Module 4. Mitigation and contingency risk plan
A risk response strategy outlines both the mitigation and contingency risk plans and forms a key component of the overall risk management plan. The PMBOK refers to a risk response strategy which is undertaken by a project team or manager. This plan aims to decrease the probability of a risk occurring, and/or lessening the consequence or impact of a risk (PMI 2021). As outlined in previous chapters, there are numerous steps that make up the risk response plan, including identifying, evaluating and analysing risks, and creating treatment plans. However, the overarching aim of each of these steps is to decrease the levels of exposure or likelihood of a risk and its overall consequence.
Information collected and documented within the risk register is used to develop a risk response plan. Each identified risk and opportunity is outlined, along with the level of likelihood and consequence and the project risk tolerance threshold. Understanding this information, the project manager and project team are responsible for determining appropriate risk responses.
Treatment options need to be developed and actions need to be implemented to enhance opportunities and decrease the impact of risks on project objectives. Therefore, a response plan fits within the project plan and outlines actions required. This plan increases the likelihood and outcome of the identified opportunities, while decreasing the impacts of risks.
The response plan is a strategy used to consider proactive actions, whereby risk responses are about preventing risk rather than cancelling the project all together. Within the PMBOK, there are 2 types of risk response plans: contingency and mitigation.
Contingency plan
The contingency response plan outlines the responses and actions to be implemented if or when a risk occurs (Heimann 2000). Triggers are defined as the cues to execute contingency risk plans. It is mandatory to track and define the risk triggers to develop the risk contingency responses. As different triggers occur in the environment, the reserves can be used.
Both opportunities and risks should be planned for within contingency plans (Heimann 2000). This includes any event which poses a risk or a threat to the project – defined as a negative risk. Whereas any event which offers an opportunity for the project is defined as a positive risk. Across both these events, the response planning is in place to ensure that the most is made out of any opportunity and to provide a strategy to respond to and overcome risks.
Steps for creating the contingency plan:
- Identify specific events which could trigger the implementation of the contingency plan.
- Document the roles and responsibilities, timeframes or processes, where the plan occurs and how it will be implemented.
- Outline guidelines to report and communicate processes. Document how stakeholders will be engaged, who will send the information, how frequently, and how soon after risks occur the communication needs to be shared.
- Monitor and report the contingency plan, ensuring it is up-to-date with all potential risks.
There are 6 primary components of a contingency plan:
- Triggers: the ‘things’ that happen which require the implementation of the plan.
- Response plan: outlines what will be done in response to the trigger.
- Stakeholder engagement: sharing the risk occurrence and the implementation of the plan with key or primary stakeholders.
- Timeframes: consideration of how soon after the trigger or the risk a response action will be taken.
- Likelihood: how likely it is it that the risk will occur.
- Consequence: the level of consequence or effect of the risk occurring.
A primary tool that can be used to develop a contingency plan is the reserve or contingency budget and schedule analysis. This tool assists the project manager and team to determine how much contingency is required for both budget and schedule, based on the risk register. The contingency or reserve is used to respond to risks as they occur. The project manager and team need to ensure that the remaining contingency (both budget and schedule) are sufficient throughout the project life cycle. Where there is less contingency left compared to the number of risks, the project risk manager may need to seek additional funding and/or resources or complete a mitigation plan.
Implementing a contingency plan requires effective project management to ensure that all the strategies, risks and deliverables are managed appropriately. This includes the role of the project team members, who need to be aware of the risks within the register. They need to be entrusted to respond when needed and be empowered to implement strategies. In addition, the project team needs to be comfortable with the overarching risk management process, ensuring that they are comfortable developing risk mitigation and implementing contingency plans when identified risks occur. The project manager also needs to hold project team meetings frequently and encourage the project team members to be involved.
There are 4 common challenges that project managers and project teams face when trying to use contingency planning for risks:
- low priority given to risk contingency planning
- project team and stakeholders may be more confident in their original plan
- there are no clear organisational strategies in place for enterprise risk management
- not enough investment in risk identification.
