Risk Management Plan and Sample Templates

It doesn’t matter how well you plan a project. All projects are prone to risk which may or may not materialize during project execution stage. The risk could be as simple as project member’s unplanned leave which could affect a specific task to as big as a natural calamity which cripples the entire project.  Having said that, it doesn’t mean we should look like a sitting duck out there waiting for the risk becomes imminent. There are procedures in project management which would help us to identify the potential risks, analyze the possibility of those risk occurrence and ways to mitigate or minimize the risk impact on the projects. The risk management procedures should be performed before we start the project and it should be meticulously monitored during the entire project lifecycle. Course corrections need to be deployed on all risk measures as and when required.

In a nutshell, risk is an uncertain event which can arise due to both internal and external factors that might affect the project performance negatively or positively. You must be surprised to see the word “Positive” associated with the term “risk”. It is not true that all risks will result in negative outcome. There are certain events or conditions which could help your projects in a positive way. For an example, a change in government regulation or a drastic drop in one of the raw material prices could help your project execution easy or save project cost a lot. When these happen, we call them opportunities and they should be handled in the same way as risk.

Now, how can we mitigate the risks that we identified? There are various procedures that need to be deployed based on the risk-type we are dealing with. Do you think that we can avoid all possible risks in a project?  A simple answer would be ‘No’.  One cannot foresee or mitigate all possible risks. However, one should identify all risks associated with the project, analyze and deploy ‘Plan B’ for possible risks based on project timeframe, budget and criticality. The idea here is to identify and anticipate all risks in advance which would be better than some unknown risks cripple the project and dealing with them when it is too late to do anything about it.

Hmmm…. The overall risk management plan would define all the possible risks to the project and how we are going to address them. It also documents how the risk to be assessed, responsible project members and risk planning duration. Risk planning is not a onetime activity and it should be performed throughout the project at set duration in order to reevaluate the identified risks and to explore any new risks. Also, it is imperative to come out with a mechanism to measure the impact of each identified risk and the probability of risk occurrence. Some risks are most likely to occur and others are not. In the same way, we would need to figure out the frequency of each risk occurrence.

Risk Management Process

Managing risks in a project is a step-by-step disciplined process that includes risk identification, assessment, mitigation plan and risk monitoring. Risk identification is a structured creative process includes brainstorming sessions where project members are asked to come up with a list of potential risks which might affect the project during execution. In this process, all possible risks should be considered and the more the number of risks identified in advance, the better for the project (quality over quality).

Risk assessment process involves evaluation of potential impact of each risk documented during the risk identification stage. In this assessment stage, risks will be evaluated and quantified based on the impact level to the project. Risk mitigation plan involves prioritizing the risks and devise plans to eliminate/reduce the impact of risks. As I mentioned earlier, risk management process is not a onetime activity and this plan needs to be reviewed and updated on a regular interval during the entire life cycle of the project in order to keep cost, scope and timelines (Triple Constraints) in check.

Risk Management Process
Risk Management Process

Risk Identification: Identify risks to your project

Risk management plan starts with identifying all potential risks that may affect your project. It is crucial to understand the scope of possible risks so that the project manager can develop inclusive, pragmatic and cost-effective solutions for dealing with them. Project manager needs to take a holistic view while considering the type of risks that may affect the business instead of just focusing on the obvious issues such as fire or competition.

Before identifying risk, a thorough assessment of your business is a key. A project manager needs to think about the critical and milestone activities, key resources and roles and crucial business services that he intends to offer through his business. Also, a fair idea on the external business environment will come handy while identifying external risks.

The following are the some of the useful techniques in identifying risks.

  • Ask ‘what if?’ questions
  • Brainstorming sessions with project stakeholders
  • Considering worst case scenarios
  • Expert Interview
  • Risk Assessment meetings
  • Using historical reviews of similar projects

Some companies may create risk checklist based on their past experience with similar projects. This can be used as a good starting point and the project team can develop their own list of risk items by expending them.

Another useful technique would be to identify the risk by its category such as Technical, Cost, Schedule, Resource etc. In this case, the categories of risk will be identified first and then the related risk items will be classified underneath them with a greater detail. This framework is called Risk Breakdown Structure (RBS) which would provide a disciplined process for the team to identify and organize risks based on their category.

Risk Assessment/Evaluation: Analyze and evaluate the impact of risks

Not all fingers are equal and the same goes for risks as well. Some risks are almost certain where as other risks are less likely to happen. Also, impact of the risk towards project (such as cost, schedule etc) may vary from risk to risk. Once all the potential risks associated with the project are identified by the project stakeholders, the risk manager needs to quantify each risk by estimating its probability of occurrence and severity.

It is important to mention your top three risks in the Risk Management Plan. In order to identify the critical risk, risk manager should formulate an effective criteria and evaluation method to cherry-pick the high-impact risks. This would help him/her to narrow the focus on the critical ones and to plan mitigation. For an instance, if you identify any risk that could increase the project planned budget by 6% then extra attention should be given to that risk while preparing project risk mitigation plan. Hence, Risk evolution is all about developing a methodology to identify project critical risks that has high possibility of occurrence and greatest adverse impact on the project.

