Download this free Risk Management Plan template and use it for your new project. Scroll down to the bottom of the page for the download link.
Because Risks can have multiple impacts to a project, steps must be taken to identify, mitigate, manage and control them. This document should detail these aspects including information about how each team member or role provides support to these activities.
The Introduction should provide a general description of why risk management is essential to effectively managing a project. It should also provide a brief overview of the important definitions related to risk management, and the high-level sections that the document will contain.
A risk is an event or condition that, if it occurs, could have a positive or negative effect on a project’s objectives. The purpose of the Risk Management Plan for is to establish the framework in which the project team will identify risks and develop strategies to mitigate or avoid those risks. This plan also defines how risks associated with the project will be recorded, and monitored throughout the lifecycle of the project.
This Risk Management Plan includes the following sections:
- Risk Management Approach – Deciding how to approach and conduct the risk management activities for the project
- Roles & Responsibilities – Defining how each team role contributes to managing the risk process
- Risk Identification – An initial and continuous effort to identify, quantify and document risks as they are identified.
- Risk Prioritization & Categorization – Evaluate identified risks to determine probability of occurrence, impact, and timeframe.
- Risk Response Planning -Establish an action plan for risk and assign responsibility.
- Risk Monitoring, Controlling, & Reporting – Capture, compile, and report risk using the Risk Register
This section provides a general description for the approach to be taken to identify and manage the risks associated with the project. It should be a short paragraph or two summarizing the approach to risk management on this project.
The basic Risk Management approach for is to identify critical risks and take necessary action before issues arise that impact project objectives. Many different tools will be used as part of this strategy.
The approach taken to manage risks for this project will include a methodical process by which the project team will identify, score, and rank various risks. Risk information identified by the project team will be entered into the Risk Register. The Senior Project Director will maintain the Risk Register, and Risk information will be a principal topic in all status meetings. New risks will be reviewed to determine if mitigation action is required. The most likely and highest impact risks will be added to the project plan to ensure that the assigned risk managers take the necessary steps to implement the mitigation response at the appropriate time during the project. Risk managers will provide status updates on their assigned risks in bi-weekly project team meetings, but only when the meetings include their risk’s planned timeframe. Upon completion of the project, during the closing process, the Senior Project Director will analyze each risk and review the risk management process. Based on this analysis, the Senior Project Director will identify any improvements that can be made to the risk management process for future projects. These improvements will be captured as part of the lessons learned knowledge base.
The table below provides an overview of the Roles & Responsibilities for the Risk Management activities.
|Business Analysts||Assists in identifying and determining the context, consequence, impact, timing, and priority of the risk|
|Project Director||Chairs the risk assessment meetingsCoordinates with Risk Managers to determine if the risk is unique Identifies risk interdependencies across projects and verifies if risk is internal or external to projectAssigns risk classification and tracking numberContinually monitors the projects for potential risks throughout the project lifecycle Analyzes any new risks that are identified and add these items to the Risk Register|
|Risk Manager||Coordinates with the Senior Project Director to identify the risks, the dependencies of the risk within the project, and the context and consequence of the riskDetermines the impact, timing, and priority of the risk Formulates the risk statementsMonitors and controls risks that have been identifiedReviews and updates the top ten risk list [timeframe, as needed, every two weeks, etc.]Escalates issues & problems to management|
|Risk Owners||Determines which risks require mitigation and contingency plansGenerates the risk mitigation and contingency strategies and performs a cost benefit analysis of the proposed strategiesMonitors, controls, and updates the status of the risk throughout the project lifecycleAids in the development of the risk response and risk triggerCarries out the execution of the risk response, if a risk event occursParticipates in the review, re-evaluation, and modification of the probability and impact for each risk item on a weekly basisIdentifies and participates in the analysis of any new risks that occurEscalates issues/problems to PM that significantly impact the projects triple constraint or trigger another risk event to occurHighlights risks that require action prior to the next weekly reviewIdentifies and escalates risks where strategy is not effective or productive (causing the need to execute the contingency plan)|
|Other Key Stakeholders||Assists in identifying and determining the context, consequence, impact, timing, and priority of the risk|
Table 1: Roles and responsibilities
This section explains the process by which the risks associated with this project will be identified. It should describe the method(s) for how the project team will identify risks, the format in which risks are recorded, and the forum in which this process will be conducted. Typical methods of identifying risks are conducting expert interviews, reviewing historical information from similar projects, and conducting risk assessment meetings with the project team and key stakeholders
Risk identification will involve the project team, and appropriate stakeholders, and will include an evaluation of environmental factors, organizational culture and the project management plan including the project scope, schedule, cost, or quality. Careful attention will be given to the project deliverables, assumptions, constraints, Work Breakdown Schedule, cost/effort estimates, resource plan, and other key project documents.
