Risk Management Plan s3

Project Risk Management Plan

Document Instructions

) and are italicized. They are included to help you fill out the form. As you complete the form, delete these instructions.

Please follow this document naming convention to facilitate document search and retrieval:

All documents should be posted to the appropriate project folder in SharePoint. >

Document History

Versio Date Author Status Section Revision Description n 0.1 Initial Draft

1 First Published

Risk Management Plan v X.X Page 2 of 9 Printed: 5/29/2018

Table of Contents

1 Purpose of This Document

This document describes how the job of managing risks for the project will be performed and includes:  The process which will be used to identify, analyze and manage risks both initially and throughout the project lifecycle;  How often risks will be reviewed, the process for review and who will be involved;  Who will be responsible for which aspects of risk management; and  How risk status will be reported and to whom.

2 Glossary and Acronyms

Table: Terms and Acronyms Used in This Document Term/Acronym Definition PMM Project Management Methodology (example)

3 Executive Summary

[Enter the Executive Summary text here]

4 Introduction

Key to successful project management is identifying risks in advance and managing these risks throughout the project lifecycle. Experience has shown that risk management must be of concern, as unmanaged or unmitigated risks are one of the primary causes of project failure. Without proactive management, risks will induce chaos and failure into an otherwise well-planned and managed project.

Risk management is the job of identifying and managing risks for the project. Risk refers to future conditions or circumstances that exist outside of the control of the project team that will have an adverse impact on the project if they occur. Risk management planning sets forth a discipline and environment to make proactive decisions and actions to:  Assess continuously what can go wrong (risks);  Determine and prioritize what risks can be minimized or eliminated; and  Develop and implement responses to mitigate identified risks and contingency plans for high priority risks, to be implemented if those risks occur. The project manager and appropriate stakeholders will meet during the Strategy and Planning phase to identify project risks. Risks will be analyzed and documented using the Risk Management Log template. Plans will be created to mitigate the effect of the possible risk. The plans to respond to those risks will be included in the project schedule. During the Execution and Control phase, at regularly scheduled status meetings, the project manager and team members will review the status of identified risks and determine whether additional risk factors have surfaced. As new risk factors are identified, they are documented in the Risk Management Log, analyzed and planned for in the same manner as those risks identified during the Planning phase.

5 Risk Management Process The process for managing risk will consist of the following steps.

5.1 Risk Identification During the Strategy and Planning phases, risk identification sessions will be held to identify project risks. The project manager will determine participants from among appropriate stakeholders. Identified risks will be recorded in the Risk Management Log. Once a risk has been identified it will be categorized. Risk categories will include  Business Risks - organizational, management, business users, procurement, customer service, external environmental factors, etc.  Project Risks - schedule requirements, contractors, internal staff, stakeholders, scope management, process and funding.  Technical Risks - products, quality, technical complexity, requirements, design, implementation, environment, systems, security, etc. Within each of the risk categories, individual risks will be identified and analyzed using the Risk Management Log. 5.2 Risk Analysis Once a risk has been identified and categorized the following information will be analyzed for each risk:  Probability – The level of certainty that the risk event will occur. This will be measured on a scale of one (lowest) to 4. The probability of occurring calculation is 1 (1% - 24%), 2 (25% - 49%), 3 (50% - 79%), and 4 (80% - 100%).  Impact – Impact is the rating of the severity of the consequences if the risk were to occur. As with probability, impact is measured on a scale from 1 (lowest) to 4. The impact calculation is 1 (marginal), 2 (normal), 3 (critical), and 4 (catastrophic).  Risk Score – Risk probability and impact are weighted together to calculate the risk’s score. This score can be used to assign priority and

identify the risk response. The Risk Management Log will automatically calculate this value. A higher risk value is assigned a more aggressive risk response plan then one which has a lower priority. The following guidelines will be used to determine the level of risk response planning required.

Table: Project Risk Response  6 8 10 12 P r 5 7 9 11 o 4 6 8 10 b a 3 5 7 9 b  Impact  il it y  Where: 3 -5 Create a risk response 6 - 8 Create a risk response & outline a contingency plan 9 - 12 Create both a risk response & contingency plan

5.3 Risk Response Planning Risk response planning will involve determining first how to approach the risk base on the following four options:  Mitigate - Do something to reduce the risk impact  Transfer - Move all or part of the risk to another party and then setting up an agreement for that party to accept the risk  Accept - Acknowledge that the risk exists but make the decision to do nothing and accept the probability of the risk occurring.  Avoid - Change the Project Plan to eliminate the risk. Example: perform an extensive requirements gathering effort.

The risk response plans will be captured and maintained in the Risk Management Log along with the assignment of a person who is responsible for executing these plans. Risk triggers will also be identified to provide early indication that a contingency plan must potential be executed. Where possible, risk mitigation activities will be reflected in the project schedule. Risk Management Plan v X.X Page 7 of 9 Printed: 5/29/2018

5.4 Risk Monitoring and Control Following risk response planning, and throughout the project lifecycle, it is the responsibility of the project manager or designated risk monitor to conduct on- going risk response activities. For newly identified/analyzed risks it is necessary to formulate new response plans. For risks that have been fully mitigated it is necessary to record the results in the Risk Management Log and close the risk. For risks that have not been fully mitigated, it may be necessary to perform risk analysis again, reformulate the response plan, and/or re-assign to another responsible person. The consistent review and updating of the Risk Management Log during team meetings also supports this need.

6 Roles and Responsibilities

[Enter the roles and responsibility text here.]

Table: Risk Management Roles and Responsibilities Risk Item Reference Risk Management Log is maintained by: Persons/groups to be included in initial risk identification activity: Persons to be involved in risk review:

7 Risk Communication Strategy

[Enter the risk communication strategy text here]

Table: Risk Communication Roles and Responsibilities Risk Item Reference Risks will be reviewed: Risk Management Plan v X.X Page 8 of 9 Printed: 5/29/2018

Risk Item Reference etc.> Location of Risk Management Log