The purpose of this document is to provide a framework on risk management activities during <PROJECT NAME> lifecycle. This document details out the approach towards risk identification, analysis of risks, mitigation plans, risk monitor and control and lessons learned. The purpose of the risk management plan document is not to address the mitigation plan for the individual risks – these are all covered in Risk Register.
Using this risk management planning, project team strives to minimize the negative risk and maximize the opportunities for the project success. This will be done by a systematic approach – identifying all possible (both positive and negative) risks associated with the project and the possibility of occurrence and their impact on the project. Action plan will be created for the identified risks in order to manage them during project lifecycle. Risk management planning is a repeated and on-going process throughout the project lifespan and it should be started as early as project initiation. The risk management activities and its approach will be reviewed on a regular basis and the risk management plan along with the risk register will be refined accordingly.
Below are the primary audience for this risk management plan document.
- <PROJECT NAME> Project Team
- <PROJECT NAME> risk key stakeholders
- <PROJECT> Risk Manager
Project risk manager and key stakeholders are the ones who approve this plan.
1.1 Scope of this Document
The scope of this document is to provide a framework on risk management activities during <PROJECT NAME> lifecycle.
This document describes the risk management activities and approaches for the <PROJECT NAME> which mirrors the <PROJECT> risk management approach and uses the same tools and techniques.
1.2 References (See Appendix for sample tools)
Below are the references used in the development of this plan.
- Project Management Institute (PMI©) – PMBOK© 2003 Edition
2.0 Risk Management Strategy, Tools and Methods
2.1 Risk Management Strategy
Using the risk management strategy, project team strives to minimize the negative risk and maximize the opportunities for the project success. This will be done by a systematic approach – identifying all possible (both positive and negative) risks associated with the project and the possibility of occurrence and their impact on the project.
The risk management activities are:
- Risk Management Planning
- Risk identification – identification all known project risks
- Risk Analysis – assess the probability and potential impact of the identified risks
- Risk Response Planning – create mitigation plans to manage the identified risks
- Risk Monitoring and Control – monitor, review and update risk plan and their status
- Risk Closeout – document the outcome and use the lessons learned in future
Risk management planning is an iterated and on-going process throughout the project lifespan and it should be started as early as project initiation. Philosophy of non-risk adverse will be applied during risk management process while complaining to the project objectives with respect to quality, schedule, legal, financial and customer satisfaction.
2.2 Risk Management Tools and Outputs
Below are tools that will be used to formalize and document the outcomes of the risk management process on this project. <PROJECT NAME> Project Manager will be maintaining the physical storage location of this risk management plan.
2.3 Risk Identification
Risk identification activity for <PROJECT NAME> will
- Start during the initiation of the project when it is not active.
- Once the project is commissioned (active), the risk identification activity needs to be repeated in a regular interval as mentioned in risk management process (Monitor and control section)
- For <PROJECT NAME>, risk identification activity will be conducted during weekly project status meeting as well as monthly risk audits
- Any change request submitted for <PROJECT NAME> should be assessed for potential new risk and if any, impact and frequency of the new risk should be quantified and added to the risk register.
- A comprehensive list of all potential positive (opportunities) and negative (threats) risks for <PROJECT NAME> should be logged and vetted with relevant project stakeholders.
Risk identification process should be thorough enough by adding all relevant project stakeholders and all possible risk sources. Below is the risk sources considered for <PROJECT NAME> risk identification process;Please note that additional risks sources can be identified and added in to the risk log as and when required.
Below are the techniques that are used in identifying the risk elements for <PROJECT NAME>
- Risk register for similar projects
- Lesson learned documents
- Interviewing subject matter experts
- Risk management process checklist
- In depth examination of each element in WBS
- Analysing project specific documents for identifying potential risks such as
- Scope statements
- Requirements spec
- Schedule documents
- Design documents
- Statement of work
- Contracts and commitments
- Group process techniques such as
- Workshop for risk identification
- Nominal group techniques
- Delphi technique
Risk statements are documented with unique IDs. All assumptions need to be considered as risk elements and documented accordingly.
2.4 Risk Analysis
This step is to determine which risk events need to be focussed/prioritized for the response plan by analyzing the probability of risk occurrence and impact on the project using various suitable methods. These methods can be broadly classified into three categories;
Irrespective of above method, one should consider the project triple constraints while performing risk analysis – Project cost (labour, equipment, materials etc), time (schedule, delay, activity duration etc.) and Scope (desired features, functionality, project requirements etc)
Probability and likelihood of risk elements are derived from;
- Risk assessment questionnaire outcome
- Fair estimates
- Expert judgement
- Decision trees
- Network Diagram
2.4.1 Qualitative Analysis
Qualitative analysis determines the risk rating for each identified risk by deciding the probability of occurrence and its magnitude of impact using risk tools such as risk log etc. Based on the rating, identified risks will be ranked and provided adequate importance during risk mitigation process.
2.4.2 Quantitative Analysis
Though it is not always possible to assign a dollar value for risk impact, a narrative description will be arrived for each identified risk. For the risks that can be quantified, an Expected Value (EV) will be arrived using probability percentage and magnitude of impact (EV=Probability * Dollar Impact). We have various tools available to calculate the probability percentage for any give risk that we foresee.
