The Risk Management Plan is the document that explains how the organization will address activities within the project. According to the PMBOK®, the following elements can be included in the Risk Management Plan:
- Risk strategy: What is the general approach to managing risks in the project?
- Risk management methodology: As an extension to the risk strategy, what specific approaches, tools, and data sources are used to perform risk management?
- Roles and responsibilities: Who does what in terms of risk management?
- Funding: How are risk activities funded for the project? How much for contingencies? How much for reserves? Where does the funding come from?
- Timing: When should the team perform risk activities?
- Risk categories: How are risks classified? For example, they could be technical, management, commercial, or external risks.
- Stakeholder risk appetite: How much risk, and what type of risks, are the stakeholders willing to accept on the project? What objectives of the project assume more risk than others?
- Definitions of risk probability and impacts: What are the levels of risk and their associated probabilities? What is the impact on the project of these levels of risk? For example, a risk classified as “Very High” could have a probability of occurrence of >70%, a time impact of >6 months, a cost impact of >$5M, and a very significant impact on the quality of the product. These are just examples and need to be defined for each project relative to the scale of the project.
- Probability and impact matrix: This is a matrix mapping the probability of the risk occurring to the impact of the risk. The impact could be either positive or negative. For example, there could be a risk which has a high probability of occurring, but whose negative impact on the project is exceptionally low. This would result in a very low threat to the project. This scoring matrix is used to assess the real threats (or benefits) to the project if a risk is realized.
- Reporting formats: How should the team document, analyze, and communicate risks?
- Tracking: How should risks be tracked?
Note that none of these items yet names the risks. The items noted above only establish a framework for how risks will be identified, documented, and assessed. This Risk Management Plan is an input to other plans needed for a complete project management plan.
One of the benefits of an Agile (or Adaptive) approach is that not all of the risks may need to be identified up front. However, since what is noted above is not the risk identification but the framework for handling risk, this is one of the upfront planning tasks that should not be put off. If it is delayed, then the team will not know how to handle risks as they are found along the way in a project, including all the risks identified at the beginning of a project. Therefore, constructing a Risk Management Plan is part of any project, no matter the execution method.
In the next post, we will look at inputs and outputs within the PMBOK® before moving on with other plans.