Introduction to Risk Management Plan

All projects have inherent risks. After all, risk is an uncertain event or circumstance that can cause or influence a positive or negative result. Not even a Project Management Professional (PMP) can completely stop the risk, but they can make a risk management plan to address, mitigate, and manage the risks of the highest probability or potential impact.

Project Management Institute (PMI) includes risk across their credentialing programs as part of the Project Management Professional (PMP)® certification exam, as the standalone Risk Management Professional (PMI-RMP)® certification, and as questions within other certification categories and assessments. The most significant risks a Project Manager can take are failing to know what a risk management plan is, and not having a risk management plan for their project.

---

---

What are Project Risks?

Before diving into the “risk management plan PMP” as it is informally known, it is crucial to know at the core what a project risk is. The PMI online learning library provides thousands of peer-reviewed articles and resources, and project managers of all industries long study the topic of risk. The risks may vary by industry and organization, even by geography and time of year, but the risk is universal.

Risk is that which could happen. It is the uncertainty that populates every moment. It might rain. It might flood. Your car could have an engine failure. Your computer gets a virus. Risk is everywhere at every moment. Without conscious thought, we constantly evaluate the chances of specific things happening and adjust our behaviors accordingly. Did you take an umbrella with you when you left your home today? Why or why not? Did you specifically check the weather forecast to see if rain was predicted, or did you make your decision based on years of living in a desert climate in which rain is rare and limited to certain times of the year? Rain is a risk, and it can have positive (plants grow, water to drink) or negative (flooding, destruction of crops) impacts depending on its intensity.

So, take the idea of risk and apply it to the environment of a project. Some events or conditions could benefit or harm the project’s overall success. These project risks vary by the type of project, the industry, the company for which the project is done, and more.

Risk	An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. (Source: https://www.pmi.org/pmbok-guide-standards/lexicon)
Project Risk	The cumulative effect of the chances of uncertain occurrences which will adversely affect project objectives. It is the degree of exposure to negative events and their probable consequences. (Source: https://www.pmi.org/learning/library/risk-management-9096)

For the concept of risk, including project risk, project managers must look at it as positive and negative. Risk is not always a bad thing. A project could risk that supplies arrived early and delivered the final product sooner than planned. Project managers have many responsibilities, and among them is using risk management tools and techniques to manage risk.

What is a Risk Management Plan PMP?

Knowing what risk, specifically project risk is, is the first step. The next is what to do about it. This leads to what some call the “risk management plan PMP” or “plan risk management PMP.” Consider this description for a PMI library article:

“…risk management must be seen as preparation for possible events in advance, rather than responding as they happen.”

The management of risk builds off planning for risk. For those working to earn their PMP® credential, it is helpful to know PMI’s official definition of a risk management plan:

Risk Management Plan

A component of the project, program, or portfolio management plan that describes how risk management activities will be structured and performed. (Source: https://www.pmi.org/pmbok-guide-standards/lexicon)

When creating a Project Plan, the Risk Management Plan is one step in the process. Some may be seeking a “PMP Risk management plan template.” While there are undoubtedly many example templates available, once the purpose and process of risk management are understood, the project manager can create a plan specific to the project.

Why is a Risk Management Plan important?

If you asked a sample group of project managers what tool offered higher predictability, they would say risk management. Some project management professionals believe that “project risk management is perhaps…the most effective tool project managers can employ to increase the odds of project success.” For what may be called by the team a “risk management plan PMP,” the project will likely benefit from predictable budgeting and scheduling, even when changes occur. Other reasons the risk management plan is essential to include:

• either through a template or one customized for the project, the risk management plan can shift the overall project work from reactive to proactive,
• project budgets can be better managed with early allocations marked for highly likely risks,
• the process of creating the risk management plan and the associated tools within risk management, such as the risk register, can reduce the anxiety of the team by building confidence via assigned responsibilities and needed actions for risk,
• project schedules can be more accurately managed with built-in flexibility for risks most likely to occur,
• negative risks can be mitigated through a vetted process of planned actions, and
• positive risks can be leveraged through a process of identification and planned actions.

The risk management plan is essential because the project team is not always alert, waiting for change to come from any direction but is prepared for expected changes.

How is the Risk Management Plan used?

The process of creating the risk management plan ensures a heightened understanding of the project’s risks across the team. The result is a project manager with more accurate information to feed into the risk management plan and the project plan, plus a more knowledgeable team about potential future changes in the project.

How does the Risk Management Plan help the project?

It can be said that the risk management plan development process helps to:

• identify risks with impact to the schedule,
• estimate cost of risks and the potential impact on the budget,
• increase the accuracy of the overall project plan, and
• communicate among, and with the team, the potential risks.

The uses of the risk management plan encompass accurate budgeting, reliable scheduling, effective team building, and volatility reduction. There is no doubt that good risk management planning is one of the critical responsibilities of project managers due to the far-reaching positive impact it can have on a project.

What does the Risk Management Plan tell the Project Manager?

