
Risk & Safety Management

Risk Management Plan (RMP)


A Risk Management Plan (RMP) is prepared by a project manager to address risks and their
potential impact on a program, and it consists of ways to reduce these risks. The RMP tells
the government and contractor team how risks will be reduced to a certain level by a
certain time.

Definition: A risk management plan is a detailed document that explains an organization’s
risk management process.
Understanding Risk Management

Risk management is a continuous process that is accomplished throughout the life cycle of
a system and should begin at the earliest stages of program planning. It is an organized
methodology for continuously identifying and measuring the unknowns; developing
mitigation options; selecting, planning, and implementing appropriate risk mitigations;
and tracking the implementation to ensure successful risk reduction. Effective risk
management depends on risk management planning; early identification and analyses of
risks; early implementation of corrective actions; continuous monitoring and reassessment;
and communication, documentation, and coordination. It’s most effective if it is fully
integrated with the program’s Systems Engineering, Program Management, and Test &
Evaluation processes.

Figure: Risk Management Process
Risk Management Plan (RMP) Topics

The risk management plan should address the following continuous key activities as shown
above:

• Risk Identification
• Risk Analysis
• Risk Mitigation Planning
• Risk Mitigation Plan Implementation
• Risk Tracking
Risk Management Plan (RMP) Objectives

The goal of well-written RMP objectives is to provide a repeatable process that reduces
risk on a project or program. The following are a few objectives of a risk management plan
that an organization can aim for.

• Reduce schedule impacts
• Reduce development cost
• Increase system performance
• Ensure proper communication
• Determine risk priorities
Risk Management Process in the Risk Management Plan (RMP)

The risk management process consists of eight (8) steps and should be detailed in the Risk
Management Plan.

• Step 1: Document the Risk Approach: The Program Manager (PM) and contractor
shall document the approach for managing risk as an integral part of the Systems
Engineering Process.
• Step 2: Identify and Document Risks: Risks are identified through a systematic
analysis process that includes system hardware and software, system interfaces (to
include human interfaces), and the intended use of the application and operational
environment.
• Step 3: Assess and Document Risk: The severity category and a probability level of
the potential mishap(s) for each risk across all system modes are assessed.
• Step 4: Identify and Document Risk Mitigation Measures: Potential risk
mitigation(s) shall be identified, and the expected risk reduction(s) of the
alternative(s) shall be estimated and documented in the Hazard Tracking System
(HTS). The goal should always be to eliminate the hazard if possible. When a
hazard cannot be eliminated, the associated risk should be reduced to the lowest
acceptable level within the constraints of cost, schedule, and performance by
applying the system safety design order of precedence. The system safety design
order of precedence identifies alternative mitigation approaches and lists them in
order of decreasing effectiveness.
• Step 5: Reduce Risk: Mitigation measures are selected and implemented to achieve
an acceptable risk level. Consider and evaluate the cost, feasibility, and effectiveness
of candidate mitigation methods as part of the Systems Engineering
Process and Integrated Product Team (IPT) processes. Present the current hazards,
their associated severity and probability assessments, and status of risk reduction
efforts at technical reviews.
• Step 6: Verify, Validate, and Document Risk Reduction: Verify the implementation
and validate the effectiveness of all selected risk mitigation measures through
appropriate analysis, testing, demonstration, or inspection. Document the
verification and validation in the HTS.
• Step 7: Accept Risk and Document: Before exposing people, equipment, or the
environment to known system-related hazards, the risks shall be accepted by the
appropriate authority as defined in DoDI 5000.02. The system configuration and
associated documentation that supports the formal risk acceptance decision shall be
provided to the Government for retention through the life of the system.
• Step 8: Manage Life-Cycle Risk: After the system is fielded, the system program
office uses the system safety process to identify hazards and maintain the HTS
throughout the system’s life-cycle. This life-cycle effort considers any changes
including, but not limited to, the interfaces, users, hardware and software, mishap
data, mission(s) or profile(s), and system health data. Procedures shall be in place to
ensure risk management personnel are aware of these changes, e.g., by being part of
the configuration control process.
Risk Mitigation Strategies in the Risk Management Plan (RMP)

