top of page

2.42 Risk Management Plan

Preface

The Risk Management Plan outlines the principles, approaches, and processes that will be used to manage project risk.  Systematic risk management has been proven to be essential to the success of even the most straight-forward project.  Conversely, the inability to anticipate and respond to uncertainty, whether in the project environment or within the project itself, substantially reduces the likelihood of a successful result.  This subsidiary plan sets out the processes that the project will use to manage risk over the project lifecycle with a view to securing the project’s ultimate success.

Table of Contents

   1.0  Rationale and Benefits

   2.0  Risk Management Approach and Processes

        2.1    Definition

        2.2    Risk Management Principles

        2.3    Risk Identification Processes, Roles, and Responsibilities

        2.4    Risk Assessment Processes, Roles, and Responsibilities

        2.5    Risk Response Strategy Processes, Roles, and Responsibilities

        2.6    Risk Management Action Plan Risk and Risk Response Monitoring and Evaluating Processes, Roles, and Responsibilities

   3.0  Risk Register

1.0    Rationale and Benefits       

(Outline the problem or opportunity the project is intended to address.Explain how the problem or opportunity came to be recognized, what its key dimensions are, and how the project bears on those key dimensions.Indicate the benefits JI will capture or realize on successful completion of this project.Explain how the new product, service, or result developed through this project will allow the JI to better fulfill its mandate or better serve its clients and other stakeholders.Append a copy of the relevant decision document, if appropriate.)

2.0  Risk Management Approach and Processes

2.1    Definition

Risk is understood as being an uncertain event or condition that, if it occurs, has a positive or negative effect on any of the factors that contribute to the ultimate success of the project or the functionality of any of its deliverables.

2.2    Risk Management Principles

2.2.1    Projects involve doing things that have not been done before.  As such, there is always uncertainty as to the outcome of any project activity; things will rarely turn out exactly as they were planned.  Sometimes things will turn out more favourably than was anticipated (evidence of positive risk) and sometimes things will turn out less favourably than was anticipated (evidence of negative risk).  The emergence of risk does not indicate poor project management practices, the failure to identify and respond appropriately to risk does.

2.2.2    All members of the project team, including the project sponsor, members of the project steering committee, and stakeholders share responsibility for identifying project-related risk of which they are or become aware and for contributing to the analysis and ultimate resolution of identified risk.

2.2.3    The risk management process consists of five distinct sub-processes.  Risk is first identified, then it is analyzed, then response approaches are defined, action in accord with the defined approach is implemented, and the effectiveness of the response is monitored and evaluated with any necessary adjustments to the response approach also being implemented.

2.3    Risk Identification Processes, Roles, and Responsibilities

Experience has proven that there are a number of different approaches that can be used to identifying project risk.  Project risk may arise from outside the project, the project environment (examples of areas of uncertainty can include general economic conditions, labour demand and supply conditions, materials supply and demand conditions, political stability or instability, weather conditions, and the like).  Risk may also arise in the realm of project sponsorship (examples include relative project priorities, changes in key staff, and the overall success of the performing or client/customer organization).  Has the project team worked together before, are relations among its members harmonious or strained, is the team truly breaking new ground or are they traversing familiar territory, are stakeholder relations harmonious or strained, are their various needs and priorities likely to remain stable over time or are they likely to evolve?  These are the kinds of questions that can help identify project management risk, a third area of project uncertainty.  Finally, we should ask if we fully understand the consequences of all of the project activities we plan to undertake or is there the possibility of some of our actions having unintended consequences?  An affirmative response here can identify another source of uncertainty to which we may need to respond.

Two other approaches to identifying project risk have also proven productive.  One is to examine the assumptions and constraints that have informed project planning.  Assumptions are conditions we accept as being true without necessarily having any proof of their veracity.  Every assumption opens the possibility that things may turn out differently; uncertainty equals risk.  Similarly, constraints limit our project management choice.  As such, constraints may require that certain tasks be performed in a sub-optimal way.  Again, sub-optimal task performance opens the possibility of things turning out differently than we had hoped or intended.

(This section should then go on to address the roles and responsibilities of each significant project stakeholder [sponsor, steering committee member, project manager, team lead, team member, stakeholder representative, etc.] in helping to identify project risk.  The processes that will be used to facilitate risk identification by these groups and individuals should be outlined.  As well, risk escalation processes should also be defined.  There are, as well, a variety of techniques that can be used to identify project risk.  These include reviewing lessons learned from previous projects, structured interviews of key resource people, brain-storming, "what-if" analysis, the Delphi Technique, Nominal Group processes, and checklist reviews.  This section should identify which techniques will be used, when, and by whom.)

