
Risk Management Plan – (IS05 – LP11)

RISK MANAGEMENT PLAN

Information Sheet

IS05-Z-004-LP11

©CIDB, Page 1 of 10

CONTENT

1.0 Introduction

2.0 Application

3.0 Content of Risk Management Plan

3.1 Risk policy and process

3.2 Risk responsibilities

3.3 Risk thresholds

3.4 Risk finances

3.5 Risk evaluation

3.6 Process timing

4.0 Approaches

4.1 Risk process

4.2 Risk responsibilities

4.3 Risk thresholds

4.4 Risk finances

4.5 Risk evaluation

4.6 Process timing

5.0 Considerations

6.0 Risk Management Plan Format

7.0 Appendices

Appendix 1: A Risk Management Plan format (sample)

1.0 Introduction

The risk management plan lays down the groundwork for how risk management will be
carried out in a project. It serves as guidance for the risk process, its thresholds, and its
formats, defining the roles and responsibilities of stakeholders in risk management. It is
notable that the risk management plan is not a listing of specific risks and is not used to
establish the particular strategies for risks, once they are identified.

2.0 Application

The risk management plan is shared with project stakeholders to clarify their roles and
responsibilities in the risk management process and to identify when specific potential
risks are truly of concern to the organization. It also outlines the risk budgeting process,
detailing how and when risk contingency funds may be allocated and applied.

3.0 Content Of Risk Management Plan

The risk management plan consists of basic information about how risk management will
be conducted during the project. It does not address specific behaviors associated with
specific risks, but instead forms a framework for the rest of the risk management process.

3.1 Risk Policy and Process

A Risk Policy sets the tone and importance of having a practical Risk Management Plan
for the project/organization. It can be a short statement which defines the purpose and
goal of the Plan.

Risk process may be as simple as two steps (e.g., assessment and response) or as
complex as six or seven steps (e.g., planning, identification, qualification,
quantification, response development, and response control). The process should include
clarification on how each of the processes will be carried out and the level of depth of
information to be provided for each.

3.2 Risk Responsibilities

Just as the buyer and seller in project environments have different responsibilities for
deliverables, so do they have different responsibilities for risks. Those responsibilities
should be outlined here. Responsibilities may include information on who will identify
risks, as well as who should evaluate them and develop strategies for those that are of
the greatest significance.

3.3 Risk Thresholds

Thresholds represent personal and organizational tolerance for risk. They are the
definitions of tolerance in terms of budget, schedule, requirements, and other sensitive
cultural issues (e.g., politics, media exposure). They are normally expressed as ceilings
beyond which the project should not proceed, or as notification points for upper echelons
of management.

3.4 Risk Finances

This element of the risk management plan may address both funds set aside for risks
within the project (contingency reserve) and funds set aside within management control
for risks outside the project’s purview (management reserve). In both cases, this
component of the plan details how and when the project team may draw down funds from
those reserve accounts. Risk finances may also provide detail on how the amounts for the
reserve accounts will be established.

3.5 Risk Evaluation

Because evaluation protocols vary from project to project, the risk management plan
should include some detail on how risks will be scored and termed.

Particularly for risk qualification, there should be some definition of terms for both the
probability of a risk’s occurrence and for the impact should it come to pass. Many
projects employ the high–medium–low (H-M-L) scheme for both impact and
probability. The risk management plan should define each of those terms.

3.6 Process Timing

High-risk projects may require frequent risk re-evaluation. Projects with lower risk may
not require such frequency. The risk management plan should include detail on the
frequency of risk identification, assessment, and response development, as well as the
appropriate application of any tracking processes or documentation.

4.0 Approaches

For each of the components of the risk management plan, the approaches may be widely
varied. The key is to ensure some measure of consistency from project to project within
an organization. One example is provided here:

4.1 Risk Process

Risks shall be identified during an initial brainstorming session engaging all available
team members. (Risks shall be identified using full sentences to clarify the nature of the
negative effect they may have on the project and/or the organization.)

