In this article, you’ll find a real-life project risk management plan example. It comes from my 12 years of practical experience working on IT projects.
Additionally, below the example, you’ll find all the required information and resources to create your Project Risk Management Plan quickly and for free.
Risk Management Plan Definition
A risk management plan defines the general approach to managing risks on a project, including risk management processes, tools, techniques, funding, timing, and responsibilities. It includes references to all other risk management tools (e.g., risk register, risk assessment matrix).
Table of Contents:
- Risk Management Plan Example
- How to Create a Risk Management Plan and Make it Work in Your Team
- Risk Management Plan Template
IT Project Risk Management Plan Example
Introduction
An effective risk management plan describes how the team will manage the project risks, roles and responsibilities, and tools they use. All of its components are integral parts of the project management plan.
For the purpose of this document, the term “Project” means one release cycle from initiation to the deployment to the market in the overall product life cycle. The project follows an established project life cycle.
Project risks are uncertain events or conditions that, if they occur, have a positive or negative effect on a project’s objectives.
A risk event is the trigger for potential risks to materialize.
The main flow of the risk management process includes the following:
- Risk Identification
- Qualitative Risk Analysis (Risk Assessment)
- (Optional) Quantitative Risk Assessment
- Planning Risk Responses
- Implementing Risk Responses
- Monitoring Risks
This team follows the principle of one tool. As much as practical, we will keep all project documentation in Confluence {Google Docs, MS Office 365, Asana, ClickUp, etc.}. Please keep only one copy of the project risk management plan.
All team members and key stakeholders should have access to documentation and the ability to collaborate on it.
The main access point is here: {URL to risk management plan folder}
The project manager is responsible for educating the project team, clients, and project stakeholders on proper risk management skills.
The PM should initiate and facilitate all related activities to kick off risk management planning as soon as possible. The team should use an approved version of the risk management plan template.
Risk Identification
During the whole project life cycle, all key stakeholders and the team will continuously identify potential risks. All the time, we should ask a simple question, “What can go wrong here? Do you see any risks?”
The team should log potential risks into the risk register. It’s acceptable to perform risk assessment in batches at a later date.
The risk register is an integral part of the risk management plan.
Access the risk register here: {Link to risk register. The risk register template is available as part of the risk management plan template}
The team will use the following techniques:
- Interview
- Meeting
- Brainstorming
- Requirements analysis
- Project documentation review
- Delphi technique
- Expert interview
Besides continuous identification, the team will perform dedicated risk identification sessions for the following events/artifacts:
- During all grooming sessions.
- During a review of the release plan.
- Analysis of work breakdown structure.
- When a change request is approved.
- During an inspection of the architectural design.
- During the sprint planning meeting.
The project manager is also responsible for identifying risks outside of the team.
The project manager will review and analyze the company’s risk categories regularly.
The risk breakdown structure is located here: {Link to project risk breakdown structure}
Budget, Risk Tolerance, and Thresholds
{The project manager should discuss risk appetites, tolerance, and thresholds with clients. It’s a critical input for your risk planning. It will dictate your overall methodology, analysis, and responses for the project. You need to put this information below.}
- Risk appetite is a general and subjective description of an acceptable risk level.
- Organization’s risk tolerance is a measurable and specific project risk level.
- Risk threshold is a particular point at which risks become unacceptable.
{This section of the risk management plan is an example. You need to provide actual information from your clients!!!}
The budget for risk management activities is a part of the overall project budget stated in the project charter.
The risk management budget should not exceed 15% of the overall project budget.
This project is constrained by budget. That means it is also constrained by schedule, because the bulk of the project costs are the wages of the team.
Nevertheless, the project sponsor has allocated USD 12000 as a project management reserve for unknown risks. This reserve can be used as a contingency plan for unknown risks only.
Therefore, our overall approach is to generate alternative solutions for the project scope that will meet project objectives. Each risk response should increase the project’s success rate.
Qualitative Risk Analysis
{The risk management plan should clearly explain the methodology we use for risk assessment.}
The goal of this risk management process is to make a list of risks that require a proactive response. We should also identify urgent risks that need a response right now.
The project team should assess all risks in the risk register and identify probability and impact.
- Impact is the level of effect that risk will have on the project.
- Probability is the likelihood that the project risk will occur.
It’s not an in-depth analysis of potential risks. The team should spend an adequate amount of time to assess the risks.
