The Risk Management Plan is a component of the project management plan and describes how risk management activities will be structured and performed.
The Risk Management Plan prepares the project team for what to do when something goes differently than planned or expected. Unexpected events or conditions can threaten or benefit the project. The plan includes identification, assessment, and intentional decisions about how to address these events.
The Risk Management Plan for UW-IT projects generally includes the following:
- Defines the approaches, tools and data sources that will be used to perform risk management for the project. Establishes protocols for the communication of risks to sponsors, stakeholders and project team.
- Roles and Responsibilities. Defines the lead, support and risk management team members for each type of activity in the Risk Management Plan, and clarifies their responsibilities.
- Defines when and how often the risk management processes will be performed throughout the project life cycle, establishes protocols for application of schedule contingency reserves, and establishes risk management activities for inclusion in the project schedule.
The project manager is responsible for developing the project Risk Management Plan, with support from the project stakeholders.
- Project Charter
- Stakeholders and Project Team
- Review of Risks experienced by similar projects
- Risk Assessment Spider Chart
Risk Management Steps
- Identify all potential events that may impact the project negatively or positively. Is it an opportunity or a threat? Document the opportunity or threat events on the Risk Register.
- Optionally, identify the source of the risk and how it was identified. Common risk sources are defined in the “Tools and Guidelines” section of this document.
- Optionally, categorize the risk. The Risk Assessment Spider Chart provides some risk categories, and elaboration of the risks from this chart is recommended. Common risk categories are defined in the “Tools and Guidelines” section of this document.
Analyze and rate each risk for its impact to the project scope, cost, or customer, and rate each risk for the probability of occurring. Common risk impacts and probabilities are defined in the “Tools and Guidelines” section of this document.
Determine the risk score for each risk. The risk score helps the risk management team select an appropriate risk response, and helps prioritize additional risk planning. A typical scoring matrix is provided in the “Tools and Guidelines” section of this document. The values in this matrix are included in the linked templates.
- Time Frame:
Determine the risk horizon for each risk. The time frame helps the risk management team prioritize additional risk planning.
Decide on Strategies:
Prioritize and develop a risk response plan for the highest rated events. With the project team, develop a specific plan for each event. Consider the following response strategies for threats:
- Avoid – Change your plan to completely eliminate the probability the risk will occur. Sometimes a lower risk choice is available, thus avoiding a higher risk.
- Mitigate – Take action to reduce the impact and/or the probability that the risk event will occur. These actions are tasks that are added to the work breakdown structure for the project.
- Transfer – Transfer the risk to another party. Plan action steps and funding to monitor the performance of the other party. These actions are tasks that should be added to the work breakdown structure for the project.
- Accept – Accept the consequences if the risk event occurs. However, if the risk event does occur, the project will still need to respond with possible unplanned impacts to scope, schedule or budget.
- Escalate – Manage the risk at a program level or portfolio level because it exceeds the scope and authority of the project. Work with your project sponsor to determine who should be notified, as it is important that the risk is accepted by the relevant party.
Consider the following response strategies for opportunities:
- Exploit – Take action to capture the opportunity and to ensure that the opportunity occurs. Increase the probability to 100%.
- Share – Transfer the ownership of the opportunity to a third party so that it shares some of the benefits if the opportunity occurs.
- Enhance – Increase the probability and/or impact of an opportunity.
- Accept – Acknowledge the existence of the opportunity but take no proactive actions.
- Escalate – The opportunity is outside the scope of the project and the opportunity is managed at a program or portfolio level.
Define Risk Responses.
Determine how the project team will respond to risk events/conditions for the project, including all required communications.
Determine how the project team will monitor risk events/conditions for the project.
- Track the current status of the risk.
- Describe the risk event/condition triggers. Describe how to recognize the risk event/condition.
- Determine who is responsible for monitoring the risk and managing the response.
Risk Management Plan: potential opportunities and threats and a plan to respond to them.
When is the project Risk Plan written?
The project Risk Management Plan is written during the planning phase, and updated throughout the life of the project.
Who owns the project Risk Plan?
