HKSM

Response options to address negative risks, typically avoid, transfer, mitigate, accept, or escalate. The selected strategy depends on exposure, feasibility, authority, and cost-benefit, and is implemented through specific actions and owners.

Key Points

• Applies to negative risks (threats) affecting objectives; opportunities use different strategies.
• Common options: avoid, transfer, mitigate, accept, and escalate, chosen based on exposure and control.
• Accept can be active (with contingency and triggers) or passive (no immediate action).
• Transfer shifts ownership to a third party via contracts, insurance, or warranties.
• Mitigate lowers probability and/or impact through preventive actions and design changes.
• Avoid removes the threat by changing scope, approach, technology, or timing.
• Every response must consider residual and secondary risks and may require reserves.

Purpose of Analysis

• Choose the most effective and economical way to reduce threat exposure.
• Align responses with stakeholder risk appetite, thresholds, and governance.
• Define clear actions, owners, and timing to implement risk responses.
• Estimate and justify needed cost and schedule reserves for remaining risk.

Method Steps

• Clarify the threat: cause, event, effect, and when it could occur.
• Assess exposure using qualitative and, if needed, quantitative analysis.
• Check authority and boundaries to decide if escalation is required.
• Brainstorm feasible responses for avoid, transfer, mitigate, and accept.
• Evaluate options using cost-benefit, practicality, lead time, and side effects.
• Select the primary strategy (and backups) and define specific actions.
• Assign a risk owner, action owners, due dates, and success criteria.
• Identify triggers, residual and secondary risks, and needed reserves.
• Integrate actions into plans, budgets, and contracts as applicable.
• Monitor effectiveness and adjust during periodic risk reviews.

Inputs Needed

• Risk register/log with causes, assessments, and prioritization.
• Risk appetite, tolerance, and thresholds from governance or stakeholders.
• Qualitative and quantitative risk analysis results (e.g., probability-impact ratings, simulations).
• Scope, schedule, and cost baselines; constraints and assumptions.
• Procurement strategy, contract types, market data, and insurance options.
• Lessons learned and historical response performance data.

Outputs Produced

• Selected threat response strategies with actionable tasks and owners.
• Updates to the risk register, including residual and secondary risks.
• Contingency and management reserve recommendations and justifications.
• Change requests to scope, schedule, cost, or procurement documents.
• Defined triggers, fallback plans, and monitoring approach.

Interpretation Tips

• Use avoid when a design or scope change can eliminate the cause at reasonable cost.
• Use transfer when a capable third party can better bear or control the threat.
• Use mitigate when practical preventive actions can meaningfully reduce exposure.
• Use accept when the threat is minor, not cost-effective to treat, or unavoidable; set triggers.
• Escalate only when the risk sits outside the team’s authority or at a higher organizational level.
• Combine strategies if helpful (e.g., mitigate then transfer) and revisit after implementation.

Example

A high-risk component may face delivery delays. Options include changing the design to remove that component (avoid), negotiating a fixed-price contract with liquidated damages or using a specialized logistics firm (transfer), qualifying a second supplier and adding schedule buffer (mitigate), or monitoring with a contingency plan if the delay is acceptable (accept). If supplier selection is controlled by a corporate function, escalate to that body for action.

Pitfalls

• Defaulting to mitigate for every threat without comparing alternatives.
• Choosing a strategy without estimating cost, lead time, or operational impact.
• Failing to define triggers, owners, and due dates for accepted threats.
• Ignoring secondary risks introduced by the chosen response.
• Underfunding reserves or not updating baselines and contracts.
• Escalating risks that could be handled within the team’s authority.

PMP Example Question

A key supplier may miss a critical delivery. The project team can redesign to use a standard part, buy schedule insurance, add a second supplier and buffer, or monitor with a contingency plan. Which response best represents transfer?

1. Redesign to eliminate dependence on the supplier.
2. Purchase insurance to cover delay costs.
3. Qualify a backup supplier and add schedule buffer.
4. Monitor the risk and prepare a contingency plan.

Correct Answer: B — Purchase insurance to cover delay costs.

Explanation: Transfer shifts the financial exposure to a third party, such as an insurer or through contract terms. The other options represent avoid, mitigate, and accept, respectively.