A project manager has many responsibilities within their organization, all of which revolve around initiating, planning, executing, monitoring, and controlling projects that deliver on various strategic goals.
While each of these discrete steps in the project life cycle is critical in its own right, the planning phase is perhaps the most impactful in how it can determine the success—or failure—of all of the phases that come after it. It’s for this reason that project managers are responsible for creating various plans for the projects they helm.
While the project plan is often considered the most important of these plans, it is not the only one. A number of subsidiary plans are also recommended and, in many cases, required.
The risk management plan is one of the most crucial of these subsidiary plans, as it forces the project manager to plan for potential disruptions and opportunities the project may encounter. Below, we define what “risk” means in terms of project management, take a look at what the risk management plan actually is, and walk through steps you can follow to create a risk management plan for your next project.
Download Our Free Guide to Advancing Your Project Management Career
Learn what you need to know, from in-demand skills to the industry’s growing job opportunities.
What is project risk?
When it comes to project management, the term “risk” specifically refers to factors or events which might influence the final outcome of the project.
Some of the most common project risks are those which impact a project’s constraints. This includes the triple constraint of a project’s cost or budget, its timeline or schedule, and its scope—all of which can affect the final quality or performance of the project. Yet there are many other kinds of risk that project managers should be aware of, as well, and the risk management plan is used to identify each of these potential disruptors.
While risk is often assumed to be a negative, it is important to note that project risk can also occasionally be positive, depending on how the event impacts the project.
For Example: Consider a project that is heavily dependent upon the price of oil. In creating their project’s budget, the project manager would likely look to oil’s historical prices, and use those figures to forecast the project’s budget. If the cost of oil were to suddenly and unexpectedly drop, however (as it did during the depths of the Coronavirus lockdowns), then the project would likely come in under budget. This is technically a positive risk, because it is an event which led to a positive outcome for the project.
Project manager’s should aim to understand not only the negative risks which might impact their project, but the positive risks as well, says Connie Emerson, assistant teaching professor for Northeastern’s Master of Science in Project Management program.
She explains that by understanding those potential positive events, project managers can take steps to increase the probability of them occurring so that the project can take advantage of that and realize the benefits.
What is a risk management plan?
A risk management plan is a subsidiary plan which is usually created in tandem with a project plan. This plan outlines the approach for how the project team is going to conduct risk work, or those tasks related to project risk.
“By creating a risk management plan, you are seeking to understand how you are rating risks, how much risk your stakeholders will tolerate, how you will pay for risks in the event they become a reality, and more,” Emerson says. “So it’s critical to have conversations about your general approach, as a team, to risk work and also making sure that your key stakeholders agree.”
Risk Management Plan vs. Risk Register
Emerson notes that it’s important for project managers to understand that, while some individuals will use the terms interchangeably, the risk management plan and the risk register are in fact separate documents, though they are related and each is important to the success of the project.
While the risk management plan outlines your team’s risk management process and approach to handling risk work, Emerson says that “the risk register is your list of risks, your analysis of those risks, and what you are planning to do about them.”
Emerson goes on to note that while you might apply your risk management plan to several different projects, the risk register should be tailored to the specifics of a given project.
How to Create a Risk Management Plan & Risk Register
1. Define your approach through the risk management plan.
The first step in creating a risk management plan is to outline the methods that you and your team will use to identify, analyze, and prioritize risk. You should aim to answer the following questions:
- How are we going to identify risks to the project?
- What techniques are we going to use to analyze those risks?
- How will we decide what to do in the event a risk becomes a reality?
- What is the communication plan for a risk event?
- Which stakeholders should be kept apprised of project risks?
You should also determine how you will communicate with key stakeholders about risk, as well as how you will respond to risk if and when it materializes.
Emerson notes that this is also the point in the process where you should identify the key stakeholders for your project and work to measure their levels of risk tolerance. Just as an investment advisor should tailor their investment strategy to the risk tolerance of their clients, a project manager should tailor their risk management strategy to the risk tolerance of their project’s stakeholders.
2. Use your risk management plan to create your risk register.
Once you have answered all of the questions above, crafted a risk strategy, and codified it in your risk management plan, you will then use that methodology to create a risk register for the project you are currently working on.