PMP exam questions maybe around risk management plan definitions, methodology, or process. Whether as part of prepping to take the PMP certification exam or to get stakeholder buy-in for the risk management process efforts, project managers should know that “the risk management plan tells you how you are going to handle risk in your project.” It accomplishes this by documenting:

• how risks will be identified
• how risks will be assessed for the probability of occurrence
• how risks will be assessed for impact
• who will own each risk
• how each risk will be tracked
• how each risk will be addressed if it occurs

The risk management process and plan tell the project manager what could be on the horizon and how the team will respond.

How do Project Managers use a Risk Management Plan?

The project manager and the team uses the risk management plan to predict (or in some cases influence) future occurrences. 

When is a Risk Management Plan needed?

Every project has risks. Thus, every project needs a risk management plan. However, not all risk management plans are the same size. The scope of that risk management plan, and the amount of time and effort invested in its creation and maintenance, should be determined by the project’s overall scope and budget. If 500K is invested in risk management planning for a project with a budget allocation of only 50K, the risk is that the company will not last long with that type of management.

When does a Risk Management Plan need to be created?

Since risk is always present, the risk management plan should be addressed early in the project planning process. Updates can be made to the risk management plan as the project work progresses, but the plan itself is an input into the overall project plan and thus needs to be created early in the overall effort.

How often is the Risk Management Plan updated?

PMP exam questions may indirectly assess your knowledge of risk management with questions around the frequency of risk management plan updates. The risk management plan should be created early in the project work, align with project milestones or work cycles, reassess risks, and document changes, activities, and results. The risk plan document should be updated throughout the project and regularly. Those intervals should be mapped with the project schedule to keep the team aligned and informed.

What are the types of Project Risks?

There are kinds of project risks: known, unknown, and unknowable. They may also be referred to as known-known, known-unknown, and unknown-unknown.

Known	Unknown	Unknowable
Known-Known	Known-Unknown	Unknown-Unknowns
Risks identified and documented during project planning by the project team.	Risks identified and documented during project planning by a specialist or subject matter expert.	Risks that are not anticipated and thus undocumented.

Known Risk

What the risk is and the impact of that risk is known. The risk is identified early and documented in the risk management plan.

For example, a supplier has informed you of a 3% price increase effective in 3 months for a part used in the final stage of a manufacturing process. You know the risk (increased cost) and when it will happen.

Unknown Risk

As implied, the unknown risk is a known risk with an unknown timing or full impact. The risk is often identified by a subject matter expert or a specialist. The risk is identified and documented in the risk management plan.

For example, hurricanes are known to happen in the Atlantic Ocean at certain times of the year, but how many storms will occur in a season or where they may come onto the shore is unknown.  The National Hurricane Center will make annual predictions for hurricanes to assist with planning, but there is no absolute when, where, or how big a storm could be.

Unknowable Risk

A rare occurrence but with great impact potential if it occurs, the unknowable risks are not identified at any time, and thus there are no associated plans in place.

Sticking with our supplier price and hurricane examples, a weather system sinks the ship bringing over the needed widget (the widgets’ price and arrival being known risks), and it will take time to secure a replacement boat and to manufacture replacement widgets (time to find replacement boat being unknown risk). An unpredicted weather system (unknowable risk) destroyed the single needed shipment.

---

---

How to make a Risk Management Plan?

Preparation for the PMP certification exam will include knowing the components of a Risk Management Plan. While plans can vary in size reflective of the project’s scope, there are vital elements to include, and the process of creating the plan should be consistent. 

What are the components of a Risk Management Plan?

From a PMP certification exam lens, it can be helpful to reference the PMI’s A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition, as it lists Risk Management Plan inputs and the process guiding them. Highlights include:

• authority levels of decision making for risk response
• enterprise environmental factors
• risk management methodology
• organizational process assets
• organizational risk policy
• project charter
• project management plan
• project risk background
• risk categories
• risk concepts and terms
• risk reporting types and frequency
• risk response timing
• risk roles and responsibilities
• risk tolerance levels
• stakeholder register

Not all risk management plans will have all components. Creating the plan should be to scope it to align with the project’s overall scope. The more complex, higher budget, and longer duration projects will likely have more comprehensive risk management plans.

What are Risk Management PMP tools and techniques?

When discussing risk from a formal PMP certification perspective, it is helpful to know commonly recommended risk tools and techniques. Think of it as inputs for your “Risk management plan PMP” work. Widening the scope of information sources can help narrow down what risks need what level of planning. 

Analytical Techniques

As the name implies, analytical techniques are about getting to the root of things and thinking critically using reliable data.

Risk Register

A list of risks with descriptions, probability of occurrence ratings, impact rankings, mitigation activities, and status, the risk register is the risk inventory for a project.  What are the risks, and what can be/was done for each? The risk register is the “database” of a project’s risks.

Root Cause Analysis

Those with their PMP certification already know the power of root cause analysis.  It is a way to get to the source of a risk using a systematic process. Rather than trying to combat the result of risk, focus on the source and make adjustments there.

SWOT

Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis is a process in which each risk is reviewed from four perspectives. Go through the acronym and capture risk for each quadrant or category to apply this tool. In most cases, negative risks emerge around weakness and threats, and positive risks are identified through strengths and opportunities.

