A risk management plan is a vital part of your overall project management plan. This plan provides you with guidance on how to carry out risk management activities in your project.

Projects always have unexpected issues, and as a project manager, it is your job to identify events that cause issues and manage them proactively.

Risks do not always harm the project; sometimes, they can have a positive impact. Risks with positive effects are known as positive risks, and a risk management plan will help you identify and take advantage of them.

Without a risk management plan, your project has less chance of succeeding. 

Risk Management Plan

A well-developed risk management plan outlines how to identify, qualify, monitor, and control risks throughout the project life cycle.

The Components of a Risk Management Plan

The following are the components of a detailed risk management plan:

  • Plan Risk Management
  • Identify Risks
  • Analyze Risks
  • Plan the Responses
  • Monitor and Control the Risks

Plan Risk Management

Here, you define how you will identify the risks and how they will be categorized, analyzed, and managed.

Additionally, you will outline the formula to determine risk ranking: high, medium, or low.

Identify Risks

In this process, you collect risks using the methods described in the risk management plan. A few risk identification techniques are:

  • Document Review
  • Information Gathering Techniques
  • Interview

In document review, you look over records of past projects, which will apprise you of any possible risks. The documents may include lessons learned, risk register, issue log, project files, and more.

In information-gathering techniques, you interact with various stakeholders to ascertain the risks. You ask experts to list as many risks as they can. This technique includes brainstorming and the Delphi technique, an anonymous questionnaire that helps you get responses from experts who are not comfortable expressing their opinions openly.

You repeat this procedure until you get your conclusive results. Afterward, you compile them and review the responses. 

In an interview, you approach busy and important stakeholders with a team member. You ask pre-selected questions during your conversation, and the team member records these conversations.

Analyze the Risks

You will analyze risks using qualitative and/or quantitative methods after risk identification is complete. 

You should always perform a qualitative risk analysis process. However, quantitative risk analysis is optional and is most likely to be performed on large and complex projects.

Here, you determine the probability and impact of each risk, and then you prioritize them. After completing the qualitative risk analysis review, you move on to the quantitative risk analysis review.

In quantitative risk analysis, you numerically analyze the risks and their effect on the project objectives. 

The Expected Monetary Value (EMV) Method is a quantitative risk analysis technique. Here, you calculate the EMV of each choice and then select the best option. EMV helps you to determine the contingency reserve, which is used to manage identified risks.

To manage unidentified risks, you use the management reserve. Management defines this reserve, and they can set this as a percentage of the project cost, for example, 5% or 10% of the project cost. A project manager needs approval to use the management reserve.

Note: You calculate the schedule reserve the same way you calculate the cost reserve. Here, the contingency reserve is known as the time reserve or buffer, and it is part of the schedule baseline. The management time reserve is not included in the schedule baseline but is a part of the project duration.

A Monte Carlo Simulation provides chances of completing the project under different conditions. You can run this technique with cost, schedule, or any other project objectives, and it graphically shows you a project’s objective vs. its chance of being completed under various conditions.

For example, if you run the Monte Carlo simulation for schedule analysis, you will know that you have an 80% chance of completing the project within 24 months and a 90% chance of completing it in 26 months.
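The schedule analysis described above, as an added example that is not part of the original article: a Monte Carlo run over four sequential work packages, reporting the duration you can commit to at a given confidence level. The work packages, their three-point estimates, and the choice of a triangular distribution are all assumptions made for illustration.

```python
import bisect
import math
import random

# Constructed three-point estimates in months: (optimistic, most likely, pessimistic).
# The work packages run one after another, so the project duration is their sum.
TASKS = {
    "design": (3, 4, 7),
    "build": (8, 10, 16),
    "test": (3, 4, 8),
    "rollout": (2, 3, 5),
}


def simulate_durations(tasks, runs=20000, seed=1):
    """Return the sorted total duration of each simulated project run."""
    rng = random.Random(seed)  # fixed seed so the analysis is repeatable
    totals = [
        sum(rng.triangular(low, high, mode) for low, mode, high in tasks.values())
        for _ in range(runs)
    ]
    totals.sort()
    return totals


def chance_of_finishing_within(totals, months):
    """Fraction of simulated runs that finished in `months` or less."""
    return bisect.bisect_right(totals, months) / len(totals)


def duration_at_confidence(totals, confidence):
    """Shortest duration that at least `confidence` of the runs met."""
    index = max(0, math.ceil(confidence * len(totals)) - 1)
    return totals[min(index, len(totals) - 1)]


if __name__ == "__main__":
    totals = simulate_durations(TASKS)
    for confidence in (0.5, 0.8, 0.9):
        months = duration_at_confidence(totals, confidence)
        print(f"{confidence:.0%} chance of finishing within {months:.1f} months")
    print(f"Chance of finishing within 24 months: "
          f"{chance_of_finishing_within(totals, 24):.0%}")
```

The gap between the 80% and 90% durations is the extra schedule buffer that the higher confidence level costs.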

Plan Risk Responses

After collecting and qualifying risks, you will develop the risk response plan. This plan describes actions that you should take when an identified risk occurs.

Risks can be positive or negative, and strategies for negative and positive risks are different.

Positive risks are known as opportunities, and negative risks are threats. The risk response plan aims to reduce the probability or impact of negative risks and increase the chance or benefits of positive risks.

You will assign a risk owner to each risk. They will be responsible for monitoring the risk, and if it occurs, they will implement the risk response plan.

Negative Risk Response Strategies:

You can use the following strategies to manage negative risks:

  • Mitigate: You try to reduce the chance of the risk occurring or its impact.
  • Avoid: You take measures to eliminate the threat or its effect, like changing the project management plan.
  • Transfer: You transfer the risk to a third party: e.g., insurance.
  • Escalate: Managing the risk is beyond your capability, so you shift the responsibility of managing it to higher management.
  • Accept: You acknowledge the risk and document it but do not take any action to mitigate it or its effect.

Positive Risk Response Strategies:

You can use the following strategies to manage positive risks:

  • Enhance: You try to increase the chance of an opportunity or its impact.
  • Exploit: You do everything to make sure that the opportunity is realized.
  • Share: If you cannot realize the opportunity on your own, you ask someone to share in the opportunity.
  • Escalate: Managing the risk is beyond your capability, so you transfer the responsibility of managing it to higher management.
  • Accept: You acknowledge the opportunity and document it but do not take any action to realize it.

You can use the accept and escalate risk response strategies with both types of risks.

After completing the risk response strategy, make sure to update the risk register.

Monitor and Control Risks

You closely observe these risks once the project starts, control them when they occur, and record the outcome into the risk register.

The risk management plan has a tracking and reporting system for risk events. This helps the project manager analyze the efficiency of the risk management plan and record lessons learned for future risk events.


The risk management plan is a subsidiary plan of the project management plan. Your project’s success depends on the risk management plan because a sound plan can help you complete the project within the approved schedule and budget. You must be proactive with risk management, so use experts’ help in developing a risk response plan.

This topic is important from a PMP and PMI-RMP exam point of view.