While it’s important to be thorough in creating your risk register, Emerson notes that perfection can sometimes be the enemy of progress. Instead of viewing risk work as an item which must be crossed off of a checklist before a project can begin, Emerson recommends that project managers view it as an ongoing, iterative process.
“You don’t just create your risk register and then be done with it,” Emerson says. “It’s something you actively manage and modify throughout your project. This keeps you agile, while also allowing the project to actually begin. If you approach your risk register like something that must be exhaustive before the project can kick off, you’ll be doing risk work forever, and the project will never get done.”
3. Identify risk events and the potential impact of those risks.
The next step is to actually go about identifying risk events for your project, which will form the basis for your project’s risk register.
“Ask yourself: What are the risks?” Emerson says. “Some people might say, ‘Well, we might miss a date, and that’s a risk.’ But that’s not really a risk. That’s an impact of a risk. So why might we miss the date? What’s the root cause for that impact? If you can understand the root cause that drives a risk event, it’s possible to preempt it before it becomes an issue.”
Emerson notes that it is important not just to think about potential risks, but also the impact that risk might have on the project.
“When I’m writing my risk statements, I’m usually thinking: Because of X [event], Y [risk] might occur, causing a Z [impact],” she says.
It’s important at this stage to also review your list of potential risks with other members of your team, key stakeholders, key vendors and suppliers, and even subject matter experts who aren’t a part of your team. Each of these individuals will bring their own point of view to the challenge of identifying risk, which can ensure that you haven’t missed anything with the potential to affect your project.
4. Analyze, prioritize, and assign risk.
Once you have built out a thorough list of all of the risks associated with your project, the next step would be to analyze those risks.
“There are lots of ways to analyze risk, both qualitatively and quantitatively,” Emerson says. “For many companies, qualitative analysis is enough because you’re just trying to decide if you need to actively do something about a risk, or if you can just keep an eye on it.”
Exactly how you analyze your project risks will be dependent on the situation you find yourself in. Emerson notes that many organizations will grade risks based on probability and impact, and use those two scores to determine which risks warrant the most effort to control. Those risks which score high on both probability and impact are logically often prioritized in risk management plans, while those that score low on both probability and impact are deprioritized.
Using this understanding, you might then assign each member of your team one or several risks which they are responsible for monitoring and assessing throughout the course of your project.
5. Plan your risk response.
Armed with your prioritized list of risks, it is now possible to plan the responsive action that you will take in the event that a risk becomes a reality.
“It’s a matter of using that analysis to guide what you do about the risk and trying to match your response to the risk,” Emerson says. “If it’s a little risk, you don’t want to spend millions of dollars dealing with it. At the same time, you don’t want to under-prepare either.”
Emerson notes that while risk work may seem reactive, a skilled project manager will be proactive in recognizing and minimizing risks before they become an active issue capable of derailing a project.
6. Monitor and adjust accordingly.
Once you’ve identified your risks, prioritized them, and planned your response, the final step is to monitor your risk throughout the course of the project, says Emerson. Keep your risk register up to date, adding or removing risk events as necessary as the project unfolds.
Additionally, after a project is completed, revisit your risk management plan and ask yourself: What worked? What didn’t? Is there anything that you can learn from the project that will allow you to adjust your risk management strategy to avoid similar issues in the future?
Emerson goes on to explain that if a risk event occurs, pay attention to it. Identify what happened, how you responded to it, how it impacted the project, etc. All of these insights can make you more effective at risk management in future projects.
Learning to Manage Risk
All projects will contain at least some level of risk. While a project manager cannot possibly prevent all risk events from occurring, it is the project manager’s duty to identify and plan for risk when possible. As such, risk management is a crucial skill for any current or aspiring project manager to develop.
It’s for this reason that the Master of Science in Project Management at Northeastern emphasizes risk management as a central piece of the core curriculum required to complete the degree. Paired with courses on project scope management, project quality management, and project scheduling and cost planning, the program aims to train students who will graduate ready to immediately put their education into action managing projects.
To learn how a master’s degree in project management can help advance your career, download our free guide to breaking into the industry below.