
Your risk management plan is a subsidiary plan of the overall project management plan and is important to know for the PMP Certification Exam. It describes how risk identification, analysis, and response planning will be conducted. It should be tailored to the needs of the project.

Risk management plan. A component of the project, program, or portfolio management plan that describes how risk management activities will be structured and performed.

Information in the risk management plan varies by application area and project size. The risk management plan is different from the risk register that contains the list of project risks, the results of risk analysis, and the risk responses.

The PMBOK Guide provides a list of some of the elements that should be included in the risk management plan, such as

  • Methodology: Define the approach, tools, and data that you use to manage risk.

  • Roles and responsibilities: Describe the role that various stakeholders have for managing risk. This can include a risk manager for very large projects, or the responsibility that each team member has with regard to risk management.

  • Budgeting: Estimate the funds needed for risk identification, analysis, and response. Also, define the approach for allocating, using, and recording contingency funds.

  • Timing: Identify the risk management activities that need to be added to the schedule and cite how often they will occur. Define the approach for allocating, using, and recording contingency for the project schedule.

  • Risk categories: Identify the major categories of risk on the project and decompose them into subcategories. The PMBOK Guide has an example of an RBS using technical, external, organizational, and project management as the main categories. These are then further decomposed to the level that makes sense for the project. Some branches may have two levels, and others may go down further.

    You can also categorize risks by objectives, such as scope, schedule, cost, quality, or stakeholder risks. These would then be further decomposed. These are not the only approaches to developing an RBS, though. You should develop one to meet the needs of your project.

  • Definitions of probability and impact: To analyze risks effectively, use a common method of rating the probability of an occurrence and the impact if it does occur.

  • Probability and impact matrix: Include a probability and impact matrix (PxI matrix) that rates each combination of probability and impact as a high, medium, or low risk. In a balanced matrix the low, medium, and high cells are distributed roughly evenly; a risk-averse organization would instead shade more of the grid as high risk, so that more combinations trigger a response.

    As part of establishing your definitions for probability and impact, you are also defining your thresholds for action. A threshold is the point at which you must act. By specifying which combinations of probability and impact count as low, medium, or high, you are stating which risks you can simply watch, which require action to reduce their probability or impact, and which must be avoided outright.

  • Revised stakeholder tolerances: If needed, update the stakeholders' risk tolerances to reflect viewpoints that may have shifted while the risk management plan was being compiled.

  • Reporting and tracking formats: Describe how risks will be recorded and reported during the project. This can include a sample risk register, sample risk data sheets, and risk analysis templates.
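As an added illustration, not part of the original article or the PMBOK Guide, the following Python sketch applies a PxI matrix to a small constructed risk register and shows how the thresholds for action change what a risk is rated. The five-point probability and impact scales, the balanced and risk-averse threshold values, the observe/mitigate/avoid mapping, and the register entries are all assumptions made for the example; a real plan defines its own.

```python
from dataclasses import dataclass

# Common rating scales (assumed five-point ordinal scales; the PMBOK Guide
# leaves the actual definitions to the project). Using integers rather than
# percentages keeps the P x I arithmetic exact.
PROBABILITY = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Thresholds for action (assumed values). A score at or below low_max is
# "low" (observe), at or above high_min is "high" (avoid), anything between
# is "medium" (mitigate). The balanced set splits the 25-cell grid 8/9/8;
# the risk-averse set pulls both cut-offs down so 13 of 25 cells rate high.
BALANCED = {"low_max": 4, "high_min": 12}
RISK_AVERSE = {"low_max": 2, "high_min": 8}

# Rating -> response. Hypothetical mapping for illustration.
ACTION = {"low": "observe", "medium": "mitigate", "high": "avoid"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    category: str      # RBS branch the risk hangs under
    probability: str   # key into PROBABILITY
    impact: str        # key into IMPACT


def score(risk: Risk) -> int:
    """P x I score on the 1..25 scale."""
    return PROBABILITY[risk.probability] * IMPACT[risk.impact]


def rate(value: int, thresholds: dict) -> str:
    """Map a P x I score to low/medium/high using the given thresholds."""
    if value >= thresholds["high_min"]:
        return "high"
    if value <= thresholds["low_max"]:
        return "low"
    return "medium"


def build_matrix(thresholds: dict) -> dict:
    """Full 5x5 grid: (probability label, impact label) -> rating."""
    return {
        (p, i): rate(PROBABILITY[p] * IMPACT[i], thresholds)
        for p in PROBABILITY
        for i in IMPACT
    }


def count_ratings(thresholds: dict) -> dict:
    """How many cells of the matrix fall into each rating."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for rating in build_matrix(thresholds).values():
        counts[rating] += 1
    return counts


def assess(register, thresholds: dict) -> list:
    """Rate every risk in the register and attach the action its rating implies."""
    rows = []
    for risk in register:
        s = score(risk)
        r = rate(s, thresholds)
        rows.append({"id": risk.risk_id, "category": risk.category,
                     "score": s, "rating": r, "action": ACTION[r]})
    return rows


def reclassified(register) -> list:
    """IDs whose rating differs between the balanced and risk-averse thresholds."""
    balanced = {row["id"]: row["rating"] for row in assess(register, BALANCED)}
    averse = {row["id"]: row["rating"] for row in assess(register, RISK_AVERSE)}
    return [rid for rid in balanced if balanced[rid] != averse[rid]]


# Constructed sample register; IDs, text and ratings are made up for the example.
REGISTER = [
    Risk("R1", "Build pipeline pulls a third-party library with a known unpatched flaw",
         "Technical > Security", "high", "high"),
    Risk("R2", "Key stakeholder reassigned mid-project",
         "Organizational > Resources", "low", "high"),
    Risk("R3", "Vendor delivers test environment late",
         "External > Suppliers", "medium", "low"),
    Risk("R4", "Minor documentation rework after review",
         "Project Management > Planning", "low", "very low"),
    Risk("R5", "Regulator revises logging retention guidance during the project",
         "External > Regulatory", "very low", "medium"),
]

if __name__ == "__main__":
    for name, thresholds in (("balanced", BALANCED), ("risk-averse", RISK_AVERSE)):
        print(f"{name} matrix cells: {count_ratings(thresholds)}")
        for row in assess(REGISTER, thresholds):
            print(f"  {row['id']} score={row['score']:>2} {row['rating']:<6} -> {row['action']}")
    print("reclassified by the risk-averse thresholds:", reclassified(REGISTER))
```

Running it shows the point the bullet makes: the same register entry (R2, a low-probability but high-impact risk) is "medium, mitigate" under the balanced thresholds and "high, avoid" under the risk-averse ones, so the thresholds, not the scores, decide when the team must act.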

Risk management is the least well-practiced discipline in project management. Having a robust risk management plan helps you integrate good risk management practices into your project.

Risk category. A group of potential causes of risk.

Risk breakdown structure (RBS). A hierarchical representation of risks according to their risk categories.

Probability and impact matrix (PxI matrix). A grid for mapping the probability of each risk occurrence and its impact on objectives if that risk occurs.

The PMBOK Guide presents one approach to the risk management plan. Of course, there are others. Ultimately, the needs of the project determine what should be in your risk management plan.

When answering questions in risk management, always keep in mind that prevention is preferred over reaction.