Project Documentation

If available, access project documentation, especially the types that align with PMP-type processes and documents.  For example, for projects of a similar type, review the following:

• lessons learned
• project summaries
• project audits
• risk management plan
• risk register
• risk management methodology

It can be a time-saver and help reduce negative risks when lessons learned, and existing resources can be leveraged.  For example, starting the process with a “PMP risk management template” can be a great foundation.

Expert Judgment

Never exclude the insights of industry experts, including experienced project managers and field experts. While the inherent biases of those experts should be factored in, the unique perspective of those that have intimate knowledge of a given process, project type, or field of study can be a powerful input into the overall risk management process and resulting plan. To get the expert judgment, tap into groups such as:

• professional organizations
• academic institutions
•  certifying bodies

Interviews, Brainstorming Sessions, and Focus Groups

Gathering input for risk planning often involves asking questions. Those questions can be in the form of interviews, surveys, or brainstorming sessions. 

• project team members
• stakeholders
• existing customers
• prospective customers
• subject matter experts
• project managers

Whether the questions are provided as sticky notes on a whiteboard (brainstorming), as a list on a screen (online survey), or asked in person (focus group), the risk insights gained to improve the accuracy of the project planning and budgeting. No template can convey the intuitions and lived-in experience from interviews, brainstorming, and focus groups. 

What is a Risk Management Plan Process?

Companies may use slightly different terms for the risk management plan process than what is found in the formal PMP certification exam or PMBOK® Guide.  However, the sequence of steps is almost always the same.

1. Identify | determine risks for project
2. Analyze | document risks
3. Prioritize | determine which risks have the highest probability of occurrence and highest potential impact (positive or negative)
4. Assign | map each risk to roles and detail associated responsibilities
5. Plan | document preventative strategies, risk threshold, and monitoring for each risk
6. Monitor | stay informed of risk status
   1. Threat | take planned action if a risk occurs Measure your risk threshold and work with project stakeholders
7. Report | communicate any actions are taken, status changes, outcomes for each risk

In this process, note that there may be no “Threat” if a risk never occurs because no action was taken.  However, that is important to note and could be valuable data for future projects. So, even if a risk never happens and thus there is no action taken, that should be documented and included in lessons learned and project summary data.

What are Risks Categories?

Risk categories are a way to organize risks to make it easier to monitor and plan for similar ones.  The PMP certification exam is designed to assess one’s knowledge of formal project management as captured in the PMBOK® Guide and other PMI resources. Thus, some standard risk categories may appear in the PMP exam, but some companies may have their own based on their internal needs and industry.

Risk Category: Technical

Technical can mean much more than just “are we using Windows or Apple systems?” within the technical category are factors such as:

• access
• availably of trained staff
• frequency of patches
• frequency of upgrades
• hardware changes
• hardware costs
• integration with other systems
• license cost
• quality control
• quality standards
• technology source
• virus vulnerability

Risk Category: External

It can be hard enough to manage the work within a project, but the fact is, the external factors are there and can be a risk to a project. For the external risk category, consider:

• customer changes
• contract requirements
• market changes
• supplier changes
• political changes
• regulation changes

Risk Category: Organizational

Even with the most detailed project plan ever created, things can shift in an organization resulting in risk. For the risk category organizational, areas to keep in mind include:

• project dependencies
• personnel departures
• internal resources
• project funding allocations
• company leadership changes
• company priorities change

Risk Category: Project Management

Of course, the project management process and methodology, tools band techniques, plans and templates, all factor into the project’s risk and chances for success. Within the risk category of project management, address items such as:

• schedule
• budget estimation
• quality control
• communication
• personnel
• risk management

What are best practices for maintaining a Risk Management Plan?

The maintenance of a Risk Management Plan relies on conducting effective risk audits and ensuring the plan aligns with the organizational risk strategies and methodologies and appropriately incorporates stakeholders’ risk appetites. There is never a situation where the plan is created, which is the end of risk management work. 

• Including risk reviews and audits in the project plan at regular intervals can take the risk management plan from “just a document” to keep the project on track no matter the changes.
• Communicate risk status and work with the team, stakeholders, and clients to maintain trust and alignment.
• Monitor risk throughout the project and be ready to take action when needed.

If you have a risk management plan, you have already started implementing best practices. Do not think it stops with that document; risk is a constant, and so should your risk management work throughout the project.

Conclusion

No matter how thorough your risk management planning is, you cannot predict or plan for every risk, no matter how well documented your risks are. But you can be prepared. And through good risk management planning, you can leverage positive risk to add to the project’s success and prevent negative risk to keep the project on track.

Regarding the PMP certification exam, students should know what a Risk Management Plan is, when the Risk Management plan is created, what types of risks and risk categories are, how often the Risk Management plan is updated, and how a risk management plan is plan benefits the project.

Just as there are endless risks in life, any project has infinite potential risks. However, some risks are more likely to occur than others, and some risks will have minimal impact if they occur. Those with PMP certification know that planning for risk can be the difference between project success or failure.

---