2.4.3 Risk Prioritization
Not all identified risks will be considered for the risk response planning due to the involvement of cost and effort. Hence, analysed risk will be forced ranked in order to identify the top risks that affect the project. Top risks will be identified based on Quantitative expected value rating and Qualitative overall rating as performed in the above two steps. In practice, the risks that are scoring “HIGH” in both these parameters will be ranked at the top. Other threats and opportunities also force ranked separately for further analysis.
In addition to Qualitative and Quantitative ratings, a few other factors that are important to customers and stakeholders will also be considered while ranking the risks. This factor can be derived from the following sources;
- Statement of Work
- Project Scope
- Requirement and Design Specifications
- Contract and Commitment agreements
In addition to this, risk differentiation and further filtering will be applied using below techniques (if needed)
- Comparative Risk Ranking
- Risk Filtering (Refer 8.2)
The remaining identified risks will not be part of the list but those will be reconsidered at a regular interval as per the Risk Management Plan set duration for Risk Monitoring and Control.
2.5 Risk Response Planning
Risk response plan will be developed for all the risks selected in risk prioritization and filtering process. The minimum requirement is to plan risk responses for the risks with the overall risk rating “HIGH”. Response plan should be integrated with Project Plan and to be captured in Risk Log. In addition to the risk responses, we need to document the following;
- Risk owner who is responsible for managing the response
- Risk response strategy
- Cost of the risk response
- Project objectives impacted by this risk
- Other dependent projects impacted by this risk
- Stakeholders impact
- Description of the mitigation plan
To optimize various risk responses, a risk response matrix can be created to identify priorities and primary response plan to manage several risks.
2.6 Risk Monitoring and Control
This process includes risk assessment during major project milestones/events, plan for the risk identified in risk log, identify new risks and reassess the mitigation plan effectiveness for the existing risks. Minutes of Meeting needs to be duly captured and shared among risk managers and project communication managers. Project stakeholders will be duly notified in case any major change in the risk plan or high-impact potential risk identified.
- Project manager conducts meetings at a regular interval (as mentioned in Risk Management Plan) with project leads to review the <PROJECT NAME> risks with the overall rating of “HIGH” or “VERY HIGH”
- Monthly meetings will be conducted by Risk manager to review all identified risks
- Weekly meetings will be conducted to review the high value risks status and overall project risk status with project team members
- Adhoc risk review meetings during major project events/milestones
- Quarterly risk review meetings with <CUSTOMER> representatives
2.7 Assumptions and Constraints
- Active participation from customer and associated partners during risk review meetings
- All project divisions should perform same level of risk management activities
- Timely and relevant project reports should be made available to the project managers with a risk section included
- Level of expertise in identifying and assessing risks can be different at different project divisions
- Other project divisions must support information requirements (say COST) during risk assessment
- Resources must be trained on risk management processes at the early stage of the project
3.0 Roles and Responsibilities
Person names performing the roles;
3.1 Risk Stakeholders
- Periodical risk management workshops will be created and delivered to all project members to ensure their understanding and support on risk management activities
- Trainings will be audience-specific as needed (Top management, Customers etc.)
- Mandated attendance for project managers and team members who perform risk management activities for <PROJECT NAME>
- The objective of the program should cover/enhance the knowledge of risk management, their roles and responsibilities and process that needs to be followed
- Project quality reviews
- Project status reports
- Risk audit reports
- Change requests
- Project outputs (WBS, Scope, SOW etc.)
- Project stakeholders
- Risk management tools and templates (Risk log etc.)
Thresholds limits for project scope, budget and schedule will be identified and the same will be considered while analysing the risks on the impact. This will be used in developing risk strategies accordingly. Risks that affect schedule, budget and scope will be analysed on a case to case basis and its overall impact on project deliverable will be determined.
A contingent plan and reserve budget should be created at the project task level to manage any risks that materialize during project life-cycle. It is the responsibility of integrated risk manager to control this budget reserve and the program director will provide the authorization for releasing this fund.
6.0 Timing and Schedule
Risk management process needs to be initiated and performed from project initiation and continue to be in-effect till the project closure. The schedule for various risk management activities will be defined in the project plan and project Gantt chart and triggers for risk activities will also be determined in advance.
7.0 Reporting and Communication
Risk log and other risk management tools (as applicable) will be the primary reporting modes for <PROJECT NAME> project. Also, project weekly status will contain a section to address the identified risk status. Risk log and associated risk reports will also be shared with the customers as applicable.
8.1 Risk Response Matrix
The risk response matrix can be used to identify the effective response plans that are primary for more than one risks. This way, the same response can be used to manage multiple risks and the overall risk management effort can be optimized. For an example, in the below risk response matrix, we can determine that the response plan for B is also effective response plan for risk D. In the same way, response plan for E can be effective for risk A. Hence, response plan for B, C and E can be effective for all identified risks.
8.2 Risk Filter Decision Tree
This tool will be helpful in identifying and prioritizing risks so that the risk management effort is optimized.