For a risk management plan to provide the coverage your project needs, it should include six core elements. Here are the details.
Risk management plans help project teams ensure that they have identified potential risks and developed the best strategies to deal with those risks. Depending on the complexity of your project, there are many elements that may be incorporated into a risk management plan.
Here are some core elements that should be included in every risk management plan.
Executive summary
Start with an executive summary that provides a high-level overview of the project itself, the scope, and the overall approach in developing the risk management plan. This tells the stakeholder(s) what to expect when reviewing the plan and helps set their expectations.
Project and risk assumptions
Before diving into identifying risks, it is important to first identify and document any project assumptions that may have an impact or influence on the risk management strategies you select. These assumptions can be anything relating to budgets and resources, processes, technologies and techniques, timelines, or other facets of a project. The assumptions can also relate to internal or external factors. Identifying assumptions helps to frame methodologies and the reasoning behind decisions, and again helps set expectations.
Risk methodology
Risk methodology identifies and defines the approach that will be used as well as the resources, tools and techniques that will be deployed in developing and implementing the risk management plan. This helps to set expectations and ensures all stakeholders are on the same page when it comes to how risks will be effectively managed.
All identified potential risks
Risks can come from internal technical, management, commercial, or external sources. Technical sources might include scope requirements, estimates, constraints, processes, or technology. Management sources might include the organizational structure, the PMO, resources, communication, or the leadership. Commercial risk sources may involve contracts, vendors, customers, or partnerships. External sources could be regulatory, tax, financial, environmental, or competitive factors. To capture, identify, and document risks, a risk breakdown structure (RBS) can be used to categorize the sources for potential risk. Using an RBS helps ensure that all types of risks have been considered.
Qualitative and quantitative risk analysis
Once the potential risks have been identified, it is also important to conduct a qualitative and quantitative risk analysis. Qualitative analysis determines the probability and impact for each risk. This can be done using a matrix to capture and rate the impact from low to very high, as well as the probability, timing, cost and any other key factors. To do this, you may need to conduct a risk workshop to discuss the identified risks. Quantitative analysis requires expert judgment and the use of technology to gather business intelligence that will provide you with accurate data to complete this analysis. Quantitative analysis is not necessarily needed for all projects, but when conducted it is used to numerically analyze the effect or impact of risks and helps to identify the exposure of each risk to the project outcome. There are various quantitative techniques and tools that can be used. Here are just a few:
- Decision tree analysis, which identifies the impact of selecting one decision over another.
- Sensitivity analysis, which identifies the impact of a decision on a project.
- Three-point estimate, which assigns an optimistic, neutral, or pessimistic value to a decision.
Strategies selection and implementation
Your risk management plan should detail the risk strategies chosen, why they were chosen, and how the strategy will be implemented, including who will be involved, what their roles are, timing, success criteria, and how the status and progress will be monitored. It is important to include a risk register that will help track each risk as well as the other details previously mentioned. Some common project risk strategies include avoidance, acceptance, transfer, escalation, and mitigation.
Due to the potential implications of any risk, it is essential to involve cross-functional stakeholders who have tacit knowledge about their areas of business and any potential risks, as this will likely be vital to the success of the overall project.