Friday, June 15, 2012

Contents of a Risk Management Plan

In the previous chapters we looked at the inputs or resources we will use to create a risk management plan, as well as the Risk Planning Meetings that are used to actually create these plans. The next logical step is to know what the risk management plan contains, so that we know what to include in our plan to ensure smooth and successful risk management in our project.

According to the PMBOK guide, the Risk Management Plan contains the following elements:

1. Risk Methodology
2. Roles & Responsibilities
3. Budgeting Information
4. Timing Information
5. Risk Categories
6. Definition of Risk Probability & Impact
7. The Probability & Impact Matrix
8. Revised Stakeholder Risk Tolerances
9. Reporting Formats
10. Risk Tracking Information

Many of these contents look pretty straightforward, and if you are a PMP you must by now know a fair bit about these elements. Anyway, we will be covering them in detail one by one. An important point to note here is that organizations can have templates and documents from previous projects that can be very useful in creating the risk management plan for the current project. From the RMP Exam perspective, you need to use the structure that PMBOK suggests.

Risk Methodology

Risk Methodology covers the “How” of Risk Management. We define the methods and tools we will use in our project's risk management activities. We also mention the sources of the data that will be used in the risk-related processes in our project.

Roles & Responsibilities

This section defines the roles & responsibilities of everyone who will be involved in risk management activities in our project. “Who” they are and “What” they will be doing is clearly defined here. A point to note is that anyone and everyone who will be involved in risk-related activities in our project is added here and, most importantly, people from outside our project team could be a part of this too.

Budgeting Information

This section covers the financial aspect of the risk management activities in our project. It defines the amount of funds set aside for risk management activities as well as the contingency reserves that are available. It also describes the amount of money that will be spent on the risk management activities as well as the resources that will be used for the same. This information will be part of the project's overall cost performance baseline.

An important point here is that this section also defines the protocols or situations under which the contingency reserves will be utilized.

Timing Information

This section covers the timing/schedule aspect of the risk management activities in our project, i.e., it explains when the risk management activities will happen in our project. It also contains details of the schedule contingency reserves that are available. This information will be part of the project's overall schedule baseline.

An important point here is that this section also defines the protocols or situations under which the schedule contingency reserves will be utilized.

Did you realize that the budgeting & timing information in the RM plan is part of the project's overall Cost and Schedule baseline? Did you stop and think why they are being added to the baseline?

This risk management activity is part of the work that will be taken up as part of our project. So it makes sense for us to include the money and time we are going to spend on these activities in the project's overall budget as well as schedule. Doesn’t it?

Risk Categories

This section explains all the risk categories that will be used in our project. It could also contain some rationalization/justification behind the selection of these categories. This is done to ensure consistency across the project. The Risk Breakdown Structure (RBS) is a common way of depicting the risk categories. Though the RBS is fairly common in almost all RM Plans, it is not mandatory. You can decide how you want to depict the risk categories you will be using in your project. It could be an RBS or just a simple list of risk categories.

Revised Stakeholder Risk Tolerances

This section defines/explains the updated risk tolerance levels of all the project stakeholders. This will be the baseline on which we, as project managers, handle risks in our project.

Reporting Formats

This section defines how risk activities will be documented, analyzed and shared with all appropriate stakeholders. Most organizations have a standard template or format in which this information is shared. Usually the Risk Register (with all the latest updates about the identified risks) is the document that gets shared.

Risk Tracking

This section describes how the risk activities will be recorded with the project as well as how the lessons learned will be documented. This section also contains information on how our risk related processes will be audited.

Definition of Risk Probability & Impact

This section defines the risk probability and impact using a scale or a rating system. This rating system is defined here in the risk management plan so that we can easily and consistently rate all risks that may affect our project. We will be defining the guidelines that we will be using to accurately assess and rate risks in our project. This information will be used in the Qualitative Risk Analysis process where we assign a rating to all our identified risks to shortlist the higher priority risks.

There are various ways of documenting the risk probabilities and impact and, as you might have guessed by now, it depends on your organization. Some commonly used ways are the “High-Medium-Low” scale or a numeric scale. The picture below shows two sample scales.

The image at the top classifies the risks based on their impact or probability as low, medium and high, whereas the one at the bottom assigns a numeric value based on the same criteria as the table above it.

Probability & Impact Matrix

The probability and impact matrix is used to prioritize risks and to determine which risks require a response. This will serve as a look-up table that combines both the probability and impact rating so that risks can be rated in a consistent manner. This again will be used in the Qualitative Risk Analysis process.

Don’t worry, we will be covering Qualitative Risk Analysis in great detail in the future. For now, just know that the probability and impact definitions as well as the probability and impact matrix are defined in the RM Plan. Based on the guidelines defined in the RM Plan, risks are first identified and added to the Risk Register. They are then prioritized during Qualitative Risk Analysis, and the Risk Register is further updated with the Risk Ratings, which will help us decide which risks to concentrate on and which ones we can worry less about. This is explained in the picture below:

