Risk management planning is a critical activity in project risk management because it establishes all the activities that the project management team needs to handle to manage the risks and uncertainties of the project. It is the guide that provides procedures, tools and techniques, and document templates that the project management team should use during the management of the project
Risk Management Methodology
Risk management planning should begin when a project is conceived and should be completed early in the project. This activity usually starts with identifying the proper risk strategy and risk management methodology that will be used throughout the project.
The risk strategy describes the general approach to managing risk on this project, while a well-defined risk management methodology defines the specific approaches, tools, and data sources that will be used to perform risk management on the project.
At the minimum level, the risk management methodology should clearly state the relationship of project risk management activities with the organizational environment, key risk management activities to be conducted throughout the project, and how it links to the overall project management methodology, in addition to the relationship of risk management processes with project management processes.
In organizations with high maturity levels in risk management practices, the risk management methodology should include the risk breakdown structure (RBS) that will be used in the project, risk meta language, and key deliverables expected from conducting risk management activities throughout the project.
The project manager with the buy-in of all involved stakeholders should be involved in determining the risk management methodology for the project, and usually, this developed risk-based methodology could be adapted to other similar projects within the organization.
In projects managed using an adaptive development approach, iterative risk management methodology is usually applied. Below is a risk management methodology example you can use in your project.
- Risk management planning: You should look at who you need to get on board and when and how often to conduct risk management tasks throughout the project.
- Risk identification: Risks and opportunities are analyzed across all business risk categories.
- Quantitative risk analysis: In this step, you should look subjectively at probability and impact and identify critical risks. It’s here where the initial decision is made about the potential severity of a risk to a project and the potential escalation to project leadership is needed.
- Qualitative risk analysis: The team should work out which areas need time and resources to manage the risk. As a result, this question should be answered: What is the overall risk versus the benefit of the project?
- Risk response planning: Here, the team should determine what can be done to reduce the probability and impact of a risk. Additionally, we look into increasing the likelihood and gain from opportunities that may present themselves.
- Risk monitoring and control: We put the risk response plan into action and manage its progress and compliance. This includes refining plans as further risks are identified, more qualitative and quantitative analysis is carried out, and more risk responses are planned.
Project Risk Management Plan
Developing the project risk management plan is the process to develop the overall risk management methodology and strategy for the project, deciding how the risk management processes will be executed, and integrating project risk management with all other project management activities.
Risk planning should begin when a project is conceived and should be completed early in the project. It may be necessary to revisit this process later in the project life cycle, for example at a major phase change, if the project scope changes significantly, or if a subsequent review of risk management effectiveness determines that the project risk management process requires modification.
Effective risk management requires the creation of a risk management plan. This plan describes how the risk management processes should be carried out and how they fit in with the other project management processes.
The risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed. The risk management plan may include some or all of the following elements: Risk strategy, risk-based methodology, roles and responsibilities, funding, timing, risk categories, stakeholder's risk appetite, definitions of risk probability and impact, probability, and impact matrix, reporting formats, and tracking.
On a broader level, the risk management plan describes the relationships among project risk management, general project management, and the management processes in the rest of the organization.
To provide the greatest benefit, initial risk management planning should be carried out early in the overall planning of the project, and the corresponding risk management activities integrated into the overall project management plan.
Although the project risk management processes form an integral part of the overall project management plan, a budget for the specific risk management activities should be established in order to better track, monitor, and, as necessary, defend the corresponding expenditures throughout the project.
The cost of responding to risks themselves should be included appropriately in the project budget, while the risk management plan should describe how this part of the project budget is evaluated, allocated, and managed.
The risk management plan will define the risk monitoring methods to ensure that the corresponding expenditures are tracked appropriately, as well as the conditions under which the approved budget for risk management can be modified.
Risk management planning should establish the type and level of risk detail to be addressed and provide a template of the risk register that will be used for recording risk-related information and attributes.
The risk management plan should also indicate the intensity of effort and the frequency with which the various Project Risk Management processes should be applied; this depends on the characteristics of the project as well as on the specified risk management objectives.
In order for the project risk management processes to be carried out correctly and effectively, the project team and other stakeholders need to know where and when they will be expected to participate, their criteria for determining success, their level of authority, and what action to take relative to actions or decisions beyond this level.
The risk management plan specifies the project’s risk management roles and responsibilities and defines the corresponding expectations for both executive management and project personnel.
Sample Risk Management Plan
The risk management plan is a component of the project management plan that describes how risk management activities will be structured and performed. The risk management plan may include some or all of the following elements:
- Risk strategy: Describes the general approach to managing risk on this project.
- Risk methodology: Defines the specific approaches, tools, and data sources that will be used to perform risk management on the project
- Roles and responsibilities: Defines the lead, support, and risk management team members for each type of activity described in the risk management plan, and clarifies their responsibilities.
- Funding: Identifies the funds needed to perform activities related to Project Risk Management. Establishes protocols for the application of contingency and management reserves.
- Timing: Defines when and how often the Risk Management Planning will be performed throughout the project life cycle and establishes risk management activities for inclusion into the project schedule.
- Risk categories: Provide a means for grouping individual project risks. A common way to structure risk categories is with a risk breakdown structure (RBS), which is a hierarchical representation of potential sources of risk.
- Stakeholder risk appetite: The risk appetites of key stakeholders on the project are recorded in the risk management plan, as they inform the details of the Plan Risk Management process. In particular, stakeholder risk appetite should be expressed as measurable risk thresholds around each project objective.
- Definitions of risk probability and impacts: Definitions of risk probability and impact levels are specific to the project context and reflect the risk appetite and thresholds of the organization and key stakeholders. Below is an example of definitions of risk probability and impacts.
- Probability and impact matrix. Prioritization rules may be specified by the organization in advance of the project and be included in organizational process assets, or they may be tailored to the specific project.
- Reporting formats. Reporting formats define how the outcomes of the Project Risk Management process will be documented, analyzed, and communicated.
- Tracking. Tracking documents how risk activities will be recorded and how risk management processes will be audited.
Risks Categories in Project Risk Management
Risk categories provide a means for grouping individual project risks. A common way to structure risk categories is with a risk breakdown structure (RBS), which is a hierarchical representation of potential sources of risk.
Where an RBS is not used, an organization may use a custom risk categorization framework, which may take the form of a simple list of categories or a structure based on project objectives. Project risk examples include:
- Technical Risk. Technical risk examples include but are not limited to Scope definition, requirements definition, and constraints.
- Management Risk. Management risks examples include but are not limited to Project management, operations management, and communication.
- Commercial Risk. Commercial risks examples include but are not limited to Internal procurement, subcontractors, suppliers, and vendors.
- External Risk. External risks examples include but are not limited to Exchange rates, competition, and regulations.
In conclusion, the objectives of risk management planning are to develop the overall risk management strategy for the project, and risk management methodology, to decide how the risk management processes will be executed, and to integrate project risk management with all other project management activities.
If you have advanced knowledge and experience in risk management, or if you are a project manager focused on project risk management, including for large projects in complex environments, then the PMI RMP® Certification is an excellent choice for you.