Risk Management Plan

<Template>

Risk Management Plan

DOCUMENT REVISION HISTORY

Change
Request#
(Optional)

Document
Version

Approval
Date

Modified
By

Section, Page(s) and Text Revised

Note: Template Revision History can be found in Hidden Text.

TEMPLATE REVISION HISTORY (HIDDEN TEXT)

Change
Request#

Template
Version

Approval
Date

Saved 11 March 2016

Modified
By

Section, Page(s) and Text Revised

Page 2 of 9

Risk Management Plan

TABLE OF CONTENTS:
1.
2.
3.
4.
5.

INTRODUCTION..................................................................................................................3
SCOPE..............................................................................................................................4
RISK MANAGEMENT PROCESS................................................................................................4
METHODS AND TOOLS FOR RISK MANAGEMENT.........................................................................4
RISK IDENTIFICATION.........................................................................................................5
5.1 Risk Sources and Categories.........................................................................................5

6 RISK ANALYSIS...................................................................................................................6
6.1 Risk Parameters and Attributes.....................................................................................6
7 RISK MITIGATION/HANDLING AND CONTINGENCY PLANNING......................................................8
8 RISK MONITORING..............................................................................................................9
8.1 Escalation..................................................................................................................9
8.2 Communicate Key Risks.............................................................................................10

Saved 11 March 2016

Page 3 of 9

Risk Management Plan

1. INTRODUCTION
A Risk is any kind of event known or unknown that could positively or negatively affect the project
objectives.
Risk Management is the systematic and explicit approach used for identifying, analyzing, and
controlling project risk. The main purpose of this document is to define the approach for identifying,
evaluating, controlling, reporting, managing, and monitoring risks.
Recognizing and managing potential risks before they impact the project are essential aspects of
project management activities. In fact, it should be carried out when real information is most lacking,
precisely because it is at this time that a risk analysis can be of most use to the project team in
gaining an understanding of the project itself.

Risk management is a proactive and iterative process,

which assists in controlling costs, meeting deadlines and producing quality results.
Effective risk management requires a thorough analysis of work before each activity begins. A
complete understanding of inherent risks enables preventive action to be taken against schedule
delays and cost overruns. Risk management is a continuous process that reduces risk to a
manageable level or eliminates it entirely. The project will use the processes described in this
document to track, assign, evaluate, communicate and potentially alleviate risks.

The fundamental objectives of the risk management process are:

Identify, assess, and document factors or events that may affect project cost, schedule,
performance and/or the objectives of the project
Plan and develop strategies to minimize the possible effects of those factors or events
Involve stakeholders in the Risk Management Process
Communicate risks and their status with all stakeholders
Periodically review existing risks and identify new risks
By definition Very Small Work or Small Work is low risk. Risk identification and some risk
mitigation are provided within the Manage Small Work process. In most cases this is
sufficient for Very Small Work or Small Work. More rigorous risk management may be
provided at the umbrella project level if it is needed.

2. SCOPE
This document applies to all programmes/projects/engagements.
Programmes/Projects/engagements/business functions that require a more robust risk management
should create their own Risk Management Plan based on this plan, as part of the tailoring process.

3. RISK MANAGEMENT PROCESS

Risk Management process is used to guarantee that risks that may cause a potential impact to an
existing project will be: identified, controlled and monitored throughout project life cycle. It includes
maximizing the results of positive events and minimizing the consequences of adverse events.
Risk Management is divided in four sub processes:

Saved 11 March 2016

Page 4 of 9
309121711.doc

Risk Management Plan

Risk Identification

Risk Analysis and Prioritization

Risk Response Planning

Risk Monitoring
Review risks on as needed basis with the delivery manager and the PM SME.
Identify individuals (project managers, risk owners, and other team members) that require
risk management training.

4. METHODS AND TOOLS FOR RISK MANAGEMENT

All projects within the organization should utilize the High-Level Risk Assessment and Technical Launch
Evaluation within the Risk Management Tool. Results for both are populated in H_Lvl&Tech Rslts Tab
with Recommendations and Technical launch decision. Results provide a general evaluation of the
degree of risk that the project faces based on overall project characteristics, and to create an initial
set of overall risks.

In addition to those some other assets available in use for supporting Risk Management activities

Risk Management Plan Pattern and examples

Risk Assessment / Handling Plan Shell and examples

Communication Management Plan Pattern and examples

5. RISK IDENTIFICATION
Risk identification is, a sub process of Risk management, used to determine which risks are likely to
affect the project and documenting the characteristics of each.
Risks are identified from the Project start up and planning phase and continuously throughout project
execution, during project status meeting, at end of major development phases, during project
milestones and others.Identifying risk is an iterative process and it begins in the very early stages of
the project, based on the limited information available at that time, continues at a more detailed level
when the work is being planned, and then continues as the project plan is executed until the project is
closed.

