6.1 Threat Response Strategies

The Five Threat Strategies

A threat is a risk with a negative effect on one or more project objectives. PMI recognizes exactly five strategies for responding to threats, and the exam expects you to apply the right one to a scenario rather than just recite the list. The mnemonic Every Angry Tiger Must Accept keeps them in order: Escalate, Avoid, Transfer, Mitigate, Accept.

Each strategy answers a different question. Avoid removes the threat entirely. Transfer hands its financial impact to someone else. Mitigate shrinks it. Accept lives with it. Escalate sends it somewhere the project cannot reach. The skill being tested is matching the strategy to the threat's priority and to what the response costs.

Responses are documented in the risk register against each risk, with a chosen strategy, specific actions, a risk owner, and any new contingency reserve or plans the response requires. The strongest exam answers pick a proactive strategy for high-priority threats and reserve acceptance for low-priority ones where no economical action exists.

Avoid

Avoid eliminates the threat's cause so the probability of the event drops to zero. Typical avoidance moves include changing scope, extending the schedule, clarifying ambiguous requirements, or dropping a risky vendor. Because avoidance removes the uncertainty entirely, it is usually reserved for high-priority threats where the impact is unacceptable.

A frequent trap: merely reducing a threat is not avoidance — only fully eliminating the cause counts. If a scenario says the team "lowered" probability but the risk can still occur, the answer is mitigate, not avoid. Avoidance is the most decisive threat response and often the most expensive in scope or schedule terms.

Transfer

Transfer shifts the impact of a threat, along with ownership of the response, to a third party. The threat still exists; you have simply moved who bears the financial consequence. Classic transfer instruments are insurance, warranties, performance bonds, guarantees, and fixed-price contracts.

Transfer almost always carries a cost — the premium you pay for that protection — so it suits threats whose potential impact exceeds the premium. A fixed-price contract transfers cost-overrun risk to the seller; insurance transfers catastrophic-loss risk to the insurer. The project still owns the relationship, which is what separates transfer from escalate.

Mitigate

Mitigate reduces the probability of the threat occurring, its impact if it does occur, or both. Unlike avoidance, the threat is not eliminated — mitigation simply makes it smaller and more manageable. Examples include adding redundancy, running a prototype, building in extra testing, or choosing a more reliable supplier. Mitigation is the most common proactive threat response because it balances effort against the exposure it removes.

Accept

Accept acknowledges a threat without taking proactive action to change it, usually because the priority is low or no cost-effective response exists. PMI splits acceptance into two forms:

• Active acceptance — establish a contingency reserve (time, money, or resources) to absorb the threat if it occurs.
• Passive acceptance — take no action beyond documenting the risk and reviewing it periodically.

Active acceptance is the more common exam answer when a contingency plan or reserve is mentioned.

Escalate

Escalate applies when a threat falls outside the project's authority or scope — it belongs to the program, portfolio, or the wider organization. The project manager hands ownership upward to the party who can act on it, and once accepted there, the threat is removed from the project's active risk register and monitored at the higher level. Escalate is the only strategy where the project team stops managing the risk; do not confuse it with transfer, where the project still owns the relationship with the third party.

Choosing a Strategy

Strategy selection is driven by the risk's priority (from qualitative and quantitative analysis) and the cost of the response relative to the exposure removed.

Secondary Risks

Every response can spawn a secondary risk — a new risk created directly by implementing the response itself. For example, transferring delivery risk to a subcontractor introduces the secondary risk that the subcontractor underperforms or goes insolvent. Mitigating schedule risk by adopting a new tool introduces the secondary risk of a learning curve.

The exam expects you to analyze and plan for secondary risks just like any identified risk. A complete response plan accounts for the new exposure it creates, not only the original threat it addresses, and adds material secondary risks to the register with their own owners and responses. Distinguish this from residual risk — the leftover exposure that remains after the response — which is covered in section 6.3. Secondary is newly caused; residual is still left over.