The document discusses various strategies for responding to negative risks or threats in projects. It defines negative risks as conditions, situations or circumstances that can have a potential negative impact on project objectives. The main strategies discussed are risk avoidance, risk transference, risk mitigation, and risk acceptance.
Risk avoidance aims to eliminate threats entirely by countering vulnerabilities or removing assets from harm. Risk transference involves shifting the impact of a threat to a third party through insurance, contracts, or other agreements. Risk mitigation seeks to reduce the probability or impact of risks through contingency planning or other means. Finally, risk acceptance acknowledges risks and decides whether to passively accept consequences or actively develop contingency plans.
5. Negative Risk
Negative risks or threats are unfavorable conditions, situations, circumstances or risks that can have potential negative impact on project objectives if they materialize.
From PROJECT MANAGEMENT LEXICON
7. Risk Avoidance
Risk avoidance is a risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact. - PMBOK® Guide Fifth Edition
• This is the most preferred risk control strategy as it seeks to avoid risks/threats entirely.(1)
• Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.(2)
1. http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
2. Risk Management Vs Risk Avoidance, presentation by William Gillette
8. Example of Risk Avoidance
Any changes in the project ecosystem during the execution phase. No project manager likes to handle such changes. So avoid them.
However, avoiding risk in real life scenarios is very rare.
https://pmpguide.wordpress.com/2011/07/22/get-it-right-concept-3-different-risk-response-strategies/
9. Methods of risk avoidance
• Avoidance through application of policy.
• Avoidance through application of training and education.
• Avoidance through application of technology.
Risk Management Vs Risk Avoidance, presentation by William Gillette
10. Avoidance through application of policy
This mandates that procedure must be followed when dealing with a sensitive asset.
◦ Example: requiring randomly assigned passwords to access sensitive assets like customer databases.
Risk Management Vs Risk Avoidance, presentation by William Gillette
11. Avoidance through application of training and education
• New policies must be communicated to employees.
• General security awareness issues.
• Awareness, education, and training are essential if employees are to exhibit safe controlled behavior.
Risk Management Vs Risk Avoidance, presentation by William Gillette
12. Avoidance through application of technology
• The use of countermeasures to reduce or eliminate the exposure of a particular asset to a specific threat.
• Implementing safeguards to deflect attacks on systems and therefore minimize the probability that an attack will be successful.
Risk Management Vs Risk Avoidance, presentation by William Gillette
13. Risk Transference
Risk transference is a risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response. – PMBOK® Guide Fifth Edition
RC_Guide_RiskTransferStrategytoHelpProtectYou+Business_CNA.pdf
CNA Financial Corporation is a financial corporation based in Chicago, United States
Continental National American Group
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
14. CNA
Risk transfer is a risk management and control strategy that involves the contractual shifting of a pure risk from one party to another.
• Insurance (risk transfer is most often accomplished through an insurance policy)
• Contracts (risk transfer can also be accomplished through non-insurance agreements such as contracts)
• Certificates of Insurance
A certificate of insurance is a form issued by an insurer or agent that lists the coverage(s), expiration date(s) and limits of the insured's coverage(s). It includes important information about such coverage, including policy number, policy limits, insurer, agent, coverage period and name of the insured.
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
15. How to Employ Risk Transfer as a Strategy for Protection
• Certificates of Insurance
• Additional Insured Status
• Contracts You Ask Others to Sign
• Contracts That Others Ask You to Sign
• Record Keeping
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
16. Example of Risk Transfer
E.g. outsourcing is the classic example of transferring the risk.
However, no risk can be 100% transferred to a third party.
If the vendor fails to deliver the solution, the project manager from the client organization can sue the vendor and put monetary penalties on the vendor as per the contract, but the client still has to bear the consequences of the absence of the desired system. So in the ‘Transfer’ scenario as well, the project manager from the outsourcing side should do active risk management.
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
17. Risk Mitigation
Risk mitigation is a risk response strategy whereby the project team acts to reduce the probability of occurrence or impact of a risk. – PMBOK® Guide Fifth Edition
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
18. Mitigate probability
Lower the chance of the risk occurring. The project manager should try to mitigate the probability of the risk if it can’t be completely avoided.
E.g. changes during the execution phase of the project. In an ideal world, this risk should be avoided as we saw above. However, that never happens in real life scenarios, hence the project manager should strive to mitigate the probability of changes during the execution phase. How? Either foresee all the requirements and elicit them before the execution phase or apply strict change control measures.
https://pmpguide.wordpress.com/2011/07/22/get-it-right-concept-3-different-risk-response-strategies/
19. Mitigate impact
Assuming the risk still occurs, the project manager should look to lower the impact of the risk on the project.
E.g. in the same example of changes during the execution phase of the project, the project manager should build a strategy to keep the impact of changes as minimal as can be. How? Create a design flexible enough to adapt to the changes or build reusable code.
https://pmpguide.wordpress.com/2011/07/22/get-it-right-concept-3-different-risk-response-strategies/
20. Risk Acceptance
Risk acceptance is a risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs. – PMBOK® Guide Fifth Edition
There are primarily two types of risk acceptance:
1. Passive Acceptance
2. Active Acceptance
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
21. Risk Acceptance
If the servers are in a permanent test environment, it is good, but if they are to be deployed to a production environment, the risks will no longer be acceptable. This is why one should think twice before using the risk acceptance option this way.
https://blog.outpost24.com/2014/02/20/risk-acceptance/
22. Example of Risk Acceptance
E.g. market conditions, change in government policies, change in organization policies of a client.
Let’s say the client decides to stop outsourcing and build in-house capabilities. This leads to another risk of ‘lowered revenue levels for your org’.
Another example is the ‘unfinished’ touch to short-lived applications, e.g. data transfer utilities. Since these are used by few users and for a shorter duration, one need not go for a fancy UI. The risk of a not so good user experience is accepted.
https://pmpguide.wordpress.com/2011/07/22/get-it-right-concept-3-different-risk-response-strategies/
23. Passive Acceptance
Passive acceptance is a risk response technique employed when the risk cannot be avoided/mitigated in any way and the project team must accept the consequences of the risk when it materializes without an adequate response strategy.(1)
In this we find workarounds.(2)
1. http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
2. http://www.slideshare.net/aleemhabib7/project-risk-management-pmbok-5
24. Active Acceptance
Active acceptance is a risk response technique employed when the risk cannot be avoided/mitigated in any way and the project team must accept the consequences of the risk by developing contingency plans or reserve to put in action when the risk materializes.
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
25. Active Acceptance
• Contingency plan
• Fallback plan
For example: setting aside contingency to offset the effect of the risk.(2)
1. http://www.slideshare.net/aleemhabib7/project-risk-management-pmbok-5
2. https://pmpsnacks.wordpress.com/2011/07/02/be-careful-5-risk-acceptance-active-vs-passive/
26. Example for Active & Passive
The software that was purchased for the project will be defective. There is a probability of 2 percent that this will occur.
The CD the software is delivered on will not work and will have to be replaced with a new CD. This causes a delay of five days to a task that has twenty-five days of free float.
Passive acceptance will probably be used in dealing with this risk.
http://www.projectmanagementlexicon.com/topics/strategies-for-negative-risks-threats/
27. Active and Passive Acceptance Comparison
One simple way to remember this: remember disaster movies like “Titanic”, “Armageddon” or “2012”.
There are always those characters in the movie who just accept that they are going to die, and of course there are the heroes who take some action to get out alive. Think of the former as “Passive Acceptance” and the heroes as “Active Acceptance”.
https://pmpsnacks.wordpress.com/2011/07/02/be-careful-5-risk-acceptance-active-vs-passive/
28. Risk Acceptance
It should be possible to accept risks in different ways:
• A conditional accept
• A time-based accept
• An indefinite accept
https://blog.outpost24.com/2014/02/20/risk-acceptance/
29. Example of the conditional risk
An example of the conditional risk acceptance can be that a web application firewall should be in place. This should be marked as a time-based acceptance to ensure that the compensating control is still in place and is still effective.
https://blog.outpost24.com/2014/02/20/risk-acceptance/
30. Time based acceptance
The time-based acceptance is the number one most commonly used form of risk acceptance, and it is based on the very common statement that something will be fixed “soon”.
https://blog.outpost24.com/2014/02/20/risk-acceptance/
31. Time based acceptance Example
For example, it may not be possible to patch now, but 3 months from now the systems will be updated. This risk should be set to accepted, but only for 3 months. After that, it is important to follow up on the risk as if it is a new risk.
https://blog.outpost24.com/2014/02/20/risk-acceptance/
32. Indefinite accept
The indefinite accept should be used carefully, only when there is a business justification.
For example, for risks where the tool sets up a fulfilled condition for its report, or where the conditional state is known to be permanent.
https://blog.outpost24.com/2014/02/20/risk-acceptance/
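The three acceptance types from slides 28 to 32, as an added example that is not part of the original slides or of any tool they cite: a small review function that decides whether each accepted risk is still accepted or must be followed up as a new risk. The record fields, finding names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Acceptance:              # hypothetical record layout, not from the slides
    finding: str
    kind: str                  # "conditional", "time-based" or "indefinite"
    expires: Optional[date] = None
    control: str = ""          # compensating control (conditional accept)
    control_verified: bool = False
    justification: str = ""    # business justification (indefinite accept)

def status(a: Acceptance, today: date) -> str:
    """Return 'accepted' or 'reopen: <reason>' for one acceptance record."""
    if a.kind == "indefinite":
        # Slide 32: only valid with a business justification.
        if a.justification.strip():
            return "accepted"
        return "reopen: indefinite accept without business justification"
    if a.kind not in ("conditional", "time-based"):
        return "reopen: unknown acceptance type"
    # Slides 29 and 31: conditional accepts are also time-boxed.
    if a.expires is None:
        return "reopen: no expiry date set"
    if today > a.expires:
        return "reopen: acceptance expired, treat as a new risk"
    if a.kind == "conditional" and not (a.control and a.control_verified):
        return "reopen: compensating control not verified"
    return "accepted"

def review(register, today: date) -> dict:
    """Map each finding to its current status."""
    return {a.finding: status(a, today) for a in register}

# Constructed sample register.
REGISTER = [
    Acceptance("missing patch on app server", "time-based",
               expires=date(2024, 4, 1)),          # accepted for 3 months
    Acceptance("web application finding", "conditional",
               expires=date(2024, 6, 30),
               control="web application firewall", control_verified=True),
    Acceptance("scanner banner finding", "indefinite"),
    Acceptance("lab-only host", "indefinite",
               justification="permanent test environment"),
]

if __name__ == "__main__":
    for finding, result in review(REGISTER, date(2024, 5, 1)).items():
        print(f"{finding}: {result}")
```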
35. “Smoking can cause cancer”
ACCEPT: At the onset of the smoking habit, you accept the risk.
TRANSFER: When you get conscious of its hazards, you buy insurance cover to ease the medical cost.
MITIGATE: When negative consequences of smoking start appearing, you tend to reduce the intake.
AVOID: On the arrival of the doctor’s warning that you have crossed the threshold and life is at risk, you jump on the ‘avoid’ strategy.
http://www.projectmanagementlexicon.com/topics/ by Saket Bansel
36. Questionnaire
You are working on a road construction project and you realized that the proposed road is passing through disputed land, and because of this dispute you have a risk of not getting the approval from authorities on time. You discussed this problem with your stakeholders and got them to agree to change the path of the road in such a way that this area is now not covered in your project scope.
Which risk response strategy is applied here?
A. Avoid
B. Accept
C. Mitigate
D. Transfer
www.Forum.izenbridge.com