Lesson 4

MITIGATION AND CONTINGENCY RISK PLAN

A risk response strategy outlines both the mitigation and contingency risk

plans and forms a key component of the overall risk management plan. The

PMBOK refers to a risk response strategy which is undertaken by a project

team or manager. This plan aims to decrease the probability of a risk

occurring, and/or lessening the consequence or impact of a risk (PMI 2021).

There are numerous steps that make up the risk response plan, including

identifying, evaluating and analysing risks, and creating treatment plans.

However, the overarching aim of each of these steps is to decrease the

levels of exposure or likelihood of a risk and its overall consequence.

 Information collected and documented within the risk register is used to
develop a risk response plan. Each identified risk and opportunity is outlined,
along with the level of likelihood and consequence and the project risk
tolerance threshold. Understanding this information, the project manager and
project team are responsible for determining appropriate risk responses.
Treatment options need to be developed and actions need to be implemented
to enhance opportunities and decrease the impact of risks on project
objectives.

 Therefore, a response plan fits within the project plan and outlines actions
required. This plan increases the likelihood and outcome of the identified
opportunities, while decreasing the impacts of risks. The response plan is a
strategy used to consider proactive actions, whereby risk responses are about
preventing risk rather than cancelling the project all together. Within the
PMBOK, there are 2 types of risk response plans: contingency and mitigation.
 Contingency plan The contingency response plan outlines the responses
and actions to be implemented if or when a risk occurs (Heimann 2000).
Triggers are defined as the cues to execute contingency risk plans.

 It is mandatory to track and define the risk triggers to develop the risk
contingency responses. As different triggers occur in the environment,
the reserves can be used. Both opportunities and risks should be
planned for within contingency plans (Heimann 2000). This includes any
event which poses a risk or a threat to the project – defined as a
negative risk. Whereas any event which offers an opportunity for the
project is defined as a positive risk. Across both these events, the
response planning is in place to ensure that the most is made out of any
opportunity and to provide a strategy to respond to and overcome risks.
 Steps for creating the contingency plan:

1. Identify specific events which could trigger the implementation of the

contingency plan.

2. Document the roles and responsibilities, timeframes or processes, where

the plan occurs and how it will be implemented.

3. Outline guidelines to report and communicate processes. Document how

stakeholders will be engaged, who will send the information, how
frequently, and how soon after risks occur the communication needs to be
shared.

4. Monitor and report the contingency plan, ensuring it is up-to-date with all
potential risks.
 There are 6 primary components of a contingency plan:

1. Triggers: the ‘things’ that happen which require the implementation of

the contingency plan.

2. Response plan: outlines what will be done in response to the trigger.

3. Stakeholder engagement: sharing the risk occurrence and the

implementation of the plan with key or primary stakeholders.

4. Timeframes: consideration of how soon after the trigger or the risk a

response action will be taken.

5. Likelihood: how likely it is it that the risk will occur.

6. Consequence: the level of consequence or effect of the risk occurring.

 A primary tool that can be used to develop a contingency plan is the
reserve or contingency budget and schedule analysis. This tool assists
the project manager and team to determine how much contingency is
required for both budget and schedule, based on the risk register. The
contingency or reserve is used to respond to risks as they occur. The
project manager and team need to ensure that the remaining
contingency (both budget and schedule) are sufficient throughout the
project life cycle.

 Where there is less contingency left compared to the number of risks,

the project risk manager may need to seek additional funding and/or
resources or complete a mitigation plan. Implementing a contingency
plan requires effective project management to ensure that all the
strategies, risks and deliverables are managed appropriately. This
includes the role of the project team members, who need to be aware of
the risks within the register.
They need to be entrusted to respond when needed and be empowered to
implement strategies. In addition, the project team needs to be comfortable with
the overarching risk management process, ensuring that they are comfortable
developing risk mitigation and implementing contingency plans when identified
risks occur. The project manager also needs to hold project team meetings
frequently and encourage the project team members to be involved.

There are 4 common challenges that project managers and project teams
face when trying to use contingency planning for risks:

• low priority given to risk contingency planning

• project team and stakeholders may be more confident in their original plan

• there are no clear organisational strategies in place for enterprise risk

management

• not enough investment in risk identification.

 Risk mitigation plans The risk mitigation plan outlines actions to be
taken in advance of a risk occurring or pre-emptively in response to a
risk trigger occurring (Becker 2004). The process for creating the risk
mitigation plan includes identifying, analysing, planning, implementing,
and monitoring and controlling. A primary component of the mitigation
process is an iterative risk management process.
Risk mitigation plan
process:
1. Risk identification: potential risks are identified and their relationships
are defined.

2. Risk analysis and evaluation: the likelihoods and consequences of risks

are assessed. Consequencescan include budget, schedule, technical,
performance impacts and functionality.

3. Risk prioritisation: all identified risks are prioritised and ranked by the
most critical to the least.

4. Risk mitigation planning, implementation, and monitoring and

controlling: risks that have been analysed and ranked as high or medium
criticality have mitigation planning conducted.