2.4    Risk Assessment Processes, Roles, and Responsibilities

Once risk has been identified it needs to be analyzed or assessed.  There are two different but conceptually similar ways to assess project risk.  They both involve assessing the likelihood that a risk event will emerge from a particular area or situation and then assessing the consequences for the project of the emergence of such a risk event.  Both likelihood and consequences can be assessed on a scale running from low (likelihood or consequence) to high (likelihood or consequence).  The scales can be either relative – assessment on a relative scale is called qualitative risk assessment – or numerical (a five point scale commonly used), which is called quantitative risk assessment.  In either event, the likelihood and consequences factors are combined with a view to isolating those risks – both positive and negative – that have a reasonably high likelihood of occurring and will have significant consequences if they do.  Isolating this kind of risk is the objective of risk assessment.  It allows us to focus management attention on those risk events that call for the development of a specific risk response strategy before the risk event occurs.

(In this section you should define whether the project will use qualitative or quantitative risk assessment methodologies and, if the later, the scales that will be used.  If risk is to be assessed quantitatively, definitions should also be assigned to each ordinal point on the scales.  The project may also use a mix of qualitative and quantitative approaches.  If this is the case, this section should describe the circumstances in which each will be used.  This section should also address the roles and responsibilities of each significant project stakeholder [sponsor, steering committee member, project manager, team lead, team member, stakeholder representative, etc.] in helping assess project risk.  The processes that will be used to facilitate risk assessment by these groups and individuals should be outlined.)

2.5    Risk Response Strategy Processes, Roles, and Responsibilities

Once high priority risks have been isolated, there are three different strategies that may be pursued in response to any positive risk event.  These are called:

  • "exploit" which aims to increase the likelihood of a positive risk event occurring;

  • "enhance" which aims to increase the consequences of a positive risk event occurring; and

  • "share" which aims to find another party to take part in the occurrence of a positive risk event.Share strategies are the basis for partnerships and joint ventures.

There are also three different strategies that may be pursued in response to any negative risk event.  These are called:

  • "avoid" which aims to decrease the likelihood of a negative risk event occurring;

  • "mitigate" which aims to decrease the consequences of a negative risk event occurring; and

  • "transfer" which aims to find another party to whom the financial consequences of a negative risk event can be transferred.Transfer strategies are demonstrated through such mechanisms as insurance and performance bonds.

Finally, there are two closely related strategies that can be pursued in response to either a positive or negative risk event:

  • "accept" which is an active, rather than a passive state."Accept" recognizes that not all risk can be strategized in advance; for some risk we need to maintain watchful awareness and the flexibility to respond to unexpected developments; and what is called

  • "contingent response strategy" which sets out the specific course of action to be taken if a specific uncertain event occurs.

(Different stakeholders have different degrees of risk tolerance.  Some are fully comfortable when a high degree of uncertainty attaches to a certain project while others grow uneasy in the face of even the lowest levels of risk.  Stakeholder risk tolerance will define the amount of effort that the project team needs to put into managing the risk associated with the project.  This section, thus, should consider the risk tolerance of each of the sponsor, steering committee members, project manager, and other key stakeholder representatives.  This section should also address the roles and responsibilities of these stakeholders in helping define the appropriate strategy for each major risk category and monitoring risk and risk responses as the project proceeds, as well as the processes by which that input will be secured and communicated.)

2.6    Risk Management Action Plan Risk and Risk Response Monitoring and Evaluating Processes, Roles, and Responsibilities

(This section of the plan should address project team members’ roles and responsibilities for noting issues  - that is the emergence of risk events - the escalation of issues, and related communications expectations and procedures.  In addition, procedures for and roles and responsibilities in implementing previously defined risk response strategies and in developing strategies to respond to previously unidentified risks should be set out.  Once response strategies have been implemented, the project team will need to monitor their effectiveness in "getting the project back on track" as well as making adjustments in the strategy to increase its effectiveness or adapt to emerging conditions.  Procedures, roles, and responsibilities for these activities need to be set out, as well.  Finally, once response strategies have been fully implemented and the project as progressed sufficiently that their effectiveness can be judged reliably, that evaluative effort should be made; this section should also spell out procedures, roles, and responsibilities for post-implementation evaluation and for capturing and communicating these lessons learned.)

3.0  Risk Register

(Processes for reviewing and updating the preliminary risk register should be addressed in this section.  The preliminary risk register should also be reproduced here or be attached to the plan as an appendix.)

bottom of page