I agree Kellye, nice post. It was well thought out.

There are four possible risk response strategies for adverse risks:

Avoid – eliminate the threat to protect the project from the impact of the risk. An example of this is canceling the project.
Transfer – shifts the impact of the threat to a third party, together with ownership of the response. An example of this is insurance.
Mitigate – act to reduce the probability of occurrence or the impact of the risk. An example of this is choosing a different supplier.
Accept – acknowledge the risk, but do not take any action unless the risk occurs. An example of this is documenting the risk and putting aside funds if the risk occurs.

Reference

Risk Responses | IST Project Management Office | University of Waterloo (uwaterloo.ca)

A general way that you can deal with risks is to perform a risk-benefit analysis. This means that you calculate as accurately as possible the possibility of the risk and also the potential cost of this. If you multiply those values you end up with the expected cost of that risk. Second, you should calculate the cost of applying a solution to remedy this risk. This could be delays in your product or a more expensive solution. The lower values dictates the approach one should follow. 

I believe the information in @crysv1226msm2022 's post to be fairly accurate. At first confrontation with a risk the problem should be assessed in its entirety before deciding on a solution. Often times I see "mitigating" and "accepting" to be the go to strategy for companies. Both paths accept the problems they're presented with and then act without completing changing focus. Mitigating or accepting a risk allows the project to continue with a slight hurdle but at large most of the project and time would remain in line barring any unforeseen terminal risks.

As discussed in this week's lecture the common risk response strategies are avoidance, mitigation, avoidance, and transference. Although I have little experience in the medical device industry, I would believe, as the previous post has stated, mitigation and acceptance are the most common risk response strategies. Risk mitigation and risk acceptance seem to waste the least amount of time and money which are extremely precious in industry. However, generally the accepted strategies for dealing with threats are considered in the order of avoidance - transference - mitigation - acceptance. Therefore, the more accepted risk response strategies seem to be the least likely to be used. What are some other reasons companies lean towards mitigation and acceptance? Why do you think avoidance-transference-mitigation-acceptance is the more accepted order? 

@kellyepcarter You bring upon a good point about how risk responses should be addressed given cost-effectiveness, rationality, and effective execution - if the risk response is not appropriate for the given situation it could cause further damage than what was currently possible without that response. Adding on to @crysv1226msm2022 response to your question, there are several other responses that could used for adverse risks such as exploitation, enhancement, sharing, and escalating. Exploitation would include any actions that would be able to add or change the work occurring so that an event would occur avoiding the risk, while the opposite would be enhancement where an inclusion of any type of action would help avoid that particular risk from occurring entirely. Sharing could involve the team seeking guidance or help from another team or collaborating with a third party team to help mitigate the risk. I think the worst case scenario after any of these aforementioned responses do not work would be escalation where the team reaches out to a higher level worker such as a manager. It is important for the team to recognize whether or not they would be able to address the risk after fully exhausting all the other possible responses.

The management's response to a risk is the action it takes to mitigate any potential impacts of the risk. The goal of risk response is to guarantee that all recognized risks are managed by the use of efficient controls, allowing a company to avoid possible losses in terms of money, reputation, and operations. Risk responses could necessitate substantial infrastructure expenditures or they might just be viewed as a normal aspect of conducting business. Risk comes from a variety of sources, hence a variety of actions are needed at all levels of the business. This framework element focuses on procedures that help the company make choices and accomplish its strategic and business goals. In order to accomplish this, organizations use their operating structure to create a practice that: identifies new and emerging risks so management can deploy risk responses quickly; assesses the severity of risks with an understanding of how the risk may change depending on the level of the entity; and prioritizes risks so management can best allocate resources in response to those risks. In order to improve the ability of the company to communicate the degree of risk accepted in the pursuit of strategy and entity-level business objectives, it also identifies, chooses, and develops solutions to risk and a portfolio perspective.

Not all risk is negative. For example, risk exploitation is an appropriate risk response that should always be analyzed. This involves taking actions to maximize the potential benefits of a positive risk. For example, if a project involves using a new technology that has a high potential for success, the project team could exploit the risk by investing in additional research and development to further optimize the technology. Another example, is if there is a risk that a competitor will release a similar product during the project, the team could take steps to release their product first, exploiting the risk as an opportunity.

