Friday 22 February 2019

Risk management plan | Project Management

This Risk Management Plan (RMP) presents the process for implementing proactive risk management as part of the overall management of the project.

Risk management is a program management tool to assess and mitigate events that might adversely impact the program, thereby decreasing the likelihood of success. Unlike issues, risks relate to events that could occur and may impact the project’s scope, schedule, budget, business performance, or technical objectives. Risks are measured in terms of their probability of occurrence and their impact, as they relate to the project.

The RMP describes methods for identifying, analyzing, prioritizing, and tracking risk drivers; developing risk-handling plans; and managing, tracking, and reporting risk. It assigns specific responsibilities for the management of risk and prescribes the documenting, monitoring, and reporting processes to be followed. The risk management process will enable the project team to create strategies to effectively address potential barriers to project success.

Risks are identified continuously throughout the life cycle of the project to ensure that potential problems are identified and analyzed, and that the appropriate handling or management actions are planned. Risk management provides the opportunity to reduce negative impacts, eliminate rework, and increase the measure of success. It also provides a means to identify risks that may not generate change but are reported to seniors so that they know the risk exists. The risk may be of medium magnitude but have a low probability of occurrence, and the team may recommend proceeding without any change.

Overview to Risk Management

Risk Management Strategy

Successful management of projects requires informed, proactive, and timely management of risks. Risk management is an integral part of the project management process and is performed continuously through all phases of the project. All project team members and stakeholders are involved in the process.

Proactive risk management involves identifying critical areas and risk events, both technical and non-technical, and identifying the necessary action to handle them before they become problems, causing serious cost, schedule, or performance impacts. Decisions on appropriate risk handling options involve the stakeholders who are responsible for the resources required for those activities. Risk management activities are coordinated and integrated with the project schedule.

Defining roles and responsibilities

Effective risk management includes all project team members as well as external stakeholders. All project team members and stakeholders are responsible for identifying risks continuously throughout the life cycle of the project. Project team members and stakeholders will be involved with risk assessment and analysis as well as planning and implementing risk handling options. The Project Manager (PM) will incorporate risk reviews into all meetings.

Risk management will be included in all project team meetings to ensure that as risks are identified, they are captured, managed, tracked, and reported.

Project Manager

The PM is responsible for ensuring that risk management is an integral part of the program. This includes the following responsibilities:
  • Reviewing risk information and involving the necessary stakeholders who may be external to the individual project teams.
  • Ensuring that the appropriate level of resources is utilized for risk management activities.

Risk Management Coordinator

The Risk Management Coordinator (RMC) for the project should be designated in writing by the project’s PM. The RMC is responsible for:

  • Maintaining this RMP
  • Briefing the PM on the status of the project’s risk
  • Tracking efforts to reduce moderate and high risk to acceptable levels
  • Providing risk management training
  • Facilitating risk assessment
  • Preparing risk briefings, reports, and documents required for Project Reviews

Project Team Members

Project team members are responsible for implementing risk management tasks per this plan, including the following responsibilities:

  • Identify risks continuously
  • Review and update the assigned risk information
  • For high and medium level risks, identify appropriate risk handling activities
  • Review and justify/validate the risk assessments made and the proposed risk handling plans
  • Manage and report risk information periodically as requested by the project and/or program manager
  • Ensure risk is a consideration at each Project Design Review
  • Ensure project team activities incorporate appropriate risk management tasks
  • Evaluate and recommend to the RMC changes on the overall risk management approach based on lessons learned.

Risk Training

Risk management Process template

The key to the success of risk efforts is the degree to which all members of the team, both government and contractor, are properly trained. Project risk management training is available within learning articles under the Advanced Project Management courses category.

Risk Planning

Risk planning consists of the up-front activities necessary to execute a successful risk management program. It is an integral part of normal program planning and management. The planning should address each of the other risk management functions, resulting in an organized and thorough approach to identify, assess, handle, and monitor risks. It should also assign responsibilities for specific risk management actions and establish risk reporting and documentation requirements. This risk management process and RMP serve as the basis for all detailed risk planning, which must be continuous.