5. Risk tracking: throughout the project, the risks are identified and added
to the register.
 Mitigation plan content should include:

• Roles and responsibilities: this includes documenting who is responsible for identifying
and implementing risks.

• High-level mitigation strategies: the aim of creating and developing strategies is to

reduce consequence and likelihood.

• Actions and next steps:

these need to be identified, based on these primary questions:

◦ What are the necessary actions?

◦ What timeframes need to be followed (e.g., when must actions be finalised or

implemented)?

◦ Who is responsible for taking actions?

◦ What are the necessary resources?

◦ How will the actions decrease the levels of likelihood and consequence for the potential
risks if they were to occur?
The actions required should be completed through one of the
processes below:

• Backward planning: this is the process of evaluating the impact of the

risk and outlining a schedule for successful intervention (Becker 2004).

• Forward planning: this is the process of determining the schedule

breakdown required to implement each step within the action plan,
including the expected completion date (Becker 2004).

These processes will help to evaluate the primary decision points to

determine when the project risk process needs to move from the mitigation
plan to the contingency plan.
Similarities and differences:

mitigation versus contingency plans It is recommended to have both risk

contingency and mitigation response plans in place for managing risk

management processes within a project and organisation. There are

numerous differences which are outlined below

There are numerous factors which need to be considered as part of risk
mitigation and contingency plans (Becker 2004), including:

• Understanding clients and stakeholder needs: who are the risk decision-
makers and who has the authority to accept and avoid risks?

• Liaising with subject matter experts: seek input from experts inside and
outside of the organisation.

• Recognising the chance of risks reoccurring: identify and maintain risk

awareness, to ensure that all stakeholders understand that there is always
a level of risk present.

• Encouraging risk-taking: there are consequences to not taking risks –

some may be negative, others may be positive. There is a need to take
some risks to identify and respond to opportunities.
• Recognising opportunities: there are opportunities that can arise from
taking risks. Identify whether there is an advantage to taking risks (e.g.,
performance, capability, flexibility, efficiency).

• Encouraging deliberate consideration for mitigation or treatment options:

there needs to be careful analysis of the options to mitigate risks and
discussion with project teams, stakeholders and subject matter experts on
the value of specific options.

• Not all risks require mitigation: low ranked risks do not require
considerable mitigation planning; however, they need to be tracked,
monitored and controlled in case of changes. The post-project review
should include the risk management process, including learnings from the
project, an analysis of how the project went, an evaluation of what occurred
during the project, whether there needs to be improvements, and what
went well.
Monitoring and controlling process

Developing the risk response plans (including contingency and mitigation

plans), requires developing and implementing a corresponding monitoring
and controlling process. In risk management, a monitoring and controlling
process is ongoing throughout the project life cycle. This involves
developing processes which document information, which in turn assists
with making informed decisions, either before, during or after a risk
occurrence.

These processes include:

• evaluating the risk response plans implemented

• assessing effectiveness of the actions taken

• ongoing environmental monitoring for potential risk triggers

• reassessing identified risks to examine if there are any changes in their
exposure levels
• once a risk has been triggered and a response action taken, determining
the residual risks
• creating assurance processes to ensure that policies and procedures
associated with risk plans are used
• determining the validity of the contingency plans implemented or not
used
• accounting for project scope, schedule, budget and quality changes that
may have been approved
throughout the project life cycle
• ongoing assessment of whether the project assumptions, constraints, and
risks are valid.
There are 2 primary elements within the process for controlling
risks within a project:

• Regular risk reviews. At least once a week, the project manager and team

should allocate time to review the identified risks, identify new risks and

monitor progress of all the risks which have been triggered or up/down

graded. This process should include a periodic, in-detail review of the entire

process and risk register.

• Project risk reporting. This involves ensuring that risk exposure levels are

documented, with high likelihood and consequence risks documented

within ongoing status reporting. At a minimum, the top 10 risks should be

outlined within the status and performance reporting. This includes any

actions taken to respond to a risk arising or a trigger occurring.

The monitoring and controlling process occurs throughout the project life cycle;
however, there are some primary documents which are used to support the process.

These include:

• Risk response plan: outlines the current state of risks, the potential future impacts
if the risk was to occur and the responses required.

• Risk register: used for tracking project risks.

• Change requests: a log which includes the variations, change orders and changes
implemented throughout the project.

• Project communications: all the communications that relate to managing the

project and the corresponding risks.

• Post project review: understanding the effectiveness of the project risk responses
and overall management process within the project. This includes identifying
opportunities for improvement.
 Tools for project risk monitoring and controlling There are many tools
which can be used to support monitoring and controlling in the project
risk management space. The tools can be either manual or automated.

 These tools include project risk audits, status reporting and meetings,
project risk assessments, change variance, and risk trend analysis.
These processes can be run manually or streamlined to be automated,
depending on the size of the project, the complexity and the industry.

 Regardless of how the monitoring and controlling is completed, the

information needs to be collected and displayed in real-time or as close
to real-time. This enables project managers, project team members and
stakeholders to track risks, and allows the assessment of risk, based on
up-to-date information.