What is a Risk Management Plan?

A risk management plan is a formal project document that catalogs risks to a project, their likelihood of occurring, their potential impact and how the project team will address them. A risk management plan is sometimes called a risk mitigation plan. The two terms can be used interchangeably. 

While risks tend to be thought of as negative, projects can have positive risks. Both should be included in a risk management plan.

Here are a few examples of negative risks to a project:

  • A project could lose its funding source.

  • A project sponsor could scrap the project.

  • The project manager could be reassigned from the project to a different project.

  • Stakeholders could withdraw their support for the project.

Following are a few examples of positive risks to a project:

  • The project budget could increase.

  • Project costs could come in under budget.

  • A part of the project is completed ahead of schedule.

Creating a risk management plan helps the project manager, project sponsor and project team members think through what unexpected things could happen to the project. The risk management plan turns these unanticipated events into known variables that may or may not affect the project.

Perhaps the most valuable part of a risk management plan is simply creating it. This activity forces the project team to think through all aspects of the project.

Beyond the benefit of having the plan to guide future actions, this process helps project team members gain a deep, shared understanding of the project.

Once the project team has identified positive and negative risks, it assigns numerical values to each risk based on the likelihood of occurrence and intensity of impact.

In most methodologies for assigning risk values, likelihood of occurrence and intensity of impact both have Likert scales attached to them, for instance 1 through 5. A given risk’s two values are multiplied to determine an overall risk value. The higher the value, the more intensive the risk mitigation planning the team must do.

A risk with high likelihood of occurrence and an intense impact demands the project team’s attention. However, a risk very unlikely to happen with minimal effect does not merit as much of the team’s effort. This is where the numerical scoring comes in handy. Using these values, the project team can appropriately prioritize its time related to risk mitigation.

Once the project team has ranked its risks in order from greatest to least, the project manager can facilitate a discussion on how the team will address the risks and respond to them should they occur. Project management systems use several acronyms for the activities related to addressing risks, but they all boil down to these: avoid the risk; mitigate it; share it; accept it.

As you can see, mitigation is just one of the ways to address risk. But it is the most common, so sometimes calling the plan a “risk mitigation plan” is not a misnomer. The ways to address risk are often called mitigation strategies even though mitigation is not the only way to address a risk.

Here are brief explanations of each way to address a risk:

  • Avoid: When a project manager avoids a risk, he or she plans the project such that the risk cannot happen. This strategy can be cumbersome but is sometimes worth doing.  

  • Mitigate: To mitigate a risk means to decrease its likelihood of happening. It is important to note this strategy does not address a risk’s impact on the project.

  • Share: Sharing a risk means giving part or all of the risk to another party to bear. Some methodologies call this transferring.

  • Accept: Accepting the risk means the project team does nothing to prevent the risk from happening. If the risk comes about, the project team will deal with it at that point.

Even if a project manager puts in place a perfect risk management plan, risks still come about. No plan can prevent everything. This is why project teams spend time planning what they will do if a risk happens. Documenting plans of action keeps project teams from scrambling to address the risk when mitigation strategies fail.

Once these actions have been determined, the risk mitigation plan is complete; however, it is a living document. Prudent project managers revisit the plan periodically to ask the project team if any new risks have been identified and if all the parts of the plan are still viable. Over the course of time, a risk may change in likelihood of occurrence, intensity of impact and appropriateness of mitigation strategies.