Risk Identification

The risk identification process includes the identification of risk events that could have an adverse impact on the program. All risks that may have a moderate or significant (non-negligible) impact should be included in the risk management process. Risk identification will be continuous throughout the project/program. Individuals who are most aware of potential problems (risks) to be managed will be identified and involved in the detailed, day-to-day technical, cost, and scheduling aspects of the program.

Anyone with access to the organization’s system may enter a new risk. It is the responsibility of the PM to review the new risk in the “pending risk” area and approve or reject those risks within RRE for the individual project.

The basic process involves searching the entire organization to determine those critical events that would prevent the program from achieving its objectives. All identified risks will be documented in the risk management tool, including the initial details with a statement of the risk and potential impact along with additional available information to categorize and quantify the risk. Refer to Appendices B/C (organization Data Elements – Entered/Calculated, respectively) and the “organization’s User Guide” for further information about entering and managing risk information.

The following are indicators that team members may find helpful in identifying and assessing risk; all program areas should be examined:

  • Lack of Stability, Clarity, or Understanding of Requirements: Requirements drive the design of the system. Changing or poorly stated requirements guarantee the introduction of performance, cost, and schedule problems.
  • Failure to Use Best Practices: Assures the program will experience some risk. The further a contractor deviates from best practices, the higher the risk.
  • New Processes: Always are suspect, whether they are related to design, analysis, or production. Until they are validated, and until the people who implement them have been trained and have experience in successfully using the process, there is risk.
  • Process Lacking Rigor: Should also be suspect; it is inherently risky. To have rigor, a process should be mature and documented, it should have been validated, and it should be strictly followed.
  • Insufficient Resources: Necessary ingredients for successfully implementing a process are people, funds, schedule, and tools. If any are inadequate, inclusive of the qualifications of the people, there is risk.
  • Test Failure: May indicate corrective action is necessary. Some corrective actions may not fit available resources, or the schedule, and (for other reasons as well) may contain risk.
  • Qualified Supplier Availability: A supplier not experienced with the processes for designing and producing a specific product is not a qualified supplier and is a source of risk.
  • Negative Trends or Forecasts: They are a cause for concern (risk) and may require specific actions to turn around.

There are a number of techniques and tools available for identifying risks. Among them are:

  • Best Judgment: The knowledge and experience of the collective, multi-disciplined team members and the opinion of Subject Matter Experts (SMEs) are the most common source of risk identification.
  • Lessons Learned: This can come from similar processes and can serve as a baseline for the successful way to achieve requirements. If there is a departure from the successful way, there may be risk.
  • Critical Program Attributes: The metrics that the program office developed to measure progress toward meeting our objectives. Team members, functional managers, contractors, etc., may develop their own metrics to support these measurements. The attributes may be specification requirements, contract requirements, or measurable parameters from any agreement or tasking. The idea is to provide a means to measure whether we are on track in achieving our objectives.
  • Independent Risk Assessors: The method used to help ensure that all risks are identified. The knowledgeable, experienced people are independent from the management and execution of the processes and procedures being reviewed. Independent assessment promotes questions and observations not otherwise achievable.

Risk Assessment

Risk assessment is an evaluation of the identified risk events to determine the probability of those events occurring and the consequences/impact of the outcomes, along with other qualitative data that will be used to prioritize the risk and determine the appropriate risk handling option. Once this information has been determined, the risk event may be rated against the program’s criteria and given an overall risk status of low, moderate, or high. The Risk Assessment Parameters figure depicts the risk analysis parameters for this program in regard to probability and impact (technical/performance, schedule, cost, and other impact areas).

The analysis of individual risks will be the responsibility of the Risk Owner. All who have information relevant to the risk should be included in analyzing the risk. The results of the analysis of all identified risks must be documented in the RRE tool.