The project manager is the owner of the project Risk Management Plan; the project stakeholders provide input and/or may be assigned as risk managers for one or more risks in the Risk Management Plan.
Tools and Guidelines
The templates listed below can assist the project manager and project team to develop a Risk Management Plan. Consider the following definitions and guidelines when building a plan:
The following guidelines are used to identify risks in a structured and disciplined way, which ensures that no significant potential risk is overlooked.
1. Risk Information Sources
The risk repository is the historical data containing the list of risks encountered by completed projects.
The risk identification checklist is a questionnaire that helps identify gaps and potential risks. It is developed based on experience and project type.
Risk Identification is also done by brainstorming or interviewing experienced project participants, stakeholders, and subject matter experts.
The project status includes project status meeting notes, status reports, progress reports and quality reports. These reports provide current information on project progress, issues faced, and recognition of additional risks.
Analyze the Project Risk Assessment Spider Chart to understand the underlying risk events or conditions.
2. Risk Category
Risk category provides a list of areas that are prone to risk events. Use high-level, standard categories, which may have to be extended based on the project type.
Requirements, Technology, Interfaces, Performance, Quality, etc.
Customer, Contract, Market, Supplier, etc.
Project Dependencies, Logistics, Resources, Budget, etc.
Planning, Schedule, Estimation, Controlling, Communication, Change Management, etc.
3. Risk Analysis
Risk analysis involves examining how project outcomes and objectives might change due to the impact of the risk event.
Once the risks are identified, they are analyzed to identify the qualitative and quantitative impact of the risk on the project so that appropriate steps can be taken to mitigate them.
The following guidelines are used to analyze risks.
Probability of Risk Occurrence
- High probability – (80% ≤ x ≤ 100%)
- Medium-high probability – (60% ≤ x < 80%)
- Medium-low probability – (30% ≤ x < 60%)
- Low probability – (0% < x < 30%)
- High – Catastrophic (Rating A – 100)
- Medium – Critical (Rating B – 50)
- Low – Marginal (Rating C – 10)
As a guideline for Impact Classification the following matrix is used:
Within 5% of target
Cost Variance 6-10%
Cost Variance >10%
Within 5% of target
Schedule Variance >10%
Scope change barely noticeable
Minor area of scope variance
Major Scope change or scope reduction unacceptable to the client
Quality reduction barely noticeable
Quality reduction does not affect vital functionality
Quality reduction is significant and requires client approval
The score represents bottom thresholds for the classification of risks assuming “normal” conditions. An upgrade of the score to the next or even next + 1 level is necessary if the risk is impacted by critical factors such as:
- How important the specific customer is
- Whether the project is critical for the further development of the relationship with the customer
- The risk is already in the focus of the customer
- Specific penalties for deviations from project targets are agreed in the contract with the customer
4. Risk Exposure
Risk Exposure or Risk Score is the value determined by multiplying the Impact Rating by the Risk Probability:
1 = high
2 = medium high
3 = medium low
4 = low
A = high
Exposure Very High
Exposure Very High
B = medium
Exposure Very High
C = low
The colors represent the urgency of risk response planning and determine reporting levels.
5. Risk Occurrence Timeframe
The timeframe in which this risk will have an impact is identified. This is classified into one of the following:
Now – until one month
Next 2-6 months
Beyond 6 months
In addition to classifying risks according to the above guidelines, it is also necessary to describe the impact on cost, schedule, scope, and quality in as much detail as possible based on the nature of the risk.
6. Risk Recognition
For each risk, identify as clearly as possible how the risk event or condition will be recognized.
Risk Monitoring & Control – Roles & Responsibilities
● Accountable for creation of Risk Management Plan
● Provides project resources
● Manages program level risks
● Owner of the Risk Management Plan
● Monitors performance of risk responses
● Participates in the identification of Risks
● Ensures Risks are evaluated
● Ensures Risk responses are defined and required work is included in the project plan
● Monitors the project environment for the occurrence of a risk event or condition
● Ensures risk response is engaged when/if needed
● Participates in the identification of Risks
● Participates in evaluation of Risks