Risk management is generally accepted as a fundamental part of project management. Most project governance standards require you to define a risk management plan, which describes how you will manage risk on the project. In this article, we describe the elements that will be present in a typical risk management plan.
The risk strategy is an overview of your approach to managing risks on this project. It should specify what organizational policies you comply with and whether you are adopting a qualitative or quantitative risk management approach. Integral to the risk strategy is risk scope, which outlines the specific elements of the project that fall within the purview of the risk management process. You might exclude particular components from the risk scope because another department manages them. For instance, the procurement department might handle all risks associated with vendors, such as supply chain disruptions, vendor compliance issues, or contractual disputes.
The methodology covers the specific processes, tools, and sources of information that the team will use to manage risk. For instance, your project might use the PMBOK risk management process and store all risks in Jira. Typical sources of risk information would be the project plan, requirements specification, schedule, issues log, and so on.
The roles and responsibilities section describes who is responsible for various parts of the risk process. Typical responsibilities include:
Preparing the risk management plan
Approving the risk management plan
Organizing and chairing risk workshops
Attending risk workshops and other meetings
Development of risk response plans
Creation and maintenance of the risk register
Reporting risk status
Ensuring the risk process is being adhered to
Funding is a crucial part of the risk management plan as it lays out the resources available for managing risk. It should cover the cost of all risk-related resources, including staff and tooling. It should also indicate how the project funds both treatment strategies and contingency plans. For example, any contingency plan under $25,000 might be funded from the general project contingency, whereas plans over that amount require the approval of the project sponsor.
The timing aspect of the plan specifies when and how often risk management activities will be conducted. You would typically schedule a risk workshop at the start of a project and then have regular risk review meetings as the project progresses.
Risk categories provide a structure for classifying risks, which helps both in identification and reporting. A typical risk breakdown structure is as follows:
Technical
Management
Organizational
Commercial
External
You can also categorize risks according to a work breakdown structure, a cost breakdown structure, an organization breakdown structure, etc.
Your organization likely has standard definitions for risk probability and impact, but you may need to customize them for your project. Attaching specific dollar amounts to each impact level, proportionate to your project budget, is common. For example, a low-impact risk might have a threshold of $10,000 in your project but a higher amount in a larger project.
A risk matrix is an essential risk management tool that calculates the risk level by cross-referencing the impact and probability. The matrix typically takes the form of a heat map, with each risk level given a color.
Understanding the risk tolerance of key stakeholders enables you to define how much risk your project can bear. Document this by way of strategies for dealing with various levels. For instance, the plan could specify that all low-level risks can be ignored, but high-level risks must be treated until they are medium-level or lower. If you use quantitative risk management, you can specify a numerical threshold for the risk appetite.
The reporting section defines how you will communicate the outcomes of the risk management process. At a minimum, it must describe the risk register's contents; it should also specify the format, frequency, and audience of any risk summary reports.
The tracking section describes how risk activities will be recorded and audited. A risk management system typically handles the recording aspect, while a Project Management Office might be responsible for auditing, depending on the size of your organization.
An effective risk management system makes it easy to implement your risk management plan. This is one reason we created Risk Register by ProjectBalm.
Our goal was to automate best practice risk management techniques, and do so via an elegant, usable interface that works with you, and not against you. Risk Register will help you to identify, analyse, treat and monitor risks more easily and effectively than ever before.
If you are experienced at risk management, you will find in Risk Register a tool that works the way you want it to work. If you are new to risk management, our documentation and videos will take you through the whole risk management process, giving lots of useful examples.
Risk Register is fully compatible with risk management standards such as ISO 31000, and can also be used for governance, risk, and compliance (GRC) programs such as Sarbanes-Oxley and PCI. And, of course, Risk Register allows you to easily distinguish between opportunities and threats.
Over the last few years, we've grown to become the most popular risk management solution in the Jira marketplace and we are now an Atlassian Platinum Partner. Why not try out Risk Register by ProjectBalm for yourself?
Craig Schwarze
Founder at ProjectBalm