Develop Risk Mitigation Plans

A critical component of a risk mitigation plan is to develop alternative courses of action, workarounds, and fallback positions, with a recommended course of action for each critical risk. The risk mitigation plan for a given risk includes techniques and methods used to avoid, reduce, and control the probability of occurrence of the risk, the extent of damage incurred should the risk occur (sometimes called a “contingency plan”), or both. Risks are monitored and when they exceed the established thresholds, the risk mitigation plans are deployed to return the impacted effort to an acceptable risk level. If the risk cannot be mitigated, a contingency plan may be invoked. Both risk mitigation and contingency plans are often generated only for selected risks where the consequences of the risks are determined to be high or unacceptable; other risks may be accepted and simply monitored.

Options for handling risks typically include alternatives such as:

• Risk avoidance: Changing or lowering requirements while still meeting the user’s needs
• Risk control: Taking active steps to minimize risks
• Risk transfer: Reallocating design requirements to lower the risks
• Risk monitoring: Watching and periodically reevaluating the risk for changes to the assigned risk parameters
• Risk acceptance: Acknowledgment of risk but not taking any action

Often, especially for high risks, more than one approach to handling a risk should be generated.

In many cases, risks will be accepted or watched. Risk acceptance is usually done when the risk is judged too low for formal mitigation, or when there appears to be no viable way to reduce the risk. If a risk is accepted, the rationale for this decision should be documented. Risks are watched when there is an objectively defined, verifiable, and documented threshold of performance, time, or risk exposure (the combination of likelihood and consequence) that will trigger risk mitigation planning or invoke a contingency plan if it is needed.

Adequate consideration should be given early to technology demonstrations, models, simulations, and prototypes as part of risk mitigation planning prioritization are sometimes called “risk assessment” or “risk analysis.”

• Determine the levels and thresholds that define when a risk becomes unacceptable and triggers the execution of a risk mitigation plan or a contingency plan.

  Risk level (derived using a risk model) is a measure combining the uncertainty of reaching an objective with the consequences of failing to reach the objective.

  Risk levels and thresholds that bound planned or acceptable performance must be clearly understood and defined to provide a means with which risk can be understood. Proper categorization of risk is essential for ensuring both appropriate priority, based on severity and the associated management response. There may be multiple thresholds employed to initiate varying levels of management response. Typically, thresholds for the execution of risk mitigation plans are set to engage before the execution of contingency plans.

• Identify the person or group responsible for addressing each risk.
• Determine the cost-to-benefit ratio of implementing the risk mitigation plan for each risk. Risk mitigation activities should be examined for the benefits they provide versus the resources they will expend. Just like any other design activity, alternative plans may need to be developed and the costs and benefits of each alternative are assessed. The most appropriate plan is then selected for implementation. At times the risk may be significant and the benefits small, but the risk must be mitigated to reduce the probability of incurring unacceptable consequences.
• Develop an overall risk mitigation plan for the project to orchestrate the implementation of the individual risk mitigation and contingency plans.

  The complete set of risk mitigation plans may not be affordable. A tradeoff analysis should be performed to prioritize the risk mitigation plans for implementation.

• Develop contingency plans for selected critical risks in the event their impacts are realized.

  Risk mitigation plans are developed and implemented as needed to proactively reduce risks before they become problems. Despite best efforts, some risks may be unavoidable and will become problems that impact the project. Contingency plans can be developed for critical risks to describe the actions a project may take to deal with the occurrence of this impact. The intent is to define a proactive plan for handling the risk, either to reduce the risk (mitigation) or respond to the risk (contingency), but in either event to manage the risk.

  Some risk management literature may consider contingency plans a synonym or subset of risk mitigation plans. These plans also may be addressed together as risk-handling or risk action plans.