DoIT Project Management Advisor
Stage 3: Plan the Project


How to: Develop Risk Management Plan

Recommended actions and strategies


What to do

How to do it


Hold risk management planning kickoff meeting

Engage key stakeholders and risk management decision makers as identified in the Initiate Stage for every step in the Risk Management Plan development.

Prepare a straw model of Risk Management Plan components and key decisions based on the steps noted below.

Prepare an agenda to review the risk management strategy and key components to be decided for the Risk Management Plan.

Hold the risk management planning kickoff meeting, document outcomes, and determine additional steps and assignments to complete the Risk Management Plan.


Expand general areas of risk for the project into a detailed list of risks

Begin with the areas of risk identified in the Initiate Stage. Expand the list to identify all specific risks known within each area. Make the list as comprehensive as possible at this stage.
The list will be continually updated throughout the Execute and Control Stage of the project as more becomes known about additional risks or about risks that are no longer pertinent.


Set guidelines for risk analysis approach

With reference to the organization’s general disposition toward risk likelihood and impact categories, set guidelines that define what type and level of analysis is needed.

Options for type of analysis include:

  • A qualitative analysis of a risk, which determines the factors that would cause the deviation, the likelihood of its occurrence, and the impact were it to occur.
  • A quantitative analysis of a risk, in which its likelihood is expressed as a probability and the impact of the deviation is expressed as a monetary value. Although the quantitative analysis of risk can be indispensable for highly complex projects, detailed discussion is beyond the scope of the PMA. See the references section below for sources of further information.

The option chosen for level of analysis depends on how comprehensive an assessment is needed for the particular project. Examples include:

  • Careful research or reliance on industry expertise regarding risks for projects of this nature.
  • General sense of the key stakeholders regarding the risks for this project.


Define risk likelihood categories

Risk likelihood categories can either be general “qualitative” measures, such as a scale from extremely unlikely to extremely likely, or specific “quantitative” ranges of probabilities.


Define risk impact categories

Risk impact categories can either be expressed as general “qualitative” measures, such as an indication of what areas of the project deliverables or organization would be impacted, or as specific “quantitative” measures, such as monetary impacts.


Establish risk likelihood and impact values for each risk

Assess and assign risk likelihood and impact values to each risk based on the categories defined. Document risk likelihood, impact, and type of analysis required (i.e., qualitative or quantitative) for each risk in a risk register.


Define the response for each risk

For each risk, judge the likelihood and impact and determine an appropriate response strategy. List the response strategy and a specific response action in the risk register.

Response strategies fall into four categories:

  • Avoidance. The avoidance strategy eliminates the possible deviation by changing the project deliverables against which the deviation is defined.
  • Mitigation. The mitigation strategy sets out to alter the likelihood or the impact of the risk.
  • Transference. The transference strategy transfers the impact of the deviation to a third party.
  • Acceptance. The acceptance strategy merely acknowledges the risk, but does not specify any immediate action to take in response to the risk, although a contingency plan should be defined.

Examples of specific response actions for each strategy include:

  • Avoidance: For a negative risk, one could decide not to undertake the deliverable. For a positive risk or opportunity, one could exploit the opportunity by incorporating it into the project as a planned deliverable.
  • Mitigation: For negative risks, take steps to reduce the probability that risk factors will cause a deviation from the project plan or to reduce the amount of deviation. For a positive risk, such as a cost savings opportunity, take steps to increase the likelihood or amount of the cost savings.
  • Transference: Purchasing insurance is a classic risk transference strategy. On the positive side, a plan to share possible cost savings with a vendor as an incentive is an example of transference.
  • Acceptance: Merely note that the risk is accepted.


Define risk management roles, responsibilities, and competencies

Typical roles include:

  • Risk manager
  • Risk response decision maker

Note any special expertise or level of responsibility associated with each role.

For large projects, responsibilities may be divided among several people based on their specializations.


Determine how aggressively to manage risk for this project

Identify significant risks for this project as follows:

  • Based on the areas of risk noted in the risk management strategy, identify specific risks for which there is a low tolerance or threshold and note this in the risk register.
  • Based on the likelihood and impact for each of these risks, determine how significant they are to the success of the project.
  • Determine if any of these risks are unacceptable and if there are implications for continuing the project.
  • Evaluate these findings with the risk management decision makers and recommend any pertinent actions.

Determine the frequency of monitoring for factors that could cause a risk to be realized, and determine any associated response procedures.
Determine the frequency for reviewing and updating the risk register.


Define logging, monitoring, and reporting requirements

Typical requirements include:

  • Components of a risk register record
  • Risk log mechanism (e.g., spreadsheet, automated system)
  • Risk factor monitoring and reporting frequency


Establish guidelines for communicating realized risks and responses to key stakeholders

Control of risks should be communicated clearly throughout the project. The plan that describes to whom and how this communication will occur should appear in the risk management plan and again in the project’s communication plan (if only by reference).


Estimate total effort to manage risk and adjust project budget and schedule

Estimate total project effort (e.g., staff, time) required to address the expected total impact of all risks. Incorporate estimates into the project’s staffing plan, schedule, and budget.


Additional resources - Bibliography

Note: These resources can also be found in the Project Management section of the DoIT Resource Center.

A Guide to the Project Management Body of Knowledge, 3rd edition. Project Management Institute. 2004.

Mulcahy, Rita, Risk Management: Tricks of the Trade for Project Managers, RMC Publications. 2003.

Wideman, R. Max, editor. Project & Program Risk Management: A Guide to Managing Project Risks and Opportunities. Project Management Institute. 1992.




Updated March 1, 2007 - v2.1