What is the Risk Management Plan?
The Risk Management Plan is a PMBOK document which sets out how risks will be managed on a project. It forms the basis for all other risk management activities, including risk strategy, identification, funding and monitoring. It will define the processes followed and the templates that will be used (including the risk register). The risk management plan is created from the process 'Plan Risk Management' in the Project Management Body of Knowledge Guide (Sixth Edition). It is written once and does not usually change over the course of the project.
This is not just a template! It includes a wealth of hints and tips along with examples of:
- a risk management method
- a model risk management process
- a risk report form
- a risk assessment method
What's in the Risk Management Plan?
[Project Name] Risk Management Plan
Project Reference
Document Control
Document information:
- Document Id
- Document Owner
- Issue Date
- Last Saved Date
- File Name
- Version
- Issue Date
- Changes
- Project Sponsor
- Project Review Group
- Project Manager
Risk Management Methodology
Describe the approach, tools and data that you will use to manage risk on this project.
An example methodology is provided below:
This project will use Acme’s risk management method defined in the Acme Project Management Methodology. It is a simple four step method which is repeated continuously through the project lifecycle. Once a risk is identified, it is assessed, responses to manage the risk are agreed, and progress is monitored:
The Risk Management Method
- Identify – risks are identified on an ongoing basis, through formal risk identification workshops as well as during day to day activities.
- Assess – once identified, a risk is assessed to establish the likelihood of it occurring and the impact it will have if it occurs.
- Respond – there are several possible actions that can be taken to reduce the likelihood of a risk occurring or the impact of the risk, for example transferring, avoiding, and mitigating. In this step suitable responses are agreed, and budget approved if needed.
- Monitor – progress of the risk responses needs to be monitored and controlled, with corrective action taken if needed. Typically, progress is assessed via project team meetings.
Risk Identification
Describe how risks will be identified and captured. Risks can be revealed from many sources and at any time during the project, so risk identification needs to be an ongoing process.
An example Risk Identification process is shown below:
The entire project team are responsible for identifying risks and reporting them to the Risk Manager. Risks may be identified via risk workshops, but also through many other routes:
How Risks will be expressed
Risks will be expressed using the following simple statement:
IF xxxx assumption proves incorrect THEN xxxxx will happen
This statement ensures that the cause of the risk (the assumption) is clear, as is the impact. For example, if you are assuming shipping will take 10 days, risk of delay could be expressed as:
IF shipping takes longer than 10 days THEN the project will face a cost of $500 per day in unused warehouse space.
Risk report form
Identified risks can be documented on a risk form and sent to the Risk Manager for assessment.
Example risk form:
Risk capture and logging
Describe how risks will be captured and documented. Include the information that will be captured along with details of who will be responsible for keeping the documentation up to date. You can include a link to the documents that will be used and/or include a copy in an appendix.
An example risk management process is provided below:
Risks will be captured on a risk form and submitted to the Risk Manager, who will document the risk on the risk register and present it to the risk review board. The risk review board will assess the risk and accept, reject or request more information. If the risk is accepted the board will confirm the suggested mitigating and contingency actions and agree a budget for managing the risk.
Risk Assessment Method
Describe how you will know which risks are the most important. Frequently risks are reviewed and given a score or rating of likelihood and impact. In other words, is this risk likely to happen and if it did what would it mean for the project?
An example Risk Assessment method is shown below:
Risks will be assessed by impact and likelihood using a 1 to 4 numeric scale. The combined score is the risk priority and will drive the response to each risk.
Likelihood scale:
- 1 – the risk is very unlikely to happen, for example it is statistically unlikely, or action has already been taken to reduce the likelihood.
- 2 – the risk is unlikely to happen, but is not unheard of, for example a supplier goes unexpectedly into liquidation or a regulatory change forces a change of materials or project approach.
- 3 – the risk is likely to happen, for example: rain in September in the UK or scope creep on IT projects (see 20 common project risks).
- 4 – the risk is highly likely to happen, perhaps it is a common occurrence on projects or a common issue with location, environment, materials, equipment or the technology used. For example, projects are often impacted by staff illness.
Impact scale:
- 1 – the risk will have little impact, perhaps there are plans or procedures in place that will reduce the impact, or there is a simple low-cost alternative. For example, holding a Skype or Zoom meeting if a key person can’t make it to the office.
- 2 – the risk will have some impact, but it can be managed or reduced easily. For example, getting cover for a non-critical staff member who is off sick or a short delay while a contingency plan is put in place.
- 3 – the risk will have a significant impact. It is likely to require involvement of senior management and trigger a re-assessment of the business case. For example, equipment failure causing a delay to the go live date.
- 4 – if the risk occurs the project will no longer be viable, perhaps the business case can no longer be achieved, the additional costs would make it ruinous or the delay would be so long as to make the project pointless.
Risk Assessment Matrix
Once you have rated a risk by impact and likelihood you can use a matrix to find the priority/importance of the risk.
An example Risk Assessment Matrix is shown below:
Risks with a priority between 1 – 3 will be accepted (no action will be taken).
Risks with priority between 4 – 8 will be managed using the most appropriate risk response.
Priority 9, 12 and 16 risks may result in the project being cancelled or put on hold until a risk response can be implemented that will reduce the priority to 8 or below.
Other examples of risk matrices:
3 x 3 Risk Matrix
4 x 4 Risk Matrix
5 x 5 Risk Matrix
Risk Responses
Risks are often managed by reducing the likelihood of the risk happening or the impact. Other responses are also valid such as transferring the risk, accepting the risk and avoiding the risk. Describe the risk responses that you will use to manage risk on this project.
Timing and Frequency of Risk Management Activities
Document when risk management activities will be carried out including the frequency. Include any risk identification workshops, risk review boards and how and when progress will be monitored.
An example is below:
Progress will be monitored on a weekly basis. The agenda for the weekly project team meeting will include space for a review of the risk register focusing on the progress of the risk responses. Risks that are scored between 8 and 16 will be reviewed at the monthly Risk Review Board meeting chaired by the Risk Manager.
Risk Funding
Break down the funding/budget needed to manage risk on the project. This includes the cost of risk mitigation, the cost of expert consultants, insurance costs, and a contingency budget. This section should also describe how the funding will be allocated, accessed, controlled and measured.
© 2008 - 2080 T Morphy. stakeholdermap.com. All rights reserved.