Risk analysis and prioritization provide the foundation for deciding how to address each risk effectively. The next step is determining what actions to take—known as risk response strategies—and ensuring there are backup plans (contingencies) for high-impact threats. At the portfolio level, mitigation and contingency planning help balance strategic objectives against the potential downsides of various initiatives. For CIOs and senior IT leaders, this is where risk management transitions from theoretical assessment to practical, action-oriented steps that protect and optimize the value of the portfolio.
8.5.1 Risk Response Strategies
The most commonly referenced risk response strategies can be broadly grouped into categories, each applicable to negative (threat) risks and sometimes adapted for positive (opportunity) risks:
- Avoid (Threat) / Exploit (Opportunity)
  - Avoid (Threat): Completely eliminating a threat by changing the approach or scope of a project. For instance, if a legacy technology presents an unacceptable security vulnerability, the organization might decide to replace it entirely rather than patching it.
  - Exploit (Opportunity): Taking steps to ensure a positive risk definitely happens, like fast-tracking an AI pilot that could give the company a major competitive advantage.
- Mitigate (Threat) / Enhance (Opportunity)
  - Mitigate (Threat): Reducing the probability or impact of a threat. Examples include adding more robust testing to address quality concerns or scaling back scope to limit complexity.
  - Enhance (Opportunity): Increasing the likelihood or potential benefit of an opportunity. For example, allocating additional budget to a promising project so it can reach the market faster and capture a larger share.
- Transfer (Threat) / Share (Opportunity)
  - Transfer (Threat): Shifting the responsibility for a risk to a third party, such as outsourcing a high-risk component to a specialized vendor or purchasing insurance.
  - Share (Opportunity): Partnering with another organization to jointly develop or market an innovative product, spreading both cost and reward.
- Accept (Threat or Opportunity)
  - Acknowledging that the risk—positive or negative—will be accepted with no immediate change in project plans. This usually applies when the risk is low probability, low impact, or is too costly to mitigate relative to its potential effect.
Choosing the right response depends on the organization’s risk appetite, resource availability, strategic priorities, and the practicality of each approach. Often, decisions are escalated to the portfolio governance level to ensure alignment with broader business objectives.
8.5.2 Developing a Risk Response Plan
A Risk Response Plan details exactly how each prioritized risk will be handled, who will be responsible, and what the milestones or triggers are. Key elements include:
- Assignment of Ownership
  - Identify a risk owner—the person or team accountable for implementing the response strategy.
  - Use a RACI (Responsible, Accountable, Consulted, Informed) matrix if multiple stakeholders are involved.
- Action Steps and Resources
  - Clearly outline the specific actions needed (e.g., conducting vendor due diligence, creating additional test scenarios, securing insurance).
  - Estimate the time, budget, and skill sets required to execute these actions successfully.
- Timelines and Milestones
  - Include due dates or time-bound triggers: for example, “Complete security testing by the end of Q2” or “Revisit contract terms with vendor if a major milestone is missed.”
  - Align risk response actions with stage gate reviews to ensure ongoing governance oversight.
- Success Criteria
  - Define measurable outcomes that indicate whether the risk response has been effective (e.g., a reduction in defect rates, on-time vendor deliverables).
  - Link these criteria back to portfolio KPIs or strategic metrics when possible.
Because risk profiles evolve as projects advance, a good risk response plan remains dynamic. It’s reviewed and updated regularly—especially during major milestones or when external conditions shift (e.g., new regulations, market changes).
8.5.3 Contingency Planning
Contingency plans serve as the fallback when a risk event actually materializes or if mitigation strategies prove insufficient. They provide clear instructions for reacting quickly and efficiently to minimize further damage or take advantage of sudden opportunities.
- Trigger Points
  - Predefine thresholds or signals that prompt the activation of contingency measures (e.g., budget burn rate exceeding 15% above plan, a significant vendor delay, or a security breach).
  - Include these triggers in risk registers or governance dashboards so they are monitored regularly.
- Resource and Budget Reserves
  - Management Reserve: A top-level budget that senior leadership controls to address unforeseen issues.
  - Contingency Reserve: A portion of the project or portfolio budget earmarked for known risks with defined response plans.
  - Plan for temporary staffing or third-party support if the risk event requires specialized intervention.
- Fallback Planning
  - Identify alternative vendors, backup technologies, or parallel solutions that can be quickly deployed.
  - Ensure the organization can pivot if the primary plan fails or becomes unviable (e.g., substituting in-house development with a commercial SaaS solution).
- Communication Protocols
  - Outline who needs to be notified and how—executive sponsors, project teams, affected business units, and possibly external stakeholders such as customers or regulators.
  - Establish escalation paths so decision-makers can rapidly approve budget changes, schedule re-alignments, or additional resource deployments.
A well-thought-out contingency plan can significantly reduce the “firefighting” typical of unanticipated crises, enabling the organization to remain resilient and continue delivering value.
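As an added illustration of the trigger-point and reserve mechanics described above (example code written for this section, not part of the book), the register entries, thresholds, owners, dashboard readings and reserve amounts below are constructed assumptions. It checks which predefined triggers have fired against current metrics, funds the activated plans from the contingency reserve first, and reports what must be escalated to the management reserve and which owners to notify.

```python
from dataclasses import dataclass

# Constructed sample register (assumption, not from the book): each risk carries
# an owner, a trigger expressed as a threshold on a monitored metric, and the
# cost of activating its contingency plan.
@dataclass
class Risk:
    risk_id: str
    owner: str
    metric: str            # monitored signal, e.g. from a governance dashboard
    threshold: float       # trigger fires when the metric reaches this value
    contingency_cost: float
    plan: str

RISK_REGISTER = [
    Risk("R1", "PMO lead", "burn_rate_over_plan", 0.15, 120_000, "Rebaseline and add contractors"),
    Risk("R2", "Vendor manager", "vendor_delay_days", 30, 80_000, "Switch to alternate vendor"),
    Risk("R3", "CISO", "security_incidents", 1, 250_000, "Invoke incident response retainer"),
]

# Constructed dashboard reading: burn rate 18% over plan, a 12-day vendor slip,
# and one confirmed security incident.
SAMPLE_METRICS = {"burn_rate_over_plan": 0.18, "vendor_delay_days": 12, "security_incidents": 1}

def fired_triggers(register, metrics):
    """Return the risks whose predefined trigger points are met by current metrics."""
    return [r for r in register if metrics.get(r.metric, 0) >= r.threshold]

def reserve_decision(fired, contingency_reserve, management_reserve):
    """Fund activated plans from the contingency reserve first; any shortfall is
    escalated to the management reserve, which senior leadership controls."""
    needed = sum(r.contingency_cost for r in fired)
    from_contingency = min(needed, contingency_reserve)
    shortfall = needed - from_contingency
    return {
        "activated": [r.risk_id for r in fired],
        "needed": needed,
        "from_contingency": from_contingency,
        "escalate_to_management": shortfall,
        "covered": shortfall <= management_reserve,   # False means the plans cannot be funded
        "notify": sorted({r.owner for r in fired}),    # owners on the communication protocol
    }

if __name__ == "__main__":
    fired = fired_triggers(RISK_REGISTER, SAMPLE_METRICS)
    for r in fired:
        print(f"{r.risk_id} triggered ({r.metric} >= {r.threshold}): {r.plan} -> owner {r.owner}")
    print(reserve_decision(fired, contingency_reserve=300_000, management_reserve=200_000))
```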
8.5.4 Practical Tips for Effective Mitigation and Contingency
- Prioritize Based on Impact
  - Not every risk justifies a detailed contingency plan. Focus on high-impact or time-sensitive risks that could derail strategic objectives.
- Align With Governance Reviews
  - Make risk response and contingency planning a standing agenda item at steering committee meetings and stage gate reviews.
  - This ensures decision-makers stay informed and can provide top-down guidance or additional resources as needed.
- Document Clearly and Concisely
  - Store response plans and contingency details in a central repository (e.g., a PMO risk register, SharePoint site, or PPM software).
  - Use templates for consistency and clarity.
- Test Your Plans
  - Run periodic “fire drills” or tabletop exercises for critical risks (e.g., a cybersecurity breach simulation).
  - This practice reveals potential weaknesses and fosters a culture of readiness.
- Adapt Over Time
  - As projects proceed, some risks may diminish while others escalate. Revisit and update strategies and reserves accordingly.
8.5.5 Key Takeaways
- Tailored Response Strategies: Whether you choose to avoid, mitigate, transfer, or accept a threat (or exploit, enhance, or share an opportunity), ensure the action aligns with the organization’s risk appetite and strategic goals.
- Clarity in Ownership: Each risk should have a clearly defined owner who is accountable for implementing mitigation actions or triggering contingency plans.
- Built-In Resilience: Contingency planning ensures you have a Plan B (and sometimes a Plan C) for critical risks, reducing the likelihood of crises that blindside the portfolio.
- Ongoing Governance: Keep mitigation and contingency planning front and center in stage gate and steering committee reviews; this is where executive oversight and resource decisions are made.
- Culture of Preparedness: An organization that invests in thorough risk response and contingency strategies is typically more agile, competitive, and resilient—especially when faced with rapid changes in technology or market conditions.
At this foundational stage of PPM, basic mitigation and contingency measures can make a significant difference, setting the stage for more integrated, advanced techniques in later chapters. By systematically addressing top-priority risks and maintaining clear fallback options, IT leaders and PMOs create robust portfolios capable of withstanding uncertainties and capturing new opportunities.