⚠️ Risk Response Strategy Grid

Threats vs Opportunities — All response strategies with examples
Process Domain · Risk Management
🔄 Risk Management Process Flow
flowchart LR
  A["Identify<br/>Risks"] --> B["Qualitative<br/>Analysis"]
  B --> C["Quantitative<br/>Analysis"]
  C --> D["Plan Risk<br/>Responses"]
  D --> E["Implement<br/>Responses"]
  E --> F["Monitor<br/>Risks"]
  F -->|"New risks<br/>identified"| A
  style A fill:#ffe4e6,stroke:#e11d48
  style B fill:#fef3c7,stroke:#b45309
  style C fill:#ede9fe,stroke:#7c3aed
  style D fill:#dbeafe,stroke:#2563eb
  style E fill:#dcfce7,stroke:#16a34a
  style F fill:#fce7f3,stroke:#c026d3

🛡️ Threat Responses vs 🌟 Opportunity Responses
flowchart TD
  R["⚠️ RISK IDENTIFIED"]
  R -->|"Negative impact"| T["🛡️ THREAT"]
  R -->|"Positive impact"| O["🌟 OPPORTUNITY"]

  T --> TA["Avoid<br/>Eliminate the threat"]
  T --> TT["Transfer<br/>Shift to a third party"]
  T --> TM["Mitigate<br/>Reduce probability/impact"]
  T --> TAc["Accept<br/>Acknowledge & budget"]
  T --> TE["Escalate<br/>Above PM authority"]

  O --> OE["Exploit<br/>Make it happen"]
  O --> OS["Share<br/>Partner to capture"]
  O --> OEn["Enhance<br/>Increase probability/impact"]
  O --> OA["Accept<br/>Take it if it comes"]
  O --> OEs["Escalate<br/>Above PM authority"]

  style R fill:#fef3c7,stroke:#b45309
  style T fill:#fef2f2,stroke:#dc2626
  style O fill:#f0fdf4,stroke:#16a34a
  style TA fill:#fef2f2,stroke:#dc2626
  style TT fill:#fef2f2,stroke:#dc2626
  style TM fill:#fef2f2,stroke:#dc2626
  style TAc fill:#fef2f2,stroke:#dc2626
  style TE fill:#fef2f2,stroke:#dc2626
  style OE fill:#f0fdf4,stroke:#16a34a
  style OS fill:#f0fdf4,stroke:#16a34a
  style OEn fill:#f0fdf4,stroke:#16a34a
  style OA fill:#f0fdf4,stroke:#16a34a
  style OEs fill:#f0fdf4,stroke:#16a34a

🛡️ Threat Responses (Negative Risks)

🚫 Avoid

Eliminate the threat entirely by changing the project plan.
Example: Remove a risky feature from scope. Change technology to one the team knows. Extend the timeline to avoid resource conflicts.

↗️ Transfer

Shift the negative impact to a third party (doesn't eliminate it).
Example: Buy insurance. Use a fixed-price contract (transfers cost risk to seller). Outsource a risky component to a specialist vendor.

📉 Mitigate

Reduce the probability and/or impact to an acceptable level.
Example: Add testing phases. Build a prototype first. Cross-train team members. Add redundancy to critical systems.
🌟 Opportunity Responses (Positive Risks)

🎯 Exploit

Ensure the opportunity definitely happens.
Example: Assign the best resources to ensure early delivery. Use proven technology to guarantee a quality bonus.

🤝 Share

Partner with a third party better positioned to capture the opportunity.
Example: Form a joint venture. Partner with a company that has the expertise to deliver faster.

📈 Enhance

Increase the probability and/or impact of the opportunity.
Example: Add resources to finish early and earn a bonus. Invest in training to increase quality.

✋ Accept (Both Threats & Opportunities)

Acknowledge the risk but take no proactive action. Active acceptance: set aside a contingency reserve. Passive acceptance: deal with it if it happens. Used when the risk is low priority or the cost of response exceeds the impact.

⬆️ Escalate (Both Threats & Opportunities)

The risk is outside the project's scope or the PM's authority. Escalate to program, portfolio, or organizational level. The PM still tracks it but doesn't own the response.
💡 Exam Tips

Mirror pattern: Avoid↔Exploit, Transfer↔Share, Mitigate↔Enhance, Accept↔Accept, Escalate↔Escalate.

Transfer ≠ eliminate. The risk still exists — someone else owns it. Insurance is the classic example.

Residual risk: Risk remaining after a response is implemented. Always document it.

Secondary risk: A new risk created by implementing a risk response. Always analyze for these.

Workaround: An unplanned response to a risk that has occurred (one that wasn't identified or was accepted). Different from a contingency plan, which is a planned response to an identified risk.

📊 Qualitative vs Quantitative Analysis
flowchart LR
  subgraph qual ["📋 QUALITATIVE (All Projects)"]
    Q1["Probability ×<br/>Impact Matrix"]
    Q2["Risk categorization<br/>(RBS)"]
    Q3["Risk urgency<br/>assessment"]
    Q4["Output: Prioritized<br/>risk list"]
  end
  subgraph quant ["📊 QUANTITATIVE (Large/Complex Only)"]
    N1["Monte Carlo<br/>simulation"]
    N2["Decision tree<br/>analysis"]
    N3["Sensitivity<br/>analysis (tornado)"]
    N4["Output: Probabilistic<br/>forecasts"]
  end
  style qual fill:#fef3c7,stroke:#b45309
  style quant fill:#ede9fe,stroke:#7c3aed