Plan Risk Management

Sensei Short Scroll 20 Planning Process Group

Introduction: Why This Matters

Every project carries uncertainty. Some risks present threats that can derail progress. Others represent opportunities that can accelerate success. The Plan Risk Management process defines how risk management will be conducted throughout the project. It creates a consistent framework so that risks are not handled ad hoc but are systematically identified, analyzed, and responded to.

On the PMP exam, this process is often tested by asking what the project manager should do before identifying risks or planning risk responses. The correct answer is to establish the Risk Management Plan. In practice, effective risk planning reduces surprises, improves stakeholder confidence, and increases project resilience (Project Management Institute, 2021).

Purpose and Objectives

Primary Purpose: Define the approach, tools, roles, responsibilities, and timing for risk management activities.

Key Objectives:

  • Define the risk management methodology.
  • Clarify roles and responsibilities for risk ownership.
  • Establish a budget and schedule for risk management activities.
  • Define categories of risks using a Risk Breakdown Structure (RBS).
  • Define probability and impact scales for assessing risks.
  • Document thresholds for risk escalation.
  • Produce the Risk Management Plan.

Overview

Plan Risk Management sits early in the risk processes and establishes the “rules of the game” before the team begins identifying and analyzing individual risks.

  • Focus: Define how risk will be managed, not the specific risks themselves.
  • Position: It provides the framework that guides Identify Risks, Perform Risk Analysis, and Plan Risk Responses.

Inputs, Tools and Techniques, Outputs (ITTOs)

Inputs

  • Project charter.
  • Project management plan (scope, schedule, cost, stakeholder, communications).
  • Stakeholder register.
  • Enterprise environmental factors (industry risk guidelines, regulatory requirements).
  • Organizational process assets (risk templates, lessons learned, historical data).

Tools and Techniques

  • Expert judgment: Input from risk specialists, PMO, and industry experts.
  • Data analysis: Stakeholder analysis and probability–impact frameworks.
  • Meetings: Planning sessions with sponsor, team, and stakeholders.

Outputs

  • Risk Management Plan.

What the Risk Management Plan Includes

The Risk Management Plan documents how risk management will be structured and performed throughout the project.

Typical components:

  • Methodology: Approaches, tools, and data sources.
  • Roles and responsibilities: Who identifies risks, owns risks, and approves response strategies.
  • Budgeting: Resources allocated to risk management activities.
  • Timing: When risk reviews will be conducted, such as phase gates or monthly cycles.
  • Risk categories: Defined using an RBS (technical, external, organizational, project management).
  • Definitions of probability and impact: Standardized scales, for example 1 to 5 scoring.
  • Probability and impact matrix: Combines scales to prioritize risks.
  • Risk thresholds: Acceptable levels of exposure and escalation criteria.
  • Reporting formats: Risk register, risk reports, and dashboards.
  • Tracking: How risks will be monitored, updated, and closed.

Risk Breakdown Structure (RBS)

A Risk Breakdown Structure (RBS) organizes risks into categories, similar to how a Work Breakdown Structure organizes scope.

Example categories:

  • Technical: Requirements changes, technology failures, integration issues.
  • External: Regulatory changes, supply chain disruptions, market volatility.
  • Organizational: Staffing shortages, cultural resistance, funding delays.
  • Project management: Estimation errors, poor communication, stakeholder conflicts.

Practical Example: Renewable Energy Project

Context: A utility company launches a project to install a large-scale solar farm.

Risk Management Plan highlights:

  • Methodology: Qualitative and quantitative analysis using probability–impact matrices and Monte Carlo simulation.
  • Roles: Project manager coordinates risk management, technical leads own technical risks, and the procurement manager owns supplier risks.
  • Budgeting: Five percent of total project cost allocated for risk reserves.
  • Timing: Monthly risk reviews and updates.
  • Risk categories: External (weather), technical (panel efficiency), organizational (union negotiations), project management (schedule slippage).
  • Thresholds: Any risk with potential delay greater than two weeks or cost impact greater than 500,000 dollars is escalated to the steering committee.

Outcome: With a clear plan, the project team addresses risks proactively and reduces exposure to critical threats such as regulatory delays and weather-related disruptions.

Common Pitfalls

Skipping the Risk Management Plan

  • Pitfall: Teams jump directly into risk identification without a framework.
  • Prevention: Always define the process before identifying risks.

No standardized scales

  • Pitfall: Probability and impact are defined inconsistently by different team members.
  • Prevention: Document clear scales and definitions in the plan.

Unclear roles

  • Pitfall: Risks are identified, but nobody owns them.
  • Prevention: Assign explicit risk owners in the risk plan.

Treating risk as a one-time activity

  • Pitfall: Risks are documented at kickoff and never revisited.
  • Prevention: Define timing for ongoing risk reviews and updates.

Sensei Tip: Use an RBS during risk identification sessions to force the team to scan each category. This reduces the chance that entire classes of risk are overlooked.

Exam Alert: If a question asks what to do before identifying, analyzing, or responding to risks, the best answer is usually to Plan Risk Management or to develop/review the Risk Management Plan.

Exam Lens

Patterns on the PMP Exam:

  • If asked what to do before identifying or responding to risks, the correct answer is Plan Risk Management.
  • Some questions will test your understanding of the RBS and the probability–impact matrix.
  • Expect situational questions about risk thresholds and when to escalate issues to higher levels of governance.

Sample Question

Question: During project planning, the sponsor asks how risks will be identified, analyzed, and reported. What should the project manager reference?

  A. Risk Register
  B. Risk Breakdown Structure
  C. Risk Management Plan
  D. Risk Report

Correct Answer: C. The Risk Management Plan defines how risks will be managed.

Quick Recap Table

Concept | Description | Exam Watch Point
Risk Management Plan | Defines how risks are identified, analyzed, responded to, and monitored. | Must be created before risk identification and responses.
Risk Breakdown Structure | Categorizes risks to ensure comprehensive coverage. | Commonly tested structure for risk categories on the PMP exam.
Probability Impact Matrix | Prioritizes risks based on combined probability and impact scores. | Know how it relates to qualitative risk analysis.
Risk Thresholds | Define acceptable risk exposure levels and escalation triggers. | Expect situational questions on when a risk must be escalated based on thresholds.

Key Takeaways

  • Plan Risk Management defines the methodology, roles, timing, categories, and thresholds for risk management activities.
  • The main output is the Risk Management Plan.
  • An RBS ensures that risks are considered across technical, external, organizational, and project management dimensions.
  • On the exam, always establish the framework through the plan before moving to risk identification or response planning.
  • In practice, consistent risk planning builds resilience and reduces unpleasant surprises.

Next Step

With the risk framework defined, the next process is Identify Risks. In that process, the project team and stakeholders capture specific risks, opportunities, and uncertainties to populate the risk register.

Bibliography

Project Management Institute. (2021). A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (7th ed.). Project Management Institute.