Risk mitigation plans
The risk mitigation plan outlines actions to be taken in advance of a risk occurring or pre-emptively in response to a risk trigger occurring (Becker 2004). The process for creating the risk mitigation plan includes identifying, analysing, planning, implementing, and monitoring and controlling, as outlined in Figure 5. A primary component of the mitigation process is an iterative risk management process.
Figure 5. Risk mitigation plan process, by Carmen Reaiche, Samantha Papavasiliou and Frank Anglani, licensed under CC BY (Attribution) 4.0
- Risk identification: potential risks are identified and their relationships are defined.
- Risk analysis and evaluation: the likelihoods and consequences of risks are assessed. Consequences can include budget, schedule, technical, performance impacts and functionality.
- Risk prioritisation: all identified risks are prioritised and ranked by the most critical to the least.
- Risk mitigation planning, implementation, and monitoring and controlling: risks that have been analysed and ranked as high or medium criticality have mitigation planning conducted.
- Risk tracking: throughout the project, the risks are identified and added to the register.
As outlined in the previous chapter, there are many options for responding to the specific risks within the mitigation process, including accepting, avoiding, controlling, transferring, monitoring and watching risks.
Mitigation plan content should include:
- Roles and responsibilities: this includes documenting who is responsible for identifying and implementing risks.
- High-level mitigation strategies: the aim of creating and developing strategies is to reduce consequence and likelihood.
- Actions and next steps: these need to be identified, based on these primary questions:
- What are the necessary actions?
- What timeframes need to be followed (e.g., when must actions be finalised or implemented)?
- Who is responsible for taking actions?
- What are the necessary resources?
- How will the actions decrease the levels of likelihood and consequence for the potential risks if they were to occur?
The actions required should be completed through one of the processes below:
- Backward planning: this is the process of evaluating the impact of the risk and outlining a schedule for successful intervention (Becker 2004).
- Forward planning: this is the process of determining the schedule breakdown required to implement each step within the action plan, including the expected completion date (Becker 2004).
These processes will help to evaluate the primary decision points to determine when the project risk process needs to move from the mitigation plan to the contingency plan.
Similarities and differences: mitigation versus contingency plans
It is recommended to have both risk contingency and mitigation response plans in place for managing risk management processes within a project and organisation. There are numerous differences which are outlined in Table 15.
Table 15. Risk mitigation versus risk contingency plans
Risk Mitigation Plan | Risk Contingency Plan |
Actions identified to respond to a potential risk occurring, a risk trigger occurring and/or regardless of risk occurrence. | Actions are planned and conditions are monitored for those that could trigger a risk. Actions are taken when warning signs are identified. |
Time and money are spent in advance for a specific risk condition. | Time and money are not spent in advance, but money is set aside to use when or as needed. |
Risk mitigation occurs outside risk thresholds. Applying a mitigation plan can reduce the risk likelihood and consequence. | Contingency plan does not change the likelihood or consequence of risk – the aim is to control the consequence for a risk event that could occur. |
Used as the initial level of defence for high exposure risks. | Used as a fallback plan for high exposure risks. |
In specific situations a proactive action plan is required to reduce the likelihood and consequence of risks. The plan is about supporting the contingency plan. | The contingency reserve is documented in the project management plan to support the budget and/or schedule risk. |
There are numerous factors which need to be considered as part of risk mitigation and contingency plans (Becker 2004), including:
- Understanding clients and stakeholder needs: who are the risk decision-makers and who has the authority to accept and avoid risks?
- Liaising with subject matter experts: seek input from experts inside and outside of the organisation.
- Recognising the chance of risks reoccurring: identify and maintain risk awareness, to ensure that all stakeholders understand that there is always a level of risk present.
- Encouraging risk-taking: there are consequences to not taking risks – some may be negative, others may be positive. There is a need to take some risks to identify and respond to opportunities.
