Develop a risk mitigation plan in accordance with the risk management strategy.


A critical component of risk mitigation planning is developing alternative courses of action, workarounds, and fallback positions, and a recommended course of action for each critical risk. The risk mitigation plan for a given risk includes techniques and methods used to avoid, reduce, and control the probability of the risk occurring; to limit the extent of damage incurred should the risk occur (sometimes called a “contingency plan”); or both. Risks are monitored, and when they exceed established thresholds, risk mitigation plans are deployed to return the affected effort to an acceptable risk level. If the risk cannot be mitigated, a contingency plan can be invoked. Both risk mitigation and contingency plans are often generated only for selected risks whose consequences are high or unacceptable. Other risks may be accepted and simply monitored.


Options for handling risks typically include alternatives such as the following:
  • Risk avoidance: changing or lowering requirements while still meeting end user needs
  • Risk control: taking active steps to minimize risks
  • Risk transfer: reallocating requirements to lower risks
  • Risk monitoring: watching and periodically reevaluating the risk for changes in assigned risk parameters
  • Risk acceptance: acknowledging risk but not taking action

Often, especially for high-impact risks, more than one approach to handling a risk should be generated.

For example, in the case of an event that disrupts the continuity of operations, approaches to risk management can include establishing the following:
  • Resource reserves to respond to disruptive events
  • Lists of available backup equipment
  • Backups to key staff
  • Plans for testing emergency response systems
  • Posted procedures for emergencies
  • Disseminated lists of key contacts and information resources for emergencies

In many cases, risks are accepted or watched. Risk acceptance is usually done when the risk is judged too low for formal mitigation or when there appears to be no viable way to reduce the risk. If a risk is accepted, the rationale for this decision should be documented. Risks are watched when there is an objectively defined, verifiable, and documented threshold (e.g., for cost, schedule, performance, risk exposure) that will trigger risk mitigation planning or invoke a contingency plan.

Refer to the Decision Analysis and Resolution (DAR) (CMMI-DEV) process area for more information about evaluating alternatives and selecting solutions.

Adequate consideration should be given early to technology demonstrations, models, simulations, pilots, and prototypes as part of risk mitigation planning.

Example Work Products

  1. Documented handling options for each identified risk
  2. Risk mitigation plans
  3. Contingency plans
  4. List of those who are responsible for tracking and addressing each risk


1. Determine the levels and thresholds that define when a risk becomes unacceptable and triggers the execution of a risk mitigation plan or contingency plan.

Risk level (derived using a risk model) is a measure combining the uncertainty of reaching an objective with the consequences of failing to reach the objective.

Risk levels and thresholds that bound planned or acceptable cost, schedule, or performance should be clearly understood and defined so that risk can be assessed against them. Proper categorization of risk is essential for ensuring an appropriate priority based on severity and the associated management response. Multiple thresholds can be employed to initiate varying levels of management response. Typically, thresholds for the execution of risk mitigation plans are set to engage before thresholds for the execution of contingency plans.

2. Identify the person or group responsible for addressing each risk.

3. Determine the costs and benefits of implementing the risk mitigation plan for each risk.

Risk mitigation activities should be examined for benefits they provide versus resources they will expend. Just like any other design activity, alternative plans may need to be developed and costs and benefits of each alternative assessed. The most appropriate plan is selected for implementation.

4. Develop an overall risk mitigation plan for the project to orchestrate the implementation of individual risk mitigation and contingency plans.

The complete set of risk mitigation plans may not be affordable. A tradeoff analysis should be performed to prioritize risk mitigation plans for implementation.

5. Develop contingency plans for selected critical risks in the event their impacts are realized.

Risk mitigation plans are developed and implemented as needed to proactively reduce risks before they become problems. Despite best efforts, some risks can be unavoidable and will become problems that affect the project. Contingency plans can be developed for critical risks to describe the actions a project can take when the risk's impact is realized. The intent is to define a proactive plan for handling the risk. Either the risk is reduced (mitigation) or addressed (contingency). In either event, the risk is managed.

Some risk management literature may consider contingency plans a synonym for, or a subset of, risk mitigation plans. These plans can also be addressed together as risk handling or risk action plans.