RISK MANAGEMENT PLANNING

Risk management planning is the process of deciding how to approach, plan and execute the risk

management activities for a project. The risk management approach may include decisions about

the organization, staffing of the risk management activity, selection of the appropriate

methodology, the sources of data to identify risk, and the time frame for the analysis. It is

important to plan for the remaining processes of risk management so the level, type, and

visibility of risk management are commensurate with both the risk and importance of the project

to the organization.

A risk management plan involves risk identification, risk analysis, response planning, and

monitoring and control. Risk management planning is documented in a risk management plan

which indicates the following.

Methodology – defines the approaches, tools and data sources that may be used to perform risk

management on the project.

Roles and responsibilities – defines the lead, support, and risk management team membership for

each type of action in the risk management plan, assigns people to those roles, and clarifies their

responsibilities.

Budgeting – assigns resources and estimates costs needed for risk management for inclusion in

the project cost baseline.

Timing – defines when and how often the risk management process will be performed

throughout the project life cycle, and establishes risk management activities to be included in the

project schedule. Scoring and interpretation methods appropriate for the type and timing of the

risk assessment and quantification being formed. Methods and scoring must be defined in

advance to ensure consistency.

Risk categories – Provides a structure that ensures a comprehensive process of systematically

identifying risk to a consistent level of detail and contributes to the effectiveness and quality of

risk identification.

A definition of probability and impact – the quality and credibility of the qualitative risk analysis

process requires that different levels of the risks’ probabilities and impacts be defined.

Probability and impact matrix – Risks are prioritized according to their potential implications for

meeting the project’s objectives.

Revised stakeholders’ tolerances – stakeholders’ tolerances may be revised as they apply to the

specific project

Reporting formats – describes the content and format of the risk register as well as any other risk

reports required. Defines how the outcomes of the risk management processes will be

documented, analyzed, and communicated.

Tracking – documents how all facets of risk activities will be recorded for the benefit of the

current project, future needs, and lessons learned. Documents whether and how risk management

processes will be audited.

 Risk Identification

Risk identification determines which risks might affect the project and documents their

characteristics. The purpose is to locate risks before they become problems and to incorporate

this information into the project management process. It is not a one-time event and should be

performed throughout the project. It needs to consider internal (things the project team can

control or influence, such as staff assignments) and external (things beyond the control or

influence of the team such as a regulation) risks. Risk identification involves both opportunities

(positive outcomes) and threats (negative outcomes). It needs to be rigorously carried out for the

maximum benefit to be achieved. In many cases when projects have failed, investigations of

these projects have shown that risks were either present and known about from day one, risks

were built-in through the project team being unaware of the factors that gave risk to them and a

lack of a methodology to adequately identify and communicate risks, and risk identification was

not progressed on a tiered basis down to the lowest level on the project. Participants in the risk

identification process should include as many stakeholders as possible: the

project manager, project team, subject matter experts, customers, end users, outside experts, and

other stakeholders. Potential responses to risks may be identified during the risk identification

process.

Thus Risk identification involves capturing a statement of risk and capturing the context of risk.

Its objective is to locate risks before they become problems and to incorporate this information

into the project management process. It involves transforming uncertainties and issues about the

project into distinct or tangible risks that can be described and measured.
Risk Response Planning

The purpose of the risk response planning is to determine the method to respond to a risk. Risk

responses are planned by those who have the knowledge, expertise, background, and resources to

deal effectively with the risks. The planning process for individual risks or sets of risks is

basically the same.

Risk response planning is the process of developing options and determining actions to enhance

opportunities and reduce threats to the project’s objectives. It includes identification and

assignment of persons (the “risk response owner”) to take responsibility for each agreed-to and

funded risk response. Risk response planning addresses the risks by their priority, inserting

resources and activities into the budget, schedule, and project management plan, as needed.

Planned risk responses must be appropriate to the significance of the risk, cost-effective in

meeting the challenge, timely, realistic within the project context, agreed upon by all parties

involved, and owned by a responsible person. Selecting the best risk response from several

options is often required.