying to manage the risk.
  • Second, there may not be any reasonable and practical activities available to manage the risk. For instance, it is possible that there is a risk of your sponsor leaving and a new sponsor canceling the project. However, you may not be in a position to do much about it as long as the current sponsor is in place, and you may just need to leave it and see how events play out.
• Monitor the risk. This is a good approach if you have identified a risk that should be managed, but the risk event is far off in the future. In this case, the project manager does not proactively manage the risk, but monitors it to see whether it is more or less likely to occur as time goes on. If it looks more likely to occur later in the project, the team must formulate a different response at a later time.
• Avoid the risk. Avoiding the risk means that the condition that is causing the problem is eliminated. For example, let's say you identify a risk associated with using new equipment. You could avoid the risk by deciding to use current equipment that you are familiar with. You eliminated the cause of the risk, therefore avoiding the risk itself. 
• Move the risk (transfer). In some instances, the responsibility for managing a risk can be removed from the project by assigning the risk to another entity or third party. For instance, you may identify a risk associated with a new technology. Outsourcing the function to a third party might eliminate that risk for the project team. The risk event is still there, but now some other entity is dealing with it.
• Mitigate the risk. Mitigating is the most common risk response. Mitigation means that you create a plan to minimize the likelihood that the risk will occur, or minimize the impact if the risk occurs. You could eliminate the risk by reducing the likelihood down to zero percent, or reducing the impact to zero. However, even if you cannot eliminate the risk, minimizing either the probability or the impact of the risk is often the most viable risk response strategy. 

These are the risk responses for negative risks. After you have a risk response plan in place, you need to monitor the plan to ensure it is working as you expect.