This high-level risk assessment will be done at the beginning of the project planning phase, and as per
the project schedule, and when major re-planning is done.
The project teams will utilize the Risk Checklist provided in the Risk Management Tool to determine an
initial list of risks. All the risks will be stored in the Risk List tab of the Risk Management Tool. New
risks will be added to the risk list as they are identified throughout planning and execution.
Although the primary responsibility falls to an individual or group of individuals identified in the Roles
and Responsibilities Definition for the management of risk, everyone on the team is responsible to
communicate any risks they become aware of.

Saved 11 March 2016

Page 5 of 9
309121711.doc

Risk Management Plan

5.1 RISK SOURCES AND CATEGORIES

Risk Categories reflects the bins for collecting and organizing risks. A reason for
identifying risk categories is to help in the future consolidation of the activities in the risk
mitigation plans.
The High Level Risk Assessment will be used to document categories identified.
Risk Sources are the fundamental drivers that cause risks within a project or organization.
Risk sources identify common areas where risk may originate. There are many sources of
risk, both internal and external to a project.
The High Level Risk Assessment will be used to document those sources identified. This list
can be used when identifying risks to help ensure that all risk sources have been considered
and it can be used later to help determine how to manage those risks.
Organization will use the risk sources and categories listed in High Level Risk Assessment and
Risk Check List within the Risk Management Tool (H_Lvl Asmt and Risk Chklst tabs).
List of project risks will be further refined through team meetings and project review sessions,
where brainstorming may be the primary method of identification.
Risks will remain open as long as they exhibit probability of occurrence and potential impact to
the project. A risk may be closed when the project stakeholders jointly agree that (1) the risk
will never be realized, (2) the risk will not actually deter the project in any way or (3) the risk
was reduced and is no longer a risk. The risk may be closed if the risk event occurred and
action was taken. A risk with a status of CLOSED should not be deleted from the Risks List.
The Project Manager has the responsibility for maintaining the status of risks on a regular
basis for the life of the project.

6. RISK ANALYSIS
Risks must be analyzed to ensure that risk-handling activities are appropriately planned and invoked.
Analyzing risks entails determining how likely they are to occur and how severe the consequences
might become. The risks are then given a relative priority. Each risk is documented and
independently assessed to:

Determine the impact to the project

Determine the probability, or likelihood, the risk will occur
Determine the priority in relation to other risks
Select an approach for the handling of the risk

6.1 RISK PARAMETERS AND ATTRIBUTES

Use the following definitions when using the Risk List in the Risk Management Tool:

Level For production support projects, indicate to what change request the risk is related
to. For other projects, indicate if the risk is related to the Program or Project.
ABCD
Methodology

Traditional
Methodology

0.10

0.50

0.75

1.00

Very low

Low

Medium

High

With routine
management,
likely to solve itself

May occur if not

addressed

Will occur if special

attention is not paid
to it

Guaranteed to
become a problem
unless action is
taken

Parameter
Probability Likelihood of
becoming a
problem?

Saved 11 March 2016

Page 6 of 9
309121711.doc

Risk Management Plan

ABCD
Methodology

Traditional
Methodology

0.10

0.50

0.75

1.00

Very low

Low

Medium

High

Negligible impact;
no attention from
management

Noticeable impact
at the higher
levels of
management

Serious impact at all

levels of
management

Very serious impact;

potential Corporate
attention

Remote; a
peripheral activity

Some effect on
the main
programme.
Mainly near the
margins

Serious impact on
the main
project/programme
activities

Potential to bring the

main
project/programme
to a halt

There is time to
analyze and plan
risk mitigation

Late within the

current scope

Impact or action
needed soon

Impact will be felt

very soon, or action
needed now

Parameter
Impact - What is
the overall impact,
considering all
factors?
Define the values
to use for the
severity of adverse
consequences if
the risk does occur
Proximity (or
Criticality) - What
is the effect if we
don't find out for
sure?
Defines how close
a risk is to the
core objectives of
the project.
Time - How soon
must action be
taken?
Identifies how
much time there is
to manage the risk
Note: remember to
take into account
the length of the
project

Risk Exposure (Traditional) The cell will be colored based on the product of the
Probability and Impact values. (The Risk Exposure value is also used in the calculations to
determine the Risk Rating.)