After that, the team will use a risk assessment matrix to prioritize project risks that require a risk mitigation plan.
{You need to adjust the tables below based on your environment and risk appetites. This is arguably the most critical part of the entire risk management process.}
Impact Grades for Project Risks
Probability Grades for Project Risks
Impact-Probability Matrix (Risk Assessment Matrix)
In fact, a risk assessment matrix is just a visualization of priorities. It will help you assess risks.
Ensure that everyone understands the legend of your risk assessment matrix. It may be as simple as this:
- Red – risks that warrant a response.
- Yellow – project risks that require further analysis and investigation.
- Green – potential risks that can be ignored. Risk monitoring is still required here.
Quantitative Risk Analysis
{The risk management plan should clearly state whether we use any advanced risk assessment techniques. In most cases, project risks don’t need additional analysis.}
It’s not cost-efficient to perform a quantitative risk assessment for this project.
In exceptional cases, the project team may calculate the monetary value of critical risks and develop a decision tree.
Risk Response Plan
{A risk response plan is an action, reserve, or agreement that will help with risk mitigation. A risk response plan should follow methodologies described in this risk management plan}
The project may plan risk responses as additional tasks, reserves of time, reserves of budget, or adjustments to processes.
All risk responses should be logged in Jira as impediments or tasks. These Jira entries should be linked to the risks in the risk register.
Risk responses are part of the project scope, budget, and schedule. Therefore, all critical risks should be addressed during the project planning phase.
To overcome systematic project risks, the project team may introduce additional processes and workflows. They should be appropriately documented and approved by the Department Manager.
Other types of risk mitigation should be developed in collaboration with clients and department managers.
Each risk response plan should have a dedicated owner. It should be a specific person who will monitor the project risk and collaborate on risk management strategy.
The owner of the risk must manage the risk in all its aspects. In case of issues, the risk owner should escalate them to the project manager.
Implementing Risk Responses
{This section of the risk management plan should clearly describe roles and responsibilities for assigned project risks, risk assessment, and risk mitigation.}
The risk owner is responsible for:
- Monitoring the assigned risks.
- Reporting on the progress of response implementation.
- Reporting any changes to the risks.
- Identifying and logging any secondary or residual risks.
The project manager is responsible for the overall control of all risk management activities.
The project team will discuss immediate risks daily during scrum meetings.
The project manager will report on the immediate risks at every status report meeting.
Monitoring Risks
During the whole lifetime of the project, the project team will continuously monitor the existing risks. Risk assessment is also a regular activity.
- The team will review the risk management plan regularly.
- The team will review the risk register regularly.
- The team will review and update risk categories after risk events.
- The risk management team will monitor risks and control risk events.
- The risk management team will have regular brainstorming sessions.
- The risk management team will assess the risk of newly discovered threats.
- The risk owner will control the risk’s impact and probability.
- Risk owners will assess the efficiency of risk responses.
- Risk owners will keep the risk register up-to-date.
- The project manager will continuously coach the team and clients on the best practices of risk management.
- Subject matter experts may conduct risk audits on demand.
- Project owners will help to manage risks related to their side of the business.
How to Create a Risk Management Plan and Make it Work in Your Team
Below is the step-by-step action plan you can use to kickstart risk management on your project.
Step 1: Get a Project Risk Management Plan Template
First things first. Write out your risk management plan.
It’s not that difficult, but you need to plan before you act! You can use my project risk management plan template as a starting point.
Here’s a tip:
An essential part of this process is to define probability and impact levels clearly. The risk matrix is your most frequently used risk management tool.
Step 2: Create a Risk Register Document
The risk register is a cornerstone tool in project management. Therefore, you should integrate it through the risk management planning process.
Create a template that is aligned with what you described in the risk management plan.
If you don’t know where to start, look at my article about the Risk Register. You can find a template there.
Step 3: Explain the Methodology to the Project Team
Risk management planning can be tricky with an inexperienced team. In this case, I highly recommend writing out a simple risk management plan.
Why?
Risk management tends to separate actual estimates of efforts and costs required to finish a task from all fears, uncertainty, and buffers.
People don’t like to show uncertainty, inefficiency, or incompetence. Likewise, they don’t want to expose others. It’s a conflict, and no one likes conflicts.
That’s why it’s so important to send the right message.
Step 4: How to Get the Buy-In From the Team
The risk management plan is just a tool. It is your reference point.