They shall be evaluated using the H-M-L scheme defined herein by the project manager
and/or his or her designee. Those risks achieving a score of M-H or greater shall be
posted on the team watch list, and strategies will be determined for each.

Strategies will become tasks embedded in the team activity list and will be assigned to
individual team members. They will be tracked as activities in the project management
software in a risk table and will be updated to reflect current status. The process shall be
updated at least once every 2 months.

4.2 Risk Responsibilities

The project manager shall serve as the risk coordinator. Another member of the project
team will serve as the team’s risk archivist both in updating the project management
software and in providing risk reports to management on an as-needed basis. Other team
members shall be responsible for their assigned risk activity. Minutes from all risk
meetings should be documented and disseminated within 3 days of the meetings’
conclusion.

4.3 Risk Thresholds


Any individual risks that (if they come to pass) will exceed these thresholds should be
escalated to the project manager’s attention immediately for further dispensation.

4.4 Risk Finances

Risk contingency for this project is established at a percentage (say, 8%) of the total
project budget. These funds may be allocated by identifying the specific nature of and
rationale for the allocation. Completed forms should be submitted to the Accounting
Department.

4.5 Risk Evaluation

The common evaluation criteria are as follows:

a. Probability
High—Happens frequently. Few projects don’t have this occur.
Medium—As likely as not. (Default for uncertain risks.)
Low—Could happen. It has been seen on at least one project before.
Remote—Very unlikely. Never been seen, but still plausible.

b. Impact
High—Cost: More than RM10,000. Schedule: Affects a critical path task.
Requirements: Visible to the customer or changes nature of the deliverable.
Medium—Cost: RM1,000–RM10,000. Schedule: Affects any task with less than 3 days of total
float. Requirements: Visible internally, no change to the nature of the
deliverable.
Low—Cost: Less than RM1,000. Schedule: Affects tasks with 3 days of total
float or more. Requirements: Invisible to all save the original developer.

All medium–high (probability–impact) items will be evaluated for risk strategies
and added to the tracking list.

4.6 Process Timing

The process shall be conducted at least once every other month.

5.0 Considerations

Because risk management plans are designed to encourage some measure of consistency
in risk management practice, they can often be recycled or reused from project to project.
If that’s done, the key is to ensure that the risk thresholds are appropriate for the current
project and that the responsibility assignments are updated to reflect the members of the
current project team.

6.0 Risk Management Plan Format

The plan can take many formats, but it should be practical and follow the Risk
Management Model mentioned earlier. There are basically 7 major sections:

• Project summary and system description
• Approach to risk management
• Application issues and problems
• Other relevant plans
• Conclusions and recommendations
• Approvals
• Appendices

7.0 Appendices

APPENDIX 1: A RISK MANAGEMENT PLAN FORMAT (SAMPLE)

1. PROJECT SUMMARY AND DESCRIPTION


1.1 Project Summary
1.1.1 Project and organizational objectives
1.1.2 Operational and technical characteristics
1.1.3 Key functions
1.2 Project description
1.2.1 Requirements
1.2.2 Schedule
1.2.3 Cost

2. APPROACH TO RISK MANAGEMENT


2.1 Definitions
2.2 Risk Policy
2.3 Overview of methodology
2.4 Risk Process and Timing
2.5 Risk Responsibilities
2.6 Risk Thresholds
2.7 Risk Finance

3. APPLICATION
3.1 Risk assessment
3.1.1 Risk identification
3.1.2 Risk quantification
3.1.3 Risk prioritization
3.2 Risk response development
3.3 Risk response control
3.3.1 Control evaluation
3.3.2 Control documentation

4. OTHER RELEVANT PLANS

5. CONCLUSIONS AND RECOMMENDATIONS

6. APPROVALS

7. APPENDICES
