Planning of risk responses is a subsidiary process of generating risk treatment options and actions to use existing opportunities and reduce threats to project objectives. The risk responses planning process uses information gathered and obtained during risk estimation (Quantitative risk analysis and Quantitative risk analysis). The process is managed by the risk response owner who is responsible for addressing the identified risks by risk priority and rate. The risk response owner uses the risk register and the risk management plan to develop a strategy or a mix of strategies for planning risk responses. The primary idea of such a strategy is to develop an action plan which allows dealing with both potentially positive and negative impacts on project objectives. Positive and negative impacts will be investigated and an expert risk treatment judgment will be given.
Realization of the risk response planning strategy is undertaken by means of a detailed action plan that includes risk treatment procedures and methods. The purpose of the risk treatment action plan is to determine what actions can be taken in response to the identified risks in order to remove or mitigate the overall risk exposure. Unless the risk treatment action plan is not fulfilled, the risk analysis and assessment process (including risk identification and risk description) are general sources for developing this plan. Risk treatment allows converting the earlier project risk analyses into substantive actions to mitigate the identified risks.
The risk treatment action plan consists of procedures that involve:
- Choosing ways to reduce the probability or consequences of each prioritized risk (Extreme, High or Medium risk).
- Defining potential benefits and costs of the chosen ways.
- Developing and implementing detailed action plans for each prioritized risk to reduce the risk.
Upon successful implementation of the risk response planning strategy, the risk response owner suggests appropriate responses to be agreed upon and included in the risk register. Then the risk register will be updated and the following components of this document will be created or modified:
- The identified risks, their descriptions, prioritized lists of project risks, and affected areas of the project.
- The risk owner and his responsibilities.
- The response strategy and risk treatment actions to implement the chosen responses.
- The budget and schedule activities for the strategy.
- Contingency plans for execution of the budget and schedule.
- Secondary risks that may result from implementation of the responses.
The updated and modified risk register is used to make decisions on updating some elements of project management plan, including schedules (schedule management plan), cost (cost management plan), procurement (procurement management plan), quality (quality management plan), staff structure (staffing management plan), and performance (performance management plan). The updated risk register is also used to control change in technical documentation, records and logs.