Understanding Risk Mitigation in Step 4 of the Risk Management Process is critical in
developing an RMP. For each risk that is identified, the type of mitigation strategy must be
determined and the details of the mitigation described in the RMP. The intent of the risk
mitigation plan is to ensure successful risk mitigation occurs. The most appropriate
strategy is selected from these mitigation options:

• Risk Avoidance: This is when it’s decided to perform other activities that don’t
carry the identified risk by eliminating the root cause and/or consequence. It seeks
to reconfigure the project such that the risk in question disappears or is reduced to
an acceptable value.
• Risk Controlling: This is when you control the risk by managing the cause and/or
consequence. Risk control can take the form of installing data-gathering or early
warning systems that provide information to assess more accurately the impact,
likelihood, or timing of a risk. If a warning of risk can be obtained early enough to
take action against it, then information gathering may be preferable to more
tangible and possibly more expensive actions.
• Risk Transfer/Sharing: This is when you share the risk with a third party like an
insurance company or subcontractor.
• Risk Assumption: This is accepting the loss, or benefit of gain, from a risk when it
occurs. Risk assumption is a viable strategy for small risks where the cost of
insuring against the risk would be greater over time than the total losses sustained.
Risk Management Plan (RMP) Development Steps

An RMP should be structured to identify, assess, and mitigate risks that have an impact on
overall program life-cycle cost, schedule, and/or performance. It should also define the
overall program approach to capture and manage root causes. It should be created before
and after you create the Integrated Master Schedule (IMS), as it will be looking at the tasks
in the Project Schedule and other factors for potential risk items.

10 Steps in Developing a Risk Management Plan (RMP)

• Step 1: Establish the basic approach and working structure
• Step 2: Develop and document an overall risk management process (See Above)
• Step 3: Establish the purpose and objective
• Step 4: Assign responsibilities for specific areas
• Step 5: Describe the assessment/analysis process
• Step 6: Document sources of information
• Step 7: List potential risks and their impacts
• Step 8: Develop mitigation strategies
• Step 9: Establish reporting/tracking procedures
• Step 10: Write Plan
Risk Management Plan (RMP) Format

The risk management plan should follow a standardized format from the organization. An
example RMP format: [1]

• Introduction
• Program Summary
• Risk Management Strategy and Process
• Responsible/Executing Organization
• Risk Management Process and Procedures
• Risk Identification
• Risk Assessment Matrix
• Risk Analysis
• Risk Mitigation Planning
• Risk Mitigation Implementation
• Risk Tracking
Template: Risk Management Plan

Template: Project Risk Management

Utilize the Risk Reporting Matrix

The risk management plan should detail how the Risk Reporting Matrix is used to
determine the level of risks identified within a program. The level of risk for each root
cause is reported as low (green), moderate (yellow), or high (red).

Writing a Good Risk Management Plan (RMP)

The key to writing a good plan is to provide the necessary information so the program team
knows the goals, objectives, and the program office’s risk management process. Although
the plan may be specific in some areas, such as the assignment of responsibilities for
government and contractor participants and definitions, it may be general in other areas to
allow users to choose the most efficient way to proceed. [1]

Risk Management Plan (RMP) Updates

The Program Management Office (PMO) should periodically review and update the RMP
at major acquisition events. At the end of each Acquisition Phase, risk planning should be
used in preparation for the next phase. [1]
Risk Management Plan (RMP) in other Acquisition Documents

The plan is integral to overall program planning and should be addressed in the
program Acquisition Strategy, and/or the Systems Engineering Plan (SEP). [1]

AcqNotes Tutorial

AcqLinks and References:

• DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisitions – Jan 2017
• (Old) DoD Risk Issue and Opportunity Management Guidance for Defense
Acquisition Programs – June 2015
• [1] DoD Risk Management Guidebook – Section 8 – Aug 06 (Outdated)
• Risk Assessment Checklist
• Risk Assessment Worksheet and Management Plan
• Continuous Risk Management Guidebook by Carnegie Mellon
• Template: Risk Management Plan
• Template: Project Risk Management Template