Risk Matrix
Risk Matrix: https://pm4id.org

Normally, project risk is positively correlated with complexity of project. For an example, a project with new technology can be rated as complex and normally have high risks associated with it. As the project is using an emerging technology, the resources involved in that project may face some unexpected problems and these risks need to be identified and the mitigation plan should be put in place in advance.

Risk evaluation process happens with a series of brainstorming sessions in a workshop setup. The identified risk events will are analyzed individually and rated based on likelihood and impact. Potential cost impact and possibility of occurrence are rated as High, Medium and Low. Project manager must make sure that the risk mitigation plan addresses all the risk events with high ratings on impact and likelihood.

Risk Mitigation: Treat risks to your project

When you are planning a project and identifying the risks associated with the project, those risks are still uncertain; they may or may not happen during the execution of the project. If the potential risks that you have identified turn up, you would need to be prepared to deal with them. An identified risk can be treated in four different ways based on different project factors. Before we get into the basic methods of treating risks, let’s consider a hypothetical project for a better understanding.

Imagine that the project is to make a person stand at the edge of a two storied building. To make things worse, assume the climate is rainy and windy so the terrace is kind of slippery and uneven too. Hence, the person standing at the edge of the terrace is more likely to fall. Falling from the roof is the one of the risks that we can come up with this project. Now, let us see how we can deal with this risk using different methods.

  1. Avoid: The best thing you can do with any risk is to avoid it completely. If you can avoid the risk from happening, it is no longer going to affect the project’s desired outcome. In our example, you make the person to stand in the middle of the terrace rather than at the edge. This way, you can prevent him falling from the building. This may not be an option on the project in most cases.
  2. Mitigate: As we discussed above, it’s not possible to avoid all risks. If we cannot completely avoid a risk, we can build some mechanism or take some sort of action that would reduce the damage to our project in case of risk occurrence. In our example, in order to mitigate the risk of person falling down from roof, we can either use rope grab or safety net installation.
  3. Transfer: Another effective and practical way to deal with any kind of risk would be to pay some else to accept the risk for you. Insurance is the most widely used risk transfer mechanism so any adverse outcome (falling from terrace) will be compensated by the insurance company or third party by paying a relatively small premium in advance
  4. Accept: In some case, an identified risk cannot be avoided, mitigated or transferred to a third party. This is a type of risk for which you can do nothing and you would need to accept the risk as integral part of project and hope for the best. Going back to our example, let’s assume that building a safety net is not economically feasible and no third party is ready to bear the risk then you have no option but accept the risk of falling from roof and continue with the project execution.

Implementation and Control: Review and update your plan

Similar to your business, industry and environment in which you operate the risks can also change. Hence, it is imperative that you will need to continuously examine, evaluate and update your risk plan throughout the project life-cycle. Regularly reviewing and updating the risk plan enables you to uncover any new risk that arises during project execution or the one the team missed during risk identification stage. Also, this helps you in monitoring the effectiveness of your risk mitigation strategies.

The risk review results should be recorded and reported to the appropriate management committee by the project manager. These results also act as an input for any future review and help to develop the overall project’s risk management framework as a part of continuous improvement process. Responsibilities for monitoring and reviewing risk plan in action and the threshold levels should be clearly defined. Hence, this process will;

  • Make sure that all risk controls are effective and efficient in both setup and operation level
  • Help to obtain further data points to improve risk assessment for current and future projects
  • Help in analyzing risk management plan with respect to successes, failures, near-misses and trends
  • Assist in identifying new and upcoming risks

This is not a onetime activity rather an ongoing process so that each risk event in the risk registers is continuously appraised. Here is an example of how the results can be documented in a risk register.

Risk Monitoring and Review

Sample Risk Management Plan Templates


Recommendations for Insights

 Watch this risk management training video to learn simple processes, tools and techniques for handling project risks. This video helps you to understand the beauty of risk and a few basic concepts to build an effective risk management plan for any project type.

You might be interested in reading these articles related to project risk management plan

You might be interested in reading related news stories on project risk management plan

Recommended books to read on project risk management plan

  • A report says over 40% of capital projects experience cost and schedule overruns and the project manager is expected to deliver his promises in an environment of increasing uncertainty and ever-growing stakeholder expectations. This book is not just another collection of management theories but a succinct guide for risk practitioners. Its unique ATOM methodology (Active Threat and Opportunity Management) methodology can be applied to projects of any size and industry


  • Today’s projects are more time constrained, test the technical limits and rarely have adequate resources which make them almost “Mission Impossible”. All of these lead to greater project risk and low chance of being a success. Throughout this book, sample modern projects show us how effectively new ideas can be implemented to make the impossible possible

Leave a Reply

Your email address will not be published. Required fields are marked *