Green values between 0 - 0.33

Orange values between 0.34 - 0.65

Red values between 0.66 -1.0

Risk Rating (Traditional) This field will indicate if the risk is Low, Medium or High. High
risks have the highest priority.

7. RISK MITIGATION/HANDLING AND CONTINGENCY PLANNING

Risk mitigation/handling plans are developed and implemented to proactively reduce the potential
impact of a risk occurring. Mitigating risks may require developing alternative courses of action,
workarounds, and fallback positions. Contingency plans address the impact of risks that may occur,
despite attempts to mitigate them, and define the actions to be taken once the risk has occurred or its
occurrence is imminent. The execution of these two plans is usually based on exceeding the
established triggers.
Saved 11 March 2016

Page 7 of 9
309121711.doc

Risk Management Plan

The plan may utilize any of the following approaches for Risk Response:

Accept accept the risk with a clear understanding of the potential impact(s)

Transfer transfer the risk to another group or individual that can better address the risk

Mitigate take steps to avoid, prevent, or minimize the possibility of the risk occurring

Avoid risks that cannot and will not be managed but still need to be documented as a risk

Mitigation/handling plans and contingency plans will be documented in the Risk Assessment/Handling
Plan shell.

The Risk Management Tool will automatically recommend the creation of Risk Assessment/Handling
Plan, based on the values of risk parameters and attributes, for risks with Risk Rating (Traditional) or
Risk Exposure (ABCD) rated as Medium or High. In any other case, whenever the Project Manager
considers necessary, risk mitigation/handling plans will be developed and implemented to proactively
reduce the potential impact of a risk occurring.
Assigned responsibility will be documented within the Risk Assessment/Handling Plans.
Make sure to reference the handling plan being created in the Risk Management tool by providing file
name (and path). Also evaluate including in a separate tab for each handling plan being created (using
the Risk Assessment/Handling Plan template).
All plans will be monitored regularly, according to the monitoring frequency documented in the plan.
All actions taken on the mitigation/handling and contingency plans must be documented within the
Risk Assessment/Handling Plans.

8. RISK MONITORING
Risks are monitored and controlled according to the plan. Risk mitigation/handling and contingency
plans are reviewed to determine if action must be taken. New risks are documented and analyzed.
The risk list is reviewed regularly according to the Risk Management Plan.
During the reviews, risks are examined to determine if the status has changed, and to ensure the
current analysis of the risk is valid. The impact, probability, and approach are reviewed and updated
including the creation of Risk Assessment/Handling Plans, if necessary.
Risk Assessment/Handling Plans are reviewed according to the documented frequency within the plans
to determine if the risk symptoms or contingency triggers and actions are current. If the risk
symptoms or contingency triggers for these plans have been exceeded, the appropriate actions are
taken and the status of these plans is monitored.
The following table defines the typical follow-up frequency that needs to be done to each risk item
based on the Risk Exposure index:
Risk Exposure (ABCD)
Risk Rating (Traditional)

Follow-up frequency

Low

Monthly

Medium

Weekly

High

Daily

If new risks are identified, they are analyzed and documented in the risk list. All new and modified
information is documented in the appropriate fields within the risk tool and the Risk
Assessment/Handling Plans.

Saved 11 March 2016

Page 8 of 9
309121711.doc

Risk Management Plan

8.1 ESCALATION
If a risk cannot be managed at any particular level of the project, it must be escalated to ensure
the risk is brought to the attention of appropriate parties and managed effectively.
Determine whether or not the risk needs to be escalated according to the following criteria:
Risks escalated for visibility or information only

All risks which affect more than one project

Any other risk which the Project Manager considers leadership needs to have an
awareness of

Risks escalated for leadership action or resolution All risks for which an effective risk
response cannot be developed at the project manager level
All risks for which a Risk Assessment/Handling Plan has not been formulated with an
acceptable timeframe (e.g., risk event is to occur in 30 days, the plan must be in place
within 7 days; or, a risk event is to occur in 6 months, the risk plan should be in place
within 30 days of the date the risk was identified)
An identified risk has not been acted upon within a maximum of two weeks from the
date identified
If escalation is considered necessary, notify leadership according to the projects escalation
path, defined in the Communication Plan. Indicate if the risk is being escalated for action,
resolution, visibility or information only. Update the Risk List and the Risk Assessment/Handling
Plan with the name and date that the escalation occurred. Track the risk until closed.

8.2 COMMUNICATE KEY RISKS

All risks are communicated as documented in the Communication Management Plan.
If a risk is realized, notify appropriate stakeholders. Contingency plans, as defined in the Risk
Assessment/Handling Plan, should be implemented immediately.

Saved 11 March 2016

Page 9 of 9
309121711.doc