Since plan risk management activities have a bearing on other risk management activities, including scope, cost, schedule, and quality, risk planning should occur as early as possible
Plan Risk Management involves:
- Defining what risk management activities will occur.
- Establishing the allotted time and cost of risk management activities.
- Assigning risk management responsibilities.
- Deciding how risk probability and impact will be measured.
- Deciding on acceptable risk thresholds and tolerances.
Plan Risk Management Process Decomposition
Plan Risk Management Process: Inputs
- Project scope statement:
The project scope statement details the measurable goals, objectives, deliverables, and requirements of the project, and what the acceptance criteria of deliverables will be.
It also describes the work required to meet all objectives and deliverables of the project, and it also contains milestones, assumptions, risks, and costs.
The project scope provides an indication of the level of risk management that the project will require.
- Cost management plan:
The cost management plan is a part of the project management plan, and it provides guidance for all the cost processes.
It establishes how project costs will be planned for, estimated, organized, reported on, forecasted, and managed.
For planning of risks, the cost management plan defines how the financial costs of risk management activities will be budgeted for.
- Schedule management plan:
Part of the project management plan, the schedule management plan details how the project schedule will be managed and controlled.
For risk planning, it defines how risk management activities will be scheduled.
- Communications management plan:
The communications management plan is a subsidiary plan of the project management plan, and it details the communications needs and requirements of the project and of the stakeholders, assigns responsibility, details the frequency and methods for communication elements, and defines the escalation paths for issues.
For risk planning, it defines how data on risk will be communicated.
- Enterprise environmental factors:
Risk planning is affected by the risk tolerances of the organization and its stakeholders.
- Organizational process assets:
Risk planning is affected by the risk management methodology of the organization, standardized risk management templates (risk categories), and risk reporting formats.
Plan Risk Management Process: Tools and Techniques
- Planning meetings and analysis:
Risk management planning will involve meetings and discussions between the project manager, project team, stakeholders, and others within the organization as needed.
Plan Risk Management Process: Outputs
- Risk management plan:
The risk management plan is a component of the project management plan. It details and defines the risk management activities for the project.
The plan establishes the risk methodology, risk roles and responsibilities, risk categories, probability and impact scales, risk tolerances, frequencies of risk management activities and reporting, and the budget and schedule for risk management activities.
Risk Management Plan
Each knowledge area has at least one subsidiary plan focusing on a specific subject as part of the overall project management plan.
Preplanning is the purpose of these components, and these plans map out the specific requirements for the deliverables and project management processes that will take place in that knowledge area.
This preplanning may sound like a lot of work, but we can think of these subsidiary plans as being the scope statements for the knowledge area because they describe the who, what, where, why, and how of the project management work that will be performed for that section’s subject matter.
The risk management plan pre-plans for project risk management.
This plan establishes:
Risk management methodology for the project:
- Risk management methodology, describing the approaches, tools, and techniques that’ll govern how project risk management will occur
- Risk categories
- Common lexicon of risk terminology
- Probability and impact scales, definitions, and estimating techniques
- Formats and methods that’ll be used for risk reporting
Responsibilities for risk management activities:
- Risk roles as required for the project (risk manager, risk management team)
- Responsibilities for subsequent risk management processes (risk identification, qualitative and quantitative analysis, risk response planning, and risk monitoring)
Budget, schedule, and frequency of risk management activities:
- Activities needed for risk management (and incorporated into the project schedule)
- Resources and costs allocated to risk management and risk activities as later defined and incorporated into project cost baseline
- Frequency of risk management activities, such as risk reassessments and risk audits Tolerances, thresholds, and authority levels
- Stakeholder risk tolerances
- Tolerance levels and thresholds for risks
- Decision-making authority levels and escalation paths
Risk categories are general classifications that individual risks will be assigned to, and these categories are established as part of the risk management plan.
They are helpful for organizing risks, spotting trends, aiding risk identification, and for reporting.
These categories can be based on standards set by the organization or industry, or they may be specific to the project type.
Risk categories are shown on a risk breakdown structure, which is a hierarchical, graphical display of risk categories similar in appearance to the work breakdown structure having multiple tiers of related risk classifications.
Probability and Impact Scales
Later risk processes will prioritize and assess risks based on their probability and what kinds of impacts they’ll have on the project if they occur.
Those assessments need to use a consistent approach to be valid, so the risk management plan establishes what scales will be used to measure probability and impact.
The scales need to be clear and well understood by the people involved in the risk processes, and they should be complex enough to accurately represent the risk yet be simple enough so that they're meaningful.
For example, having a scale that runs from one to one hundred sounds like it would lead to better risk data, but it might only generate confusion since people could find it difficult to gauge what exactly is the difference between a ranking of say 63 and 68.
Scales also need to incorporate a weighting method for the importance of different project objectives.
For instance, if staying on the project is most critical then risks that could have a negative financial impact need to be weighted more heavily.
When establishing probability and impact scales, there are three types of scales that can be used:
- A relative scale (or ordinal scale) is the most simple and uses indicators such as low, medium, and high.
These types of scales are easy to understand but they may not be detailed enough for some projects. Relative scales are usually correlated to a linear or non-linear scale.
- A linear scale (or cardinal scale) is numeric and is commonly used to express the probability of the risk, so a rating of 1 would imply a very low probability while a rating of 9 would indicate a very high probability.
- A non-linear scale is also numeric, but the intervals between the designations aren't equal (e.g., 1, 2, 4, 8, 16).
Non-linear scales are used to give more or less weight to an objective or impact.
Probability and Impact Matrix
The probability and impact matrix provides a visual and textual, color-coded structure to the scale and scoring for the probability and impact of risks.
The matrix will be used later during qualitative analysis, but having a brief overview now helps us to understand more about how the probability and impact scales are used.
Key features of the matrix are that:
- It provides clear instructions, formulas, and examples for rating, scales, and scoring methods.
- It provides a legend for the risk's overall score, usually in the form of a RAG rating for red, amber, or green.
Even though at this stage we're not concerned with individual risks, the best way to fully understand the different scales and how they relate to risk scoring and rating is for us to see how all these pieces fit together into the final result.
As we look at this example, let’s remember that there is no single approach towards establishing scales, scoring formulas, or ranking methods, so what is shown here is only an illustration of a start-to-finish view of how a probability and impact matrix can be used.