Purpose

The risk management plan lays down the groundwork for how risk management will be carried out in a project. It serves as guidance for the risk process, its thresholds, and its formats, defining the roles and responsibilities of stakeholders in risk management. It is notable that the risk management plan is not a listing of specific risks and is not used to establish the particular strategies for risks, once they are identified.

Application

The risk management plan is shared with project stakeholders to clarify their roles and responsibilities in the risk management process and to identify when specific potential risks are truly of concern to the organization. It also outlines the risk budgeting process, detailing how and when risk contingency funds may be allocated and applied.

Content

The risk management plan consists of basic information about how risk management will be conducted during the project. It does not address specific behaviors associated with specific risks, but instead forms a framework for the rest of the risk management process.

1.0 Risk Process

Risk process may be as simple as two steps (e.g., assessment and response) or as complex as six or seven steps (e.g., planning, identification, qualification, quantification, response development, and response control [3]). The process steps should include clarification on how each of the processes will be carried out and the level of depth of information to be provided for each.

2.0 Risk Responsibilities

Just as the buyer and seller in project environments have different responsibilities for deliverables, so do they have different responsibilities for risks. Those responsibilities should be outlined here. Responsibilities may include information on who will identify risks, as well as who should evaluate them and develop strategies for those that are of the greatest significance.

3.0 Risk Thresholds

Thresholds represent personal and organizational tolerance for risk. They are the definitions of tolerance in terms of budget, schedule, requirements, and other sensitive cultural issues (e.g., politics, media exposure). They are normally expressed as ceilings beyond which the project should not proceed, or as notification points for upper echelons of management.

4.0 Risk Finances

This element of the risk management plan may address both funds set aside for risks within the project (contingency reserve) and funds set aside within managemen control for risks outside the project’s purview (management reserve). In both cases, this component of the plan details how and when the project team may draw down funds from those reserve accounts. Risk finances may also provide detail on how the amounts for the reserve accounts will be established.

5.0 Risk Evaluation

Because evaluation protocols vary from project to project, the risk management plan should include some detail on how risks will be scored and termed. Particularly for risk qualification, there should be some definition of terms for both the probability of a risk’s occurrence and for the impact should it come to pass. Many projects employ the high-medium—low (H-M-L) scheme for both impact and probability.
The risk management plan should define each of those terms.

6.0 Process Timing

High-risk projects may require frequent risk reevaluation. Projects with lower risk may not require such frequency. The risk management plan should include detail on the frequency of risk identification, assessment, and response development, as well as the appropriate application of any tracking processes or documentation.

Approaches

For each of the components of the risk management plan, the approaches may be widely varied. The key is to ensure some measure of consistency from project to project within an organization. One example is provided here:

1.0 Risk Process

Risks shall be identified during an initial brainstorming session engaging all available team members. (Risks shall be identified using full sentences to clarify the nature of the negative effect they may have on the project and/or the organization.) They shall be evaluated using the H-M-L scheme defined herein by the project manager and/or his or her designee. Those risks achieving a score of M-H or greater shall be posted on the team watch list, and strategies will be determined for each. Strategies will become tasks embedded in the team activity list and will be assigned to individual team members. They will be tracked as activities in the project management software in a risk table and will be updated to reflect current status. The process shall be updated at least once every 2 months.

2.0 Risk Responsibilities

The project manager shall serve as the risk coordinator. Martin L. will serve as the team’s risk archivist both in updating the project management software and in providing risk reports to management on an as-needed basis. Team members shall be responsible for their assigned risk activity. John C. will document minutes from all risk meetings and be responsible for disseminating them within 3 days of the meetings’ conclusion.

3.0 Risk Thresholds

Any individual risks that (if they come to pass) will exceed these thresholds should be escalated to the project manager’s attention immediately for further dispensation.

Budget: $20,000;

Schedule: any impact to critical path tasks;

Requirements: any requirement impact that would ultimately be visible to the customer or change the nature of the deliverable;

Politics: any risk that could prompt a client phone call to executive management by a customer or end user.

4.0 Risk Finances

Risk contingency for this project is established at 8% of the total project budget. These funds may be allocated by completing Form 517W, identifying the specific nature of and rationale for the allocation. Completed forms should be submitted to Nancy A. in Accounting.

5.0 Risk Evaluation

For this project, the following evaluation criteria apply:

Probability

High—Happens frequently. Few projects don’t have this occur.
Medium—As likely as not. (Default for uncertain risks.) Low—Could happen. It has been seen on at least one project before. Remote—Very unlikely. Never been seen, but still plausible.

Impact

High—Cost: More than $10,000. Schedule: Affects a critical path task. Requirements: Visible to the customer or changes nature of the deliverable. Medium—Cost: $1,000-$10,000. Schedule: Affects any task with less than 3 days of total float. Requirements: Visible internally, no change to the nature of the deliverable.

Low—Cost: Less than $1,000. Schedule: Affects tasks with 3 days of total float or more. Requirements: Invisible to all save the original developer.

All medium-high (probability-impact) items will be evaluated for risk strategies and added to the tracking list.

6.0 Process Timing

The process shall be conducted at least once every other month.

Considerations

Because risk management plans are designed to encourage some measure of consistency in risk management practice, they can often be recycled or reused from project to project. If that’s done, the key is to ensure that the risk thresholds are appropriate for the current project and that the responsibility assignments are updated to reflect the members of the current project team.