However, a project manager must explain what the benefits of proper risk assessment are.
What’s the main message?
You want to reduce the level of stress for the team and stakeholders.
Risk management helps to control the work with less tension by tackling known risks as planned tasks.
But how does it work?
You have a commitment from a team member. He or she explained a potential risk.
After that, together, you agreed to try to assess potential risks. It increases the risk exposure. Therefore, the whole team can help to mitigate risks.
This way, the manager is aware of the problem early on. There are management reserves for risk management. And it’s a valid reason to use them.
Everyone will be aware of the new project risk and the actions taken to resolve the issue. In most cases, everyone will be supportive.
Step 5: No More Buffers, Only Specific Risks
Transparency is the key:
You need to ensure that all buffers transform into risk responses, contingency, or management reserves.
Only this way can you control the project work.
The risk management plan should clearly communicate that we should operate with risk reserves rather than buffers. Only approved risk mitigation strategies should be used.
That’s because a project manager needs to know the exact amount of “buffer” for each task. Moreover, it is critical to monitor whether the reserve was actually used or not. Was it even efficient?
Step 6: Describe Responsibilities
A risk management plan defines two key responsibilities:
- General responsibility for following the risk management plan.
- Responsibility for a specific risk.
You can’t do risk management efficiently on your own. In theory, the whole organization should think about the risks of a project. Risk exposure is critical!
That leads to the next important point.
Step 7: Clear Expectations
The risk management plan should set clear expectations for each team role.
In most cases, you will need to build a role hierarchy. All team members should actively participate in risk identification.
Team leads and senior experts should also:
- Assess the qualitative and quantitative impact
- Develop response plans
- Establish risk monitoring
- Control the efficiency of response plans
- Escalate related problems
Identify Risks Continuously
Now it’s time to develop a habit of talking and thinking about risks.
Once you feel that you understand the scope of work, know what the project team needs to do, and are quite happy with the estimates, ask these questions:
- What can go wrong?
- What will delay us?
- What if… and name all dependent activities.
- Can this part of the project impact the project management plan?
Don’t stop here. Think of different scenarios and “what if” cases. If something bothers you or the team, put it into the Risk Register.
As an additional source of ideas, check this list of risk categories (risk breakdown structure).
Step 8: Log all Risks into the Risk Register
During planning, the risk register should be close at hand. You need to identify risks continuously.
I prefer to have a bookmarked Google spreadsheet. It is always accessible and easy to update rapidly.
But again, all your project risk management tools should be linked in the plan. Remember that people don’t know what they don’t know.
Step 9: Analyze and Shortlist Risks at Key Events
At some point, you will have a good draft of a project management plan. Also, there should be an extensive list of risks.
By this moment, you’ll have some experience in managing risks with your team. Don’t be afraid to adjust documents and the approach if needed.
After that, take the list and assess each risk in terms of impact and probability. Focus on the most severe ones and put them aside for further analysis.
Step 10: Make Risk Response Plans a Part of the Project
Once you have shortlisted the Risk Register, select the risk you want to work with.
Collaborate with the project team and stakeholders to identify possible steps, extra activities, or reserves to mitigate or avoid the risk. You may need to explain typical risk mitigation strategies.
Make these activities and reserves a part of your project.
By the way, don’t forget to keep an eye on opportunities. It is wise to leverage any chance to improve the project’s progress.
Step 11: Talk About Risks Daily
New, potential, and identified risks should be a part of your work with the team and project stakeholders.
You need to be aware of the project risks that may happen soon. Look for triggers and risk events, and control the implementation of risk responses. Overall, monitor risks all the time.
Risks are not static. They change their properties.
New risks may appear. Known risks may go away.
What’s important:
You should also perform risk identification as a part of any change request. Changes always impose risks.
So, it’s a good idea to clearly describe daily risk assessment activities in the risk management plan.
Risk Management Plan Template
Unfortunately, this article was just one piece of a complex project risk management framework: many other processes happen before and after this one.
If one part doesn’t work, the whole system breaks.
My Risk Management Plan Template connects all processes and tools into one cohesive system. It also provides access to other articles and videos on risk management.
Don’t put your projects and reputation at risk. Ensure you know how risk management works in the real world.
All successful project managers know it’s better to learn from someone else’s experience (aka lessons learned). Tap into my 12 years of practical IT experience and get the Risk Management Plan Template.