How to Select Your Risk Responses

This is a guest article by Harry Hall from Not sure where to start with project risk management? Read this guide to getting going with project risk management and then pop back here afterwards.

Risk management is one of the core knowledge areas for project managers.

Harry Hall
Harry Hall

You’ve identified and assessed your project risks — both threats and opportunities. Now, you are planning your risk responses with your risk owners.

A risk response is the way you intend to address the risk.

Risk Response Strategies for Threats

There are a number of ways you can act when faced with a risk. If it’s a threat (i.e. something unwelcome that will happen to the project), the categories for risk response are:

  1. Avoid
  2. Transfer
  3. Reduce
  4. Accept.

You can avoid the risk happening by doing something to make it impossible for the risk to have any effect on your work.

You can transfer all or some of the threat to a third party, commonly via insurance or a risk-sharing contract with a supplier.

You can reduce the risk by taking steps to make the impact of it less, so it’s less of a problem if it does happen.

You can accept the risk and take no active steps to do anything about it, although, as the Praxis Framework points out, you might want to develop a contingency plan so you’ve got something to draw on if the risk does materialize.

Risk Response Strategies for Opportunities

Let’s say the risk is something good, that you want to make happen. These are opportunities. There are again four types of risk response:

  1. Exploit
  2. Share
  3. Enhance
  4. Reject.

Exploiting the risk is when you take advantage of a situation, like new technology being available, to make the most of the project benefit.

You can share the opportunity with a third party as an incentive to make it more likely to happen, or where you’re more likely to achieve greater benefit if you pool resources.

Enhancing the risk means doing something to make it more likely that the opportunity will happen. For example, that could be taking out advertising.

You can reject the risk i.e. do nothing. You might choose this response if it turns out to be too much effort or too expensive to take action to capitalize on the opportunity.

So, how do you select the best response when there are so many?

7 ways to mitigate risk

Decision-making can be challenging, particularly for complex events and conditions. And more so when you have several people making the decision. Stakeholders evaluate risk responses through their own biases.

While risk responses fall into several categories, your risk response plan needs to include specific measures. If you are going to reduce a risk, what exactly are you going to do? There might be two or three actions you can take to reduce the risk, so are you going to do them all or just one? And which would be the best one?

When choosing risk responses, we should consider things such as:

  • Cost of the responses
  • Impact on our project objectives
  • Time and resources required
  • Potential secondary risks.

But how can we bring this together neatly? How can we make the decision in a timely and effective manner?

Let’s look at a method you can use during the risk management process to improve your risk response selection.

risk response

How to Evaluate Risk Response Options

Here are three steps to better evaluate what risk response option you should choose.

1. Identify selection criteria

First, identify your selection criteria (three to six criterion). Get everyone evaluating the same way. We are creating a collective decision-making filter. Ideally, you’d have these documented in your risk response plan and use the same criteria throughout the project.

Read next: Decision-making tools for groups

You need to define the weightings for each criterion. Higher weights indicate greater importance. In the example below, the effectiveness of the response was the most important factor, followed by resource availability.

Cost EffectiveHow cost effective is
the response?
Resource AvailabilityHow available are the resources needed to
execute the response.
Effectiveness of the
How effective would
the response be in
managing the risk?
Ease of ExecutionHow easy will it be to execute the response?10%

2. Apply the criteria

Next, apply the criteria to your potential risk responses.

Start by rating each risk response option on a scale such as 1 to 5. For example, we rated Option A as 4 for being Cost Effective, more effective than B or C. Continue rating each option for each criterion.

Rating Scale: 1 to 5
Risk Response Options
Cost Effective20%433
Weighted Score0.80.60.6
Resource Availability30%243
Weighted Score0.61.2.09
Effectiveness of Response40%424
Weighted Score1.60.81.6
Ease of Execution10%354
Weighted Score0.30.50.4
Total Scores 100%

Calculate the weighted scores by multiplying the rating times the weight (e.g., 4 X 20% = 0.8). Finally, sum the weighted scores for each option to derive the Total Scores (e.g., 3.3 for Option A).

3. Choose the best response

Next, choose the best risk response based on the numerical outcome.

Keep in mind this method helps but it does not make the decision. There may be other variables that should be considered. Typically, the risk owner makes the final decision.

Your role at this point is to facilitate a discussion of the results. In this example, we see that Option C has the highest Total Score of 3.5, followed by A and lastly B. You would want to suggest Option C to the risk owner (or project sponsor).

Once the decision is made, document the decision in the risk response plan and take the necessary steps to implement the decision.

Your Turn

We learn through application, not just reading an article. Pick a significant risk, identify and evaluate the options, and select a risk response.

Once you have used this method once, you’ll find it easier in the future. The approach of identifying criteria, weighting them and assessing against them is a method you can use for all kinds of problem-solving and feasibility studies where there are several options.

About the Author: Harry Hall, the Project Risk Coach, is a speaker, teacher, author, and blogger. He has implemented enterprise and IT PMOs and enterprise risk management (ERM) programs in the financial, healthcare, and agricultural industries. One of Harry’s greatest joys is teaching. Harry is a graduate of the University of Georgia and is a certified PMP®, PMI-RMP®, and has an Associate in Risk Management (ARM-E). Learn more about Harry at or on social media: