top of page
  • Writer's pictureBill Holmes

Mitigate! Mitigate! Mitigate! Wait, I can do something else?? Go on….

“A ship is safe in harbor, but that’s not what ships are for.” William G.T. Shedd

Projects must move forward in the face of risk!

So what is your “Mitigation Strategy”? That may be one of the most overused questions in Project Management! Your Risk Response Strategy may include mitigation, but that is only one possible choice.

The response strategy should be built around the two components of risk:

• Probability – how likely is the event to occur

• Impact – what will happen if the event occurs

When determining the response for a specific risk, you should look at the Probability and Impact Matrix to determine what type of risk you are addressing. I don’t mean risk categories – risk categories generally refer to a logical grouping of risk for risk assessment or identification. For example – legal risk, schedule risk, cost risk, etc. I am referring to the logical distribution of risk along the matrix. The 4 broad categories and the appropriate response strategies are listed below:

• High probability, high impact (HPHI)– it probably will occur and it will be awful. You should avoid this! This is a common sense solution that is sometimes difficult to actually move through project governance. I believe this is because so many organizations are locked into a predictive model of Project Management. They believe that since so much effort went into the planning phase, that a risk of this sort should have been identified early on and planned for. This is completely counter to the notion of continual risk assessment! Poor planning is unacceptable, and risks identified in the planning phase should be avoided by modification to the plan. Once the plan is approved, risks are still continually identified and assessed (moving them from unknown to known). If a previously unknown HPHI risk is identified, the PM should be congratulated and the Project Plan modified to avoid it.

• High probability, low impact (HPLI) – it will probably occur, but it won’t be too bad. This is where “mitigation” comes in! Mitigation simply means that you are going to take action to reduce the likelihood that a risk will occur, while avoidance is bringing the probability down to zero. These are the annoying minor things that impact your project. Each one isn’t bad, but in totality they can be devastating! Think of barnacles growing on the bottom of a boat – a single one doesn’t make much of a difference, but hundreds can have a dramatic impact. Don’t ignore these.

• Low probability, low impact (LPLI) – it probably won’t occur, and if it does it won’t be too bad. Accept these! The cost of mitigation probably isn’t worth it.

• Low probability, high impact (LPHI) – it probably won’t occur, but if it does it will be bad. This one can be a bit tricky and often requires more analysis to determine what exactly is meant by “high”. I once worked on a project where we were analyzing a risk that had a LPHI score. When I pressed the expert, the probability was estimated to be one in a million. Given what the risk was, it was determined one in a million was unacceptable! This was a true mitigation as we still had the risk, but the odds were dramatically reduced.

Transference is a risk response strategy that may be used for any of these. It is a very simple concept; you transfer the risk to someone else! Think of going to a bar with your friends to celebrate something. Someone has to drive but no one wants to be the designated driver. So you call a taxi or Uber to take you home, thus transferring the risk of “getting pulled over” to a third party!

Transference is most commonly used for both types of high impact risk. You should alter your project plan for HPHI risks and can use a third party to complete the related work, transferring the risk to them contractually. You can also use transference for LPHI, although many of my Project Management colleagues will point out that there is distinction between insurable risk and project risk.

In our personal lives we transfer the risk of a LPHI risk with insurance! The reason we make a distinction between project risk and insurable risk is that insurable risk merely covers the cost of the event, not the impact. If you have an accident in your car, the car is still wrecked! You just get a check to get it fixed.

Finally, there are contingent response strategies. These are used when the specific risk you are analyzing will "signal" that it will occur in advance of the event. You describe the circumstances under which the contingent response strategy will be triggered, and if that occurs you execute the predetermined response. Say you are managing a construction project in a hurricane prone area and you are concerned about the people working there and the building itself. In risk terms, there is a low probability that your project will be hit by a hurricane, but a high impact if it does. Your contingent response strategy may be to evacuate your team if a hurricane strike is imminent, and to insure the building and equipment.

It should be noted that any risk response strategy can create secondary or residual risks. Using the example above, the cost and time associated with a hurricane strike would no doubt create cost and schedule risk.

Next week we will discuss “reserve” as pertains to risk


I decided to do meme’s to make my publications more interesting, and have done 3 so far. It’s tough to come up with something that is both funny (hopefully!) and still connects to Project Management in some way. The Polar Bear one at the top of this post is more obscure than most, but I hope you got it! I thought it was funny and was chuckling to myself when my daughter walked in. She thought it was funny that I thought it was funny, but didn’t get it. Another daughter walked in and told me that “the fact that you think that is funny is why I love you”. I had to think about whether I considered that a compliment or not! In any case, I still think it’s funny…


bottom of page