Risk Management Plan: How to Write
The word “risk” evokes many reactions. For some, it conjures a terrifying unknown. For others, it serves as an exciting motivator.
Regardless of your personal connotation of risk, every project manager needs to get comfortable planning for and confronting risk head on by creating a risk management plan.
Table of Contents
- Why write a risk management plan?
- Understanding project risks.
- What happens if I don’t create a risk management plan?
- Risk management plan process.
- The risk threshold.
- Get started with risk planning.
- Frequently asked questions.
Why write a risk management plan?
In his book, Done Right, Workfront CEO Alex Shootman points out that you can’t and won’t win all the time. “To succeed, you must face the risk of failure and be resilient to whatever comes out of left field...What keeps me going in tough times is the knowledge that success tomorrow lives on the other side of today’s failure. There’s always another chance to win.”
The resiliency that Shootman describes is made possible by having a project risk management plan.
We encounter and plan for risks in every part of our lives, from buying disaster insurance to practicing an evacuation plan. We can’t predict exactly what will happen, or when a risk will present itself.
But we can use our experience, wisdom, research, and foresight to remain as prepared as possible and keep our cool when risks materialize.
Understanding project risks.
To start writing a risk management plan and conducting a risk analysis, let’s first look at a helpful definition of project risk from A Guide to the Project Management Body of Knowledge (PMBOK®), 2000 Edition:
“...a risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective. Thus, a risk is not an event or occurrence which has already befallen a project. It is an event that might happen.”
Something that has already happened is a project issue that you must actively respond to. Contrarily, a project risk is something with the potential to occur that you must remain prepared for.
The 3 elements of every risk.
Gregory Becker distinguishes the risk event from two other crucial components to every risk:
- The risk itself is the event or condition that may happen. The risk should be clearly defined, so that the concern is made real and can be responded to.
- The consequence of a risk must also be defined so your team knows what is at stake. They also know the magnitude and level of urgency of the impact they may have to respond to, and the project areas that may be impacted.
- The probability of a risk must be estimated as accurately as possible. This is so your team allocates an appropriate and proportionate amount of time and energy to planning for, monitoring, and responding to a risk.
Anticipate good and bad risks.
Risks you want to be certain to anticipate and plan for are those which can impact timeline, budget, or quality of deliverables. Despite the often-negative connotation, risks can actually have a positive impact.
For example, there’s always a possibility that market prices will drop and suddenly put your project way under budget. Have you planned for how you might reallocate the money saved?
Distinguish the 3 kinds of risks.
All project risks are unplanned, but only some are unforeseeable. Risks fall into one of three categories:
- Known risk. Already recognized by team members and present early in the planning stages (opposition voices, budget overages, shortage of materials, resource limitations, etc.). These should be thoroughly documented in your risk management plan well in advance.
- Unknown risk. Not laid out in the planning stages and only known by a limited number of individuals. The primary focus of your research and risk management plan should be discovering these unknown risks.
- Unknowable risk. No one can be reasonably expected to anticipate this and it’s usually a surprise to most individuals. These can include a system failure, sudden illness, accident, etc.
The idea behind a risk management plan is to get ahead of any potential risks both good and bad. It's part of the project planning process that helps your team stay proactive rather than reactive and scrambling. The more you can pad your project plan with preparations for the unexpected, the less impact any surprises will have on your project.
What happens if I don’t create a risk management plan?
Poor or non-existent risk management can have a number of adverse effects not only on the success of a project, but on your business’ reputation and those of your clients too. If you don’t take a proactive approach to risk management, several impacts could be felt on your project.
Planning for risks means analyzing all the potential outcomes of your actions. If you don’t take the time to examine things from every angle using risk management, you might be missing out on an unseen opportunity.
For instance, this could be a time-saving device, like a new business tool or cost-cutting measure, such as a supplier discount. These are both things that planning ahead may have uncovered, but would ultimately be missed out on due to lack of planning.
Your whole team has a part to play in creating and maintaining a risk management plan. Assigning others with the task of monitoring developments associated with identified risks gives them accountability for the success of a task.
This has the added potential effect of increasing team members’ engagement. Without a risk management plan, you risk losing that day-to-day commitment from your colleagues to assess their actions and react accordingly.
Impact on client relationship.
Clients and other stakeholders will trust that you’re as prepared as possible. Without due consideration to the risks involved in a project, it can be difficult to instill the required level of trust, which may lead to communication problems down the line.
This can also have the knock-on consequence of affecting your team’s reputation among stakeholders too, something which is a precious commodity in any industry.
You risk the success of the project as a whole if you aren’t prepared to address the risks it faces. You may become too bogged down in timeline-altering events to complete the project or work too inefficiently to produce value from it.
Risk management plan process.
Now you know the importance of understanding potential risks and developing a strategy to mitigate these, it’s time to run through an example of how to create a risk management plan.
Step 1: Identify potential risks.
Before putting your plan to paper, you need to be aware of the kind of risks your project might face. With your entire team resource and all project stakeholders, come up with the potential risks for your risk management plan.
Each participant should thoroughly consider the project from the perspective of their role and identify everything within their scope that could be seen as a risk event or condition. Ask them to think about what can they see from their angle that others might not?
In this ideas meeting, encourage your team to speak up about any potential risks and involve all stakeholders. At this stage, all ideas should be on the table. It’s ultimately up to the project manager to distill and finalize the items that will go into the risk management plan.
