The document must take into account the context of the work. For example, a risk management plan produced for a small stand-alone construction project will be quite different from one for a large IT project that is part of a business change programme.
The introduction will describe the background to the work and make it clear how this document relates to other relevant documents, such as a stakeholder management plan or the policies of the host organisation, parent programme or portfolio.
The risk appetite may be described to ensure an understanding of how much risk is acceptable in pursuit of the objectives.
- Roles and responsibilities
Allocation of responsibility for risk management may range from the project manager in smaller projects to a dedicated team of specialists in a large programme or portfolio. This section of the management plan must clearly describe which roles have which responsibilities for risk management.
It will also show paths of escalation and communication within the P3 organisation structure.
- Information management
The composition and format of a risk register will be defined here along with any other specialist risk management documents. It is important to tailor the scope of the risk register to the needs of the work. For example, some fields in the register are important if aggregating risk across multiple projects or programmes is necessary, but otherwise overcomplicate the document and appear to add bureaucracy.
Any required progress reports should be described together with their purpose, timing and intended recipients.
The criteria for successful risk management that will be used in any assurance reviews will be described here.
There are two financial aspects to risk management. Firstly, there is the budget for the management of risk (external resources, software, internal resources etc.). Secondly, there is the budget that covers the cost of risk responses.
The risk management plan will not contain these budgets but will describe whether they exist, how they are calculated and managed, and where the figures are located.
Risk is inherent in all aspects of a project, programme or portfolio. Risk events and overall risk have links to documents on benefits, issues, stakeholders etc. How these interfaces and cross-references will be managed should be defined in this section.
This section will recommend the tools and techniques that should be used to identify risk events. These should reflect the nature of the work (e.g. routine or innovative) and the resources available.
Where lessons have been captured from previous work, they may be available as checklists and prompt lists of risk events or risk categories that need to be considered.
The field of risk assessment has a broad range of tools and techniques ranging from relatively simple qualitative analysis techniques to highly sophisticated quantitative analysis techniques and associated software applications.
Care must be taken in ensuring that this guidance includes those tools and techniques that are appropriate to the work being undertaken. Too much risk assessment can detract from making common sense decisions about the level and extent to which risk should be managed.
This section may also describe the parameters for the way some techniques are used. For example, it may define the scales to be used for probability and impact in qualitative analysis, the statistical distributions to be used in Monte Carlo analysis or the preferred method for calculating expected value.
- Plan responses
The preferred responses to risk will depend upon the risk context and in particular the risk attitude of the organisation. For example, it may be corporate policy to transfer as much threat as possible through insurance or suitable contract terms with suppliers. Conversely, an organisation may prefer to retain control over all threats for security or confidentiality reasons and bias responses towards reduction and avoidance.
Approaches to opportunities will also vary. In some environments (e.g. a contractor delivering an output) it is far less important to invest resource into identifying opportunities than in others (e.g. a pharmaceutical research project).
- Implement responses
Guidance for the selection of risk owners and actionees will be described here. The way that response actions will be monitored and controlled will also be described, and this should ensure that the information required to complete the previously defined reports is collected.