A Short Guide to Project Risk Management Plan

In my previous blog post, I discussed the basics of risk management; now is the time to move on to the project risk management plan.

Risk management is the process of identifying risks, planning responses to those risks, and monitoring them throughout the project life cycle. A risk management plan, on the other hand, is a document that lays out in detail how you will identify risks, analyze them, develop responses, and manage those responses. It describes how the risk management activities will be carried out in the project.

Steps in a risk management plan are as follows:

  • Plan Risk Management
  • Identify Risks
  • Analyze Risks
  • Planning the Responses
  • Monitor and Control the Risks

Plan Risk Management

In the plan risk management process, you define how you’re going to conduct the various risk management activities.

You define how you’re going to identify the risks, and once they are identified, how they will be categorized.

In this process, you will lay down the formula and the criteria that determine whether a risk is rated high, medium, or low.

Identify Risks

In this process, you start collecting risks by using the techniques defined in your risk management plan. Some techniques extensively used in the process of identifying risk are as follows:

  • Documents review
  • Information Gathering Technique; e.g. Brainstorming, Delphi, etc.
  • Interview
  • Other techniques

Documents review involves reviewing the historical records of old projects, lessons learned, etc. Reviewing these documents provides you with many risks.

Information gathering techniques such as brainstorming and Delphi give you a chance to interact with various stakeholders to collect the risks.

In brainstorming sessions, you ask experts to list as many risks as they can.

The Delphi technique is a fantastic way to receive responses from experts who do not feel comfortable expressing their opinions publicly.

In the Delphi technique, you circulate a questionnaire to experts anonymously and ask for their responses. Once you get the responses, you compile them and send them back to the experts for their review. You repeat this procedure until you get your job done.

An interview usually happens one to one. In an interview, you approach some very busy and important stakeholders with one of your team members. You ask some pre-selected questions during your conversation. The team member records all of these conversations.

You might use some other techniques defined in your risk management plan to gather some more risks.

Analyze the Risks

Once all risks are identified and noted in the risk register, you will start analyzing them. You will analyze them using the Qualitative and/or Quantitative Risk Analysis process, as set in the risk management plan.

The Qualitative Risk Analysis process is performed on almost all projects, while the Quantitative Risk Analysis process is optional. The Quantitative Risk Analysis process is most likely to be performed on complex, critical and important projects.

In the Qualitative Risk Analysis process, you determine the probability and impact of each risk, and then you prioritize the risks.

After completing the Qualitative Risk Analysis review, you move on to Quantitative Risk Analysis review.

In the Quantitative Risk Analysis process, you numerically analyze the risks and their effect on the project objective.

The Expected Monetary Value Method (e.g. Decision Tree Method) is a widely used method for the Quantitative Risk Analysis process. Here you numerically calculate the Expected Monetary Value (EMV) of each choice, and then select the best option.

Expected Monetary Value Analysis helps you determine the contingency reserve.

Monte Carlo simulation is another technique in the Quantitative Risk Analysis process that gives you probabilities of completing the project in different scenarios.

Monte Carlo simulation can be performed with either cost risk analysis or with schedule risk analysis, or with any other project objective.

Monte Carlo simulation gives you a graphical representation of the project objective vs its chance of being completed. For example, if you run the Monte Carlo simulation for schedule risk analysis, it may tell you that there is an 80% chance that your project will be completed within 24 months, and a 90% chance that your project will be completed within 26 months.

The Expected Monetary Value method helps you calculate the contingency reserve, which you can use when any identified risk occurs. However, there is another kind of reserve, known as the management reserve, which is usually set by the management as some percentage of the project cost; e.g. 5% of the total cost of the project.

This management reserve will be utilized when an unidentified risk occurs. You cannot use this fund on your own; you will have to get management approval to use it.
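As an added illustration of the two quantitative techniques described above (this code is not from the original post), the sketch below computes a contingency reserve as the sum of each risk's EMV and runs a Monte Carlo schedule simulation. The risk register, the three-point activity estimates, and the choice of a triangular distribution are all constructed assumptions.

```python
import random

# Constructed sample risk register: (name, probability, cost impact).
# Threats carry a positive cost; opportunities a negative cost (a saving).
RISKS = [
    ("Vendor delivers late", 0.25, 40_000),
    ("Rework after review", 0.5, 10_000),
    ("Bulk purchase discount", 0.125, -16_000),
]

# Constructed three-point estimates per activity, in months:
# (optimistic, most likely, pessimistic), performed one after another.
ACTIVITIES = [(5, 6, 9), (7, 8, 12), (6, 7, 10)]


def contingency_reserve(risks):
    """Sum of the Expected Monetary Value (probability x impact) of each risk."""
    return sum(p * impact for _, p, impact in risks)


def simulate_durations(activities, trials=20_000, seed=1):
    """Monte Carlo: sample every activity from a triangular distribution and
    add them up, once per trial. Returns the sorted total durations."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = [
        sum(rng.triangular(low, high, mode) for low, mode, high in activities)
        for _ in range(trials)
    ]
    return sorted(totals)


def duration_at_confidence(totals, confidence):
    """Duration that `confidence` (0-1) of the simulated runs finish within."""
    index = min(len(totals) - 1, int(confidence * len(totals)))
    return totals[index]


def chance_within(totals, deadline):
    """Fraction of simulated runs that finish on or before `deadline`."""
    return sum(1 for t in totals if t <= deadline) / len(totals)


if __name__ == "__main__":
    totals = simulate_durations(ACTIVITIES)
    print("Contingency reserve (EMV):", contingency_reserve(RISKS))
    for c in (0.5, 0.8, 0.9):
        print(f"{c:.0%} chance of finishing within "
              f"{duration_at_confidence(totals, c):.1f} months")
    print("Chance of finishing within 24 months:", chance_within(totals, 24))
```

The opportunity in the register lowers the reserve because its expected saving offsets part of the expected cost of the threats.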

Read: Contingency Reserve Vs Management Reserve

Planning Risk Responses

You have identified and analyzed the risks; now you have to make a plan to manage them. This process is called Plan Risk Responses.

Risks can be divided into two categories: positive risks and negative risks. Positive risks are known as opportunities, and negative risks are known as threats.

The main objective of risk response planning is to lessen or avoid the probability of negative risks happening, or their effects, and to increase the chance of positive risks happening, or their impact.

Strategies for dealing with negative risks are different from the strategies used for positive risks.

Strategies used to deal with negative risks are as follows:

  • Mitigate: In mitigation, you try to reduce the chance of the risk occurring, or its impact.
  • Avoid: In the avoid risk response strategy, you take measures to completely eliminate the threat or its effect. For example, changing the project management plan.
  • Transfer: Here, you transfer the risk to a third party; e.g. insurance.
  • Accept: Here, you acknowledge the risk and document it, but do not take any action to mitigate it or its effect.

As for positive risks, you can use any of the below given strategies:

  • Enhance: Here, you only try to increase the chance of an opportunity happening, or its impact.
  • Exploit: In this strategy, not only do you try to increase the probability of the risk, but you also do everything to make sure that the opportunity is realized.
  • Share: If you are not capable of realizing the opportunity on your own, or due to some other reason, you cannot go alone, you ask someone to join you to share the opportunity.
  • Accept: Here, you acknowledge the opportunity and document it, but do not take any action to realize it.

Accept is a strategy that can be used with both types of risks; i.e. positive risks and negative risks.

Once you determine the strategy for each risk, you will update it in the risk register.

Monitor and Control Risks

You have identified risks, analyzed them and made a plan to manage them. Now your project is started, and you have to keep looking for these risks and control them when they happen.

During this process you will continuously watch for risk occurrences and manage them as per the plan, and record the outcome into the risk register.


The risk management plan is a subsidiary plan of the project management plan. To develop a sound risk management plan, your first step should be to collect as many risks as possible. You can do that with various information gathering techniques. The next important thing is to note that the Quantitative Risk Analysis process is not required in all projects. It is needed when the project is large and complex.

This was a brief overview of project risk management planning. In this blog post I have tried to cover some basics of the Risk Management Plan.

Let me know if you have anything to add or need some discussion.

Kindly note that, just as you calculate the reserve for the cost, you also have to calculate the reserve for the schedule. Here, the contingency reserve may be known as time reserve or buffers. These reserves are included in the schedule baseline. However, the management time reserve is not a part of the schedule baseline but a part of the overall time duration of the project.


  1. Syed Imaduddin says

    Dear Mr. Fahad,
    Ramadan Kareem, Brother, I need some info regarding the PMP exam.

    Today I have taken my PMP exam and have unfortunately failed, though the exam wasn’t hard.
    … I am planning to reschedule it again … but it may be late, as the PMP exam is scheduled to change after the 31st of this month. So my question is: will my application be valid after the 31st, as it is as per PMBOK 4?
    Will I be able to take the exam after the 31st on PMBOK 4? Probably end of this year.
    And another question:
    Will PMI give me details for my exam … like the questions and the answers which were incorrect?
    I have also emailed this query to PMI and PMstudycircle and expect a quick reply from you.

    Thanks and God bless,
    Syed Imad

    • Fahad Usmani says

      It is really bad news that you failed the exam. I hope you still have two chances left. This is the time for you to focus on your gaps.

      Regarding your doubts, answers are as follows:

      You are applicable for the exam until you cross your one year from the date you got your application approved.

      No, after this date you cannot give the exam based on the fourth version of the PMBOK Guide.

      PMI will only give your result with proficiency level in each process group. No other details will be provided to you.

      • Shoaib Rehman says

        Your content is great, I loved it. This is my first time visiting your blog.

        I am in exactly Syed Imad’s situation and he is absolutely right, the exam wasn’t hard enough, but I couldn’t manage my time to review the marked ones.

        I am trying again now but am much concerned about the exam practice questions and material. I have PMBOK 5, but that’s not enough. PMBOK 4 stayed for 4 long years, so much is available to study and for practice, but that’s not the case with PMBOK 5.

        Need your suggestion!


        • Fahad Usmani says

          There is not much difference between the fourth and fifth edition of the PMBOK Guide. Just review the latest edition and you are good to go.

          As of now many programs have been upgraded to the latest edition of the guide, and many are in the process of it.

          • Shoaib Rehman says

            Sounds good, but I heard that there is a 30 to 40% difference in the questions.

            Can I keep attempting questions from those knowledge areas which have no difference from PMBOK 4, like risk and some of the others?


            • Fahad Usmani says

              I don’t think that 30 to 40% questions are going to be changed.

              Of course you can keep practicing it.

              I also suggest you buy any good updated question bank for further practice.

  2. Samuel says

    Sir, I have difficulties when solving Earned Value Mgmt questions, especially questions that involve labor hours. Please assist me with formulas and worked examples on it. Thanks.

  3. Muhammad Anjum says

    Dear Fahad,
    Assalam o Aleikum,

    I have been searching for a good PMP site for a long time and now I have found your web site, which I feel is very good for understanding the concepts, and I am really enjoying reading your articles.

    Now, my questions are, could you please further explain:
    1) Qualitative & quantitative analysis process with examples?
    2) Expected Monetary Value (Decision tree method) & Monte Carlo Simulation processes with some other examples?

    3) Can I copy or print notes on your website (PMP Study Circle)?

    4) Can I buy your books using a debit card?

    Please reply soon. Thanks in advance.
