Risk management plan

A risk management plan is a document that a project manager prepares to foresee risks, estimate impacts, and define responses to risks. It also contains a risk assessment matrix. According to the Project Management Institute, a risk management plan is a "component of the project, program, or portfolio management plan that describes how risk management activities will be structured and performed". [1]

Moreover, according to the Project Management Institute, a risk is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives". [1] Risk is inherent in any project, and project managers should assess risks continually and develop plans to address them. The risk management plan contains an analysis of likely risks with both high and low impact, as well as mitigation strategies to help the project avoid being derailed should common problems arise. The project team should review the risk management plan periodically so that the analysis does not become stale and stop reflecting the project's actual potential risks.

Risk response

Broadly, there are four potential responses to risk with numerous variations on the specific terms used to name these response options: [2] [3]

(Mnemonic: SARA, for Share Avoid Reduce Accept, or A-CAT, for "Avoid, Control, Accept, or Transfer")

Risk management plans often include matrices.

Examples

The United States Department of Defense, as part of acquisition, uses risk management planning that may have a Risk Management Plan (RMP) document for the specific project. The general intent of the RMP in this context is to define the scope of risks to be tracked and the means of documenting reports. An integrated relationship to other processes is also desired. An example of this would be explaining which developmental tests, stated as part of the test and evaluation master plan, verify that risks of the design type were minimized. A further example would be instructions from 5000.2D [4] that, for programs that are part of a system of systems, the risk management strategy shall specifically address integration and interoperability as a risk area. The RMP-specific process and templates shift over time (e.g. the disappearance of 2002 documents Defense Finance and Accounting Service / System Risk Management Plan, and the SPAWAR Risk Management Process).

Citations

  1. Project Management Institute 2021, Glossary §3 Definitions.
  2. Special Publication 800-37 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS (revision 2 draft ed.). National Institute of Science and Technology. May 2018.
  3. CRISC Review Manual (6th ed.). ISACA. 2015. ISBN 978-1-60420-371-4.
  4. SECNAVINST 5000.2D 3.4.4.1
