How to Create a Risk Management Plan
The word “risk” evokes many reactions. For some, it conjures a terrifying unknown. For others, it serves as an exciting motivator. Regardless of your personal connotation of risk, every project manager needs to get comfortable planning for and confronting risk head on by creating a risk management plan.
Why write a risk management plan?
In his book, Done Right, Workfront CEO Alex Shootman points out that you can’t and won’t win all the time. “To succeed, you must face the risk of failure and be resilient to whatever comes out of left field...What keeps me going in tough times is the knowledge that success tomorrow lives on the other side of today’s failure. There’s always another chance to win.”
The resiliency that Shootman describes is made possible by project risk management. We encounter and plan for risks in every part of our lives, from buying disaster insurance to practicing an evacuation plan. We can’t predict exactly what will happen, or when a risk will present itself, but we can use our experience, wisdom, research, and foresight to remain as prepared as possible and keep our cool when risks materialize.
Understanding project risks
To start writing a risk management plan, let’s first look at a helpful definition of project risk from A Guide to the Project Management Body of Knowledge (PMBOK®), 2000 Edition:
“...a risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. Thus a risk is not an event or occurrence which has already befallen a project. It is an event that might happen.”
Something that has already happened is a project issue that you must actively respond to. Contrarily, a project risk is something with the potential to occur that you must remain prepared for.
The 3 elements of every risk
Gregory Becker distinguishes the risk event from two other crucial components to every risk:
- The risk itself is the event or condition that may happen. The risk should be clearly defined so that the concern is made real and can be responded to.
- The consequence of a risk must also be defined so your team knows what is at stake, the magnitude and level of urgency of the impact they may have to respond to, and the project areas that may be impacted.
- The probability of a risk must be estimated as accurately as possible so your team allocates an appropriate and proportionate amount of time and energy to planning for, monitoring, and responding to a risk.
Anticipate good and bad risks
Risks you want to be certain to anticipate and plan for are those which can impact timeline, budget, or quality of deliverables. And, despite the often negative connotation, risks can actually have a positive impact. There is, for example, always a possibility that market prices will drop and suddenly put your project way under budget. Have you planned for how you might reallocate the money saved?
Distinguish the 3 kinds of risks
All project risks are unplanned but only some are unforeseeable. Risks fall into one of three categories of knowability:
- A known risk is already recognized by team members and present early in the planning stages (opposition voices, budget overages, shortage of materials, resource limitations, etc.). These should be thoroughly documented in your risk management plan well in advance.
- An unknown risk is not laid out in the planning stages and only known by a limited number of individuals. Discovering these should be the primary focus of your research and risk management plan.
- An unknowable risk, which no one can be reasonably expected to anticipate, and is usually a surprise to most individuals (a system failure, sudden illness, accident, etc.).
The idea behind a risk management plan is to get ahead of any potential risks—both good and bad. It's part of the project planning process that helps your team stay proactive rather than reactive and scrambling. The more you prepare for the unexpected, the less any surprises will derail your project.
Whitepaper: The Complete Guide to Planning Creative Projects
Risk management plan process
Step 1: Identify potential risks
With your entire team and all project stakeholders, brainstorm potential risks for your risk management plan. Each participant should thoroughly consider the project from the perspective of their role, and identify everything within their purview that could be seen as a risk event or condition. What can they see from their angle that others might not?
In this brainstorm, encourage your team to speak up about any potential risks and involve all stakeholders. At this stage, all ideas should be on the table. It’s ultimately up to the project manager to distill and finalize the items that will go into the risk management plan. The project manager will also draw from research, past experience, other project managers, and similar projects.
Step 2: Evaluate and assess potential risks
Next, organize your comprehensive list of potential risks by likelihood (low, moderate, and high risk) and impact (low, moderate, and severe). This information can be compiled in what’s called a risk register. While it isn't part of the project planning phase, think of the risk register as a living document that you’ll return to and possibly change during the project.
Pro tip: One proactive risk management technique is communication. In Done Right, Workfront CEO Alex Shootman writes that in his experience:
“...all projects will have at least three disasters and they won’t be related to the technical tasks at hand. They will be rooted in communication. And it’s usually not how you avoid the disaster that matters. It is how you handle them realizing that the disasters likely stem from miscommunication, vagueness, or failure to share vital details and decisions at the right time.”
Step 3: Assign ownership for each potential risk
In assigning team members to oversee risks, have your list prioritized and know how many resources you’ll need on each risk. Designated team members will be responsible for jumping into action should the potential risk turn into an actual issue. Assigning risk ownership in your risk management plan ensures that someone is always keeping an eye out for each problem, and helps in resolving issues quickly and efficiently.
Step 4: Create preemptive responses
The project manager and owner of each risk should work together and use the risk register to determine the appropriate responses if and when a risk becomes an issue. You’ll decide which of the following four responses is appropriate:
Avoid: change your plans or approach to eliminate the risk.
Transfer: assign the risk to someone else within the team, within company, or outside (e.g., an insurance carrier or vendor).
Mitigate: reduce the probability and/or impact of the threat on the project.
Accept: allow for the risk and handle its consequences.
Your risk management plan should be visible across all team members so that everyone knows which risks to watch out for, and who to contact should one of them arise. In this digital age, you can easily connect your enterprise with a single enterprise work management solution.
Step 5: Continuously monitor risks
In addition to the risk you’ve already identified in your risk management plan, new risks are bound to surface. This is where a risk management system comes into play, as well as your ongoing monitoring and controlling of risks. Risk management requires tracking and reporting on triggering events that require your initiating your response plan(s). And it will mean analyzing the risk against your original assessment for learning and future planning.
Risk planning is a complex and ongoing part of solid project management. It is impossible to predict everything that will go wrong, but having a system in place when issues do arise will certainly improve your chances of success, and will improve future projects. Additionally, the practice of anticipating risk will only encourage your team to remain flexible and unafraid to try new things.
Whitepaper: The High Cost of Chaos
Whitepaper: The Unnerving Cost of IT Project Management
Get started with risk planning
Over time, effective project risk management can reduce overhead and get your teams working smarter. Project managers will get the help they need putting out fires, and problems that could have been major will be reduced to minor bumps in the road. As Shootman advises in Done Right, “accept that if you strive for the extraordinary, you will not always succeed. But also accept that you don’t become great at getting extraordinary work done by avoiding risk, surprises, or mistakes.”
Workfront simplifies the process of creating a project risk management plan. Collaborate with your team in one location, increasing communication and transparency throughout the project. Everyone will be able to provide input and watch out for potential problems together, minimizing the number of risks that turn into disasters. If you’re ready to start planning risks for your next project, take a product tour today.