The project manager can also draw from:
- Industry research
- Their past experience
- Advice and guidance from other project managers
- Outcomes of similar projects in the past
These other sources of information may prove vital tools, to help you make sure no stone is left unturned in your search for potential risk factors.
Step 2: Create a risk assessment plan.
Next, evaluate and assess potential risks. Organize your comprehensive list of potential risks by likelihood:
- High risk
This information can be compiled in what’s called a risk register. It will tell you how likely a risk is to occur and illustrate the urgency of responding to it in relation to the rest of your workload.
While it isn't part of the project planning phase, think of the risk register as a living document that you’ll return to and possibly change during the project.
Pro tip: One proactive risk management technique is communication. In Done Right, Workfront CEO Alex Shootman writes that in his experience:
“...all projects will have at least three disasters and they won’t be related to the technical tasks at hand. They will be rooted in communication.
And it’s usually not how you avoid the disaster that matters. It is how you handle them realizing that the disasters likely stem from miscommunication, vagueness, or failure to share vital details and decisions at the right time.”
Step 3: Assign ownership for each potential risk.
In assigning team members to oversee risks, have your list prioritized and know how many resources you’ll need on each risk. Designated team members will be responsible for jumping into action should the potential risk turn into an actual issue.
You’ll also have an idea what kind of manpower and time you’ll need on an issue as it arises, so you can better plan for covering it.
Assigning risk ownership in your risk management plan ensures that someone is always keeping an eye out for each potential problem. It can also help resolve issues quickly and efficiently, ensuring deadlines aren’t impacted.
Step 4: Create preemptive responses.
The project manager and owner of each risk should work together and use the risk register to determine the appropriate response, if and when a risk becomes an issue. Your response should be proportionate to the impact of the issue.
Don’t overreact to a small problem. Likewise, don’t underreact to a large one.
As your risk response plan takes shape, you’ll decide which of the following four responses is appropriate:
- Avoid – Change your plans or approach to eliminate the risk entirely.
- Transfer – Assign the risk to someone else within the team, within the company, or outsource it, e.g., to an insurance carrier or vendor.
- Mitigate – Take the necessary steps to reduce the probability and/or impact of the threat on the project.
- Accept – Allow for the risk and adjust to be able to handle its consequences.
Your risk management plan should be visible across all team members, so that everyone knows which risks to watch out for, and who to contact should one of them arise. An enterprise work management solution can help you stay connected across the business.
Step 5: Continuously monitor risks.
In addition to the possible pitfalls you’ve already identified in your risk management plan, new risks are bound to surface. This is where a risk management system comes into play, as well as your ongoing monitoring and controlling of risks.
Risk management requires tracking and reporting on triggering events that require your initiating your response plan(s). It will also mean analyzing the risk against your original assessment for learning and future planning.
Risk planning is a complex and ongoing part of solid project management. It is impossible to predict everything that will go wrong. But having a system in place when issues do arise will improve your chances of success, and help future projects.
Additionally, the practice of anticipating risk will only encourage your team to remain flexible and unafraid to try new things.
The risk threshold.
The risk threshold is where enough risks are creeping over the line that you need to ask yourself if a serious rethink is needed on a project’s status. Lost time or profitability are the main factors which would give you pause.
Close and continuous monitoring of your projects should give you the most time and space to consider your options. Having this overview of the bigger picture can help you make an informed and measured decision on where to take things from there.
Read our whitepapers for more on the resources involved in project management.
Get started with risk planning.
Over time, effective project risk management can reduce overhead and get your teams working smarter. Project managers will get the help they need putting out fires, and problems that could have been major will be reduced to minor bumps in the road.
As Shootman advises in Done Right, “accept that if you strive for the extraordinary, you will not always succeed. But also accept that you don’t become great at getting extraordinary work done by avoiding risk, surprises, or mistakes.”
Adobe Workfront simplifies the process of creating a project risk management plan. Collaborate with your team in one location, increasing communication and transparency throughout the project.
Everyone will be able to provide input and watch out for potential problems together, minimizing the number of risks that turn into disasters. If you’re ready to start planning risks for your next project, and see some risk management plan examples, take a product tour today.
Frequently asked questions.
What is the definition of a risk management plan?
Risk management plans help project managers define, evaluate, avoid and monitor risks. They can also ensure they prepare the right response to that situation.
As a document, a risk management plan will include a detailed breakdown of potential risks to a project. It will also include the funds and approaches that will be used to overcome them.
What do I need to include in a risk management plan?
Your risk management plan should include:
- Identification – What are the risks and how will they affect your project?
- Planning details – On an ongoing basis, how will you identify and mitigate risk?
- Analysis – How severe are your risks, and how likely are they?
- Anticipated responses – How will you respond to risks if they materialize?
- Monitoring – How will you monitor your response to each risk?
Why is a risk management plan important?
A risk management plan is important for a number of reasons including:
- Anticipating risks
- Reducing the likelihood of risks
- Outlining your approach to risks
- Demonstrating sound planning
- Identifying your project’s strengths and weaknesses
As a result, risk management plans don’t just help keep projects on track. They’re also useful to get buy-in from stakeholders, colleagues and others. They show you have thought about the risks of your project, and how you will overcome them.