As organizations begin new projects they begin operating in an area of uncertainty that comes along with developing new and unique products or services. By doing so, these organizations take chances which results in risk playing a significant part in any project. The purpose of the risk management plan is to establish framework in which the project team will identify risks and develop strategies to mitigate or avoid those risks. However, before risks can be identified and managed, there are preliminary project elements which must be completed. These elements are outlined in risk management approach.
This project is considered a medium risk project as it has an overall risk score of 24 on a scale from 0 to 100. The project risk score is the average of the risk scores of the most significant risks to this project. A risk score below 16 is low risk project, a score between 16 and 45 is a medium risk project and a score above 45 is a high risk project.
Before risk management begins it is imperative that a foundation is established for providing structured project information, thus, the following project elements were completed and defined prior to developing this Risk Management Plan:
Top Three Risks
It is important to explicitly state the top three risks to the project in the Risk Management Plan. This will make management aware of the top risks for the project and the nature of the risks.
The top three high probability and high impact risks to this project are:
Delay in Server Equipment
Fiber Optics Connection Not Completed
Network Operations Center ( NOC ) Not Appropriately Staffed
Risk Management Approach
This section of the Risk Management Plan provides a general description for the approach taken to identify and manage the risks associated with the project. It should be a short paragraph or two summarizing the approach to risk management on this project.
The approach we have taken to manage risks for this project included a methodical process by which the project team identified, scored, and ranked the various risks. The most likely and highest impact risks were added to the project schedule to ensure that the assigned risk managers take the necessary steps to implement the mitigation response at the appropriate time during the schedule. Risk managers will provide status updates on their assigned risks in the bi-weekly project team meetings, but only when the meetings include their risk's planned timeframe. Upon the completion of the project, during the closing process, the project manager will analyze each risk as well as the risk management process. Based on this analysis, the project manager will identify any improvements that can be made to the risk management process for future projects. These improvements will be captured as part of the lessons learned knowledge base.
Here the Risk Management Plan explains the process by which the risks associated with this project were identified. It should describe the method(s) for how the project team identified risks, the format in which risks are recorded, and the forum in which this process was conducted. Typical methods of identifying risks are expert interview, review historical information from similar projects and conducting a risk assessment meeting with the project team and key stakeholders.
For this project, risk identification was conducted in the initial project risk assessment meeting. The method used by the project team to identify risks was the Crawford Slip method. The project manager chaired the risk assessment meeting and distributed notepads to each member of the team and allowed 10 minutes for all team members to record as many risks as possible.
Risk Assessment Meeting
Historical Review of Similar Projects
Risk Qualification and Prioritization
Once risks are identified it is important to determine the probability and impact of each risk in order to allow the project manager to prioritize the risk avoidance and mitigation strategy. Risks which are more likely to occur and have a significant impact on the project will be the highest priority risks while those which are more unlikely or have a low impact will be a much lower priority. This is usually done with a probability – impact matrix. This section explains risks were qualified and prioritized for this project. For more information on how to qualify and prioritize risks refer to our Risk Assessment Meeting Guide.
In order to determine the severity of the risks identified by the team, a probability and impact factor was assigned to each risk. This process allowed the project manager to prioritize risks based upon the effect they may have on the project. The project manager utilized a probability-impact matrix to facilitate the team in moving each risk to the appropriate place on the chart.
Once the risks were assigned a probability and impact and placed in the appropriate position on the chart, the recorder captured the finished product and the project manager moved the process on to the next step: risk mitigation/avoidance planning.
This section of the Risk Management Plan should discuss how the risks in the project will be actively monitored. One effective way to monitor project risks is to add those risks with the highest scores to the project schedule with an assigned risk manager. This allows the project manager to see when these risks need to be monitored more closely and when to expect the risk manager to provide status updates at the bi-weekly project team meetings. The key to risk monitoring is to ensure that it is continuous throughout the life of the project and includes the identification of trigger conditions for each risk and thorough documentation of the process.
The most likely and greatest impact risks have been added to the project plan to ensure that they are monitored during the time the project is exposed to each risk. At the appropriate time in the project schedule a Risk Manager is assigned to each risk. During the bi-weekly project team meeting the Risk Manager for each risk will discuss the status of that risk; however, only risks which fall in the current time period will be discussed. Risk monitoring will be a continuous process throughout the life of this project. As risks approach on the project schedule the project manager will ensure that the appropriate risk manager provides the necessary status updates which include the risk status, identification of trigger conditions, and the documentation of the results of the risk response.
Risk Mitigation and Avoidance
Once risks have been qualified, the team must determine how to address those risks which have the greatest potential probability and impact on the project. This section of the Risk Management Plan explains the considerations which must be made and the options available to the project manager in managing these risks.
The project manager has led the project team in developing responses to each identified risk. As more risks are identified, they will be qualified and the team will develop avoidance and mitigation strategies. These risks will also be added to the Risk Register and the Project Plan to ensure they are monitored at the appropriate times and are responded to accordingly. If necessary, the Risk Management Plan will be updated.
The risks for this project will be managed and controlled within the constraints of time, scope, and cost. All identified risks will be evaluated in order to determine how they affect this triple constraint. Project manager, with the assistance of project team, will determine best way to respond to each risk to ensure compliance with these constraints.
In extreme cases it may be necessary to allow flexibility to one of the project's constraints. Only one of the constraints for this project allows for flexibility as a last resort. If necessary, funding may be added to the project to allow for more resources in order to meet the time (schedule) and scope constraints. Time and scope are firm constraints and allow for no flexibility. Again, the cost constraint is flexible only in extreme cases where no other risk avoidance or mitigation strategy will work.
Risk Register Every project must maintain a risk register in order to track risks and associated mitigation strategies. This section describes the risk register criteria as well as where the risk register is maintained and how these risks are tracked in the project schedule.
The Risk Register for this project is a log of all identified risks, their probability and impact to the project, the category they belong to, mitigation strategy, and when the risk will occur. The register was created through the initial project risk management meeting led by the project manager. During this meeting, the project team identified and categorized each risk. Additionally, the team assigned each risk a score based on the probability of it occurring and the impact it could potentially have. Risk Register also contains the mitigation strategy for each risk as well as when the risk is likely to occur.
Based on the identified risks and timeframes in the risk register, each risk has been added to the project plan. At the appropriate time in the plan—prior to when the risk is most likely to occur—the project manager will assign a risk manager to ensure adherence to the agreed upon mitigation strategy. The each risk manager will provide the status of their assigned risk at the bi-weekly project team meeting for their risk's planned timeframe. Risk Register will be maintained as an appendix to this Risk Management Plan.