- Recognising opportunities: there are opportunities that can arise from taking risks. Identify whether there is an advantage to taking risks (e.g., performance, capability, flexibility, efficiency).
- Encouraging deliberate consideration for mitigation or treatment options: there needs to be careful analysis of the options to mitigate risks and discussion with project teams, stakeholders and subject matter experts on the value of specific options.
- Not all risks require mitigation: low ranked risks do not require considerable mitigation planning; however, they need to be tracked, monitored and controlled in case of changes.
The post-project review should include the risk management process, including learnings from the project, an analysis of how the project went, an evaluation of what occurred during the project, whether there needs to be improvements, and what went well.
Monitoring and controlling process
Developing the risk response plans (including contingency and mitigation plans), requires developing and implementing a corresponding monitoring and controlling process. In risk management, a monitoring and controlling process is ongoing throughout the project life cycle. This involves developing processes which document information, which in turn assists with making informed decisions, either before, during or after a risk occurrence. These processes include:
- evaluating the risk response plans implemented
- assessing effectiveness of the actions taken
- ongoing environmental monitoring for potential risk triggers
- reassessing identified risks to examine if there are any changes in their exposure levels
- once a risk has been triggered and a response action taken, determining the residual risks
- creating assurance processes to ensure that policies and procedures associated with risk plans are used
- determining the validity of the contingency plans implemented or not used
- accounting for project scope, schedule, budget and quality changes that may have been approved throughout the project life cycle
- ongoing assessment of whether the project assumptions, constraints, and risks are valid.
There are 2 primary elements within the process for controlling risks within a project:
- Regular risk reviews. At least once a week, the project manager and team should allocate time to review the identified risks, identify new risks and monitor progress of all the risks which have been triggered or up/down graded. This process should include a periodic, in-detail review of the entire process and risk register.
- Project risk reporting. This involves ensuring that risk exposure levels are documented, with high likelihood and consequence risks documented within ongoing status reporting. At a minimum, the top 10 risks should be outlined within the status and performance reporting. This includes any actions taken to respond to a risk arising or a trigger occurring.
The monitoring and controlling process occurs throughout the project life cycle; however, there are some primary documents which are used to support the process. These include:
- Risk response plan: outlines the current state of risks, the potential future impacts if the risk was to occur and the responses required.
- Risk register: used for tracking project risks.
- Change requests: a log which includes the variations, change orders and changes implemented throughout the project.
- Project communications: all the communications that relate to managing the project and the corresponding risks.
- Post project review: understanding the effectiveness of the project risk responses and overall management process within the project. This includes identifying opportunities for improvement.
Tools for project risk monitoring and controlling
There are many tools which can be used to support monitoring and controlling in the project risk management space. The tools can be either manual or automated. These tools include project risk audits, status reporting and meetings, project risk assessments, change variance, and risk trend analysis.
These processes can be run manually or streamlined to be automated, depending on the size of the project, the complexity and the industry. Regardless of how the monitoring and controlling is completed, the information needs to be collected and displayed in real-time or as close to real-time. This enables project managers, project team members and stakeholders to track risks, and allows the assessment of risk, based on up-to-date information.
Now let’s review our knowledge:
Key Takeaways
- The monitoring and controlling process occurs throughout the project life cycle.
- Information collected and documented within the risk register is used to develop a risk response plan.
- The contingency response plan outlines the responses and actions to be implemented if or when a risk occurs.
- A primary tool that can be used to support the development of contingency plans is the reserve or contingency budget and schedule analysis.
References
Becker GM (2004) ‘A practical risk management approach’, paper presented at PMI® Global Congress 2004—North America, Anaheim, CA., Project Management Institute, Newtown Square, PA.
Heimann JF (2000) ‘Contingency planning as a necessity’, paper presented at Project Management Institute Annual Seminars & Symposium, Houston, TX., Project Management Institute, Newtown Square, PA.
Project Management Institute (2021) A guide to the project management body of knowledge (PMBOK® Guide), 7th edn, Project Management Institute, Newtown Square, PA.