Risk management plan
A risk is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives." Risk is inherent with any project, and project managers should assess risks continually and develop plans to address them. The risk management plan contains an analysis of likely risks with both high and low impact, as well as mitigation strategies to help the project avoid being derailed should common problems arise. Risk management plans should be periodically reviewed by the project team to avoid having the analysis become stale and not reflective of actual potential project risks.
Most critically, risk management plans include a risk strategy. Broadly, there are four potential strategies, with numerous variations. Projects may choose to:
- Avoid risk — Change plans to circumvent the problem;
- Control/Mitigate risk; — Reduces impact or likelihood (or both) through intermediate steps;
- Accept risk — Take the chance of negative impact (or auto-insurance), eventually budget the cost (e.g. via a contingency budget line);
- Transfer risk — Outsource risk (or a portion of the risk - Share risk) to third party/ies that can manage the outcome. This is done e.g. financially through insurance contracts or hedging transactions, or operationally through outsourcing an activity.
(Mnemonic: SARA for Share Avoid Reduce Accept, or A-CAT for "Avoid, Control, Accept, or Transfer")
Risk management plans often include matrices.
The United States Department of Defense, as part of acquisition, uses risk management planning that may have a Risk Management Plan document for the specific project. The general intent of the RMP in this context is to define the scope of risks to be tracked and means of documenting reports. It is also desired that there would be an integrated relationship to other processes. An example of this would be explaining which developmental tests verify risks of the design type were minimized are stated as part of the Test and Evaluation Master Plan. A further example would be instructions from 5000.2D  that for programs that are part of a System of systems the risk management strategy shall specifically address integration and interoperability as a risk area. The RMP specific process and templates shift over time (e.g. the disappearance of 2002 documents Defense Finance and Accounting Service / System Risk Management Plan, and the SPAWAR Risk Management Process).
- PMBOK Guide 3rd Edition, Glossary pg. 373.
- SECNAVINST 5000.2D 220.127.116.11 https://acc.dau.mil/CommunityBrowser.aspx?id=44705&lang=en-US
|This article needs additional citations for verification. (November 2007)|
- Georgia State University: Risk Management
- Creating The Risk Management Plan (template included)
- EPA RMP Rule page
- Risk Management Guide for DoD Acquisition (ver 6 - ver 5.2 more detailed but obsolete)
- Defense Acquisition University, System Engineering Fundamentals (see ch 15)
- US DoD extension to PMBOK Guide (see ch 11)
- Defense Acquisition Guidebook (DAG) - ch9 testing
- MSOffice template for Project Risk Management Plan
- DAU Risk Management Plan template
- Crosstalk magazine - Risk Management issue