People often do not realize how low maintenance the risk management process at its basic level can be. I teach my students that you can do very well with only two key documents. Today, we will look more closely at one of them: the risk management plan.
What exactly is a risk management plan, and why do we need one? Well, it is the document that will become part of the overall project management plan, which will be used throughout the project to manage our risk efforts. It is difficult at times to clearly explain what we do when it comes to managing risks. This document, which should be tailored to each project’s specific requirements during planning, will help us provide a clear understanding of the processes, methodology, tools, and techniques we will use.
Most organizations generate a template for the risk management plan, which consists of key content sections that will then be scaled or tailored to a specific project once the project is approved and enters planning. We will review what would a good risk management plan template contains and explain how this content is then used to manage risks. We have attempted to keep some sort of sequential order in this article, but as you will find in most templates, each organization creates the template that will meet their particular needs. The sequence is less important than having the proper content to manage the work.
1. Summary or overview
As with most planning output documents, the first section of our risk plan will consist of a summary or overview of the project, and most will include a statement as to our understanding of the risk level expected for the initiative. Let us then take a tour into the core of the document.
2. Approach and methodology
The largest and most complex section will divide into our approach and methodology in performing the risk work. This section will contain a description of our approach, including what methodology we will use as well as our framework, which will be at the basis of it all. A framework, more often than not, will be derived from a standard such as but not limited to ISO, IRM, PMI®… It is crucial to employ a framework that is flexible enough to cover the different sizes and complexity of projects the organization will handle.
The information here relates to the “work” we will do in planning, managing, analyzing risks, and this will be conducted down to the detail of what processes will be performed, tools, and techniques used and deliverables produced. It will also link the risk work with the overall project management work for the project.
3. Roles and responsibilities
Roles and responsibilities in terms of risk management will come next. This is often done in the form of a RACI (responsible, accountable, consulted, informed) matrix. The key is to know who is doing what in terms of risk management on the project. There are a great number of variations on the RACI chart concept, one that provides a clear view of the risk roles should be used.
4. Budgeting and scheduling
Elements of budgeting and scheduling will be covered next. We need to ensure that items pertaining to the cost and time of performing risk management will be detailed and considered in the planning. You will be able to trace these back to the overall project budget and schedule. Some examples would be for resources allocated to risk identification such as room rental, consultants, food, beverages…
5. Risk Breakdown Structure
Most of what we do in risk management is creating links and mapping elements for a better understanding of a project now and in the future through lessons learned. One of the ways we do this is through cataloging the types or sources of risks with a RBS (risk breakdown structure). We will find the RBS in the risk management plan for use with our risk register in linking risk types to individual risks for the project. It is important to document the process as well for updating and maintaining the RBS catalog from project to project.
6. Probability and impact matrix
A key component is next: the explanation or definition of the probability and impact matrix to be used for risk analysis on the project. Here we’ll map each of the scales to be used, create a model of the matrix which will guide our work in analysis, becoming a map and a guide to converting stakeholders’ perspectives of risk for the project into a visual map of risk.
This section is critical to a good plan and to the success of all risk efforts. An entire section will be dedicated to this information in most cases, although some organizations choose to expand upon this when reviewing the methodology, more specifically, the risk analysis processes that will be performed.
Most plans will expand further by including sections on stakeholder tolerances, reporting formats, and methods to be used for tracking and monitoring of risks.
A good risk management plan will include all of the information that our stakeholders need to understand how risk will be planned, managed, dealt with, and documented throughout the life cycle of our projects. If anything in our protocols for dealing with risks were to change, this is where you would find the information to make sense of it.
However, you look at this document, and no matter what section it includes, without it, we would not have a clear view of what we are doing for managing risks. This will become the document to turn to when the questions of what, who, and how are asked.
When all is said and done, a great risk management plan will need a good risk register to support the work to be done. We are not going to discuss the register at this time, but if you thought that risk management was confusing, you now know that all it takes are a few sections of clearly documented information supported by a working document (register), the will of the team to perform great work and the support of our stakeholders to maneuver the risk obstacles presented to us.
Sylvie Edwards, PMP, MCPM, STDC, CMP has 25 years of project management experience spanning various industries and is the owner of SRE Solutions, catering to clients in need of project management course development, education, project risk management, PMO setup/evaluation or recovery services. She has worked with one of the top five consulting firm, where she led projects in the information technology, banking, government, and securities sectors as well as being a manager in the risk management practice. Sylvie writes about risk management, communication, and PMO.