10.2 Risk Management Plan

The risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed^[1]. This plan tells us how we are going to handle individual and overall risks in our project. It documents how we will identify and analyze risks, who will be responsible for doing it, and how often we will review the risks (since we have to meet about risk planning with the project team throughout the project.)

This plan allows the project team to reduce the likelihood of negative surprises (problems, weaknesses, and threats), proactively take advantage of positive risks (opportunities), and ensure risk management is considered when schedules, budgets, and other management plans are developed. Creating and maintaining a risk management plan significantly increases the likelihood of project success. The risk management plan identifies the processes and procedures to be used in managing risk throughout the life of the project. It includes a number of key sections such as risk sources, categories, assessment definitions (e.g., very high to very low), probability/impact assessment (matrix), roles and responsibilities, budget and schedule estimates for risk-related activities, and the risk register. Like the other knowledge area (e.g., scope, schedule, stakeholder) management plans, the risk management plan is integrated into the project management plan, and must be aligned with all the subplans and the project management plan.

The risk management plan can consist of some or all of the following items:

• Methodology
  • What kind of approaches, tools, and data sources will be utilized to perform risk management activities (e.g., risk identification, risk assessment, risk response strategies)?
  • g., checklists, risk indicator scales, probability-impact matrices, informal direct risk assessment, probabilistic modeling.
• Risk strategy
• Roles and responsibilities
  • The guidelines how identified risks will be assigned to team members, and how these risk owners will take care of risks, and monitor them.
• Risk categories
  • Risks can be grouped into high-level categories to facilitate the identification of individual risks. Some of the categories can be technical, cost, schedule, client, contractual, weather, financial, political, environmental, and people.
  • Similar to a WBS (Work Breakdown Structure), RBS (Risk Breakdown Structure) would be a very helpful tool (Table 10.1).
• Risk probability and impact
  • Level and percentage of probabilities and impact of negative and positive risks
  • Which project aspects will be included in the impact analysis (e.g., scope, quality, schedule, cost, safety, environment)?
• Risk register
  • How will the risk register be structured?
  • Components such as risk ID, description, risk owner, probability, and impact (see 10.3)
• Risk response plan
  • How will risk response plan be structured?
  • Strategies for negative and positive risks, and individual and overall project risks.
• Funding of reserves
  • How will contingency and management reserves be determined and released?
• Reporting formats
  • Reporting formats and frequency should be in alignment with other project plans.

Table 10.1: An Example of a Risk Breakdown Structure (RBS)

Adapted from Project Management Institute’s Learning website^[2]