Risk Management Plan Components

Bernie Roseke, P.Eng., PMP May 8, 2015 0 Comment
people producing a risk management plan

Few projects go off without a hitch, especially when client/sponsor relationships are not strong.  That’s why I would argue that risk management is one of the most important components of project management.

When unexpected events occur, it is clear that the identification and analysis of risks is a central cog in the wheel preventing small mishaps from morphing into complete project disasters.

To ensure smooth projects, the project manager should create a risk management plan.

Format

There is no guideline for length.  The most important thing is that the mission critical information is in place.

For smaller risk management plans they can be a section of the larger project management plan.  For larger, more complex or highly sensitive projects they can be a stand alone document, but should be summarized in the project management plan because it is still a subset of it.

Components

There are six components of a good risk management plan:

  1. Definitions
  2. Assumptions
  3. Risk Breakdown Structure
  4. Probability Impact Matrix
  5. Accuracy Estimates (cost & schedule)
  6. Risk Register

The first five are simply different ways to analyze overall project risk.  The real project risk management takes place in risk register, therefore I will spend most of my time there.

Definitions

In future sections the risks will be identified and given prioritization rankings such as “high/medium/low.”  In the Probability & Impact Matrix there will be categories such as “Probability of 0.05 = Very Low.”  This section defines what those mean and uses words to clarify them.  Usually a definition is written out, such as:

  • Very Low:  The event is highly unlikely to occur under regular circumstances.
  • Low:  The event is unlikely but should be noted by the project team.
  • Medium:  The event has a normal chance of occurring and the project team should be aware of it.
  • High:  The event has a reasonable chance of occurring.  It should be regularly discussed and mitigation actions taken.
  • Very High:  The occurrence of the event should be actively managed and mitigation actions taken.

Assumptions

The assumptions of the project have a major impact on risk analysis.  Ask yourself these questions.

  • What assumptions support the project costs?
  • What assumptions support the project schedule (completion date, milestones, etc.)?
  • What expertise or prior experience does the company have in this work?  How long ago was this experience?  What areas require additional training?
  • Which relationships are being assumed to be strong that are not neccesarily (owner, sponsor, client, contractor, consultant)?
  • How many previous projects with similar components have been completed successfully?  What were the project issues?

Risk Breakdown Structure

This is a categorical listing of the major categories of risk, and it highly specific to the industry.  For example, an I.T. project will look something like this:

typical risk breakdown structure for software projectThe Project Management Institute has only recently incorporated Risk Breakdown Structures in the Project Management Body of Knowledge, and I admit I don’t see huge value in them.  I see value, yes, but not huge value.  It does assist in identifying risks, i.e. When developing the risk register you can make sure that each category has received it’s due attention.  But otherwise it is not a critical component of the plan.

Probability Impact Matrix

Since risk is defined as Probability x Impact, both factors need to be considered when determining the priority of each risk event.  Thus, the probability-impact matrix gives you a more detailed definition of the probability and impact structure used by the risk register (more on that later).  The matrix helps you to consider both factors and sets the stage for the determination of numerical probability and impact values for each risk event.

Probability Impact MatrixConfidence Estimates

A good risk management plan should have some sort of confidence range estimates, particularly for larger, complex projects.  These are excellent for management perusal and discussion.  They are simply an analysis by the risk management team (or project manager) of the potential deviation from the project plan.

It can be as simple as low/medium/high probabilities or as complex as statistical analysis of the probability of meeting deadline dates.

90% confidence estimateRisk Register

As I alluded to earlier, the real meat and potatoes of the risk management plan is in the risk register.  It contains a listing of the most important risks the project faces and how the project management team will deal with them.  The risk register is usually in table form and has the following columns:

  1. Risk Name/Description
    The risk event can be described with descriptors, such as “The contractor could incur additional material supply cost and attempt to pass this on to us.”  Risk identification is a fairly time consuming endeavor that should not be skirted.  See our potential risk checklist.
  2. Probability
    The likelihood of the event occurring.  If possible, a numeric value between 0 and 1 should be used which can be multiplied by the Impact (next column) to determine meaningful risk values.  But for smaller projects a 1-10 scale or “low/medium/high” is also satisfactory.
  3. Impact
    The impact of the risk event.  Again, a number between 0 and 1 or a dollar value is good because it results in meaningful overall risk values.
  4. Risk
    Since Risk = Probability x Impact, multiply the two previous columns together.  If a qualitative scale like low/medium/high was used, simply use the same qualitative scale to describe the overall risk level in light of the probability and impact of the event.
  5. Priority
    A good risk management plan will identify the most important risks to the project.  In this column, the risks will be prioritized starting from 1 and moving consecutively down until they are all prioritized.  Project sponsors, clients, and owners love this, by the way.
  6. Response Plans
    To complete the risk register, a response plan should be created for the top 3 (approximately) risks to the project.  Alternatively, they could be included outside of the table, but often a quick synopsis can make the risk register stronger.  Something like: “Account for project team, call hazardous spill group, and fill out incident form.”  Make it so you don’t have to think about the initial response.

Good luck with your Risk Management Plan, and let me know what tidbits you discovered along the way.

Related posts:

boat with sharksHow to Write a Risk Management Plan Project ManagerParts of a Risk Management Plan Road ClosedHow to Create a Risk Response Plan tightrope walkerProject Risk Management 101 boat with sharksGuide to Project Risk Management Risk managementThe Risk Management Approach in PRINCE2

About Bernie Roseke, P.Eng., PMP

Bernie Roseke, P.Eng., PMP, is the president of Roseke Engineering. As a bridge engineer and project manager, he manages projects ranging from small, local bridges to multi-million dollar projects. He is also the technical brains behind ProjectEngineer, the online project management system for engineers. He is a licensed professional engineer, certified project manager, and six sigma black belt. He lives in Lethbridge, Alberta, Canada, with his wife and two kids.

View all posts by Bernie Roseke, P.Eng., PMP

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Related Posts
View All
Get Started
Agile Project Management
Project Risk Management Resources
Tutorials
Certification
Project Engineer Store
Go to Store
PMP Exam: The Ultimate Study Guide E-book

Price: $17.99

Buy Now
Recent Posts
View All