This process involves:

  • Determining the probability and impact of each risk event to establish a risk rating.
  • Prioritizing each risk event relative to other risks within the project or program.
  • Identifying the risk time frame.
  • Categorizing the risk to identify areas of potential impact.

Risk Assessment Parameters template


For each risk event identified, the likelihood of occurrence must be determined. As shown in Figure 4-2, there are five levels (1 - 5) in the project’s risk assessment process, with the corresponding criteria of Remote, Unlikely, Likely, Highly Likely, and Near Certainty. If there is zero likelihood of an event, there is no risk per our definition.


For each risk area identified, the following question must be answered: Given the event occurs, what is the magnitude of the impact? As shown in the figure, there are five levels of impact (1-5). “Impact” is a multifaceted issue. For this program, there are four areas we will evaluate when determining impact: technical performance, schedule, cost, and impact on other teams or areas. At least one of the four impact areas needs to apply for each risk; if there is no adverse consequence in any of the areas, there is no risk.

Risk Level and Exposure: 

After identifying the probability (10% - 90%) and a level of impact (1 - 5), the risk level (green = LOW, yellow = MODERATE, and red = HIGH) and risk exposure (probability x impact) are calculated within the RRE tool. The risk exposure values are associated with the risk level (see Figure 4-3).

Risk Level    Risk Exposure Range
Low           0.1 – 0.8
Medium        0.9 – 2.4
High          2.5 – 4.5

Risk exposure by probability and impact level:

Probability   Impact 1       Impact 2       Impact 3       Impact 4       Impact 5
90%           Medium (0.9)   Medium (1.8)   High (2.7)     High (3.6)     High (4.5)
70%           Low (0.7)      Medium (1.4)   Medium (2.1)   High (2.8)     High (3.5)
50%           Low (0.5)      Medium (1.0)   Medium (1.5)   Medium (2.0)   High (2.5)
30%           Low (0.3)      Low (0.6)      Medium (0.9)   Medium (1.2)   Medium (1.5)
10%           Low (0.1)      Low (0.2)      Low (0.3)      Low (0.4)      Low (0.5)



Risk Priority: 

The risk priority is established after the risk assessment is done. The priority may be established relative to the risks within one project, or within a program consisting of risks within multiple projects or sub-projects. The priority value is entered in RRE on the Prioritize Risks tab.
The project team reviews the information gathered during the risk assessment to determine the appropriate risk handling actions.

Risk Handling

After the program’s risks have been identified and assessed, the approach to handling each significant risk must be developed. There are essentially four techniques or options for handling risks: avoidance, control/mitigation, transfer, and assumption/acceptance (see Table 4-2). For all identified risks, the various handling techniques should be evaluated in terms of feasibility, expected effectiveness, cost and schedule implications, the effect on the system’s technical performance, and the most suitable technique selected.

The Risk Owner that assessed the risk is responsible for evaluating and recommending to the PM the risk-handling options best fitted to the program’s circumstances. For each selected handling option, the responsible Risk Owner will develop specific tasks that, when implemented, will reduce the probability and/or impact of the risk on the program, or eliminate the risk.

The tasks (mitigation steps) identified should explain what has to be done, the due date, and identify the point of contact responsible for the task. The risk handling option, description, and tasks are entered and tracked within RRE. Activities may also be added to the project schedule for tracking.

