What Is a Project Risk Management Plan?
Project teams create a project risk management plan, a document that helps identify and assess potential risks to a project. The plan outlines how your team will analyze and mitigate the potential risks to ensure project success.
The project risk management plan is one of the most important documents in project risk management. You can learn more about project risks in general, as well as specific types of project risks, in our comprehensive guides.
What Does a Risk Management Plan Cover?
A risk management plan should cover a number of areas detailing potential project risks and how your team will deal with them. It will include a description of the project, along with how your team will identify and assess risk.
At a minimum, your project risk management plan should include the following details:
- Project description, including its purpose
- The team plan for identifying, logging, and assessing potential risks
- How the team will identify broad categories of risk
- How the team will evaluate the severity of each potential risk
- How your team will continue to monitor risks throughout the project
- How team members will be assigned as owners of various risks
- Your organization’s tolerance for certain risks, along with criteria for a risk being too large to accept
“A risk management plan defines how the risks for a project will be handled to ensure that the project can be completed within the set timeframe,” says Veniamin Simonov, Director of Product Management at NAKIVO, a backup and ransomware recovery software vendor. “The plan should cover methodology, risk categorization and prioritization, a response plan, staff roles, and responsibility areas and budgets.”
“The risk management plan will address ‘What are we going to do? How are we going to do it? What are the processes we're going to follow?’” says Alan Zucker, Founding Principal of Project Management Essentials. “It may include things such as what are the major categories you're going to use to define your risks. It might also include some guidelines for assessing risks.”
Components in a Project Risk Management Plan
A project risk management plan will include certain components and describe how your project team will use certain tools to understand and manage potential risks. Some components include a risk register, a risk breakdown structure, and a risk response plan.
Here are components or tools that a project risk management plan often includes or describes:
- Risk Register: A risk register is the document your project team will use to identify, log, and monitor potential project risks.
- Risk Breakdown Structure: A risk breakdown structure is a chart that allows your team to identify broad risk categories and specific risks that fit within each category. Your team can decide on the broad categories, depending on your project.
- Risk Assessment Matrix: A risk assessment matrix is a chart matrix that allows teams to score the severity of potential risks based on both the likelihood of each risk happening and the impact to the project if a risk happens.
- Risk Response Plan: A risk response plan is a document that details how your team plans to respond to each potential risk to try to either prevent it from happening or lessen the impact if it does happen. You can learn more about project risk mitigation.
- Roles and Responsibilities: The risk management plan can provide details on the project risk management team, including the lead member for risk management. It also likely details the roles and responsibilities each team member will have in addressing and dealing with specific risks.
- Risk Reporting Formats: The risk management plan describes how the project team will document and report its work on monitoring and dealing with risks. It describes the risk register format that the team will use. It might also describe how risks will be added to or deleted from the register and how the project team will provide periodic summarized risk reports to top project and organization leaders.
- Project Funding and Timing: The plan will likely have a section describing the overall funding and timing for the project. That section also likely details funding for all project risk management work.
To determine what you need to include in your risk management plan, see the following requirements based on project size:
| | Small Project (short duration; 2-4 members of project team) | Medium Project (duration of several weeks to several months; medium-sized project team) | Large/Complex Project (duration of year or more; large project team) |
|---|---|---|---|
| Risk management plan | X | X | |
| A basic risk register, to include columns for description of risk, its potential impact and priority, and who is responsible for monitoring | X | | |
| A detailed risk register, to include everything in basic risk register along with details on risk triggers and likely timing of risks, risk mitigation details, and status of mitigation response | X | X | |
| Risk breakdown structure | X | | |
| Risk assessment matrix | X | X | X |
| Risk response plan for priority risks | X | X | |
| Periodic risk management reports to organizational leaders | X | | |
An Organization’s Risk Management Plan Often Doesn’t Change with Projects
Many risk management experts emphasize that an organization’s project risk management plans might not change much from project to project. That’s because the plan sets out particulars that will be followed for all projects.
“Remember, it's just an approach document that answers the question: How?” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “The company or the department as a whole should have a single risk management plan that gets built as you're building your project management methodology. And it’s your Bible. It’s your guidebook.
“But it isn't going to change across projects,” Reynolds continues. “What changes are the artifacts, including the risk register. But your approach of how you're going to address risk or analyze risk or plan for risk is in the project risk management plan document. As a company or organization, you create that document, and it exists for a year or two years without changing.”
How to Create a Project Risk Management Plan
To create a project risk management plan, your team should gather important documents and decide on an approach for assessing and responding to risks. This process involves gathering support documents, listing potential risk management tools, and more.
Consider some of these basic steps and factors as you begin creating the project risk management plan:
- Gather Supporting Documents: Gather and read through supporting documents related to the overall project, including the project and project management plan. It’s important for your project risk team to have a full view of project goals and objectives.
- Frame the Context: Make sure your team understands both the business value of the project and the impact on the organization if the project fails.
- Decide on Risk Assessment Criteria: Decide how your team will identify and assess important risks. That will require your team to have an understanding of which types of risks your organization can tolerate and which risks could be ruinous to the project.
- Inventory Possible Risk Management Tools: Make a list of risk management tools and documents that your team might use to help identify and manage project risk.
- Think About Risks in Categories: Consider which categories of risk are relevant to your project, such as internal and external risks. It might mean thinking about other ways to categorize risks.
Your team should also think broadly about risks as known, unknown, and unknowable:
- Known Risks: At the start of a project, team members will be able to identify a number of known risks, such as budget issues, shortages of material, and human and other resource constraints, which are measurable and based on specific events.
- Unknown Risks: At the start of a project, team members will not be able to identify a range of unknown risks that could impact your project. Those risks are not as easily or objectively measurable as known risks and can crop up at any point during a project. A main goal of project risk management is to help your team discover and address unknown risks before they happen.
- Unknowable Risks: Your team will not be able to anticipate unknowable risks that could affect the project, such as catastrophic weather events, accidents, and major system failures.
- Understand Human Bias: Studies have shown that people overestimate their ability to predict and influence the future. We often think we have more control than we do. Those biases can affect how we assess and manage risks in a project. We tend to give too much credence to what happened with past processes, fall into agreement with others in our group, and be more optimistic than we should be about how long a project will take or how much it will cost.
It’s important to account for all of those biases as your team identifies and assesses project risk.
Steps in Developing a Project Risk Management Plan
After your project team has gathered documents and done other preparation work, you will want to follow nine basic steps in creating a project risk management plan. Those start with identifying and assessing risks.
Here are details on the nine steps of project risk management to keep in mind while drafting your project risk management plan:
- Identify Risks: Your team should gather information and request input from team and organization members to determine potential risks to the project. Some specific risks can threaten many projects. Other risks will vary, based on the type of project and the industry.
“If you're talking about a software project, you could have risks associated with the technology, resources, and interdependencies with other systems,” says Zucker. “If you have vendors you're working with, there may be risks associated with the vendors. There may be risks that are software- or hardware-specific. If you're working on a construction project, those risks obviously would be very different.”
You can learn more about project risk analysis and how to identify potential risks to a project.
- Assess Potential Impact of Each Risk: After your team identifies potential risks, it can assess the likelihood of each risk, along with the expected impact on the project if the risk happens. Your team can use a risk matrix to identify both the likelihood and impact of each risk. You can learn more about how to create a risk matrix and assess risks.
- Determine Your Organization's Risk Threshold and Tolerance: Your team will want to understand your organization’s risk threshold, or tolerance for risk. Organization leaders might decide that some risks should be avoided at all costs, while others are acceptable. Take the time to understand those views as you prioritize project risks.
- Prioritize Risks Based on Impact and Risk Tolerance: Once your team assesses the potential impact of a risk and your organization's risk tolerance for risks, it will prioritize risks accordingly. “Prioritize risks based on their disruptive potential for an organization,” says Simonov.
- Create a Risk Response Plan: Your team should then create a response plan for each risk that the team considers a priority. That response plan will include measures that could prevent the risk from happening or lessen the risk’s impact if it does happen.
- Select Project Risk Management Tools: Your team will need to decide on the best risk management tools to use for your project. That will likely include a risk register and a risk assessment matrix. It might include other tools, such as Monte Carlo simulations. Learn more about various tools and documents to use in risk management.
- Select an Owner for Each Risk: Each identified risk should have an assigned owner. In some cases, a department might be an owner of a risk, but most often, the team will assign individuals to monitor risks. In some cases, the owner will be responsible for dealing with the risk if it happens. Teams can list the owners of each risk on their project risk register.
- Determine Possible Triggers for Each Risk: As your team conducts a closer assessment of all risks, it should identify risk triggers where possible. Triggers are events that can cause a risk to happen. Your team won’t be able to identify triggers for all risks, but it will for some. For example, if you have a plant without sufficient backup power, a trigger could be warnings of a violent storm that could cause a power outage.
- Determine How Your Team Will Monitor Risks: An important part of your plan includes recording concrete details about how your team will ensure that it can continually monitor risks throughout the life of a project.
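The nine steps above map naturally onto a small risk register. The following Python script is an added example, not code from the article, Smartsheet, or Arrowhead Consulting: it scores each risk with a likelihood-by-impact assessment matrix, compares the score with an assumed organizational tolerance, prioritizes the risks above it, and records an owner and trigger for each. It also goes one step beyond the steps listed here by carrying an optional probability-times-cost estimate per risk, which is the kind of quantitative view the article's quantitative risk impact matrix template describes. The five-point scales, the rating bands, the tolerance value of 6, and the sample risks are all this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed five-point scales; the article does not fix a scale, so these labels
# and the rating bands below are this example's assumptions.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Risk:
    """One row of a risk register."""
    name: str
    category: str                  # broad category from the risk breakdown structure
    likelihood: int                # 1-5, see LIKELIHOOD_SCALE
    impact: int                    # 1-5, see IMPACT_SCALE
    owner: str                     # person or department that monitors the risk
    trigger: str = ""              # event that signals the risk is about to happen
    response: str = ""             # planned response for priority risks
    probability: float = 0.0       # optional quantitative estimate, 0.0-1.0
    cost_if_realized: float = 0.0  # optional monetary impact if it happens

    def __post_init__(self) -> None:
        # Reject inputs outside the matrix so a typo cannot silently mis-rank a risk.
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")


def severity(risk: Risk) -> int:
    """Risk assessment matrix cell: likelihood x impact, range 1..25."""
    return risk.likelihood * risk.impact


def rating(score: int) -> str:
    """Map a matrix score to a qualitative band (bands are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def expected_cost(risk: Risk) -> float:
    """Quantitative view: probability-weighted monetary impact."""
    return risk.probability * risk.cost_if_realized


def prioritize(register: list[Risk], tolerance: int) -> list[Risk]:
    """Risks above the organization's tolerance, most severe first.

    Ties on the matrix score are broken by expected cost, so the quantitative
    estimate refines the qualitative ranking instead of replacing it.
    """
    above = [r for r in register if severity(r) > tolerance]
    return sorted(above, key=lambda r: (severity(r), expected_cost(r)), reverse=True)


def summarize(register: list[Risk], tolerance: int) -> list[dict]:
    """Rows for a periodic risk report: score, band, owner, trigger, and whether
    the risk is accepted (at or below tolerance) or needs a response plan."""
    rows = []
    for risk in sorted(register, key=severity, reverse=True):
        score = severity(risk)
        rows.append({
            "name": risk.name,
            "category": risk.category,
            "score": score,
            "rating": rating(score),
            "expected_cost": round(expected_cost(risk), 2),
            "owner": risk.owner,
            "trigger": risk.trigger or "none identified",
            "status": "accepted" if score <= tolerance else "response plan required",
        })
    return rows


# Constructed sample register for a hypothetical software project.
SAMPLE_REGISTER = [
    Risk("Vendor delivers integration late", "external/vendor", 4, 4,
         owner="Procurement lead", trigger="Vendor misses an interim milestone",
         response="Weekly checkpoints; stub the interface so testing can continue",
         probability=0.4, cost_if_realized=50_000),
    Risk("Key engineer leaves mid-project", "internal/resources", 2, 5,
         owner="Engineering manager", trigger="Resignation notice received",
         response="Pair on critical modules; keep design docs current",
         probability=0.2, cost_if_realized=80_000),
    Risk("Power outage at site without backup power", "external/infrastructure", 2, 4,
         owner="Facilities", trigger="Severe storm warning issued",
         response="Rent a generator when a warning is issued",
         probability=0.1, cost_if_realized=120_000),
    Risk("Minor UI scope change requests", "internal/scope", 3, 2,
         owner="Product owner", probability=0.6, cost_if_realized=5_000),
    Risk("Test environment down for a day", "internal/technology", 3, 1,
         owner="Platform team", probability=0.5, cost_if_realized=1_000),
]

ORG_TOLERANCE = 6  # assumed: a matrix score of 6 or below is accepted as-is

if __name__ == "__main__":
    for row in summarize(SAMPLE_REGISTER, ORG_TOLERANCE):
        print(row)
    print("Priority risks:", [r.name for r in prioritize(SAMPLE_REGISTER, ORG_TOLERANCE)])
```

With the sample data, the vendor risk scores 16 (critical), the staffing risk 10 and the outage 8 (both high), and the two scope and environment risks fall at or below the tolerance of 6 and are reported as accepted. The `status` column is what a plan's "risk tolerance" section turns into in practice: a rule the register can apply the same way every reporting period, rather than a judgement re-made at each review.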
Risk Management Plan Examples, Templates, and Components
Examples of project risk management plans can help your team understand what information to include in a plan. The risk management plan can also detail various components that will be part of your team’s risk management.
Project Risk Management Plan Template
Download the Sample Project Risk Management Plan Template for Microsoft Word
Download this sample project risk management plan, which includes primary components that might be described in a project risk management plan, such as details on risk identification, risk mitigation, and risk tracking and reporting.
Download the Blank Project Risk Management Plan for Microsoft Word
Use this blank template to create your own project risk management plan. The template includes sections to ensure that your team covers all areas of risk management, such as risk identification, risk assessment, and risk mitigation. Customize the template based on your needs.
Project Risk Register Template
Download the Sample Project Risk Register for Excel
This sample project risk register gives your team a better understanding of the information that a risk register should include to help the team understand and deal with risks. This sample includes potential risks that a project manager might track for a construction project.
Download the Blank Project Risk Register Template for Excel
Use this project risk register template to help your team identify, track, and plan for project risks. The template includes columns for categorizing risks, providing risk descriptions, determining a risk severity score, and more.
Quantitative Risk Register Template
Download the Sample Quantitative Project Risk Impact Matrix for Excel
This sample quantitative project risk impact matrix template can help your team assess a project risk based on quantitative measures, such as potential monetary cost to the project. The template includes columns where your team can assess and track the probability and potential cost of each project risk. The template calculates a total monetary risk impact based on your estimates of probability and cost.
Risk Breakdown Structure Template
Download the Risk Breakdown Structure Template for Excel
Your team can use this template to create a risk breakdown structure diagram that shows different types of risks that could affect a project. The template helps your team organize risks into broad categories.
Step-By-Step Guide to Creating a Project Risk Management Plan
Below are step-by-step instructions on how to fill out a project risk management plan template. Follow these steps to help you and your team understand the information needed in an effective risk management plan.
This template is based on a project risk management plan template created by Arrowhead Consulting of Tulsa, Oklahoma, and was shared with us by Kris Reynolds.
- Cover Section: Provide information for the cover section, also known as the summary section. This will include the name of the project, the project overview, the project goals, the expected length of the project, and the project manager.
- Risk Management Approach: Write a short summary of your organization's overall approach to project risk management for all projects, not only the project at hand. The summary might describe overall goals, along with your organization’s view of the benefits of good project risk management.
- Plan Purpose: Write a short summary explaining how the plan will help your team perform proper risk management for the project.
- Risk Identification: Provide details on how your team plans to identify and define risks to the project. Those details should include who is assigned to specific responsibilities for risk identification and tracking, as well as what information and categories will be included in your team’s project risk register.
- Risk Assessment: Provide details on how your team will assess the probability and potential impact of each risk it has identified. Your team should also include details on any risk matrices it plans to use and how the team will prioritize risks based on those matrices.
- Risk Response: Provide details on the ways your team can choose to respond to various risks. In the case of high-priority risks, that will include prevention or mitigation plans for each risk. In the case of low-priority risks, or risks that might be prohibitively expensive to mitigate, it might include accepting the risk with limited mitigation measures.
- Risk Mitigation: Provide more details on how your team plans to lessen the likelihood or impact of each risk. Your team should also provide details on how it will monitor the effectiveness of prevention and mitigation strategies, and change them if needed.
- Risk Tracking and Reporting: Provide details on how your team plans to track and report on risks and risk mitigation activities. These details will likely include information on the project risk register your team plans to use and information on how your team plans to periodically report risk and risk responses to organizational leadership.
Do Complex Projects Require More Complex Project Risk Management Plans?
Experts say that complex projects shouldn’t require more complex project risk management plans. A project might have more complex tools, such as a more detailed risk register, but the risk management plan should cover the same basics for all projects.
“The problem is, most people get these management plans confused. They then start lumping in the artifacts [such as risk registers] — which can be more complex and have more detail — to the risk management plan itself,” says Reynolds. “You want it to be easily understood and easily followed.
“I don't think the complexity of the project changes the risk management plan,” Reynolds says. “You may have to circulate the plan to more people. You may have to meet more frequently. You may have to use quantitative risk analysis. That would be more complex with more complex projects. But the management plan itself — no.”
Effectively Manage Project Risks with Real-Time Work Management in Smartsheet
From simple task management and project planning to complex resource and portfolio management, Smartsheet helps you improve collaboration and increase work velocity, empowering you to get more done.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.