When projects are complex, project disruptions can be frequent and their consequences severe and costly. No project can be protected from every natural disaster or systemic vulnerability, but organizations can identify the risks that may negatively impact the achievement of project objectives and create a risk-mitigation plan to counter these risks. A risk-mitigation plan consists of one or more of four risk-mitigation strategies: risk avoidance, risk acceptance, risk mitigation and risk transfer.
A vulnerability is a diminished ability to cope with or recover from a threat, such as the disclosure of private information stored on a network. If a risk is associated with a core project process, such as processing invoices, it’s difficult to avoid or prevent the exploitation of a vulnerability, such as the failure to implement particular system security features. In this case, if the risk level is high, it’s worthwhile to consider a risk-avoidance strategy. For example, a company might engage in an alternate activity to avoid the risk, such as contracting with a third party to process invoices. Risk avoidance eliminates a threat, bringing the probability of its occurrence to zero.
If the impact of a risk is sufficiently low or the probability of the risk occurrence is low, but the cost of risk mitigation is relatively high, you might accept the possible outcome of the exploitation of the risk rather than take action to avoid or mitigate the risk. For example, you might set aside funds to respond to the effects of the risk, such as the failure of the primary data storage devices and media that contain customer information needed to print invoices. You would also create a contingency plan to minimize the risk's after effects by a requirement to contract for offline storage at an off-site location.
You mitigate risk by preventing its occurrence or limiting its impact. In the latter case, you implement controls to manage the risk by reducing its effects. For example, a project might accept the risk that a team member may become ill but contract with a third party to provide support personnel to ensure a project team will be fully staffed to avoid the cost of project delays. Other examples of risk mitigation include a disaster-recovery plan, an incident-response plan and a business-continuity plan.
In some cases, it's best to transfer the financial consequences of a risk to a third party, such as an insurance company. You might also transfer risk by delegating the performance of an activity to a third party. For example, you might have risk-laden processes, such as purchasing and payroll, performed by another company that considers this activity a core business process.