The following methods will be used to assist in the identification of risks associated with
- Expert Interviews
- Risk Assessment Meetings
- Historical Reviews of Similar Projects
- SWOT (Strengths, Weaknesses, Opportunities and Threats)
The Risk Register will be updated as needed and will be stored electronically in the project library located at <file location>.
Once risks are identified it is important to determine and revisit the probability and impact of each risk in order to allow the project manager to prioritize the risk avoidance and mitigation strategy. Risks which are more likely to occur and have a significant impact on the project will be the highest priority risks while those which are more unlikely or have a low impact will be a much lower priority. This is usually done with a probability – impact matrix. This section explains risks were qualified and prioritized for this project.
In order to determine the severity of the risks identified by the team, a probability and impact factor will be assigned to each risk. This process will allow the Senior Project Director to prioritize risks based upon the potential impact to the project.
As risks are assigned a probability and impact, the Senior Project Director will move forward with risk mitigation/avoidance planning.
The probability and impact of occurrence for each identified risk will be assessed by the Senior Project Director, with input from the project team using the following approach:
- High – Between 80% and 100% probability of occurrence
- Medium – Between 20% and 79% probability of occurrence
- Low – Below 20% probability of occurrence
- High – Risk that has the potential to greatly impact project cost, project schedule or performance
- Medium – Risk that has the potential to slightly impact project cost, project schedule or performance
- Low – Risk that has relatively little impact on cost, schedule or performance
Figure 1: Probability and impact
Risks that fall within the RED and YELLOW zones will have a risk response plan which may include both a risk response strategy and a risk contingency plan.
Each major risk (those falling in the Red & Yellow zones) will be assigned to a risk owner for monitoring and controlling purposes to ensure that the risk will be addressed and managed appropriately.
For each major risk, one of the following approaches will be selected:
- Avoid – Eliminate the threat or condition, or avoid impact to the project objectives by eliminating the cause. The project plan may need to be altered to account for the risk avoidance. Avoidance may be achieved by changing scope, adding time, or adding resources.
- Mitigate – Identify ways to reduce the probability or the impact of the risk. These steps may be costly and time-consuming, but could be preferable to allowing the risk to go forward in an unmitigated state.
- Accept –The project team accepts that the risk exists and makes no change to the project plan to address the risk. No response strategy is identified.
- Contingency –Define actions to be taken in response to risks.
- Transfer – Shift the consequence and ownership of a risk by making another party responsible (buy insurance, outsourcing, etc.).
The Senior Project Director will lead the project team in developing responses to each identified risk. As more risks are identified, they will be qualified and the team will develop the response. These risks will also be added to the Risk Register and the project plan to ensure they are monitored at the appropriate times and are responded to accordingly.
For each risk that will be mitigated, the project team will identify ways to prevent the risk from occurring or reduce its impact or probability of occurring. This may include prototyping, adding tasks to the project schedule, adding resources, etc. Any secondary risks that result from risk mitigation response will be documented and will follow the same risk management protocol as primary risks.
This section should discuss how the risks in the project will be actively monitored. An effective way to monitor project risks is to add those risks with the highest scores to the project plan & schedule with an assigned risk manager. This allows the project manager to recognize when these risks need to be monitored more closely and when to expect the risk manager to provide status updates at the bi-weekly project team meetings. The key to risk monitoring is to ensure that it is continuous throughout the life of the project and includes the identification of trigger conditions for each risk and thorough documentation of the process.
The Risk Register for is a log of all identified risks, their probability and impact to the project, the category they belong to, mitigation strategy, and when the risk is estimated to occur. This register will be created in the early planning phase of the project. Based on the identified risks and timeframes in the risk register, applicable risks will be added to the project plan. At the appropriate time in the plan—prior to when the risk is most likely to occur—the project manager will assign a risk manager to ensure adherence to the agreed upon mitigation strategy.
The level of risk on will be tracked, monitored, controlled and reported throughout the project lifecycle. The most likely and greatest impact risks will be added to the project schedule to ensure that proper monitoring occurs during the time of risk exposure. As risks are added to the project schedule, a Risk Manager will be assigned. During the bi-weekly project team meeting, the Risk Manager will discuss the status of their assigned risks. Only risks which fall in the current time period will be discussed. Risk monitoring will be a continuous process throughout the life of this project.
Critical risks will also be assigned a risk owner(s) who will track, monitor, and control their assigned risks. The risk owner will also provide a weekly status report to the Project Manager and Risk Management Team. This report should contain an assessment of the effectiveness of each risk response action.
As Risk Events occur, the list will be re-prioritized during weekly reviews and risk management plan will reflect any and all changes to the risk lists including secondary and residual risks.
The Senior Project Director will notify the Project Sponsor of important changes to risk status as in the weekly Project Status Report.
Click here to download Risk Management Plan template.