Risk management does not need to be a complicated process. Depending on the application, over engineering something may be the best way to mitigate risk. A certain factor of safety is always included when creating any medical device, especially one subjected to loading. Simply making the product more robust is the easiest way to manage risk in terms of product failure. However, as others have said here; risk management is a multi fold process which requires analysis of not only physical failure modes.

In the lecture, the risk management process involves assessing, evaluating, managing, and measuring. You assess the situation with what can go wrong and make a list. Then, you evaluate the list to see how probable and if they can hurt someone or how bad it can be. With managing, you can defer the risk, change the design to mitigate the risk, or accept the risk. Lastly, once the changes are made and accepted, you measure the final amount of risk that is posed in the device. If it is not acceptable, you would have to assess it again and repeat the cycle or process until it is deemed “acceptable”.

Manage is the important part of the risk management process cycle. This is the solution that is planned to handle the risk. This includes avoidance, mitigation, acceptance, and transference. These four are the most relevant examples of effective and appropriate risk responses. Crysv1226msm2022 had the basic definitions for these four risk response strategies for adverse risks. Mitigation is the number choice and transference is usually the last choice or not thought about often. These tools are used to deal with the risks, if necessary. All of these are designed out while putting up safeguards, as well as giving training and/or printed warnings. Managing is done on multiple areas of a project, not just a single area, which includes the product, product design, and manufacturing process.

In addition, mitigation involves Failure Mode Effects Analysis (FEMA), a method to analyze risks, and it looks at how something can fail, the severity of consequences, and the probability that it will fail. Mitigation also involves brainstorming and it is looking at every possible risk that can occur, as well as composing a list of risks to analyze. Lastly, the Fish Bone Diagram looks at the relationship between parts of a device, process, and root causes of possible failures. How does the risk management team ensure there is a backup strategy if the mitigation strategy were to fail?

As mentioned in the PMBOK Guide, good risk management practices minimize problems and maximize opportunities in a project. These responses should be logical, financially practical, acceptable to the team, and assigned to the right person. For example, the team can decide to make use of the older technology available instead of new technology, which might not work well. This completely removes the risk. The team can decide to order earlier or find another supplier in case there was a chance that the supplier would not deliver goods on time. This would reduce the chances of delays. In the case of high risk activities, sometimes a business hires a skilled contractor or buys insurance. This transfers the risk to a third party. The team can decide to accept small and tiny risks and allocate a little more to alternatives. The team can also target opportunities in risk responses. The business can decide to invest in a new tool that increases productivity if it has the potential to allow the team to finish work earlier. The business can increase their marketing activities to take advantage of the chance to get more customers if they finish the project early. Good risk responses, are intelligent and realistic actions that either mitigate problems or enhance benefits. These should be available, mutually accepted by everyone, and specifically assigned to a person who will implement them. 

I think effective risk responses are the ones that are realistic and proportional to the actual risk, not just theoretical solutions pulled from a list. For example, if there is a risk of a supplier delay, instead of overreacting and redesigning the product, a cost-effective response could be qualifying a second supplier early in the project. That action reduces exposure without dramatically increasing cost, and it can be clearly assigned to a sourcing or operations lead to own.

Another example could be technical uncertainty during development. Rather than committing full resources upfront, the team could plan an early feasibility test or prototype. That addresses the risk while changes are still manageable and less expensive. It is realistic, agreed upon during planning, and owned by a specific engineering lead.

For opportunities, if there is a chance to finish early, the team might allocate limited extra resources to critical path tasks. If everyone agrees the benefit outweighs the cost, that becomes a deliberate and owned strategy rather than just hoping for a positive outcome.

To me, what makes a response effective is not just choosing avoidance or mitigation. It is making sure the response makes financial sense, is practical to implement, and has clear accountability so it actually gets executed.

Do you think projects struggle more with selecting the right risk response, or with actually following through once it’s assigned?