

The Risk Management Plan is a component of the project management plan and describes how risk management activities will be structured and performed. 

The Risk Management Plan prepares the project team for what to do when something goes differently than planned or expected. Unexpected events or conditions can threaten or benefit the project. The plan includes identification, assessment, and intentional decisions about how to address these events.

The Risk Management Plan for UW-IT projects generally includes the following:

  • Defines the approaches, tools and data sources that will be used to perform risk management for the project, and establishes protocols for communicating risks to sponsors, stakeholders and the project team.
  • Roles and Responsibilities. Defines the lead, support and risk management team members for each type of activity in the Risk Management Plan, and clarifies their responsibilities.
  • Defines when and how often the risk management processes will be performed throughout the project life cycle, establishes protocols for applying schedule contingency reserves, and establishes the risk management activities to be included in the project schedule.




The project manager is responsible for developing the project Risk Management Plan, with support from the project stakeholders.



  • Project Charter
  • Stakeholders and Project Team
  • Review of Risks experienced by similar projects
  • Risk Assessment Spider Chart

Risk Management Steps


  • Identify all potential events that may impact the project negatively or positively. Is it an opportunity or a threat? Document the opportunity or threat events on the Risk Register.
  • Optionally, identify the source of the risk and how it was identified. Common risk sources are defined in the “Tools and Guidelines” section of this document.
  • Optionally, categorize the risk. The Risk Assessment Spider Chart provides some risk categories, and elaborating on the risks from this chart is recommended. Common risk categories are defined in the “Tools and Guidelines” section of this document.


  • Assess:
    Analyze and rate each risk for its impact on the project scope, cost, or customer, and rate each risk for its probability of occurring. Common risk impacts and probabilities are defined in the “Tools and Guidelines” section of this document.
  • Score:
    Determine the risk score for each risk. The risk score helps the risk management team select an appropriate risk response and helps prioritize additional risk planning. A typical scoring matrix is provided in the “Tools and Guidelines” section of this document. The values in this matrix are included in the linked templates.
  • Time Frame:
    Determine the risk horizon for each risk. The time frame helps the risk management team prioritize additional risk planning.


Decide on Strategies:

Threat Responses: 
Prioritize the events and develop a risk response plan for the highest rated ones. With the project team, develop a specific plan for each event. Consider the following response strategies for threats:

    • Avoid – Change your plan to completely eliminate the probability that the risk will occur. Sometimes a lower risk choice is available, thus avoiding a higher risk.
    • Mitigate – Take action to reduce the impact and/or the probability that the risk event will occur. These actions are tasks that should be added to the work breakdown structure for the project.
    • Transfer – Transfer the risk to another party. Plan action steps and funding to monitor the performance of the other party. These actions are tasks that should be added to the work breakdown structure for the project.
    • Accept – Accept the consequences if the risk event occurs. However, if the risk event does occur, the project will still need to respond, with possible unplanned impacts to scope, schedule or budget.
    • Escalate – Manage the risk at a program or portfolio level because it exceeds the scope and authority of the project. Work with your project sponsor to determine who should be notified, as it is important that the risk is accepted by the relevant party.

Opportunity Responses: 
Consider the following response strategies for opportunities:

  • Exploit – Take action to capture the opportunity and to ensure that the opportunity occurs. Increase the probability to 100%.
  • Share – Transfer the ownership of the opportunity to a third party so that it shares some of the benefits if the opportunity occurs.
  • Enhance – Increase the probability and/or impact of an opportunity.
  • Accept – Acknowledge the existence of the opportunity but take no proactive actions.
  • Escalate – The opportunity is outside the scope of the project and is managed at a program or portfolio level.

Define Risk Responses

Determine how the project team will respond to risk events/conditions for the project, including all required communications.



Determine how the project team will monitor risk events/conditions for the project.

  • Track the current status of the risk.
  • Describe the risk event/condition triggers. Describe how to recognize the risk event/condition. 
  • Determine who is responsible for monitoring the risk and managing the response.



Risk Management Plan: potential opportunities and threats and a plan to respond to them.


When is the project Risk Plan written?

The project Risk Management Plan is written during the planning phase, and updated throughout the life of the project.


Who owns the project Risk Plan?

The project manager is the owner of the project Risk Management Plan, the project stakeholders provide input and/or may be assigned as risk managers for one or more risks in the Risk Management Plan.


Tools and Guidelines

The templates listed below can assist the project manager and project team in developing a Risk Management Plan. Consider the following definitions and guidelines when building a plan:

The following guidelines are used to identify risks in a structured and disciplined way, which ensures that no significant potential risk is overlooked.

1. Risk Information Sources

Risk Repository
The risk repository is the historical data containing the list of risks encountered by completed projects.

Checklist Analysis
The risk identification checklist is a questionnaire that helps identify gaps and potential risks. It is developed based on experience and project type.

Expert Judgement
Risk identification is also done by brainstorming or interviewing experienced project participants, stakeholders, and subject matter experts.

Project Status
The project status includes project status meeting notes, status reports, progress reports and quality reports. These reports provide current information on project progress, issues faced, and recognition of additional risks.

Risk Assessment Spider Chart
Analyze the Project Risk Assessment Spider Chart to understand the underlying risk events or conditions.

2. Risk Category

Risk category provides a list of areas that are prone to risk events. Use high-level, standard categories, which may have to be extended based on the project type. Extended categories for each risk category:

  • Requirements, Technology, Interfaces, Performance, Quality, etc.
  • Customer, Contract, Market, Supplier, etc.
  • Project Dependencies, Logistics, Resources, Budget, etc.
  • Project Management: Planning, Schedule, Estimation, Controlling, Communication, Change Management, etc.

3. Risk Analysis

Risk analysis involves examining how project outcomes and objectives might change due to the impact of the risk event. Once the risks are identified, they are analyzed to identify the qualitative and quantitative impact of the risk on the project so that appropriate steps can be taken to mitigate them. The following guidelines are used to analyze risks.

Probability of Risk Occurrence

  1. High probability – (80% ≤ x ≤ 100%)
  2. Medium-high probability – (60% ≤ x < 80%)
  3. Medium-low probability – (30% ≤ x < 60%)
  4. Low probability – (0% < x < 30%)

Risk Impact

  1. High – Catastrophic (Rating A – 100)
  2. Medium – Critical (Rating B – 50)
  3. Low – Marginal (Rating C – 10)

As a guideline for Impact Classification the following matrix is used (one line per Project Objective, giving the condition for each rating):

  Cost:     Rating 10 = Within 5% of target; Rating 50 = Cost Variance 6-10%; Rating 100 = Cost Variance >10%
  Schedule: Rating 10 = Within 5% of target; Rating 50 = Schedule Variance; Rating 100 = Schedule Variance >10%
  Scope:    Rating 10 = Scope change barely noticeable; Rating 50 = Minor area of scope variance; Rating 100 = Major scope change or scope reduction unacceptable to the client
  Quality:  Rating 10 = Quality reduction barely noticeable; Rating 50 = Quality reduction does not affect vital functionality; Rating 100 = Quality reduction is significant and requires client approval

The score represents the bottom threshold for the classification of a risk under “normal” conditions. Upgrade the score to the next level, or even two levels up, if the risk is affected by critical factors such as:

  • How important the specific customer is
  • Whether the project is critical for the further development of the relationship with the customer
  • The risk is already in the focus of the customer
  • Specific penalties for deviations from project targets are agreed in the contract with the customer

4. Risk Exposure

Risk Exposure or Risk Score is the value determined by multiplying the Impact Rating by the Risk Probability. The matrix below gives the exposure level and score for each combination of impact rating (rows) and probability band (columns):

  Probability bands: 1 = high, 2 = medium high, 3 = medium low, 4 = low
  Impact ratings:    A = high, B = medium, C = low

  Impact       1 = high               2 = medium high        3 = medium low         4 = low
  A = high     Very High (Score 100)  Very High (Score 80)   High (Score 60)        Moderate (Score 30)
  B = medium   Very High (Score 50)   Moderate (Score 40)    Moderate (Score 30)    Low (Score 15)
  C = low      Low (Score 15)         Low (Score 8)          Low (Score 6)          Low (Score 3)

The exposure level (shown as a color in the original matrix) represents the urgency of risk response planning and determines reporting levels.
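The scoring procedure described in sections 3 and 4 (probability band, impact rating from the classification matrix, exposure lookup, critical-factor upgrade, and prioritization of the register) carried through as an added worked example in Python. This is not code from the page or from UW-IT. The probability bands, impact ratings and the exposure matrix are taken from the page as printed; the sample register is constructed for illustration, and two readings are assumptions made here: a cost variance above 5% and up to 10% is treated as Rating 50 (the matrix leaves the gap between "within 5%" and "6-10%" unstated), and the "next or next + 1 level" rule is read as raising the impact classification by one or two steps, capped at A.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Probability bands from section 3 (percent). The High band includes 100%;
# the lower bands are half-open, so every value in 0 < x <= 100 lands in exactly one band.
def probability_band(percent: float) -> int:
    """Return the band number: 1 = high, 2 = medium high, 3 = medium low, 4 = low."""
    if not 0 < percent <= 100:
        raise ValueError(f"probability must be in (0, 100], got {percent}")
    if percent >= 80:
        return 1
    if percent >= 60:
        return 2
    if percent >= 30:
        return 3
    return 4

IMPACT_RATING: Dict[str, int] = {"A": 100, "B": 50, "C": 10}  # High / Medium / Low
IMPACT_ORDER = ["C", "B", "A"]  # low to high; used by the critical-factor upgrade

# Exposure matrix exactly as printed in section 4: (impact letter, band) -> (level, score)
EXPOSURE: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("A", 1): ("Very High", 100), ("A", 2): ("Very High", 80),
    ("A", 3): ("High", 60),       ("A", 4): ("Moderate", 30),
    ("B", 1): ("Very High", 50),  ("B", 2): ("Moderate", 40),
    ("B", 3): ("Moderate", 30),   ("B", 4): ("Low", 15),
    ("C", 1): ("Low", 15),        ("C", 2): ("Low", 8),
    ("C", 3): ("Low", 6),         ("C", 4): ("Low", 3),
}

def cost_impact(variance_percent: float) -> str:
    """Classify cost impact from the Impact Classification matrix.
    Assumption: variances above 5% and up to 10% are treated as Rating 50 (letter B)."""
    if variance_percent <= 5:
        return "C"   # Rating 10: within 5% of target
    if variance_percent <= 10:
        return "B"   # Rating 50: cost variance 6-10%
    return "A"       # Rating 100: cost variance >10%

def upgrade_impact(letter: str, levels: int) -> str:
    """Raise the impact classification by `levels` steps, capped at A.
    Assumption: this is how the 'next or next + 1 level' rule for critical factors is applied."""
    idx = min(IMPACT_ORDER.index(letter) + levels, len(IMPACT_ORDER) - 1)
    return IMPACT_ORDER[idx]

@dataclass
class Risk:
    name: str
    probability_percent: float
    cost_variance_percent: float
    critical_factors: int = 0  # count of critical factors that apply (customer importance, penalties, ...)

@dataclass
class ScoredRisk:
    name: str
    impact: str
    band: int
    level: str
    score: int

def score_risk(risk: Risk) -> ScoredRisk:
    """Apply sections 3 and 4 to one register entry: impact letter, band, then exposure lookup."""
    impact = upgrade_impact(cost_impact(risk.cost_variance_percent), min(risk.critical_factors, 2))
    band = probability_band(risk.probability_percent)
    level, score = EXPOSURE[(impact, band)]
    return ScoredRisk(risk.name, impact, band, level, score)

def prioritize(register: List[Risk]) -> List[ScoredRisk]:
    """Score every entry and order the register by exposure score, highest first."""
    return sorted((score_risk(r) for r in register), key=lambda s: s.score, reverse=True)

# Constructed sample register (hypothetical entries, not from the page)
SAMPLE_REGISTER = [
    Risk("Vendor SSO integration slips a release", 70, 12),      # band 2, impact A -> 80
    Risk("Key developer unavailable during cutover", 85, 4, 1),  # band 1, C upgraded to B -> 50
    Risk("Data center maintenance window overlaps go-live", 20, 7),  # band 4, impact B -> 15
    Risk("Ambiguous reporting requirements", 40, 3),             # band 3, impact C -> 6
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_REGISTER):
        print(f"{s.score:>3}  {s.level:<9} impact {s.impact} band {s.band}  {s.name}")
```

Running the module prints the constructed register in response-planning order; the two highest entries would be the ones to take into the "Decide on Strategies" step first, and the critical-factor upgrade is what lifts the second entry from Low to Very High exposure despite its small cost variance.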

5. Risk Occurrence Timeframe

The timeframe in which this risk will have an impact is identified. This is classified into one of the following:

  • Now until one month
  • Next 2-6 months
  • Beyond 6 months

In addition to classifying risks according to the above guidelines, it is also necessary to describe the impact on cost, schedule, scope, and quality in as much detail as possible based on the nature of the risk.

6. Risk Recognition

For each risk, identify as clearly as possible how the risk event or condition will be recognized.






Risk Monitoring & Control – Roles & Responsibilities

  • Accountable for creation of the Risk Management Plan
  • Provides project resources
  • Manages program level risks

Project Manager

  • Owner of the Risk Management Plan
  • Monitors performance of risk responses
  • Participates in the identification of risks
  • Ensures risks are evaluated
  • Ensures risk responses are defined and required work is included in the project plan

Risk Owner

  • Monitors the project environment for the occurrence of a risk event or condition
  • Ensures the risk response is engaged when/if needed

  • Participates in the identification of risks
  • Participates in the evaluation of risks

Templates

  • Risk Management Template (Simple risk Register)
  • Risk Management Template (Robust risk Register)