The Risk Management Plan is a PMBOK document which sets out how risks will be managed on a project. It forms the basis for all other risk management activities, including risk strategy, identification, funding and monitoring. It will define the processes followed and the templates that will be used (including the risk register).
stakeholdermap.com
The risk management plan is created from the process 'Plan Risk Management' in the Project Management Body of Knowledge Guide (Sixth Edition). It is written once and does not usually change over the course of the project.
This is not just a template! It includes a wealth of hints and tips along with examples of a:
This is a FREE Risk Management Plan in Word, doc and docx. The template is fully editable with Microsoft Word and can be converted or changed to suit your project requirements. It is suitable for PMBOK/PMP.
Describe the approach, tools and data that you will use to manage risk on this project.
An example methodology is provided below:
The Risk Management Method
This project will use Acme’s risk management method defined in the Acme Project Management Methodology. It is a simple four step method which is repeated continuously through the project lifecycle. Once a risk is identified, it is assessed, responses to manage the risk are agreed, and progress is monitored:
Identify – risks are identified on an ongoing basis, through formal risk identification workshops as well as during day to day activities.
Assess – once identified a risk is assessed to establish the likelihood of it occurring and the impact it will have if it occurs.
Respond – there are several possible actions that can be taken to reduce the likelihood of a risk occurring or the impact of the risk, for example transferring, avoiding, and mitigating. In this step suitable responses are agreed, and budget approved if needed.
Monitor – progress of the risk responses needs to be monitored and controlled, with corrective action taken if needed. Typically, progress is assessed via project team meetings.
Risk Identification
Describe how risks will be identified and captured. Risks can be revealed from many sources and at any time during the project, so risk identification needs to be an ongoing process.
The entire project team are responsible for identifying risks and reporting them to the Risk Manager. Risks may be identified via risk workshops, but also through many other routes:
How Risks will be expressed
Risks will be expressed using the following simple statement:
IF xxxx assumption proves incorrect THEN xxxxx will happen
This statement ensures that the cause of the risk (the assumption) is clear, as is the impact. For example, if you are assuming shipping will take 10 days, risk of delay could be expressed as:
IF shipping takes longer than 10 days THEN the project will face a cost of $500 per day in unused warehouse space.
Risk report form
Identified risks can be documented on a risk form and sent to the Risk Manager for assessment.
Example risk form:
Risk capture and logging
Describe how risks will be captured and documented. Include the information that will be captured along with details of who will be responsible for keeping the documentation up to date. You can include a link to the documents that will be used and/or include a copy in an appendix.
Risks will be captured on a risk form and submitted to the Risk Manager, who will document the risk on the risk register and present it to the risk review board. The risk review board will assess the risk and accept, reject or request more information. If the risk is accepted the board will confirm the suggested mitigating and contingency actions and agree a budget for managing the risk.
Describe how you will know which risks are the most important. Frequently risks are reviewed and given a score or rating of likelihood and impact. In other words, is this risk likely to happen and if it did what would it mean for the project?
An example Risk Assessment method is shown below:
Risks will be assessed by impact and likelihood using a 1 to 4 numeric scale. The combined score is the risk priority and will drive the response to each risk.
Likelihood scale:
the risk is very unlikely to happen, for example it is statistically unlikely, or action has already been taken to reduce the likelihood.
the risk is unlikely to happen, but is not unheard of, for example a supplier goes unexpectedly into liquidation or a regulatory change forces a change of materials or project approach.
the risk is highly likely to happen, perhaps it is a common occurrence on projects or a common issue with location, environment, materials, equipment or the technology used. For example, projects are often impacted by staff illness.
Impact scale:
the risk will have little impact, perhaps there are plans or procedures in place that will reduce the impact, or there is a simple low-cost alternative. For example, holding a Skype or Zoom meeting if a key person can’t make it to the office.
the risk will have some impact, but it can be managed or reduced easily. For example, getting cover for a non-critical staff member who is off sick or a short delay while a contingency plan is put in place.
the risk will have a significant impact. It is likely to require involvement of senior management and trigger a re-assessment of the business case. For example, equipment failure causing a delay to the go live date.
if the risk occurs the project will no longer be viable, perhaps the business case can no longer be achieved, the additional costs would make it ruinous or the delay would be so long as to make the project pointless.
Risk Assessment Matrix
Once you have rated a risk by impact and likelihood you can use a matrix to find the priority/importance of the risk.
An example Risk Assessment Matrix is shown below:
Risks with a priority between 1 – 3 will be accepted (no action will be taken).
Risks with priority between 4 – 8 will be managed using the most appropriate risk response.
Priority 9, 12 and 16 risks may result in the project being cancelled or put on hold until a risk response can be implemented that will reduce the priority to 8 or below.
Risks are often managed by reducing the likelihood of the risk happening or the impact. Other responses are also valid such as transferring the risk, accepting the risk and avoiding the risk. Describe the risk responses that you will use to manage risk on this project.
Timing and Frequency of Risk Management Activities
Document when risk management activities will be carried out including the frequency. Include any risk identification workshops, risk review boards and how and when progress will be monitored.
An example is below:
Progress will be monitored on a weekly basis. The agenda for the weekly project team meeting will include space for a review of the risk register focusing on the progress of the risk responses. Risks that are scored between 8 and 16 will be reviewed at the monthly Risk Review Board meeting chaired by the Risk Manager.
Risk Funding
Break down the funding/budget needed to manage risk on the project. This includes: the cost of risk mitigation, cost for expert consultants, insurance cost, and a contingency budget. This section should also describe how the funding will be allocated, accessed, controlled and measured.