Risk Handling Options


  • Acceptance: This technique recognizes the risk and its uncontrollability. Acceptance is a passive technique that focuses on allowing whatever outcome to occur without trying to prevent that outcome. This technique is normally used for low or very low risks where an efficient means of reducing the risk is not apparent.
  • Avoidance: This technique uses an approach that avoids the possibility of risk occurrence. Avoidance can be thought of as nullifying the risk by changing the contract parameters established between the Customer and Integrator. The following items represent ways of avoiding risks:
      1. Work Scope Reduction
      2. Changing the requirements and/or specifications
      3. Changing the Statement of Work (SOW)
      4. Changing the Technical Baseline
      5. Developing and submitting Waivers and Deviations
  • Mitigation: This technique is made up of actions that are to be taken that reduce the risk probability and/or impact. Mitigation actions occur at all points throughout the project's lifecycle and are typically the most common response. They typically identify an action or product that becomes part of the work plans, and which is monitored and reported as part of the regular performance analysis and progress reporting of the project.
  • Research: This technique defers all actions until more work is done and/or facts are known. Investigation-based responses do not define any mitigation for reducing an individual risk. They are responses to risks where no clear solution is identified, and further research is required. Research may include root cause analysis. Research responses immediately and directly lead to a greater aggregated project risk. This is because the probability quantifier for each risk includes the effect of the applied response, for which there is none, and the level of control quantifier indicates the level of influence to apply that response, which is low.
  • Transference: Transference is the process of moving something from one place to another or from one party to another. In this option, the risk can be transferred to the customer or to the contractor. Typically, transference includes sub-contracting to specialist suppliers who are able to reduce overall risk exposure. This technique is best utilized during the proposal process. Transfer can also include the use of third-party guarantees, such as insurance-backed performance bonds.

Low risks may be placed on a watch list if it is decided not to develop risk mitigation actions. The risks in a “watch” status must be reviewed on a periodic basis to identify any change in status that may signify the need for an alternate risk handling option.

For high risks, consideration should be given to development of a contingency plan in the event that the risk does occur. Contingency plans should be developed for high risks that are in the short or near time frame that cannot be mitigated to an acceptable level.

Risk Monitoring

Risk monitoring systematically tracks and evaluates the performance of risk-handling actions. Essentially, it compares predicted results of planned actions with the results actually achieved to determine status and the need for any change in risk-handling actions.

To ensure significant risks are effectively monitored, risk-handling actions (which include specific events, schedules, and success criteria) will be reflected in integrated program planning and scheduling. Identifying these risk-handling actions and events in the context of Work Breakdown Structure (WBS) elements establishes a linkage between them and specific work packages, making it easier to determine the impact of actions on cost, schedule, and performance. The detailed information on risk-handling actions and events will be included in the Risk Management Tool.

The functioning of the Risk Owner is crucial to effective risk monitoring. Risk Owners are the front line for obtaining indications that risk-handling efforts are achieving their desired effects. Each Risk Owner is responsible for monitoring and reporting the effectiveness of the handling actions for the assigned risks. Overall, the project’s risk assessment reports will be prepared by the PM working with the assigned Risk Owner.

Risks rated as Moderate or High will be reported to the PM and RMC, who will also track them, using information provided by the appropriate Risk Owner, until the risk is considered Low and recommended to be retired. The Risk Originator that initially reported the risk retains ownership and cognizance for reporting status and keeping the database current. Ownership means implementing handling plans and providing periodic status of the risk and of the handling plans. Risk will be made an agenda item at each management review, providing an opportunity for all concerned to offer suggestions for the best approach to managing risk. Communicating risk increases the program’s credibility and allows early actions to minimize adverse consequences.

The risk management process is continuous. Information obtained from the monitoring process is fed back for reassessment and evaluations of handling actions. When a risk area is changed to Low, it is no longer tracked by the PM. The owners of all Low risk areas will continue monitoring Low risks to ensure they stay Low.

Risk Closing

When it has been determined that a risk no longer poses any potential for impact on the project, it should be retired and removed from the active risk list. A risk maintained within the RRE tool may be updated by changing the status to retired. The risk will then be removed from the active risk list and be placed in the Pending Risk list. The Risk Coordinator for the project must then accept the change in the risk status and approve that the risk be retired. Retired risks may then be viewed within the Retired Risks area of RRE.

Risks Management template
