risk management process assignment


How To Create A Risk Management Plan + Template & Examples

Emily Luijbregts

Dramatically reduce your chances of project failure with a risk management plan: learn how to create one for your projects, get some examples, and download our template!


A clear and detailed risk management plan helps you assess the impact of project risks and understand the potential outcomes of your decisions. It can be a useful tool to support decision making in the face of uncertainty.

However, I have seen projects fail because stakeholders did not take the risk management plan seriously or because the project failed to implement a risk management strategy.

Read on to learn how you can avoid these mistakes for your projects.

What Is A Risk Management Plan?

A risk management plan, or RMP, is a document describing how your project team will monitor and respond to unexpected or uncertain events that could impact the project.

The risk management plan:

  • analyzes the potential risks that exist in your organization or project
  • identifies how you will respond to those risks if they arise
  • assigns a responsible person to monitor each risk and take action, if needed.

Team members and stakeholders should collaborate to create a risk management plan after starting to develop a project management plan but before the project begins.

What’s Covered In A Risk Management Plan?

The fidelity of your risk management plan will vary depending on the nature of your project and the standard operating procedures that your organization uses. 

A project risk management plan seeks to answer:

  • What is this project, and why does it matter?
  • Why is risk management important for the project’s success?
  • What will the team do to identify, log, assess, and monitor risks throughout the project?
  • What categories of risk will we manage?
  • What methodology will be used for risk identification and to evaluate risk severity?
  • What is expected of the people who own the risks?
  • How much risk is too much risk?
  • What are the risks, and what are we going to do about them?

Depending on the project, this document could be hundreds of pages—or it could be less than a dozen. So how do you decide how much detail to provide? Here are two illustrative examples (but by no means are they the only ways to do it!).

PS. If you’re looking for additional information, we also did a workshop on managing risk that’s available for DPM members.

2 Types Of Risk Management Plans

In this section, we’ll cover 2 common types of risk management plans—a RAID log and a risk matrix.

#1: Simpler Version—Lightweight RAID Log

In its most minimal form, a risk management plan could be a handful of pages describing:

  • how and when to assess risk
  • the roles and responsibilities for risk owners
  • at what point the project risk should trigger an escalation.

An example of a basic risk management plan, with sections for the following information: Project goals and objectives, why we should manage risk, risk management cadence and rituals, what to do if you own a risk, and our risk tolerance.

Instead of a formal risk register designed to calculate risk severity, a lightweight risk management approach may simply involve maintaining a risk list in your weekly status report.

This list (also known as a RAID log) tracks risks, assumptions, issues, and dependencies so that the project team and sponsor can review and further discuss.

Example of a RAID log. It looks like a chart with several columns, labeled RAID category, description, impact, priority, risk priority number, and status

When to use it: this approach could be useful for a small non-technical project being executed by a team of 3-4 people in an organization that does not have a standard approach to risk management.


#2: Complex Version—Risk Matrix

When an organization already has a culture of risk management, there may be a template to follow that demands a high level of detail. These details may include a full description of the methodology that the organization will follow to perform qualitative and quantitative risk analysis, along with an impact matrix. 

An impact matrix, or risk assessment matrix, shows the relationship between risk factors in calculating risk severity. Risks that are high-probability and high-impact are the most severe.

Example of a risk assessment matrix: The Y axis shows probability as unlikely, likely, or very likely. The X axis shows the impact as low, moderate, or high. Probability x impact = risk. High probability and high impact is an unacceptable risk. Low to moderate probability and low to moderate impact is acceptable risk.

An organization may design its risk register template to prioritize and assign a numerical severity score to measure the level of risk. 

Additionally, you may need to create a risk breakdown structure to decompose higher-level risk categories into smaller, more specific risk subcategories.

Example of a risk breakdown structure with risks organized into categories, such as Technical, External, Organizational, and Project Management, which are then broken into smaller subcategories.

When to use it: making a detailed risk management plan isn’t about creating complexity for complexity’s sake—you and your team will be glad to have this level of detail on a large enterprise project that involves larger teams, multiple stakeholders, and high stakes that could have a significant impact on the business.

In terms of tooling, there are some great options available for managing risk on your project. Many organizations favor spreadsheets as part of an enterprise business software bundle, but there are also some providers that support risk management planning specifically. 

Two examples of risk management software are Wrike and monday.com. These tools integrate the entire risk management process with the wider project management plan.

The most important consideration is not the tool used, but rather the discussions you’ll have with your team and your project sponsor about how to navigate risks to increase the likelihood of project success.

How To Make A Risk Management Plan 

Below is a step-by-step guide to developing your own version of a risk management plan. Keep in mind that the nature of these steps may vary depending on the type of project involved, so don’t be afraid to tailor these steps to meet project and organizational needs.


The first 2 steps in the process are preparing supporting documentation and setting the context.


Next, decide how you want to identify & assess risks, and continuously identify those risks.


The next steps in the risk management process include assigning risk owners, populating your risk register, and then publishing it.


Make sure to monitor and assess risks throughout the project, and once the project is over, archive the risk management plan in a way that it can be reused for future projects.

1. Prepare supporting documentation

You’ll want to review existing project management documentation to help you craft your risk management plan. This documentation includes:

  • Project Charter: among other things, this document establishes the project objectives, the project sponsor, and you as the project manager. Frankly, it gives you the right to create a project management plan and then a risk management plan within that. If formal project charters aren’t used at your organization, you should at least have this documented in an email or a less formal brief.
  • Project Management Plan: not to be confused with the project plan, this document outlines how you’ll manage, monitor, and control your project, including what methodology to use, how to report progress, how to escalate issues, etc. Your risk management plan should act as a subcomponent of the project management plan.
  • Stakeholder Register: it’s good to have a solid idea of who the project stakeholders are before assessing risk. Each of these stakeholder groups presents a different set of risks when it comes to people, processes, and technology. You can also invite stakeholders to identify risks throughout the project and even nominate them as risk owners!

2. Set the context

Once you have your supporting documentation available, use it to frame up the discussion around your risk management plan. Specifically, take the project description and objectives from the project charter and use them to outline the business value of the project and the negative impacts that would result should the project fail.

The introduction to your risk management plan should explain the intent of this document and its relationship to the overarching project management plan. Use this context to drive a conversation about risk management with your team and your project sponsor.

3. Decide with your team how to identify and assess risks

Different methodologies are appropriate for different types of projects. The methods you choose also need to be sustainable for the team to perform throughout the project.

The key here is to have the right discussions and gather input to build consensus with your team and your stakeholders early in the project life cycle. Use these discussions to agree on risk categories, risk response plans, and ways to calculate risk severity.

4. Continuously identify risks

Once you’ve decided on the methodology to use, now the real fun begins—thinking about the things that could go astray during your project!

A great way to do this is to hold a risk workshop—a group session involving your team, key stakeholders, project sponsor, and subject matter experts to identify, evaluate, and plan responses to risks.

In the example below, I have used a simple overview from a sample project. During the workshop, you’d discuss everything in columns E-R and make sure that you have clear, SMART outcomes to put in each of the boxes. (SMART stands for specific, measurable, action-oriented, realistic, and timebound.)

I like to keep a copy of the risk register on my desk during the workshop to make sure that each column is discussed and populated appropriately. After the workshop, add any supporting details to finalize the document.

Screenshot of risk management register from our risk management template

The project manager’s role during a risk workshop is to facilitate the meeting effectively. This involves brainstorming with stakeholders to evaluate both known risks and possible risks that may not have been considered. It could look something like this:

A list titled Unconsidered Risks by Project Teams and Client. Point one reads, Risk intensified: Issue with Connectivity with virtual teams. Point two reads, risk expanded: Connectivity issues in general within the project/locations. Point three reads, related risk: possible issues with improving connectivity (cost/schedule/feasibility).

At the end of the workshop, your goal is to come away with stakeholder alignment on project risks, the desired risk response, and the expected impact of the risks. Stakeholder buy-in is critical for a successful risk response, so time in the workshop is likely to be time well-spent.

5. Assign risk owners

As you identify risks, you should work with the team to assign owners (including yourself). Project managers are responsible for risk management too!

That being said, the project manager can’t own everything. Assigning risk owners can be the most difficult area of risk management to finalize because it requires stakeholder accountability.

Make sure that risk owners have reviewed the risk management plan and are clear on their responsibilities. Follow up with them as you monitor risk throughout the project life cycle.

6. Populate the risk register

Following the risk workshop, finish populating any information required for the risk register. This includes a description of the risk, the risk response category, detailed risk response, risk status, and risk owner.

Risk register sample from our risk management template with risk and key risk information filled in

What’s important to remember during this exercise is ensuring that the risk response reflects the severity and importance of the risk. You can then review the broader risk register to understand any wider correlations that might exist among risks.

7. Publish the risk register

Send around the updated risk register within 48 hours of the workshop to give everyone time to read and process the output.

You can also use the risk register within wider project discussions to explain or define the timeline for a project or specific actions that need to be completed. It’s important to be timely so that the output can be used in other project artifacts.

8. Monitor and assess risks continuously throughout the project

New risks are introduced to a project constantly. In fact, mitigating one risk might create another risk or leave “residual risk.”

If feasible within your project constraints, try to run risk workshops periodically throughout the duration of the project or incorporate risk register reviews into other recurring planning activities. 

Nothing feels quite as deflating as when you swerve to avoid one risk only to drive blindly into another, much bigger risk.

9. Archive your risk management plan in a reusable & accessible format

After your project, it’s a good idea to archive your risk management plan for future reference.

There are many reasons why (in fact, it may be mandatory in your organization), but here’s the main one: while not every risk management plan suits every project, the risk and response strategies may remain applicable. Use past risks to create a foundation for your next project.

Examples Of Risk Management Plans In Action

Admittedly, the word “risk” is itself a bit broad. Not having enough resources to hit the project deadline is a risk. Hurricane season is a risk. Disruption of the space-time continuum is a risk. 

So, where do you draw the line on what types of risks to consider—which risks have a large enough potential impact to require attention, or even a contingency plan?

Here’s one way to think about it:

If the item is related to people, processes, resources, or technology and has any likelihood of threatening project success, you should log it as a risk.

Now, you might not need to do a comprehensive analysis on every risk in your risk register, but you do need to revisit the risks identified and conduct risk monitoring throughout the project. If someone starts testing a time machine near your office, for example, your highly unlikely space-time continuum risk has escalated.

Does this matter?

Yes. To prove it, here’s a simple example of risk management that saved a project:

A colleague was working on a service design project that required in-person research (this was before COVID-19), and on her RACI chart, she had clearly communicated to the client that it was the client’s responsibility to book a meeting space to conduct this research. She had logged a risk with her team that the client might not be able to secure a space.

Two days before the research commenced, the client informed her they weren’t able to secure the space. Luckily, her risk mitigation strategy on this particular risk was to book a backup space at the office, which she had done weeks ago. 

Something that could have stalled the project for weeks had become nothing more than an email that said something like “All good, we’ll use our space.”


Here’s another example:

An agency agreed to an aggressive timeline for a highly technical project. The team had raised concerns as the project was being initiated, but leadership still wanted to proceed. The project manager and technical architect logged the timeline risk before the project started, and their risk response strategy was to re-evaluate the project timeline using a Monte Carlo simulation. 

After calculating a pessimistic, optimistic, and likely duration for every project activity on the critical path, they determined mathematically that the project had a 3% chance of hitting the deadline.

The project manager raised this with the client, and the client agreed to re-scope the project and re-baseline the project before getting going. It was too big of a risk for them to take.
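The kind of calculation described in this story, as an added example that is not from the article or the agency's own model: each critical-path activity gets an optimistic, most likely, and pessimistic duration, and many random trials estimate the chance of finishing by a deadline. The activity names, all durations, and the choice of a triangular distribution are assumptions made for illustration.

```python
import random
from bisect import bisect_right

# Constructed sample data (not from the article): activities on the critical
# path with (optimistic, most likely, pessimistic) durations in working days.
CRITICAL_PATH = [
    ("Discovery and requirements", 8, 10, 18),
    ("Architecture and design", 10, 15, 30),
    ("Build", 30, 45, 80),
    ("Integration and testing", 10, 15, 35),
    ("Deployment and handover", 3, 5, 12),
]


def simulate_durations(activities, trials=20000, seed=1):
    """Return a sorted list of simulated total critical-path durations.

    Each trial draws one duration per activity from a triangular
    distribution (an assumed model) and sums them, because activities
    on the critical path run one after another.
    """
    for name, optimistic, likely, pessimistic in activities:
        if not optimistic <= likely <= pessimistic:
            raise ValueError(f"{name}: need optimistic <= likely <= pessimistic")
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        total = 0.0
        for _name, optimistic, likely, pessimistic in activities:
            # random.triangular takes (low, high, mode)
            total += rng.triangular(optimistic, pessimistic, likely)
        totals.append(total)
    totals.sort()
    return totals


def chance_of_meeting(totals, deadline_days):
    """Fraction of simulated runs that finish on or before the deadline."""
    return bisect_right(totals, deadline_days) / len(totals)


def percentile(totals, pct):
    """Duration that pct percent of the simulated runs stay at or under."""
    index = min(len(totals) - 1, int(pct / 100 * len(totals)))
    return totals[index]


if __name__ == "__main__":
    totals = simulate_durations(CRITICAL_PATH)
    # A deadline built by adding up the "most likely" values looks reasonable
    # on paper, but the long pessimistic tails make it hard to hit.
    naive_deadline = sum(likely for _n, _o, likely, _p in CRITICAL_PATH)
    print(f"Deadline from most likely values: {naive_deadline} days")
    print(f"Chance of meeting it: {chance_of_meeting(totals, naive_deadline):.1%}")
    print(f"Duration met in 80% of runs: {percentile(totals, 80):.0f} days")
```

The output to bring to a sponsor is the pair of numbers at the end: the chance of hitting the proposed date and the date that would be met in most runs.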


Risk Register Template

There are a lot of risk register templates available online, and I would recommend looking at one that fits your needs, rather than one that includes every possible scenario. 

In the risk management plan template available in DPM Membership, we’ve tried to keep the risk register as simple as possible to ensure that you’re able to enter the relevant information for your project.

Example risk management plan cover sheet

Best Practices For Risk Management Plans

Consider these best practices to help you craft an effective risk management plan:

  • Develop the risk management plan during the project planning phase, after you’ve developed the project charter and the project management plan, to give stakeholders the necessary context
  • Adapt the format and level of detail of the risk management plan to align with the needs of the project, industry, and organization that you support
  • Assign a risk owner to every risk identified in your risk register, and hold them accountable for the risk response
  • Continuously identify risks throughout the project life cycle and update the risk register accordingly
  • During project closing, archive your risk management plan and use it to inform risk planning on future projects.

What Do You Think?

Whether you’re a novice project manager or a seasoned pro, having a good risk management plan is vital to project success. And, the key to a successful risk management plan is adaptability.

You need to make sure that, with every project you run, you can adapt the risk management plan to your project, industry, and organization.

If you’ve got a great story about a risk you mitigated successfully on your project or a different way to manage risk, please share it in the comments below!

Risk Management 101: Process, Examples, Strategies

Emily Villanueva


August 16, 2023


Effective risk management takes a proactive and preventative stance to risk, aiming to identify risks, determine the appropriate response for the business, and facilitate better decision-making. Many approaches to risk management focus on risk reduction, but it’s important to remember that risk management practices can also be applied to opportunities, assisting the organization with determining if that possibility is right for it.

Risk management as a discipline has evolved to the point that there are now common subsets and branches of risk management programs, from enterprise risk management (ERM), to cybersecurity risk management, to operational risk management (ORM), to supply chain risk management (SCRM). With this evolution, standards organizations around the world, like the US’s National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO), have developed and released their own best practice frameworks and guidance for businesses to apply to their risk management plan.

Companies that adopt and continuously improve their risk management programs can reap the benefits of improved decision-making, a higher probability of reaching goals and business objectives, and an augmented security posture. But, with risks proliferating and the many types of risks that face businesses today, how can an organization establish and optimize its risk management processes? This article will walk you through the fundamentals of risk management and offer some thoughts on how you can apply it to your organization.


What Are Risks?

We’ve been talking about risk management and how it has evolved, but it’s important to clearly define the concept of risk. Simply put, risks are the things that could go wrong with a given initiative, function, process, project, and so on. There are potential risks everywhere — when you get out of bed, there’s a risk that you’ll stub your toe and fall over, potentially injuring yourself (and your pride). Traveling often involves taking on some risks, like the chance that your plane will be delayed or your car runs out of gas and leaves you stranded. Nevertheless, we choose to take on those risks, and may benefit from doing so.

Companies should think about risk in a similar way, not seeking simply to avoid risks, but to integrate risk considerations into day-to-day decision-making.

  • What are the opportunities available to us?
  • What could be gained from those opportunities?
  • What is the business’s risk tolerance or risk appetite – that is, how much risk is the company willing to take on?
  • How will this relate to or affect the organization’s goals and objectives?
  • Are these opportunities aligned with business goals and objectives?

With that in mind, conversations about risks can progress by asking, “What could go wrong?” or “What if?” Within the business environment, identifying risks starts with key stakeholders and management, who first define the organization’s objectives. Then, with a risk management program in place, those objectives can be scrutinized for the risks associated with achieving them. Although many organizations focus their risk analysis around financial risks and risks that can affect a business’s bottom line, there are many types of risks that can affect an organization’s operations, reputation, or other areas.

Remember that risks are hypotheticals — they haven’t occurred or been “realized” yet. When we talk about the impact of risks, we’re always discussing the potential impact. Once a risk has been realized, it usually turns into an incident, problem, or issue that the company must address through their contingency plans and policies. Therefore, many risk management activities focus on risk avoidance, risk mitigation, or risk prevention.

What Different Types of Risks Are There?

There’s a vast landscape of potential risks that face modern organizations. Targeted risk management practices like ORM and SCRM have risen to address emerging areas of risk, with those disciplines focused on mitigating risks associated with operations and the supply chain. Specific risk management strategies designed to address new risks and existing risks have emerged from these facets of risk management, providing organizations and risk professionals with action plans and contingency plans tailored to unique problems and issues.

Common types of risks include: strategic, compliance, financial, operational, reputational, security, and quality risks.

Strategic Risk

Strategic risks are those risks that could have a potential impact on a company’s strategic objectives, business plan, and/or strategy. Adjustments to business objectives and strategy have a trickle-down effect to almost every function in the organization. Some events that could cause strategic risks to be realized are: major technological changes in the company, like switching to a new tech stack; large layoffs or reductions-in-force (RIFs); changes in leadership; competitive pressure; and legal changes.

Compliance Risk

Compliance risks materialize from regulatory and compliance requirements that businesses are subject to, like Sarbanes-Oxley for publicly-traded US companies, or GDPR for companies that handle personal information from the EU. The consequence or impact of noncompliance is generally a fine from the governing body of that regulation. These types of risks are realized when the organization does not maintain compliance with regulatory requirements, whether those requirements are environmental, financial, security-specific, or related to labor and civil laws.

Financial Risk

Financial risks are fairly self-explanatory — they have the possibility of affecting an organization’s profits. These types of risks often receive significant attention due to the potential impact on a company’s bottom line. Financial risks can be realized in many circumstances, like performing a financial transaction, compiling financial statements, developing new partnerships, or making new deals.

Operational Risk

Risks to operations, or operational risks, have the potential to disrupt daily operations involved with running a business. Needless to say, this can be a problematic scenario for organizations with employees unable to do their jobs, and with product delivery possibly delayed. Operational risks can materialize from internal or external sources — employee conduct, retention, technology failures, natural disasters, supply chain breakdowns — and many more.

Reputational Risk

Reputational risks are an interesting category. These risks look at a company’s standing in the public and in the media and identify what could impact its reputation. The advent of social media changed the reputation game quite a bit, giving consumers direct access to brands and businesses. Consumers and investors too are becoming more conscious about the companies they do business with and their impact on the environment, society, and civil rights. Reputational risks are realized when a company receives bad press, experiences a successful cyber attack or security breach, or ends up in any situation that causes the public to lose trust in the organization.

Security Risk

Security risks have to do with possible threats to your organization’s physical premises, as well as information systems security. Security breaches, data leaks, and other successful types of cyber attacks threaten the majority of businesses operating today. Security risks have become an area of risk that companies can’t ignore, and must safeguard against.

Quality Risk

Quality risks are specifically associated with the products or services that a company provides. Producing low-quality goods or services can cause an organization to lose customers, ultimately affecting revenue. These risks are realized when product quality drops for any reason — whether that’s technology changes, outages, employee errors, or supply chain disruptions.

Steps in the Risk Management Process

The six risk management process steps that we’ve outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: 

  • Risk identification
  • Risk analysis or assessment
  • Controls implementation
  • Resource and budget allocation
  • Risk mitigation
  • Risk monitoring, reviewing, and reporting

If this is your organization’s first time setting up a risk management program, consider having a formal risk assessment completed by an experienced third party, with the goal of producing a risk register and prioritized recommendations on what activities to focus on first. Annual (or more frequent) risk assessments are usually required when pursuing compliance and security certifications, making them a valuable investment.

Step 1: Risk Identification

The first step in the risk management process is risk identification. This step takes into account the organization’s overarching goals and objectives, ideally through conversations with management and leadership. Identifying risks to company goals involves asking, “What could go wrong?” with the plans and activities aimed at meeting those goals. As an organization moves from macro-level risks to more specific function and process-related risks, risk teams should collaborate with critical stakeholders and process owners, gaining their insight into the risks that they foresee.

As risks are identified, they should be captured in formal documentation — most organizations do this through a risk register, which is a database of risks, risk owners, mitigation plans, and risk scores.


Step 2: Risk Analysis or Assessment

Analyzing risks, or assessing risks, involves looking at the likelihood that a risk will be realized, and the potential impact that risk would have on the organization if that risk were realized. By quantifying these on a three- or five-point scale, risk prioritization becomes simpler. Multiplying the risk’s likelihood score with the risk’s impact score generates the risk’s overall risk score. This value can then be compared to other risks for prioritization purposes.

The likelihood that a risk will be realized asks the risk assessor to consider how probable it would be for a risk to actually occur. Lower scores indicate a lower chance that the risk will materialize. Higher scores indicate a higher chance that the risk will occur.

Likelihood, on a 5×5 risk matrix, is broken out into:

  • Highly Unlikely
  • Highly Likely

The potential impact of a risk, should it be realized, asks the risk assessor to consider how the business would be affected if that risk occurred. Lower scores signal less impact to the organization, while higher scores indicate more significant impacts to the company.

Impact, on a 5×5 risk matrix, is broken out into:

  • Negligible Impact
  • Moderate Impact
  • High Impact
  • Catastrophic Impact

Risk assessment matrices help visualize the relationship between likelihood and impact, serving as a valuable tool in risk professionals’ arsenals.

Organizations can choose whether to employ a 5×5 risk matrix, as shown above, or a 3×3 risk matrix, which breaks likelihood, impact, and aggregate risk scores into low, moderate, and high categories.

Step 3: Controls Assessment and Implementation

Once risks have been identified and analyzed, controls that address or partially address those risks should be mapped. Any risks that don’t have associated controls, or that have controls that are inadequate to mitigate the risk, should have controls designed and implemented to do so.

Step 4: Resource and Budget Allocation

This step, the resource and budget allocation step, doesn’t get included in a lot of content about risk management. However, many businesses find themselves in a position where they have limited resources and funds to dedicate to risk management and remediation. Developing and implementing new controls and control processes is time-consuming and costly; there’s usually a learning curve for employees to get used to changes in their workflow.

Using the risk register and corresponding risk scores, management can more easily allocate resources and budget to priority areas, with cost-effectiveness in mind. Each year, leadership should re-evaluate their resource allocation as part of annual risk lifecycle practices.

Step 5: Risk Mitigation

The risk mitigation step of risk management involves both coming up with the action plan for handling open risks, and then executing on that action plan. Mitigating risks successfully takes buy-in from various stakeholders. Due to the various types of risks that exist, each action plan may look vastly different between risks. 

For example, vulnerabilities present in information systems pose a risk to data security and could result in a data breach. The action plan for mitigating this risk might involve automatically installing security patches for IT systems as soon as they are released and approved by the IT infrastructure manager. Another identified risk could be the possibility of cyber attacks resulting in data exfiltration or a security breach. The organization might decide that establishing security controls is not enough to mitigate that threat, and thus contract with an insurance company to cover cyber incidents. Two related security risks; two very different mitigation strategies.

One more note on risk mitigation — there are four generally accepted “treatment” strategies for risks. These four treatments are:

  • Risk Acceptance: Risk thresholds are within acceptable tolerance, and the organization chooses to accept this risk.
  • Risk Transfer: The organization chooses to transfer the risk or part of the risk to a third party provider or insurance company.
  • Risk Avoidance: The organization chooses not to move forward with that risk and avoids incurring it.
  • Risk Mitigation: The organization establishes an action plan for reducing or limiting risk to acceptable levels.

If an organization is not opting to mitigate a risk, and instead chooses to accept, transfer, or avoid the risk, these details should still be captured in the risk register, as they may need to be revisited in future risk management cycles.

Step 6: Risk Monitoring, Reviewing, and Reporting

The last step in the risk management lifecycle is monitoring risks, reviewing the organization’s risk posture, and reporting on risk management activities. Risks should be monitored on a regular basis to detect any changes to risk scoring, mitigation plans, or owners. Regular risk assessments can help organizations continue to monitor their risk posture. Having a risk committee or similar committee meet on a regular basis, such as quarterly, integrates risk management activities into scheduled operations, and ensures that risks undergo continuous monitoring. These committee meetings also provide a mechanism for reporting risk management matters to senior management and the board, as well as affected stakeholders.

As an organization reviews and monitors its risks and mitigation efforts, it should apply any lessons learned and use past experiences to improve future risk management plans.

Examples of Risk Management Strategies

Depending on your company’s industry, the types of risks it faces, and its objectives, you may need to employ many different risk management strategies to adequately handle the possibilities that your organization encounters. 

Some examples of risk management strategies include leveraging existing frameworks and best practices, minimum viable product (MVP) development, contingency planning, root cause analysis and lessons learned, built-in buffers, risk-reward analysis, and third-party risk assessments.

Leverage Existing Frameworks and Best Practices

Risk management professionals need not go it alone. There are several standards organizations and committees that have developed risk management frameworks, guidance, and approaches that business teams can leverage and adapt for their own company. 

Some of the more popular risk management frameworks out there include:

  • ISO 31000 Family: The International Standards Organization’s guidance on risk management.
  • NIST Risk Management Framework (RMF): The National Institute of Standards and Technology has released risk management guidance compatible with their Cybersecurity Framework (CSF).
  • COSO Enterprise Risk Management (ERM): The Committee of Sponsoring Organizations’ enterprise risk management guidance.

Minimum Viable Product (MVP) Development

This approach to product development involves developing core features and delivering those to the customer, then assessing response and adjusting development accordingly. Taking an MVP path reduces the likelihood of financial and project risks, like excessive spend or project delays, by simplifying the product and decreasing development time.

Contingency Planning

Developing contingency plans for significant incidents and disaster events is a great way for businesses to prepare for worst-case scenarios. These plans should account for response and recovery. Contingency plans specific to physical sites or systems help mitigate the risk of employee injury and outages.

Root Cause Analysis and Lessons Learned

Sometimes, experience is the best teacher. When an incident occurs or a risk is realized, risk management processes should include some kind of root cause analysis that provides insights into what can be done better next time. These lessons learned, integrated with risk management practices, can streamline and optimize response to similar risks or incidents.

Built-In Buffers

Applicable to discrete projects, building in buffers in the form of time, resources, and funds can be another viable strategy to mitigate risks. As you may know, projects can get derailed very easily, going out of scope, over budget, or past the timeline. Whether a project team can successfully navigate project risks spells the success or failure of the project. By building in some buffers, project teams can set expectations appropriately and account for the possibility that project risks may come to fruition.

Risk-Reward Analysis

In a risk-reward analysis, companies and project teams weigh the possibility of something going wrong with the potential benefits of an opportunity or initiative. This analysis can be done by looking at historical data, doing research about the opportunity, and drawing on lessons learned. Sometimes the risk of an initiative outweighs the reward; sometimes the potential reward outweighs the risk. At other times, it’s unclear whether the risk is worth the potential reward or not. Still, a simple risk-reward analysis can keep organizations from bad investments and bad deals.

Third-Party Risk Assessments

Another strategy teams can employ as part of their risk management plan is to conduct periodic third-party risk assessments. In this method, a company would contract with a third party experienced in conducting risk assessments, and have them perform one (or more) for the organization. Third-party risk assessments can be immensely helpful for a new risk management team or for a mature risk management team that wants a new perspective on their program.

Generally, third-party risk assessments result in a report of risks, findings, and recommendations. In some cases, a third-party provider may also be able to help draft or provide input into your risk register. As external resources, third-party risk assessors can bring their experience and opinions to your organization, leading to insights and discoveries that may not have been found without an independent set of eyes.

Components of an Effective Risk Management Plan

An effective risk management plan has buy-in from leadership and key stakeholders; applies the risk management steps; has good documentation; and is actionable. Buy-in from management often determines whether a risk management function is successful or not, since risk management requires resources to conduct risk assessments, risk identification, risk mitigation, and so on. Without leadership buy-in, risk management teams may end up just going through the motions without the ability to make an impact. Risk management plans should be integrated into organizational strategy, and without stakeholder buy-in, that typically does not happen. 

Applying the risk management methodology is another key component of an effective plan. That means the six steps outlined above should be incorporated into a company’s risk management lifecycle. Identifying and analyzing risks, establishing controls, allocating resources, conducting mitigation, and monitoring and reporting on findings form the foundations of good risk management.

Good documentation is another cornerstone of effective risk management. Without a risk register recording all of a company’s identified risks and accompanying scores and mitigation strategies, there would be little for a risk team to act on. Maintaining and updating the risk register should be a priority for the risk team — risk management software can help here, providing users with a dashboard and collaboration mechanism.

Last but not least, an effective risk management plan needs to be actionable. Any activities that need to be completed for mitigating risks or establishing controls should be feasible for the organization and have resources allocated to them. An organization can come up with the best possible, best practice risk management plan, but find it completely unactionable because they don’t have the capabilities, technology, funds, and/or personnel to carry it out. It’s all well and good to recommend that cybersecurity risks be mitigated by setting up a 24/7 continuous monitoring Security Operations Center (SOC), but if your company only has one IT person on staff, that may not be a feasible action plan.

Executing on an effective risk management plan necessitates having the right people, processes, and technology in place. Sometimes the challenges involved with running a good risk management program are mundane — such as disconnects in communication, poor version control, and multiple risk registers floating around. Risk management software can provide your organization with a unified view of the company’s risks, a repository for storing and updating key documentation like a risk register, and a space to collaborate virtually with colleagues to check on risk mitigation efforts or coordinate on risk assessments. Get started building your ideal risk management plan today!

Emily Villanueva, MBA, is a Senior Manager of Product Solutions at AuditBoard. Emily joined AuditBoard from Grant Thornton, where she provided consulting services specializing in SOX compliance, internal audit, and risk management. She also spent 5 years in the insurance industry specializing in SOX/ICFR, internal audits, and operational compliance.

The Risk Management Process: 4 Essential Steps

  • 27 September 2021

In Project Risk Management and the Elements of Risk Management Implementation, we looked at what risk management is and the essential elements for implementing risk management into your organization. In this article, we look at the process of risk management and how to identify, assess, and respond to project risks.

The Risk Management Process is a clearly defined method of understanding what risks and opportunities are present, how they could affect a project or organization, and how to respond to them. 

The 4 essential steps of the risk management process are:

  • Identify the risk.
  • Assess the risk.
  • Treat the risk.
  • Monitor and Report on the risk.

Four steps of the risk management process: identify, assess, treat, and monitor & report

Step 1: Risk Identification

The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project:

  • Project milestones
  • Financial trajectory of the project
  • Project scope

These events can be listed in the risk matrix and later captured in the risk register.

A risk (or opportunity) is characterized by its description, causes and consequences, qualitative assessment, quantitative assessment and mitigation plan. It can also be characterized by who is responsible for its action. Each of these characteristics is necessary for a risk (or opportunity) to be valid.

In order to be managed effectively, the Risks and Opportunities (R&O) identified must be as precise and specific as possible. The title of the risk or opportunity must be succinct, self-explanatory and clearly defined. 

All members of the project can and should identify R&O, and the content of these is the responsibility of the Risk (or Opportunity) Owners. Risk Managers are responsible for ensuring that a formal process for identifying risks and developing response plans is conducted through exchanges with risk owners. We will explain each of these roles in further detail in our next article on Risk Management Team Roles.

Below are examples of tools to help identify R&O:

  • Analysis of existing documentation
  • Interviews with experts
  • Conducting brainstorming meetings
  • Using the approaches of standard methodologies – such as Failure Modes, Effects and Criticality Analysis (FMECA), cause trees, etc.
  • Considering the lessons learned from R&Os encountered in previous projects 
  • Using pre-established checklists or questionnaires covering the different areas of the project (Risk Breakdown Structure or RBS).

Step 2: Risk Assessment

There are two types of risk and opportunity assessments: qualitative and quantitative. A qualitative assessment analyzes the level of criticality based on the event’s probability and impact. A quantitative assessment analyzes the financial impact or benefit of the event. Both are necessary for a comprehensive evaluation of risks and opportunities.

Qualitative Assessment

The Risk Owner and the Risk Manager will rank and prioritize each identified risk and opportunity by occurrence probability and impact severity, according to the project’s criticality scales.

Evaluating occurrence probability (P):

This is determined preferably based on experience, the progress of the project, or else by speaking to a risk expert, and is on a scale of 1 to 99%.

For example, suppose the risk “the inability of supplier X to conduct studies on a modification Y by the end of 2025” is 50% probable. This could be determined from feedback and analysis of the supplier’s workload.

Evaluating impact severity (I):

To assess the overall impact, it is necessary to estimate the severity of each of the impacts defined at the project level. A scale is used to classify the different impacts and their severities. This ensures that the assessment of the risk and opportunity is standardized and reliable.

The criticality level of a risk or opportunity is obtained by the equation: Criticality = P x I

The purpose of the qualitative assessment is to ensure that the risk management team prioritizes the response on critical items first.

Quantitative Assessment

In most projects, the objective of the quantitative assessment is to establish a financial evaluation of a risk’s impact or an opportunity’s benefit, should it occur. This step is carried out by the Risk Owner, the Risk Manager (with support of those responsible for estimates and figures), or the management controller depending on the organizational set up in the company. These amounts represent a potential additional cost (or a potential profit if we are talking about an opportunity) not anticipated in the project budget.

For this, it is therefore necessary:

  • Hours of internal engineering 
  • Hours of subcontracting
  • Additional work to do
  • Amendments and/or claims made to contracts
  • To calculate the cost of the undesired event’s consequences by adding these values.

This step will make it possible to estimate the need for additional budget for risks and opportunities of the project.

Step 3: Risk Treatment

In order to treat risks, an organization must first identify their strategies for doing so by developing a treatment plan. The objective of the risk treatment plan is to reduce the probability of occurrence of the risk (preventive action) and/or to reduce the impact of the risk (mitigation action). For an opportunity, the objective of the treatment plan is to increase the likelihood of the opportunity occurring and/or to increase its benefits. Depending on the nature of the risk or opportunity, a response strategy is defined for the project. The following 7 strategies are possible:

funnel diagram showing the 7 risk or opportunity response strategies

7 Risk Response Strategies

  • Accept: Do not initiate any action but continue to monitor.
  • Mitigate/Enhance: Reduce (for a risk) or increase (for an opportunity) the probability of occurrence and/or the severity of impact.
  • Transfer/Share: Transfer responsibility of a risk to a third party who would bear the consequences of the problem (share the benefits of a realized opportunity).
  • Avoid/Exploit: Entirely eliminate uncertainty / take advantage of the opportunity. 

Monitoring the progress of the treatment plan is the responsibility of the risk owner. They must report regularly to the risk manager, who must keep the risk register up to date.

Note: The cost of a risk mitigation plan must be integrated into the budget of the project.

When defining a treatment plan:

  • Each action begins with an action verb and has a clear purpose.
  • Each action has an actionee and a deadline.
  • Actions that could generate costs must be tracked and considered in the project.
  • For example: to reduce the risk of my car breaking down, a treatment plan could be to have it checked annually by a repair shop.

When does risk become an issue?

line diagram showing the point in time at which a risk becomes an issue

It is possible that, despite the actions put in place to mitigate or prevent it, a risk probability could increase and reach 100%. Once a risk is confirmed, we no longer refer to it as a risk but as an issue. The Risk Manager must then inform the various project stakeholders who will relay that a risk has become an issue and transfer it to the issue log.

Step 4: Risk Monitoring and Reporting

Risks and opportunities and their treatment plans need to be monitored and reported on. The frequency of this will depend on the criticality of the risk or opportunity. Developing a monitoring and reporting structure ensures there are appropriate forums for escalation and that appropriate risk responses are being actioned.

In the previous article we identified the Risk and Opportunity Management Plan or ROMP as one of the five essential elements of Project Risk Management. It should include not only the project stakeholders and steering members, but the governance cadence for monitoring and reporting on risks and opportunities. How this is organized and governed is defined by the Risk Manager in conjunction with the Project Manager.

We will go over both of these roles as well as additional roles within the Risk Management Team in more detail in our next article.

This article was written by: Marie BELGODERE, Jérémie CLAUSTRE, Capucine COMTE, Alioune DIALLO, Emmanuel LATGE, Jessy MIGNOT, Ingrid NGOBAY, Pierre PETILLON, Louann SUGDEN, Chris WAMAL.

© 2024 MIGSO-PCUBED. All rights reserved.

How to Perform a Risk Assessment

Identify, analyze, and mitigate potential hazards and the risks associated with them by conducting risk assessments.

What is a Risk Assessment?

A risk assessment is a systematic process used to identify, analyze, and control hazards and risks present in a situation or place. This decision-making tool aims to determine which measures should be implemented in order to eliminate or control those risks, as well as specify which of them should be prioritized according to the level of likeliness and impact they have on the business.

Risk assessment is one of the major components of a risk analysis. Risk analysis is a process with multiple steps that intends to identify and analyze all of the potential risks and issues that are detrimental to the business or enterprise.

Why is it Important?

Risk assessments are essential to identify hazards and risks that may potentially cause harm to workers. Identifying hazards by using the risk assessment process is a key element in ensuring the health and safety of your employees and customers. OSHA requires businesses to conduct risk assessments. According to regulations set by OSHA, assessing hazards or potential risks will determine the personal protective gear and equipment a worker may need for their job.

Risk analysis framework includes risk assessment, risk management, and risk communication

Risk Analysis Framework

When Do You Perform a Risk Assessment?

Beyond complying with legislative requirements, the purpose of risk assessments is to eliminate operational risks and improve the overall safety of the workplace. It is the employer’s responsibility to perform risk assessments when:

  • new processes or steps are introduced in the workflow;
  • changes are made to the existing processes, equipment, and tools; or
  • new hazards arise.

Risk assessments are also performed by auditors when planning an audit procedure for a company.

HSE distinguishes three general risk assessment types:

Large Scale Assessments

This refers to risk assessments performed for large-scale, complex hazard sites such as those in the nuclear and oil and gas industries. This type of assessment requires the use of an advanced risk assessment technique called Quantitative Risk Assessment (QRA).

Required specific assessments

This refers to assessments that are required under specific legislation or regulations, such as the handling of hazardous substances (according to COSHH regulations, 1998) and manual handling (according to Manual Handling Operations Regulations, 1992).

General assessments

This type of assessment manages general workplace risks and is required under the management of legal health and safety administrations such as OSHA and HSE.

Here is an example of a completed risk assessment. See more risk assessment examples in various industries.

How to Perform Risk Assessment in 5 Steps

Below are the 5 steps on how to efficiently perform risk assessments:

1. Identify hazards

Survey the workplace and look at what could reasonably be expected to cause harm. Identify common workplace hazards. Check the manufacturer’s or suppliers’ instructions or data sheets for any obvious hazards. Review previous accident and near-miss reports.

2. Evaluate the risks

To evaluate a hazard’s risk, you have to consider how, where, how much, and how long individuals are typically exposed to a potential hazard. Assign a risk rating to your hazards with the help of a risk matrix. Using a risk matrix can help measure the level of risk per hazard by considering factors such as the likelihood of occurrence, and severity of potential injuries.

3. Decide on control measures to implement

After assigning a risk rating to an identified hazard, it’s time to come up with effective controls to protect workers, properties, civilians, and/or the environment. Follow the hierarchy of controls in prioritizing implementation of controls.

4. Document your findings

It is important to keep a formal record of risk assessments. Documentation may include a detailed description of the process in assessing the risk, an outline of evaluations, and detailed explanations on how conclusions were made.

5. Review your assessment and update if necessary

Follow up with your assessments and see if your recommended controls have been put in place. If the conditions on which your risk assessment was based change significantly, use your best judgment to determine if a new risk assessment is necessary.

Risk Assessment Tools and Techniques

Several tools and techniques can be incorporated into a business’ process. The four common risk assessment tools are: risk matrix, decision tree, failure modes and effects analysis (FMEA), and bowtie model. Other risk assessment techniques include the what-if analysis, failure tree analysis, and hazard operability analysis.

How to use a Risk Matrix?

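| Consequence | Very likely | Likely | Unlikely | Highly unlikely |
| --- | --- | --- | --- | --- |
| Fatality | High | High | High | Medium |
| Major Injuries | High | High | Medium | Medium |
| Minor Injuries | High | Medium | Medium | Low |
| Negligible Injuries | Medium | Medium | Low | Low |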

A risk matrix is often used to measure the level of risk by considering the consequence/severity and likelihood of injury to a worker after being exposed to a hazard. Two key questions to ask when using a risk matrix should be:

  • Consequences: How bad would the most severe injury be if exposed to the hazard?
  • Likelihood: How likely is the person to be injured if exposed to the hazard?

The most common types are the 3×3 risk matrix, 4×4 risk matrix, and 5×5 risk matrix.

How to Assess Consequences?

It is common to group the injury severity and consequence into the following four categories:

  • Fatality – leads to death
  • Major or serious injury – serious damage to health which may be irreversible, requiring medical attention and ongoing treatment
  • Minor injury – reversible health damage which may require medical attention but limited ongoing treatment. This is less likely to involve significant time off work.
  • Negligible injuries – first aid only with little or no lost time.

How to Assess Likelihood?

It is common to group the likelihood of a hazard causing worker injury into the following four categories:

  • Very likely – exposed to hazard continuously.
  • Likely – exposed to hazard occasionally.
  • Unlikely – could happen but only rarely.
  • Highly unlikely – could happen, but probably never will.

We recommend OSHA’s great learning resources in understanding how to assess consequence and likelihood in your risk assessments.

Risk Assessment Training

“Safety has to be everyone’s responsibility… everyone needs to know that they are empowered to speak up if there’s an issue.” – Captain Scott Kelly, at the SafetyCulture Virtual Summit.

A good and effective hazard identification and risk assessment training should orient new and existing workers on various hazards and risks that they may encounter. It should also be able to easily walk them through safety protocols. With today’s technology like SafetyCulture’s Training feature, organizations can create and deploy more tailored-fit programs based on the needs of their workers.

Risk Assessment Templates

Risk assessments are traditionally completed through checklists, which are inconvenient when reports and action plans are urgently needed. Streamline the process with SafetyCulture, a mobile app solution. Get started by browsing this collection of customizable Risk Assessment templates that you can download for free.

FAQs About Risk Assessment

What is the difference between risk assessment and job safety analysis (JSA)?

The key difference between a risk assessment and a JSA is scope. Risk assessments assess safety hazards across the entire workplace and are oftentimes accompanied by a risk matrix to prioritize hazards and controls, whereas a JSA focuses on job-specific risks and is typically performed for a single task, assessing each step of the job.

What are the 3 main tasks of risk assessment?

The three main tasks of risk assessment include identifying the hazards, assessing the risks that come along with them, and placing control measures to either eliminate them totally or at least minimize their impact on the business and its people.

What are the top 5 operational risk categories?

The five most common categories of operational risks are people risk, process risk, systems risk, external events risk or external fraud, and legal and compliance risk. Operational risks refer to the probability of issues relating to people, processes, or systems negatively impacting the business’s daily operations.

How often should risk assessments be performed?

As stated above, risk assessments are ideally performed when there’s a new process introduced or if there are changes to the existing ones, as well as when there is new equipment or there are new tools for employees to use. Outside of these instances, however, it is recommended that businesses schedule risk assessments at least once a year so that the procedures are updated accordingly.

Who should perform risk assessments?

Risk assessments should be carried out by competent persons who are experienced in assessing hazard injury severity, likelihood, and control measures.

Jairus Andales

How to Create a Project Risk Management Plan

By Kate Eby | February 27, 2023

Teams can use a project risk management plan to identify and assess the potential risks to a project. We’ve gathered expert tips on creating an effective risk management plan, as well as step-by-step instructions for creating an example plan.

On this page, you’ll find information on what to include in a project risk management plan and how to create a plan, as well as step-by-step instructions for completing an example project risk management plan.

What Is a Project Risk Management Plan?

Project teams create a project risk management plan, a document that helps identify and assess potential risks to a project. The plan outlines how your team will analyze and mitigate the potential risks to ensure project success.

The project risk management plan is one of the most important documents in project risk management. You can learn more about project risks in general, as well as specific types of project risks, in our comprehensive guides.

What Does a Risk Management Plan Cover?

A risk management plan should cover a number of areas detailing potential project risks and how your team will deal with them. It will include a description of the project, along with how your team will identify and assess risk.

At a minimum, your project risk management plan should include the following details:

  • Project description, including its purpose
  • The team plan for identifying, logging, and assessing potential risks
  • How the team will identify broad categories of risk
  • How the team will evaluate the severity of each potential risk
  • How your team will continue to monitor risks throughout the project
  • How team members will be assigned as owners of various risks
  • Your organization’s tolerance for certain risks, along with criteria for a risk being too large to accept

“A risk management plan defines how the risks for a project will be handled to ensure that the project can be completed within the set timeframe,” says Veniamin Simonov, Director of Product Management at NAKIVO, a backup and ransomware recovery software vendor. “The plan should cover methodology, risk categorization and prioritization, a response plan, staff roles, and responsibility areas and budgets.”

“The risk management plan will address ‘What are we going to do? How are we going to do it? What are the processes we're going to follow?’” says Alan Zucker, Founding Principal of Project Management Essentials. “It may include things such as what are the major categories you're going to use to define your risks. It might also include some guidelines for assessing risks.”

Components in a Project Risk Management Plan 

A project risk management plan will include certain components and describe how your project team will use certain tools to understand and manage potential risks. Some components include a risk register, a risk breakdown structure, and a risk response plan.

Here are components or tools that a project risk management plan often includes or describes:

  • Risk Register: A risk register is the document your project team will use to identify, log, and monitor potential project risks.
  • Risk Breakdown Structure: A risk breakdown structure is a chart that allows your team to identify broad risk categories and specific risks that fit within each category. Your team can decide on the broad categories, depending on your project.
  • Risk Assessment Matrix: A risk assessment matrix is a chart that allows teams to score the severity of potential risks based on both the likelihood of each risk happening and the impact to the project if a risk happens.
  • Risk Response Plan: A risk response plan is a document that details how your team plans to respond to each potential risk to try to either prevent it from happening or lessen the impact if it does happen. You can learn more about project risk mitigation.
  • Roles and Responsibilities: The risk management plan can provide details on the project risk management team, including the lead member for risk management. It also likely details the roles and responsibilities each team member will have in addressing and dealing with specific risks.
  • Risk Reporting Formats: The risk management plan describes how the project team will document and report its work on monitoring and dealing with risks. It describes the risk register format that the team will use. It might also describe how risks will be added to or deleted from the register and how the project team will provide periodic summarized risk reports to top project and organization leaders.
  • Project Funding and Timing: The plan will likely have a section describing the overall funding and timing for the project. That section also likely details funding for all project risk management work.

To determine what you need to include in your risk management plan, see the following requirements based on project size:

Risk Management Plan and Other Components: What’s Required Based on Size of Project

| Component | Short duration; 2-4 members of project team | Duration of several weeks to several months; medium-sized project team | Duration of a year or more; large project team |
| --- | --- | --- | --- |
| Risk management plan | | X | X |
| A basic risk register, to include columns for description of risk, its potential impact and priority, and who is responsible for monitoring | X | | |
| A detailed risk register, to include everything in basic risk register along with details on risk triggers and likely timing of risks, risk mitigation details, and status of mitigation response | | X | X |
| Risk breakdown structure | | | X |
| Risk assessment matrix | X | X | X |
| Risk response plan for priority risks | | X | X |
| Periodic risk management reports to organizational leaders | | | X |

An Organization’s Risk Management Plan Often Doesn’t Change with Projects  

Many risk management experts emphasize that an organization’s project risk management plans might not change much from project to project. That’s because the plan sets out particulars that will be followed for all projects.

“Remember, it's just an approach document that answers the question: How?” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The company or the department as a whole should have a single risk management plan that gets built as you're building your project management methodology. And it’s your Bible. It’s your guidebook. 

“But it isn't going to change across projects,” Reynolds continues. “What changes are the artifacts, including the risk register. But your approach of how you're going to address risk or analyze risk or plan for risk is in the project risk management plan document. As a company or organization, you create that document, and it exists for a year or two years without changing.”

To create a project risk management plan, your team should gather important documents and decide on an approach for assessing and responding to risks. This process involves gathering support documents, listing potential risk management tools, and more. 

Consider some of these basic steps and factors as you begin creating the project risk management plan:

  • Gather Supporting Documents: Gather and read through supporting documents related to the overall project, including the project and project management plan. It’s important for your project risk team to have a full view of project goals and objectives.
  • Frame the Context: Make sure your team understands both the business value of the project and the impact on the organization if the project fails.
  • Decide on Risk Assessment Criteria: Decide how your team will identify and assess important risks. That will require your team to have an understanding of which types of risks your organization can tolerate and which risks could be ruinous to the project.
  • Inventory Possible Risk Management Tools: Make a list of risk management tools and documents that your team might use to help identify and manage project risk.
  • Known Risks: At the start of a project, team members will be able to identify a number of known risks, such as budget issues, shortages of material, and human and other resource constraints, which are measurable and based on specific events.
  • Unknown Risks: At the start of a project, team members will not be able to identify a range of unknown risks that could impact your project. Those risks are not as easily or objectively measurable as known risks and can crop up at any point during a project. A main goal of project risk management is to help your team discover and address unknown risks before they happen.
  • Unknowable Risks: Your team will not be able to anticipate unknowable risks that could affect the project, such as catastrophic weather events, accidents, and major system failures.
  • Understand Human Bias: Studies have shown that people overestimate their ability to predict and influence the future. We often think we have more control than we do. Those biases can affect how we assess and manage risks in a project. We tend to give too much credence to what happened with past processes, fall into agreement with others in our group, and be more optimistic than we should be about how long a project will take or how much it will cost.  It’s important to account for all of those biases as your team identifies and assesses project risk.

Steps in Developing a Project Risk Management Plan

After your project team has gathered documents and done other preparation work, you will want to follow nine basic steps in creating a project risk management plan. Those start with identifying and assessing risks.

Here are details on the nine steps of project risk management to keep in mind while drafting your project risk management plan:

  • Identify Risks: Your team should gather information and request input from team and organization members to determine potential risks to the project. Some specific risks can threaten many projects. Other risks will vary, based on the type of project and the industry. “If you're talking about a software project, you could have risks associated with the technology, resources, and interdependencies with other systems,” says Zucker. “If you have vendors you're working with, there may be risks associated with the vendors. There may be risks that are software- or hardware-specific. If you're working on a construction project, those risks obviously would be very different.” You can learn more about project risk analysis and how to identify potential risks to a project.
  • Assess Potential Impact of Each Risk: After your team identifies potential risks, it can assess the likelihood of each risk, along with the expected impact on the project if the risk happens. Your team can use a risk matrix to identify both the likelihood and impact of each risk. You can learn more about how to create a risk matrix and assess risks.
  • Determine Your Organization's Risk Threshold and Tolerance: Your team will want to understand your organization’s risk threshold, or tolerance for risk. Organization leaders might decide that some risks should be avoided at all costs, while others are acceptable. Take the time to understand those views as you prioritize project risks.
  • Prioritize Risks Based on Impact and Risk Tolerance: Once your team assesses the potential impact of a risk and your organization's tolerance for risks, it will prioritize risks accordingly. “Prioritize risks based on their disruptive potential for an organization,” says Simonov.
  • Create a Risk Response Plan: Your team should then create a response plan for each risk that the team considers a priority. That response plan will include measures that could prevent the risk from happening or lessen the risk’s impact if it does happen.
  • Select Project Risk Management Tools: Your team will need to decide on the best risk management tools to use for your project. That will likely include a risk register and a risk assessment matrix. It might include other tools, such as Monte Carlo simulations. Learn more about various tools and documents to use in risk management.
  • Select an Owner for Each Risk: Each identified risk should have an assigned owner. In some cases, a department might be an owner of a risk, but most often, the team will assign individuals to monitor risks. In some cases, the owner will be responsible for dealing with the risk if it happens. Teams can list the owners of each risk on their project risk register. 
  • Determine Possible Triggers for Each Risk: As your team conducts a closer assessment of all risks, it should identify risk triggers where possible. Triggers are events that can cause a risk to happen. Your team won’t be able to identify triggers for all risks, but it will for some. For example, if you have a plant without sufficient backup power, a trigger could be warnings of a violent storm that could cause a power outage.
  • Determine How Your Team Will Monitor Risks: An important part of your plan includes recording concrete details about how your team will ensure that it can continually monitor risks throughout the life of a project.

Risk Management Plan Examples, Templates, and Components

Examples of project risk management plans can help your team understand what information to include in a plan. The risk management plan can also detail various components that will be part of your team’s risk management.

Project Risk Management Plan Template

Download the Sample Project Risk Management Plan Template for Microsoft Word  

Download this sample project risk management plan, which includes primary components that might be described in a project risk management plan, such as details on risk identification, risk mitigation, and risk tracking and reporting.

Download the Blank Project Risk Management Plan for Microsoft Word

Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation. Customize the template based on your needs.

Project Risk Register Template

Download the Sample Project Risk Register for Excel

This sample project risk register gives your team a better understanding of the information that a risk register should include to help the team understand and deal with risks. This sample includes potential risks that a project manager might track for a construction project.

Download the Blank Project Risk Register Template for Excel  

Use this project risk register template to help your team identify, track, and plan for project risks. The template includes columns for categorizing risks, providing risk descriptions, determining a risk severity score, and more.  

Quantitative Risk Register Template

Download the Sample Quantitative Project Risk Impact Matrix for Excel

This sample quantitative project risk impact matrix template can help your team assess a project risk based on quantitative measures, such as potential monetary cost to the project. The template includes columns where your team can assess and track the probability and potential cost of each project risk. The template calculates a total monetary risk impact based on your estimates of probability and cost.

Risk Breakdown Structure Template

Download the Risk Breakdown Structure Template for Excel

Your team can use this template to create a risk breakdown structure diagram that shows different types of risks that could affect a project. The template helps your team organize risks into broad categories.

Step-By-Step Guide to Creating a Project Risk Management Plan

Below are step-by-step instructions on how to fill out a project risk management plan template. Follow these steps to help you and your team understand the information needed in an effective risk management plan.

This template is based on a project risk management plan template created by Arrowhead Consulting of Tulsa, Oklahoma, and was shared with us by Kris Reynolds.

  • Cover Section: Provide information for the cover section, also known as the summary section. This will include the name of the project, the project overview, the project goals, the expected length of the project, and the project manager.
  • Risk Management Approach: Write a short summary of your organization's overall approach to project risk management for all projects, not only the project at hand. The summary might describe overall goals, along with your organization’s view of the benefits of good project risk management.
  • Plan Purpose: Write a short summary explaining how the plan will help your team perform proper risk management for the project.
  • Risk Identification: Provide details on how your team plans to identify and define risks to the project. Those details should include who is assigned to specific responsibilities for risk identification and tracking, as well as what information and categories will be included in your team’s project risk register.
  • Risk Assessment: Provide details on how your team will assess the probability and potential impact of each risk it has identified. Your team should also include details on any risk matrices it plans to use and how the team will prioritize risks based on those matrices.
  • Risk Response: Provide details on the ways your team can choose to respond to various risks. In the case of high-priority risks, that will include prevention or mitigation plans for each risk. In the case of low-priority risks, or risks that might be prohibitively expensive to mitigate, it might include accepting the risk with limited mitigation measures.
  • Risk Mitigation: Provide more details on how your team plans to lessen the likelihood or impact of each risk. Your team should also provide details on how it will monitor the effectiveness of prevention and mitigation strategies, and change them if needed.
  • Risk Tracking and Reporting: Provide details on how your team plans to track and report on risks and risk mitigation activities. These details will likely include information on the project risk register your team plans to use and information on how your team plans to periodically report risk and risk responses to organizational leadership.

Do Complex Projects Require More Complex Project Risk Management Plans? 

Experts say that complex projects shouldn’t require more complex project risk management plans. A project might have more complex tools, such as a more detailed risk register, but the risk management plan should cover the same basics for all projects.

“The problem is, most people get these management plans confused. They then start lumping in the artifacts [such as risk registers] — which can be more complex and have more detail — to the risk management plan itself,” says Reynolds. “You want it to be easily understood and easily followed.

“I don't think the complexity of the project changes the risk management plan,” Reynolds says. “You may have to circulate the plan to more people. You may have to meet more frequently. You may have to use quantitative risk analysis. That would be more complex with more complex projects. But the management plan itself —  no.”

16. Risk Management Planning

Adrienne Watt; David Wiley, et al.; Project Management Open Resources; and TAP-a-PM

Even the most carefully planned project can run into trouble. No matter how well you plan, your project can always encounter unexpected problems. Team members get sick or quit, resources that you were depending on turn out to be unavailable, even the weather can throw you for a loop (e.g., a snowstorm). So does that mean that you’re helpless against unknown problems? No! You can use risk planning to identify potential problems that could cause trouble for your project, analyze how likely they are to occur, take action to prevent the risks you can avoid, and minimize the ones that you can’t.

A risk is any uncertain event or condition that might affect your project. Not all risks are negative. Some events (like finding an easier way to do an activity) or conditions (like lower prices for certain materials) can help your project. When this happens, we call it an opportunity; but it’s still handled just like a risk.

There are no guarantees on any project. Even the simplest activity can run into unexpected problems. We call anything that might occur to change the outcome of a project activity a risk. A risk can be an event (like a snowstorm) or it can be a condition (like an important part being unavailable). Either way, it’s something that may or may not happen… but if it does, then it will force you to change the way you and your team work on the project.

If your project requires that you stand on the edge of a cliff, then there’s a risk that you could fall. If it’s very windy out or if the ground is slippery and uneven, then falling is more likely (Figure 16.1).

[Figure 16.1: A stick man stuck on a cliff. He can avoid the ledge, mitigate the risk, transfer the risk, or accept it.]

When you’re planning your project, risks are still uncertain: they haven’t happened yet. But eventually, some of the risks that you plan for do happen, and that’s when you have to deal with them. There are four basic ways to handle a risk.

  • Avoid: The best thing you can do with a risk is avoid it. If you can prevent it from happening, it definitely won’t hurt your project. The easiest way to avoid this risk is to walk away from the cliff, but that may not be an option on this project.
  • Mitigate: If you can’t avoid the risk, you can mitigate it. This means taking some sort of action that will cause it to do as little damage to your project as possible.
  • Transfer: One effective way to deal with a risk is to pay someone else to accept it for you. The most common way to do this is to buy insurance.
  • Accept: When you can’t avoid, mitigate, or transfer a risk, then you have to accept it. But even when you accept a risk, at least you’ve looked at the alternatives and you know what will happen if it occurs. If you can’t avoid the risk, and there’s nothing you can do to reduce its impact, then accepting it is your only choice.

By the time a risk actually occurs on your project, it’s too late to do anything about it. That’s why you need to plan for risks from the beginning and keep coming back to do more planning throughout the project.

The risk management plan tells you how you’re going to handle risk in your project. It documents how you’ll assess risk, who is responsible for doing it, and how often you’ll do risk planning (since you’ll have to meet about risk planning with your team throughout the project).

Some risks are technical, like a component that might turn out to be difficult to use. Others are external, like changes in the market or even problems with the weather.

It’s important to come up with guidelines to help you figure out how big a risk’s potential impact could be. The impact tells you how much damage the risk would cause to your project. Many projects classify impact on a scale from minimal to severe, or from very low to very high. Your risk management plan should give you a scale to help figure out the probability of the risk. Some risks are very likely; others aren’t.

Risk Management Process

Managing risks on projects is a process that includes risk assessment and a mitigation strategy for those risks. Risk assessment includes both the identification of potential risk and the evaluation of the potential impact of the risk. A risk mitigation plan is designed to eliminate or minimize the impact of the risk events, which are occurrences that have a negative impact on the project. Identifying risk is both a creative and a disciplined process. The creative process includes brainstorming sessions where the team is asked to create a list of everything that could go wrong. All ideas are welcome at this stage, with the evaluation of the ideas coming later.

Risk Identification

A more disciplined process involves using checklists of potential risks and evaluating the likelihood that those events might happen on the project. Some companies and industries develop risk checklists based on experience from past projects. These checklists can be helpful to the project manager and project team in identifying both specific risks on the checklist and expanding the thinking of the team. The past experience of the project team, project experience within the company, and experts in the industry can be valuable resources for identifying potential risk on a project.

Identifying the sources of risk by category is another method for exploring potential risk on a project. Some examples of categories for potential risks include the following:

  • Contractual
  • Environmental

You can use the same framework as the work breakdown structure (WBS) for developing a risk breakdown structure (RBS). A risk breakdown structure organizes the risks that have been identified into categories using a table with increasing levels of detail to the right. The people category can be subdivided into different types of risks associated with the people. Examples of people risks include the risk of not finding people with the skills needed to execute the project or the sudden unavailability of key people on the project.

Example: Risks in John’s Move

In John’s move, John makes a list of things that might go wrong with his project and uses his work breakdown structure as a guide. A partial list for the planning portion of the RBS is shown in Table 16.1.

Table 16.1 Risk Breakdown Structure (RBS)
Task Risk
Contact Dion and Carlita
Host planning lunch
Develop and distribute schedule

The result is a clearer understanding of where risks are most concentrated. This approach helps the project team identify known risks, but can be restrictive and less creative in identifying unknown risks and risks not easily found inside the WBS.

Risk Evaluation

After the potential risks have been identified, the project team then evaluates each risk based on the probability that a risk event will occur and the potential loss associated with it. Not all risks are equal. Some risk events are more likely to happen than others, and the cost of a risk can vary greatly. Evaluating the risk for probability of occurrence and the severity or the potential loss to the project is the next step in the risk management process.

Having criteria to determine high-impact risks can help narrow the focus on a few critical risks that require mitigation. For example, suppose high-impact risks are those that could increase the project costs by 5% of the conceptual budget or 2% of the detailed budget. Only a few potential risk events meet these criteria. These are the critical few potential risk events that the project management team should focus on when developing a project risk mitigation or management plan. Risk evaluation is about developing an understanding of which potential risks have the greatest possibility of occurring and can have the greatest negative impact on the project (Figure 16.2). These become the critical few.

[Figure 16.2: A risk might be low impact and unlikely, low impact and likely, high impact but unlikely, or high impact and likely.]

There is a positive correlation—both increase or decrease together—between project risk and project complexity. A project with new and emerging technology will have a high-complexity rating and a correspondingly high risk. The project management team will assign the appropriate resources to the technology managers to ensure the accomplishment of project goals. The more complex the technology, the more resources the technology manager typically needs to meet project goals, and each of those resources could face unexpected problems.

Risk evaluation often occurs in a workshop setting. Building on the identification of the risks, each risk event is analyzed to determine the likelihood of occurrence and the potential cost if it did occur. The likelihood and impact are both rated as high, medium, or low. A risk mitigation plan addresses the items that have high ratings on both factors—likelihood and impact.

Example: Risk Analysis of Equipment Delivery

A project team analyzed the risk of some important equipment not arriving at the project on time. The team identified three pieces of equipment that were critical to the project and would significantly increase costs if they were late in arriving. One of the vendors, who was selected to deliver an important piece of equipment, had a history of being late on other projects. The vendor was good and often took on more work than it could deliver on time. This risk event (the identified equipment arriving late) was rated as high likelihood with a high impact. The other two pieces of equipment were potentially a high impact on the project but with a low probability of occurring.

Not all project managers conduct a formal risk assessment on a project. One reason, as found by David Parker and Alison Mobey in their phenomenological study of project managers, was a low understanding of the tools and benefits of a structured analysis of project risks (2004). The lack of formal risk management tools was also seen as a barrier to implementing a risk management program. Additionally, the project manager’s personality and management style play into risk preparation levels. Some project managers are more proactive and  develop elaborate risk management programs for their projects. Other managers are reactive and are more confident in their ability to handle unexpected events when they occur. Yet others are risk averse, and prefer to be optimistic and not consider risks or avoid taking risks whenever possible.

On projects with a low-complexity profile, the project manager may informally track items that may be considered risk items. On more complex projects, the project management team may develop a list of items perceived to be higher risk and track them during project reviews. On projects of even greater complexity, the process for evaluating risk is more formal with a risk assessment meeting or series of meetings during the life of the project to assess risks at different phases of the project. On highly complex projects, an outside expert may be included in the risk assessment process, and the risk assessment plan may take a more prominent place in the project implementation plan.

On complex projects, statistical models are sometimes used to evaluate risk because there are too many different possible combinations of risks to calculate them one at a time. One example of the statistical model used on projects is the Monte Carlo simulation, which simulates a possible range of outcomes by trying many different combinations of risks based on their likelihood. The output from a Monte Carlo simulation provides the project team with the probability of an event occurring within a range and for combinations of events. For example, the typical output from a Monte Carlo simulation may indicate a 10% chance that one of the three important pieces of equipment will be late and that the weather will also be unusually bad after the equipment arrives.
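As an added illustration (not part of the original chapter), the sketch below runs a Monte Carlo simulation over the equipment-delivery example: it estimates the chance that at least one of the three pieces of equipment is late and the weather is also unusually bad, and it reports cost percentiles of the kind used to size a contingency budget. The probabilities, the cost ranges, and the assumption that the events are independent are all constructed for the example.

```python
"""Monte Carlo estimate of combined project risk (added illustration).

All probabilities and cost ranges are constructed sample values, not
figures from the chapter. Events are assumed to be independent.
"""
import random
from typing import NamedTuple


class RiskEvent(NamedTuple):
    name: str
    probability: float   # chance the event occurs during the project
    cost_low: float      # best-case cost if it occurs
    cost_likely: float   # most likely cost if it occurs
    cost_high: float     # worst-case cost if it occurs


# Constructed register: one vendor with a history of late delivery (high
# likelihood), two low-likelihood deliveries, and a weather risk.
RISKS = (
    RiskEvent("equipment_a_late", 0.50, 20_000, 40_000, 80_000),
    RiskEvent("equipment_b_late", 0.10, 10_000, 20_000, 50_000),
    RiskEvent("equipment_c_late", 0.10, 10_000, 20_000, 50_000),
    RiskEvent("bad_weather", 0.20, 5_000, 10_000, 30_000),
)


def simulate(risks, trials=100_000, seed=2004):
    """Return one (occurred_event_names, total_cost) pair per trial."""
    rng = random.Random(seed)  # fixed seed so a review can reproduce the run
    results = []
    for _ in range(trials):
        # Each risk fires independently with its own likelihood.
        occurred = frozenset(
            r.name for r in risks if rng.random() < r.probability
        )
        # Cost of each event that fired: triangular(low, high, mode).
        cost = sum(
            rng.triangular(r.cost_low, r.cost_high, r.cost_likely)
            for r in risks
            if r.name in occurred
        )
        results.append((occurred, cost))
    return results


def probability(results, predicate):
    """Fraction of trials in which predicate(occurred_events) is true."""
    return sum(1 for occurred, _ in results if predicate(occurred)) / len(results)


def cost_percentile(results, q):
    """Cost not exceeded in a fraction q of the trials (0 <= q <= 1)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be between 0 and 1")
    costs = sorted(cost for _, cost in results)
    return costs[min(len(costs) - 1, int(q * len(costs)))]


def late_equipment_and_bad_weather(occurred):
    """The combination from the text: any late delivery plus bad weather."""
    any_late = any(name.endswith("_late") for name in occurred)
    return any_late and "bad_weather" in occurred


if __name__ == "__main__":
    runs = simulate(RISKS)
    joint = probability(runs, late_equipment_and_bad_weather)
    print(f"P(late equipment and bad weather): {joint:.1%}")
    for q in (0.50, 0.80, 0.95):
        print(f"P{int(q * 100)} cost of risk events: {cost_percentile(runs, q):,.0f}")
```

Because the events are independent here, the joint probability can be checked by hand: (1 − 0.5 × 0.9 × 0.9) × 0.2 = 0.119, so the simulated estimate should land close to 12%. The percentiles cannot be derived as easily, which is where the simulation earns its keep.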

Risk Mitigation

After the risk has been identified and evaluated, the project team develops a risk mitigation plan, which is a plan to reduce the impact of an unexpected event. The project team mitigates risks in various ways:

  • Risk avoidance
  • Risk sharing
  • Risk reduction
  • Risk transfer

Each of these mitigation techniques can be an effective tool in reducing individual risks and the risk profile of the project. The risk mitigation plan captures the risk mitigation approach for each identified risk event and the actions the project management team will take to reduce or eliminate the risk.

Risk avoidance usually involves developing an alternative strategy that has a higher probability of success but usually at a higher cost associated with accomplishing a project task. A common risk avoidance technique is to use proven and existing technologies rather than adopt new techniques, even though the new techniques may show promise of better performance or lower costs. A project team may choose a vendor with a proven track record over a new vendor that is providing significant price incentives to avoid the risk of working with a new vendor. The project team that requires drug testing for team members is practising risk avoidance by avoiding damage done by someone under the influence of drugs.

Risk sharing involves partnering with others to share responsibility for the risky activities. Many organizations that work on international projects will reduce political, legal, labour, and other risk types associated with international projects by developing a joint venture with a company located in that country. Partnering with another company to share the risk associated with a portion of the project is advantageous when the other company has expertise and experience the project team does not have. If a risk event does occur, then the partnering company absorbs some or all of the negative impact of the event. The company will also derive some of the profit or benefit gained by a successful project.

Risk reduction is an investment of funds to reduce the risk on a project. On international projects, companies will often purchase the guarantee of a currency rate to reduce the risk associated with fluctuations in the currency exchange rate. A project manager may hire an expert to review the technical plans or the cost estimate on a project to increase the confidence in that plan and reduce the project risk. Assigning highly skilled project personnel to manage the high-risk activities is another risk-reduction method. Experts managing a high-risk activity can often predict problems and find solutions that prevent the activities from having a negative impact on the project. Some companies reduce risk by forbidding key executives or technology experts to ride on the same airplane.

Risk transfer is a risk reduction method that shifts the risk from the project to another party. The purchase of insurance on certain items is a risk-transfer method. The risk is transferred from the project to the insurance company. A construction project in the Caribbean may purchase hurricane insurance that would cover the cost of a hurricane damaging the construction site. The purchase of insurance is usually in areas outside the control of the project team. Weather, political unrest, and labour strikes are examples of events that can significantly impact the project and that are outside the control of the project team.

Contingency Plan

The project risk plan balances the investment of the mitigation against the benefit for the project. The project team often develops an alternative method for accomplishing a project goal when a risk event has been identified that may frustrate the accomplishment of that goal. These plans are called contingency plans. The risk of a truck drivers’ strike may be mitigated with a contingency plan that uses a train to transport the needed equipment for the project. If a critical piece of equipment is late, the impact on the schedule can be mitigated by making changes to the schedule to accommodate a late equipment delivery.

Contingency funds are funds set aside by the project team to address unforeseen events that cause the project costs to increase. Projects with a high-risk profile will typically have a large contingency budget. Although the amount of contingency allocated in the project budget is a function of the risks identified in the risk analysis process, contingency is typically managed as one line item in the project budget.

Some project managers allocate the contingency budget to the items in the budget that have high risk rather than developing one line item in the budget for contingencies. This approach allows the project team to track the use of contingency against the risk plan. This approach also allocates the responsibility to manage the risk budget to the managers responsible for those line items. The availability of contingency funds in the line item budget may also increase the use of contingency funds to solve problems rather than finding alternative, less costly solutions. Most project managers, especially on more complex projects, manage contingency funds at the project level, with approval of the project manager required before contingency funds can be used.

Project Risk by Phases

Project risk is dealt with in different ways depending on the phase of the project.

Risk is associated with things that are unknown. More things are unknown at the beginning of a project, but risk must be considered in the initiation phase and weighed against the potential benefit of the project’s success in order to decide if the project should be chosen.

Example: Risks by Phase in John’s Move

In the initiation phase of his move, John considers the risk of events that could affect the whole project. Let’s assume that John’s move is not just about changing jobs, but also a change of cities. This would certainly incur more risks for the project. He identifies the following risks during the initiation phase that might have a high impact and rates the likelihood of their happening from low to high.

  • His new employer might change his mind and take back the job offer after he’s given notice at his old job: Low.
  • The current tenants of his apartment might not move out in time for him to move in by the first day of work at the new job: Medium.
  • The movers might lose his furniture: Low.
  • The movers might be more than a week late delivering his furniture: Medium.
  • He might get in an accident driving from Chicago to Atlanta and miss starting his job: Low.

John considers how to mitigate each of the risks.

  • During his job hunt, John had more than one offer, and he is confident that he could get another job, but he might lose deposit money on the apartment and the mover. He would also lose wages during the time it took to find the other job. To mitigate the risk of his new employer changing his mind, John makes sure that he keeps his relationships with his alternate employers cordial and writes to each of them thanking them for their consideration in his recent interviews.
  • John checks the market in Atlanta to determine the weekly cost and availability of extended-stay motels.
  • John checks the mover’s contract to confirm that they carry insurance against lost items, but they require the owner to provide a detailed list with value estimates and they limit the maximum total value. John decides to go through his apartment with his digital camera and take pictures of all of his possessions that will be shipped by truck and to keep the camera with him during the move so he has a visual record and won’t have to rely on his memory to make a list. He seals and numbers the boxes so he can tell if a box is missing.
  • If the movers are late, John can use his research on extended-stay motels to calculate how much it would cost. He checks the moving company’s contract to see if they compensate the owner for late delivery, and he finds that they do not.
  • John checks the estimated driving time from Chicago to Atlanta using an Internet mapping service and gets an estimate of 11 hours of driving time. He decides that it would be too risky to attempt to make the drive by himself in one day, especially if he didn’t leave until after the truck was packed. John plans to spend one night on the road in a motel to reduce the risk of an accident caused by driving while too tired.

John concludes that the medium risks can be mitigated and the costs from the mitigation would be acceptable in order to get a new job.

Planning Phase

Once the project is approved and it moves into the planning stage, risks are identified with each major group of activities. A risk breakdown structure (RBS) can be used to identify increasing levels of detailed risk analysis.

Example: Risk Breakdown Structure for John’s Move

John decides to ask Dion and Carlita for their help during their first planning meeting to identify risks, rate their impact and likelihood, and suggest mitigation plans. They concentrate on the packing phase of the move. They fill out a table of risks, as shown in Table 16.2.

  • RA: Risk avoidance
  • RS: Risk sharing
  • RR: Risk reduction
  • RT: Risk transfer

Table 16.2: Risk Breakdown Structure (RBS) for Packing John’s Apartment

| Task | Risks | Mitigation |
|---|---|---|
| Pack kitchen | Cuts from handling sharp knives | Buy small boxes for packing knives (RR) |
| | Cuts from cracked glasses that break while being packed | Discard cracked glasses (RA) |
| | Transporting alcoholic beverages | Give opened bottles to Dion or Carlita (RA) |
| Packing living room | Damage to antique furniture | Supervise wrapping and loading personally (RR) and require movers to insure against damage (RT) |
| | Lose parts while taking apart the entertainment centre | Buy box of large freezer bags with a marker to bag and label parts (RR) |
| | Break most valuable electronics—TV, DVD, Tuner, Speakers | Buy boxes of the right size with sufficient bubble wrap (RR) |
| Pack bedroom | Break large mirror | Buy or rent a mirror-box with Styrofoam blocks at each corner (RR) |
| | Lose prescription drugs or pack them where they cannot be found quickly | Separate prescription drugs for transportation in the car (RA) |
| Pack remaining items | Damage to house plants | Ask Carlita to care for them and bring them with her in her van when she visits in exchange for half of them (RS) |
| | Transportation of flammable liquids from charcoal grill | Give to Dion or Carlita (RA) |

Implementation Phase

As the project progresses and more information becomes available to the project team, the total risk on the project typically reduces, as activities are performed without loss. The risk plan needs to be updated with new information and risks checked off that are related to activities that have been performed.

Understanding where the risks occur on the project is important information for managing the contingency budget and managing cash reserves. Most organizations develop a plan for financing the project from existing organizational resources, including financing the project through a variety of financial instruments. In most cases, there is a cost to the organization to keep these funds available to the project, including the contingency budget. As the risks decrease over the length of the project, if the contingency is not used, then the funds set aside by the organization can be used for other purposes.

To determine the amount of contingency that can be released, the project team will conduct another risk evaluation and determine the amount of risk remaining on the project. If the risk profile is lower, the project team may release contingency funds back to the parent organization. If additional risks are uncovered, a new mitigation plan is developed including the possible addition of contingency funds.

Closeout Phase

During the closeout phase, agreements for risk sharing and risk transfer need to be concluded and the risk breakdown structure examined to be sure all the risk events have been avoided or mitigated. The final estimate of loss due to risk can be made and recorded as part of the project documentation. If a Monte Carlo simulation was done, the result can be compared to the predicted result.

Example: Risk Closeout on John’s Move

To close out the risk mitigation plan for his move, John examines the risk breakdown structure and risk mitigation plan for items that need to be finalized. He makes a checklist to be sure all the risk mitigation plans are completed, as shown in Table 16.3. Risk is not allocated evenly over the life of the project. On projects with a high degree of new technology, the majority of the risks may be in the early phases of the project. On projects with a large equipment budget, the largest amount of risk may be during the procurement of the equipment. On global projects with a large amount of political risk, the highest portion of risk may be toward the end of the project.

Table 16.3: Closeout of Risk Mitigation Plan for John’s Move

| Risk | Mitigation | Closeout |
|---|---|---|
| Items lost by movers | Mover’s insurance plus digital image inventory | Confirm all of the numbered boxes are present and still sealed. |
| Antique furniture damaged | Mover’s insurance plus personal supervision of wrapping and loading | Supervise unloading and unwrapping; visually inspect each piece. |
| House plants | Ask Carlita to bring half of them in her van when she visits. | Confirm that the plants are healthy and that Carlita brought about half of them. |

Parker, D., & Mobey, A. (2004). Action Research to Explore Perceptions of Risk in Project Management. International Journal of Productivity and Performance Management, 53(1), 18–32.

Text Attributions

This chapter was adapted and remixed by Adrienne Watt from the following sources:

  • Text under “Risk Management Planning” was adapted from “Risk Management Planning” in Project Management for Skills for All Careers by Project Management Open Resources and TAP-a-PM. Licensed under a CC BY 3.0 licence.
  • Text under “Risk Management Process” and “Project Risk by Phases” adapted from Project Management for Instructional Designers by Amado, M., Ashton, K., Ashton, S., Bostwick, J., Clements, G., Drysdale, J., Francis, J., Harrison, B., Nan, V., Nisse, A., Randall, D., Rino, J., Robinson, J., Snyder, A., Wiley, D., & Anonymous. Licensed under a CC BY-NC-SA (Attribution-NonCommercial-ShareAlike) licence.

Media Attributions

  • Risk Management Options © Barron & Barron Project Management for Scientists and Engineers is licensed under a CC BY (Attribution) license
  • Risk and Impact © Wiley, et al. is licensed under a CC BY-NC-SA (Attribution NonCommercial ShareAlike) license

16. Risk Management Planning Copyright © 2014 by Adrienne Watt; David Wiley, et al.; Project Management Open Resources; and TAP-a-PM is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.

How to Make a Risk Management Plan (Template Included)

ProjectManager

You identify them, record them, monitor them and plan for them: risks are an inherent part of every project. Some project risks are bound to become problem areas—like executing a project over the holidays and having to plan the project timeline around them. But there are many risks within any given project that, without risk assessment and risk mitigation strategies, can come as unwelcome surprises to you and your project management team.

That’s where a risk management plan comes in—to help mitigate risks before they become problems. But first, what is project risk management?

What Is Risk Management?

Risk management is an arm of project management that deals with managing potential project risks. Managing your risks is arguably one of the most important aspects of project management.

The risk management process has these main steps:

  • Risk Identification: The first step to manage project risks is to identify them. You’ll need to use data sources such as information from past projects or subject matter experts’ opinions to estimate all the potential risks that can impact your project.
  • Risk Assessment: Once you have identified your project risks, you’ll need to prioritize them by looking at their likelihood and level of impact.
  • Risk Mitigation: Now it’s time to create a contingency plan with risk mitigation actions to manage your project risks. You also need to define which team members will be risk owners, responsible for monitoring and controlling risks.
  • Risk Monitoring: Risks must be monitored throughout the project life cycle so that they can be controlled.

If one risk that’s passed your threshold has its conditions met, it can put your entire project plan in jeopardy. There isn’t usually just one risk per project, either; there are many risk categories that require assessment and discussion with your stakeholders.

That’s why risk management needs to be both a proactive and reactive process that is constant throughout the project life cycle. Now let’s define what a risk management plan is.

What Is a Risk Management Plan?

A risk management plan defines how your project’s risk management process will be executed. That includes the budget, tools and approaches that will be used to perform risk identification, assessment, mitigation and monitoring activities.

A risk management plan usually includes:

  • Methodology: Define the tools and approaches that will be used to perform risk management activities such as risk assessment, risk analysis and risk mitigation strategies.
  • Risk Register: A risk register is a chart where you can document all the risk identification information of your project.
  • Risk Breakdown Structure: It’s a chart that allows you to identify risk categories and the hierarchical structure of project risks.
  • Risk Assessment Matrix: A risk assessment matrix allows you to analyze the likelihood and the impact of project risks so you can prioritize them.
  • Risk Response Plan: A risk response plan is a project management document that explains the risk mitigation strategies that will be employed to manage your project risks.
  • Roles and responsibilities: The risk management team members have responsibilities as risk owners. They need to monitor project risks and supervise their risk response actions.
  • Budget: Have a section where you identify the funds required to perform your risk management activities.
  • Timing: Include a section to define the schedule for the risk management activities.

How to Make a Risk Management Plan

For every web design and development project, construction project or product design, there will be risks. That’s truly just the nature of project management. But that’s also why it’s always best to get ahead of them as much as possible by developing a risk management plan. The steps to make a risk management plan are outlined below.

1. Risk Identification

Risk identification occurs at the beginning of the project planning phase, as well as throughout the project life cycle. While many risks are considered “known risks,” others might require additional research to discover.

You can create a risk breakdown structure to identify all your project risks and classify them into risk categories. You can do this by interviewing all project stakeholders and industry experts. Many project risks can be divided up into risk categories, like technical or organizational, and listed out by specific sub-categories like technology, interfaces, performance, logistics, budget, etc. Additionally, create a risk register that you can share with everyone you interviewed for a centralized location of all known risks revealed during the identification phase.

You can conveniently create a risk register for your project using online project management software. For example, use the list view on ProjectManager to capture all project risks, add what level of priority they are and assign a team member to own, identify and resolve them. Better than to-do list apps, you can attach files and tags and monitor progress. Track the percentage complete and even view your risks from the project menu. Keep risks from derailing your project by signing up for a free trial of ProjectManager.

2. Risk Assessment

In this next phase, you’ll review the qualitative and quantitative impact of the risk—like the likelihood of the risk occurring versus the impact it would have on your project—and map that out into a risk assessment matrix.

First, you’ll do this by assigning the risk likelihood a score from low probability to high probability. Then, you’ll map out your risk impact from low to medium to high and assign each a score. This will give you an idea of how likely the risk is to impact the success of the project, as well as how urgent the response will need to be.

To make it efficient for all risk management team members and project stakeholders to understand the risk assessment matrix, assign an overall risk score by multiplying your impact level score with your risk probability score.

3. Create a Risk Response Plan

A risk response is the action plan that is taken to mitigate project risks when they occur. The risk response plan includes the risk mitigation strategies that you’ll execute to mitigate the impact of risks in your project. Doing this usually comes with a price—at the expense of your time, or your budget. So you’ll want to allocate resources, time and money for your risk management needs prior to creating your risk management plan.

4. Assign Risk Owners

Additionally, you’ll also want to assign a risk owner to each project risk. Those risk owners become accountable for monitoring the risks that are assigned to them and supervising the execution of the risk response if needed.

Related: Risk Tracking Template

When you create your risk register and risk assessment matrix, list out the risk owners, that way no one is confused as to who will need to implement the risk response strategies once the project risks occur, and each risk owner can take immediate action.

Be sure to record what the exact risk response is for each project risk with a risk register and have your risk response plan approved by all stakeholders before implementation. That way you can have a record of the issue and the resolution to review once the entire project is finalized.

5. Understand Your Triggers

This can happen with or without a risk already having impacted your project—especially during project milestones as a means of reviewing project progress. If they have, consider reclassifying those existing risks.

Even if those triggers haven’t been met, it’s best to come up with a backup plan as the project progresses—maybe the conditions for a certain risk won’t exist after a certain point has been reached in the project.

6. Make a Backup Plan

Consider your risk register and risk assessment matrix a living document. Your project risks can change in classification at any point during your project, and because of that, it’s important you come up with a contingency plan as part of your process.

Contingency planning includes discovering new risks during project milestones and reevaluating existing risks to see if any conditions for those risks have been met. Any reclassification of a risk means adjusting your contingency plan just a little bit.

7. Measure Your Risk Threshold

Measuring your risk threshold is all about discovering which risk is too high and consulting with your project stakeholders to consider whether or not it’s worth it to continue the project—worth it whether in time, money or scope.

Here’s how the risk threshold is typically determined: consider your risks that have a score of “very high”, or more than a few “high” scores, and consult with your leadership team and project stakeholders to determine if the project itself may be at risk of failure. Project risks that require additional consultation are risks that have passed the risk threshold.

To keep a close eye on risks as they raise issues in your project, use project management software. ProjectManager has real-time dashboards that are embedded in our tool, unlike other software where you have to build them yourself. We automatically calculate the health of your project, checking if you’re on time or running behind. Get a high-level view of how much you’re spending, progress and more. The quicker you identify risk, the faster you can resolve it.

Free Risk Management Plan Template

This free risk management plan template will help you prepare your team for any risks inherent in your project. This Word document includes sections for your risk management methodology, risk register, risk breakdown structure and more. It’s so thorough, you’re sure to be ready for whatever comes your way. Download your template today.

Best Practices for Maintaining Your Risk Management Plan

Risk management plans only fail in a few ways: incrementally because of insufficient budget, via modeling errors or by ignoring your risks outright.

Your risk management plan is one that is constantly evolving throughout the course of the project life cycle, from beginning to end. So the best practices are to focus on the monitoring phase of the risk management plan. Continue to evaluate and reevaluate your risks and their scores, and address risks at every project milestone.

Project dashboards and other risk tracking features can be a lifesaver when it comes to maintaining your risk management plan.

In addition to your routine risk monitoring, at each milestone, conduct another round of interviews with the same checklist you used at the beginning of the project, and re-interview project stakeholders, risk management team members, customers (if applicable) and industry experts.

Record their answers, adjust your risk register and risk assessment matrix if necessary, and report all relevant updates of your risk management plan to key project stakeholders. This process and level of transparency will help you to identify any new risks to be assessed and will let you know if any previous risks have expired.

How ProjectManager Can Help With Your Risk Management Plan

A risk management plan is only as good as the risk management features you have to implement and track them. ProjectManager is online project management software that lets you view risks directly in the project menu. You can tag risks as open or closed and even make a risk matrix directly in the software. You get visibility into risks and can track them in real time, sharing and viewing the risk history.

Track & Monitor Risks in Real Time

Managing risk is only the start. You must also monitor risk and track it from the point that you first identified it. Real-time dashboards give you a high-level view of slippage, workload, cost and more. Customizable reports can be shared with stakeholders and filtered to show only what they need to see. Risk tracking has never been easier.

Risks are bound to happen no matter the project. But if you have the right tools to better navigate the risk management planning process, you can better mitigate errors. ProjectManager is online project management software that updates in real time, giving you all the latest information on your risks, issues and changes. Start a free 30-day trial and start managing your risks better.

A complete guide to the risk assessment process

Lucid Content

Mark Zuckerberg, the founder of Facebook, once said, “The biggest risk is not taking any risk. In a world that's changing really quickly, the only strategy that is guaranteed to fail is not taking risks.”

While this advice isn't new, we think you’ll agree that there are some risks your company doesn’t want to take: Risks that put the health and well-being of your employees in danger.

These are risks that aren’t worth taking. But it’s not always clear what actions, policies, or procedures are high-risk. 

That’s where a risk assessment comes in.

With a risk assessment, companies can identify and prepare for potential risks in order to avoid catastrophic consequences down the road and keep their personnel safe.

What is risk assessment?

During the risk assessment process, employers review and evaluate their organizations to:

  • Identify processes and situations that may cause harm, particularly to people (hazard identification).
  • Determine how likely it is that each hazard will occur and how severe the consequences would be (risk analysis and evaluation).
  • Decide what steps the organization can take to stop these hazards from occurring or to control the risk when the hazard can't be eliminated (risk control).

It’s important to note the difference between hazards and risks. A hazard is anything that can cause harm, including work accidents, emergency situations, toxic chemicals, employee conflicts, stress, and more. A risk, on the other hand, is the chance that a hazard will cause harm. As part of your risk assessment plan, you will first identify potential hazards and then calculate the risk or likelihood of those hazards occurring.

The goal of a risk assessment will vary across industries, but overall, the goal is to help organizations prepare for and combat risk. Other goals include:

  • Providing an analysis of possible threats
  • Preventing injuries or illnesses
  • Meeting legal requirements
  • Creating awareness about hazards and risk
  • Creating an accurate inventory of available assets
  • Justifying the costs of managing risks
  • Determining the budget to remediate risks
  • Understanding the return on investment

Businesses should perform a risk assessment before introducing new processes or activities, before introducing changes to existing processes or activities (such as changing machinery), or when the company identifies a new hazard.

The steps used in risk assessment form an integral part of your organization’s health and safety management plan and ensure that your organization is prepared to handle any risk.  

Preparing for your risk assessment 

Before you start the risk management process, you should determine the scope of the assessment, necessary resources, stakeholders involved, and laws and regulations that you’ll need to follow. 

Scope: Define the processes, activities, functions, and physical locations included within your risk assessment. The scope of your assessment impacts the time and resources you will need to complete it, so it’s important to clearly outline what is included (and what isn’t) to accurately plan and budget. 

Resources: What resources will you need to conduct the risk assessment? This includes the time, personnel, and financial resources required to develop, implement, and manage the risk assessment. 

Stakeholders: Who is involved in the risk assessment? In addition to senior leaders that need to be kept in the loop, you’ll also need to organize an assessment team. Designate who will fill key roles such as risk manager, assessment team leader, risk assessors, and any subject matter experts. 

Laws and regulations: Different industries will have specific regulations and legal requirements governing risk and work hazards. For instance, the Occupational Safety and Health Administration (OSHA) sets and enforces working condition standards for most private and public sectors. Plan your assessment with these regulations in mind so you can ensure your organization is compliant. 

5 steps in the risk assessment process

Once you've planned and allocated the necessary resources, you can begin the risk assessment process.

Proceed with these five steps.

1. Identify the hazards

The first step to creating your risk assessment is determining what hazards your employees and your business face, including:

  • Natural disasters (flooding, tornadoes, hurricanes, earthquakes, fire, etc.)
  • Biological hazards (pandemic diseases, foodborne illnesses, etc.)
  • Workplace accidents (slips and trips, transportation accidents, structural failure, mechanical breakdowns, etc.)
  • Intentional acts (labor strikes, demonstrations, bomb threats, robbery, arson, etc.)
  • Technological hazards (lost Internet connection, power outage, etc.)
  • Chemical hazards (asbestos, cleaning fluids, etc.)
  • Mental hazards (excess workload, bullying, etc.)
  • Interruptions in the supply chain

Take a look around your workplace and see what processes or activities could potentially harm your organization. Include all aspects of work, including remote workers and non-routine activities such as repair and maintenance. You should also look at accident/incident reports to determine what hazards have impacted your company in the past.


2. Determine who might be harmed and how

As you look around your organization, think about how your employees could be harmed by business activities or external factors. For every hazard that you identify in step one, think about who will be harmed should the hazard take place.

3. Evaluate the risks and take precautions

Now that you have gathered a list of potential hazards, you need to consider how likely it is that the hazard will occur and how severe the consequences will be if that hazard occurs. This evaluation will help you determine where you should reduce the level of risk and which hazards you should prioritize first.

Later in this article, you'll learn how you can create a risk assessment chart to help you through this process.

4. Record your findings

If you have more than five employees in your office, you are required by law to write down your risk assessment process. Your plan should include the hazards you’ve found, the people they affect, and how you plan to mitigate them. The record—or the risk assessment plan—should show that you:

  • Conducted a proper check of your workspace
  • Determined who would be affected
  • Controlled and dealt with obvious hazards
  • Initiated precautions to keep risks low
  • Kept your staff involved in the process

5. Review your assessment and update if necessary

Your workplace is always changing, so the risks to your organization change as well. As new equipment, processes, and people are introduced, each brings the risk of a new hazard. Continually review and update your risk assessment process to stay on top of these new hazards.

How to create a risk assessment chart

Even though you need to be aware of the risks facing your organization, you shouldn’t try to fix all of them at once—risk mitigation can get expensive and can stretch your resources. Instead, prioritize risks to focus your time and effort on preventing the most important hazards. To help you prioritize your risks, create a risk assessment chart.

The risk assessment chart is based on the principle that a risk has two primary dimensions: probability and impact, each represented on one axis of the chart. You can use these two measures to plot risks on the chart, which allows you to determine priority and resource allocation.


Be prepared for anything

By applying the risk assessment steps mentioned above, you can manage any potential risk to your business. Get prepared with your risk assessment plan—take the time to look for the hazards facing your business and figure out how to manage them.


National Academies Press: OpenBook

Guide for the Process of Managing Risk on Rapid Renewal Projects (2012)

Chapter: 9 Implementing Risk Management Plan

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Introduction

As discussed in Chapter 8, the risk management plan is intended to optimize project performance through the following three basic elements:

  • Specific actions whose purpose is to reduce particular individual risks, focusing on the higher-priority risks;
  • Management of contingency to cover most of the residual risks and other uncertainties; and
  • Recovery if established contingency is inadequate (i.e., to cover the rest of the residual risks and other uncertainties).

However, like any plan, the risk management plan must be appropriately implemented to be successful and actually achieve optimal project performance. Also like any plan, successful implementation requires the following (at a minimum):

  • Responsibility—assignment of a risk manager and “owners” of significant individual risks;
  • Commitment—the organization has to commit to the plan;
  • Resources—adequate resources (funding and staff) have to be provided to carry out the plan; and
  • Authority—specific individuals have to be given adequate authority, as well as resources, for carrying out their assigned plan responsibilities.

Adequately and efficiently implement the risk management plan:

  • Proactively reduce individual risks.
  • Address changing conditions.
  • Establish, track, and control contingency.
  • Decide on “recovery” (if needed).

A unique feature of the risk management plan, unlike most plans, is that it is actually an evolving document, with the expectation that it will be adjusted to reflect changes in the project as that project develops (including any changes due to recovery). This means that those project actions and conditions must be monitored and the plan periodically updated to reflect observed changes. For example:

  • Planned risk reduction actions generally should be performed as planned. Their progress should be monitored and their actual impact on risks should be assessed. However, these plans might be adjusted on the basis of their progress and projected results, considering changing needs. For example, it might be determined (based on new information) that the risk being addressed is not as important as previously thought.
  • Risks will either happen or not happen during various project phases. If they have not happened while their window is open, they will not happen after their window has closed and they can be retired in the risk register. Conversely, if they have happened, contingency should be reserved for that risk and this should be noted in the risk register. However, such expenditure of contingency must be carefully controlled.
  • As conditions change, particular risks (either their assessed probability or impacts) whose windows have not yet closed can change (e.g., becoming either more or less likely). In fact, sometimes previously unidentified (“new”) risks are identified and should be assessed and included with the other existing risks. Such changes in remaining risks should be noted in the risk register.
  • As noted above, realized risks might result in spending or reserving some of the established contingency, leaving less contingency for the rest of the project. Conversely, if few risks are realized, there might be excess contingency. The adequacy of the remaining contingency needs to be periodically reevaluated to give as much advance warning as possible of either possible future inadequacy (which might trigger recovery plans) or excess contingency (which can be released for other purposes).

This process of implementing the risk management plan (which includes monitoring, updating, and implementing protocols for making significant project decisions, for example, regarding contingency and recovery) needs to be effective but should also be efficient and compatible with the DOT organization and project.

Process of implementing the risk management plan

Implementation of the risk management plan consists of first getting set up to carry out the plan, and then actually implementing the various elements of the plan. Preparing to carry out the plan requires the following steps:

  • Organizationally committing to the plan;
  • Assigning responsibility for the plan;

  • Providing adequate authority and resources to carry out the plan; and
  • Gathering and distributing information.

Without these steps, the plan likely will not be successfully implemented—it will be just another document on the shelf. As part of this, it is recommended that a risk manager, a position reporting directly to the project manager, be named for the project and given overall responsibility for implementing the plan; for small projects (which should not require much effort) the risk manager might simply be the project manager, whereas for larger projects (which might require significant effort) it would be a separate person (e.g., the assistant project manager). The risk manager then typically will delegate responsibility for various elements of the plan to those who are in the best position to complete them and will follow up with them to ensure that they actually complete those elements. For this to happen, the risk manager must be given adequate authority and resources (e.g., budget). However, this needs to be done as efficiently as possible to prevent wasting resources. For example, periodic risk management status meetings should be short and integrated into regular project status meetings. Similarly, risk management status reports should be streamlined, simply highlighting changes since the last report, and appropriately distributed in a timely fashion.

With an adequate organizational structure and set of procedures in place, the various elements of the plan can be successfully implemented. The basic elements of the plan, which are somewhat flexible in order to be most efficient, include the following (see Chapter 8):

  • Risk reduction actions. A set of actions is specified in the risk management plan for reducing individual risks. These actions must be successfully performed to realize any risk reduction, although the actual amount of risk reduction, and typically to a lesser extent their cost and schedule to implement, will be uncertain beforehand. However, such actions can be adjusted (e.g., stopped) as their projected performance or need changes. The DOT must assign responsibility for each action, and then track progress of that action. The cost and schedule, as well as the results (in terms of risk reduction), of implementing that action will be reported. Figure 9.1 provides an example based on the Risk Management Plan form provided in Appendix C. In this example, the project team has determined that it will be more cost-effective to design around an area with a significant right-of-way risk. The management actions provide an estimate of the resources, an estimate of the risk reduction, and a person who is responsible for verifying that the risk plan has been implemented by a key milestone. Status updates can then be documented on this form.

Example Risk Reduction Action from Risk Management Plan (this is not the hypothetical case study):

  • RUi(1). The team will design around areas where right of way may be an issue, specifically at US555-SH111 junction.
  • Design lead, in conjunction with right-of-way lead
  • By end of preliminary design
  • Need to get approval for design deviations.
  • Action successfully completed, and risk eliminated <by name and date>

  • Contingency management. Contingency allowances for cost and schedule are established in the risk management plan to cover the residual risks (after they have been reduced) with appropriate confidence. As risks are realized, some of the contingency must be reserved to cover them. However, like any project costs, such expenditures must be carefully controlled; similarly, giving up project float in the project schedule must also be carefully controlled. Conversely, if few risks occur and contingency is not used, then the excess contingency can be released for other purposes. As shown in Figure 9.1, such contingencies are typically allocated to, and tracked by, the different phases of the project. For the case shown in red circles in this example, the contingency actually spent in each phase (and thus cumulatively) was less than that budgeted (e.g., in Phase A, only $2 million of the budgeted $3 million was spent); after each phase, unused contingency could be released. DOTs typically have established protocols for approving and tracking contingency expenditure and releases, with approvals generally required at higher organizational levels as the amounts increase.
  • Recovery. Contingency (or recovery) plans are identified in the risk management plan just in case the contingency allowances are found to be inadequate (e.g., if a disproportionate number of significant risks actually happen). For example, if as shown in the black square in Figure 9.1, the reserved contingency exceeds the allowable contingency during a phase, then recovery is triggered (e.g., in Phase A, $4 million was spent, which was $1 million more than the $3 million budgeted for that phase, meaning that there is not enough left for later phases). Typically, such plans are somewhat drastic (e.g., deferring or eliminating scope to save cost and/or schedule) and are only intended as a last resort. However, in general, each such plan is only possible up to a specific point in project development; for example, savings associated with deferring some scope cannot be realized once that scope has been built. Clearly, such decisions must be made at a high organizational level.

[Figure 9.1. Contingency drawdown and recovery for project phases. Axes: project phase (A, B, C) and contingency ($M); series: cumulative, trigger, recovery.]

Because (as described above) the plans are somewhat flexible to adapt to changing conditions, to be successfully completed, each of the above elements of the risk management plan requires specific information at various points in time:

  • The status and projected results of the various risk reduction actions, as well as projected needed performance improvements;
  • The status or availability of contingency, as well as projected contingency needs; and
  • The status or availability of recovery actions, as well as projected recovery needs.

In particular, to determine changes in needs (whether for risk reduction, for contingency, or for recovery), the changes in risks should be adequately monitored and updated. Such changes in risks are due to inevitable changes in project conditions with time.

Monitoring is relatively quick, but informative. The following should be monitored periodically (e.g., monthly, or less frequently at moderately important points or changes in project development): project development status and conditions, risk reduction action status and projected results, existing risks, and contingency and recovery plans. These should be adequately documented (e.g., in a memorandum or directly in the risk register). For example: (a) the status of a risk reduction action is illustrated in the above example; (b) qualitative changes in risk might simply be described, including their cause; and (c) the status of contingency is illustrated in Figure 9.1.

Updating is more involved (including reassessment and reanalysis, if needed), but also more informative, than monitoring. The following should be updated periodically (e.g., quarterly, or less frequently at important points or changes in project development, as indicated by monitoring): base performance, risks (including adding new risks), and contingency and recovery requirements. These should be documented (e.g., in the risk register and in the risk management plan).

Conclusions on implementing the risk management plan

The risk management plan consists of three main elements designed to optimize project performance: (1) plans for individual risk reduction actions; (2) protocols for contingency management; and (3) protocols for recovery plans. Because project conditions, and hence risks, inherently change as a project moves through the development process, the risk management plan is intended to be an evolving document, adjusting as the project develops. This in turn requires monitoring (e.g., of the progress and results of specific risk reduction action, of specific risks in the risk register, and of contingency) and periodic updating (e.g., of residual risks, of risk reduction plans, and of contingency requirements). This then requires a DOT commitment to carrying out the risk management plan, including assignment of responsibility (e.g., a designated risk manager), with adequate authority and resources, and ways to gather and distribute relevant information. This also needs to be an efficient process, compatible with the DOT organization and project.

Example Risk Register Update (this is not the hypothetical case study):

There was a risk of a landowner being unwilling to sell a parcel needed to construct a project. When it was first identified, there was a high probability (50%) that the owner would not be willing to sell and the impact of this risk was $500,000 and 2-month delay, with an expected value of about $300,000 [including increased escalation and extended overheads (OHs)] and 1 month (critical path). However, as seen in a previous example, the management action was successfully taken to avoid this risk by designing around the parcel, at a cost of about $100,000 ($150,000 including increased escalation and extended OHs) and 1-month delay. The resulting reduction in risk meant that about $300,000 and 1 month less contingency was required; however, the resulting cost ($150,000) and delay (1 month) of the mitigation effort had to be added to the base cost and schedule. Based on such updates of the various inputs, the contingency requirements (and recovery requirements) could be recalculated.

Risk RUi updated <by name and date>

Example

The hypothetical QDOT case study (see Appendix D), which is used to illustrate the various steps of the risk management process and includes a risk management plan (RMP, Appendix E), describes an effective and efficient implementation of its RMP following the principles and process outlined in this chapter, as documented in RMP Section 9 and summarized below.

After QDOT developed the RMP, its implementation was adequately supported by management and adequate resources provided. The RMP included an organizational structure with specified responsibility and authority (i.e., the project manager served as the risk manager) to implement that RMP throughout project development. The project’s designated risk manager then successfully implemented that RMP, as follows:

  • Proactively and cost-effectively reduced individual risks that were within QDOT’s control, including monitoring and updating the risks and the RMP over time, resulting in successful reduction of several large risks;
  • Used established protocols for contingency control, including monitoring and periodic updating of contingency status (expended to date and capacity required for completion) and recommending contingency expenditure (to cover actual risk occurrences as needed) and releasing excess contingency (when no longer needed), resulting in adequacy of the initially established contingency throughout the project, with the unused contingency subsequently released; and
  • Used established protocols for recovery decisions, including monitoring and periodic updating of recovery status (achieved to date and capacity required for completion) and recommending recovery actions as needed when remaining contingency was not sufficient, resulting in no recovery actions being required.

TRB’s second Strategic Highway Research Program (SHRP 2) S2-R09-RW-2: Guide for the Process of Managing Risk on Rapid Renewal Projects describes a formal and structured risk management approach specifically for rapid renewal design and construction projects that is designed to help adequately and efficiently anticipate, evaluate, and address unexpected problems or “risks” before they occur.

In addition to the report, the project developed three electronic tools to assist with successfully implementing the guide:

• The rapid renewal risk management planning template will assist users with working through the overall risk management process.

• The hypothetical project using risk management planning template employs sample data to help provide an example to users about how to use the rapid renewal risk management template.

• The user’s guide for risk management planning template will provide further instructions to users who use the rapid renewal risk management template.

Renewal Project R09 also produced a PowerPoint presentation on risk management planning.

Disclaimer: This software is offered as is, without warranty or promise of support of any kind either expressed or implied. Under no circumstance will the National Academy of Sciences or the Transportation Research Board (collectively "TRB") be liable for any loss or damage caused by the installation or operation of this product. TRB makes no representation or warranty of any kind, expressed or implied, in fact or in law, including without limitation, the warranty of merchantability or the warranty of fitness for a particular purpose, and shall not in any case be liable for any consequential or special damages.

Errata: When this prepublication was released on February 14, 2013, the PDF did not include the appendices to the report. As of February 27, 2013, that error has been corrected.


Process Street

Risk Management Framework

Role assignment.


Assign roles to team members for the risk management framework.

  • 1 Project Manager
  • 2 Risk Analyst
  • 3 Team Leader

Identify Potential Risks

Identify the potential risks that may impact the project or process. This task plays a crucial role in risk management as it helps in proactively identifying and understanding potential threats. By identifying these risks, we can develop strategies to mitigate or eliminate them, ensuring the smooth progress of the project or process.

Key Points:

  • Understand the scope, objectives, and stakeholders of the project or process.
  • Analyze previous similar projects or processes to uncover potential risks.
  • Brainstorm with team members to gather different perspectives and insights.
  • Use historical data or industry knowledge to identify commonly occurring risks.

Required Resources or Tools:

  • Risk Assessment Template
  • Brainstorming Techniques
  • Previous Project or Process Data
  • Industry Research
  • 1 Technical
  • 2 Financial
  • 3 Operational
  • 4 Environmental

Analyse Risk Impact

Assess the potential impact of identified risks on the project or process. This task helps in understanding the severity and likelihood of each risk, enabling effective prioritization and allocation of resources.

Key Points:

  • Review the descriptions and impact of identified risks.
  • Use qualitative and quantitative methods to evaluate the potential impact.
  • Consider the probability and consequences of each risk.
  • Assess the potential impact on timelines, costs, quality, and stakeholders.

Required Resources or Tools:

  • Risk Impact Assessment Template
  • Probability and Impact Matrix
  • Subject Matter Experts' Inputs
  • Historical Project or Process Data

Prioritise Identified Risks

Prioritize the identified risks based on their severity and importance. This task helps in focusing resources on addressing the most critical risks first, ensuring efficient risk management.

Key Points:

  • Review the impact assessments of identified risks.
  • Rank the risks based on their severity and importance.
  • Consult with stakeholders and subject matter experts to gain different perspectives.

Required Resources or Tools:

  • Risk Prioritization Matrix
  • Stakeholder and Expert Inputs
  • Risk Ranking Criteria
  • Shared Decision-Making Tools

Approval: Risk Prioritisation

  • Prioritise Identified Risks: will be submitted for approval

Develop Mitigation Strategies

Develop effective strategies to mitigate or eliminate identified risks. This task helps in proactively addressing potential threats, minimizing their impact, and increasing the chances of success for the project or process.

Key Points:

  • Review the prioritized list of identified risks.
  • Identify the most suitable mitigation strategies for each risk.
  • Consider both preventive and responsive strategies.
  • Consult with stakeholders and subject matter experts to ensure feasibility.

Required Resources or Tools:

  • Risk Mitigation Strategy Template
  • Best Practices and Industry Standards
  • Lessons Learned from Previous Projects or Processes
  • Expert Inputs

  1. Preventive
  2. Responsive

Implement Mitigation Strategies

Execute the planned mitigation strategies to minimize or eliminate identified risks. This task helps in actively managing risks and avoiding their potential negative impacts on the project or process.

Key Points:

  • Assign responsibilities to team members for executing the mitigation strategies.
  • Ensure proper communication and coordination among team members.
  • Regularly monitor the progress of the implementation of mitigation strategies.
  • Make necessary adjustments or updates to the strategies based on feedback and emerging risks.

Required Resources or Tools:

  • Implementation Plan Template
  • Communication Tools
  • Collaboration Platforms
  • Monitoring and Reporting Mechanisms

Monitor Risk Response

Regularly monitor the effectiveness of implemented mitigation strategies in addressing identified risks. This task helps in ensuring that the mitigation strategies are on track and adequately managing the risks throughout the project or process lifecycle.

Key Points:

  • Establish monitoring mechanisms to track the progress of risk response activities.
  • Periodically review the status and outcomes of implemented mitigation strategies.
  • Identify any emerging risks or deviations from the planned strategies.
  • Make necessary adjustments or updates to the risk response actions.

Required Resources or Tools:

  • Performance Tracking Templates
  • Periodic Review Schedule
  • Communication Channels

  2. Deviation
  3. Emerging risk

Documentation of Risk Response

Document the risk response activities and outcomes for future reference and learning. This task helps in capturing lessons learned, improving risk management practices, and facilitating knowledge sharing within and across projects or processes.

Key Points:

  • Record details of implemented mitigation strategies and their outcomes.
  • Document any adjustments or updates made to the risk response actions.
  • Summarize lessons learned and key insights from the risk response process.
  • Ensure the documentation is accessible and easily understandable for future reference.

Required Resources or Tools:

  • Risk Response Documentation Template
  • Knowledge Management Systems
  • Lessons Learned Databases
  • Sharing and Collaboration Platforms

Review Risk Management Process

Review the overall risk management process to assess its effectiveness and propose improvements. This task helps in continuously enhancing the risk management approach, learning from experiences, and optimizing future risk management efforts.

Key Points:

  • Evaluate the outcomes and learnings from the risk management process.
  • Identify strengths, weaknesses, and areas for improvement.
  • Solicit feedback from stakeholders and team members.
  • Propose revisions or updates to the risk management process or framework.

Required Resources or Tools:

  • Risk Management Process Evaluation Checklist
  • Feedback Collection Mechanisms
  • Continuous Improvement Methodologies

  1. Effectiveness
  2. Efficiency
  3. Adaptability
  4. Stakeholder Satisfaction

Approval: Risk Management Review

  • Review Risk Management Process: will be submitted for approval

Perform Periodic Risk Assessment

Conduct regular risk assessments to identify new risks and review the existing ones. This task helps in maintaining up-to-date risk information and ensuring that emerging risks are promptly identified and addressed.

Key Points:

  • Establish a frequency and schedule for periodic risk assessments.
  • Gather inputs from relevant stakeholders and subject matter experts.
  • Identify new risks and changes in the severity or likelihood of existing risks.
  • Update the risk register or database with the latest risk information.

Required Resources or Tools:

  • Periodic Risk Assessment Template
  • Input Gathering Mechanisms
  • Risk Register or Database
  • Historical Data and Trend Analysis

Update Risk Management Framework

Revise and update the risk management framework based on the outcomes of the periodic risk assessments and lessons learned. This task helps in refining the risk management approach, incorporating new insights, and aligning with the evolving project or process context.

Key Points:

  • Review the outcomes of periodic risk assessments and associated documentation.
  • Identify areas for improvement or updates in the risk management framework.
  • Consult with stakeholders and team members to gain different perspectives.
  • Update the framework to reflect revised risk response strategies and processes.

Required Resources or Tools:

  • Risk Management Framework Template
  • Lessons Learned Documentation
  • Change Management Techniques

Approval: Framework Update

  • Update Risk Management Framework: will be submitted for approval

Communicate Updated Framework to Team

Inform and educate the team members about the updates in the risk management framework. This task helps in ensuring everyone is aware of the revised risk response strategies and processes, promoting consistent risk management practices, and fostering a proactive risk-aware culture.

Key Points:

  • Prepare clear and concise communication materials about the updated framework.
  • Conduct team meetings or training sessions to explain the changes and rationale.
  • Address any questions or concerns raised by the team members.
  • Ensure easy access to the updated risk management framework for future reference.

Required Resources or Tools:

  • Communication Plan
  • Communication Materials
  • Training or Meeting Platforms
  • Question and Answer Sessions


COMMENTS

  1. PDF Practice Standard for Project Risk Management

    4.1 Purpose and Objectives of the Plan Risk Management Process; 4.2 Critical Success Factors for the Plan Risk Management Process; 4.2.1 Identify and Address Barriers to Successful Project ... 8.4.4 Ownership and Responsibility Assignment; 8.5 Documenting the Results of the Plan Risk Responses Process; 8.5.1 Add Risk ...

  2. How To Create A Risk Management Plan + Template & Examples

    The first 2 steps in the process are preparing supporting documentation and setting the context. Next, decide how you want to identify & assess risks, and continuously identify those risks. The next steps in the risk management process include assigning risk owners, populating your risk register, and then publishing it.

  3. Risk Management 101: Process, Examples, Strategies

    The six risk management process steps that we've outlined below will give you and your organization a starting point to implement or improve your risk management practices. In order, the risk management steps are: Risk identification. Risk analysis or assessment. Controls implementation.

  4. PDF Introduction to Risk Management Student Guide

    Risk Management Process - Step 1 Identify Assets. Let's take a look at each step of the Risk Management Process. The first step in the process is to identify assets. Assets fall into 5 categories: People. Information. Equipment. Facilities and. Activities and Operations.

  5. The Risk Management Process in Project Management

    Project management software can help you keep track of risk. ProjectManager is online software that helps you identify risks, track them and calculate their impact. With our Risk view, you can make a risk list with your team and stay on top of all the risks within your project. Write a description, add tags, identify a resolution, mark impact ...

  6. The Risk Management Process: 4 Essential Steps

    Step 1: Risk Identification. The first step in the risk management process is to identify all the events that can negatively (risk) or positively (opportunity) affect the objectives of the project: These events can be listed in the risk matrix and later captured in the risk register. A risk (or opportunity) is characterized by its description ...

  7. Practical Risk Management Approach

    Risk Management Process Understanding Risks. The first step in applying any risk management process is understanding what a risk is. A Guide to the Project Management Body of Knowledge (PMBOK ®), 2000 Edition defines a risk as an uncertain event or condition, that if it occurs, has a positive or negative effect on a project objective.

  8. 5 Steps to An Effective Risk Management Process

    Risk management steps. Follow these risk management steps to improve your process of risk management. 1. Identify the risk. Anticipating possible pitfalls of a project doesn't have to feel like gloom and doom for your organization-quite the opposite. Identifying risks is a positive experience that your whole team can take part in and learn from.

  9. How to Manage Project Risk: A 5-Step Guide

    The risk management process, or lifecycle, is a structured way of tackling risks that can happen in your project. Though you'll find some slight variation, the risk management process, or lifecycle, generally follows the steps listed below. This process can be used for both positive and negative risks. 1. Identify risks.

  10. PDF Risk Management: Tools, Techniques, and Challenges

    Overview. Project risk management provides a structured means to identify and manage risks within projects. The goal of project risk management is to "increase the probability and impact of positive events and decrease the probability and impact of negative events in the project" (Project Management Institute, 2009, p. 4). Risks can ...

  11. Risk Assessment: Process, Tools, & Techniques

    There are options on the tools and techniques that can be seamlessly incorporated into a business' process. The four common risk assessment tools are: risk matrix, decision tree, failure modes and effects analysis (FMEA), and bowtie model. Other risk assessment techniques include the what-if analysis, failure tree analysis, and hazard ...

  12. PDF CRR Supplemental Resource Guide, Volume 7: Risk Management

    The guide is structured as follows: I. Introduction—Introduces the CRR Resource Guide series and describes the content and structure of these documents. II. Risk Management—Presents an overview of the risk management process for IT-dependent organizations and establishes some basic terminology.

  13. How to Make a Project Risk Management Plan

    Download the Blank Project Risk Management Plan for Microsoft Word. Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation.

  14. 16. Risk Management Planning

    The impact tells you how much damage the risk would cause to your project. Many projects classify impact on a scale from minimal to severe, or from very low to very high. Your risk management plan should give you a scale to help figure out the probability of the risk. Some risks are very likely; others aren't.

  15. 7 Steps to Write a Risk Management Plan For Your Next Project (With

    Evaluate and assess the consequence, impact, and probability of each potential risk. 3. Assign roles and responsibilities to each risk. 4. Come up with preventative strategies for each risk. 5. Create a contingency plan in case things go really wrong. 6. Measure your risk threshold and work with project stakeholders.

  16. How to Make a Risk Management Plan (Template Included)

    The steps to make a risk management plan are outlined below. 1. Risk Identification. Risk identification occurs at the beginning of the project planning phase, as well as throughout the project life cycle. While many risks are considered "known risks," others might require additional research to discover.

  17. PDF The Risk Management Process

    risk management process but also outlines the approach necessary to identify, assess, and prioritize the risks to federal facilities. This approach is followed by a coordinated application of countermeasures to minimize, monitor, and control the probability of an undesirable event and its associated impact. Risk management decisions are based ...

  18. Risk Analysis Project Management

    Abstract. Risk Analysis and Management is a key project management practice to ensure that the least number of surprises occur while your project is underway. While we can never predict the future with certainty, we can apply a simple and streamlined risk management process to predict the uncertainties in the projects and minimize the ...

  19. Risk Management Assignment

    Risk Management Assignment - Free download as Word Doc (.doc / .docx), PDF File (.pdf), Text File (.txt) or read online for free. This document discusses risk management and risk assessment. It defines risk management as a proactive process to identify and manage risks that could impact a project's success. Risk assessment is defined as systematically identifying and evaluating potential risks ...

  20. A complete guide to the risk assessment process

    5 steps in the risk assessment process. Once you've planned and allocated the necessary resources, you can begin the risk assessment process. Proceed with these five steps. 1. Identify the hazards. The first step to creating your risk assessment is determining what hazards your employees and your business face, including:

  21. 9 IMPLEMENTING RISK MANAGEMENT PLAN

    This then requires a DOT commitment to carrying out the risk management plan, including assignment of responsibility (e.g., a designated risk manager), with adequate authority and resources, and ways to gather and distribute relevant information. ... which is used to illustrate the various steps of the risk management process and includes a ...
