PDF download Download Article PDF download Download Article

Developing an effective Risk Management Plan can help keep small issues from developing into emergencies. Different types of Risk Management Plans can deal with calculating the probability of an event, and how that event might impact you, what the risks are with certain ventures and how to mitigate the problems associated with those risks. Having a plan may help you deal with adverse situations when they arise and, hopefully, head them off before they arise.

  1. Risk is the effect (positive or negative) of an event or series of events that take place in one or several locations. It is computed from the probability of the event becoming an issue and the impact it would have (See Risk = Probability X Impact). Various factors should be identified in order to analyze risk, including:
    • Event: What could happen?
    • Probability: How likely is it to happen?
    • Impact: How bad will it be if it happens?
    • Mitigation: How can you reduce the Probability (and by how much)?
    • Contingency: How can you reduce the Impact (and by how much)?
    • Reduction = Mitigation X Contingency
    • Exposure = Risk – Reduction

      • After you identify the above, the result will be what’s called Exposure. This is the amount of risk you simply can’t avoid. Exposure may also be referred to as Threat, Liability or Severity, but they pretty much mean the same thing. It will be used to help determine if the planned activity should take place.
      • This is often a simple cost vs. benefits formula. You might use these elements to determine if the risk of implementing the change is higher or lower than the risk of not implementing the change.
    • Assumed Risk. If you decide to proceed (sometimes there is no choice, e.g. federally mandated changes) then your Exposure becomes what is known as Assumed Risk. In some environments, Assumed Risk is reduced to a dollar value which is then used to calculate the profitability of the end product.
  2. In this article, let's pretend you are responsible for a computer system that provides important (but not life-critical) information to some large population. The main computer on which this system resides is old and needs to be replaced. Your task is to develop a Risk Management Plan for the migration. This will be a simplified model where Risk and Impact are listed as High, Medium or Low (that is very common especially in Project Management).
    Advertisement
  3. Brainstorm on risks. Get several people together that are familiar with the project and ask for input on what could happen, how to help prevent it, and what to do if it does happen. Take a lot of notes! You will use the output of this very important session several times during the following steps. Try to keep an open mind about ideas. "Out of the box" thinking is good, but do keep control of the session. It needs to stay focused and on target.
  4. From your brainstorming session, you gathered information about what would happen if risks materialized. Associate each risk with the consequences arrived at during that session. Be as specific as possible with each one. "Project Delay" is not as desirable as "Project will be delayed by 13 days." If there is a dollar value, list it; just saying "Over Budget" is too general.
  5. If you’re moving, for example, a car dealership’s computer system, then threats such as nuclear war, plague pandemic or killer asteroids are pretty much things that will disrupt the project. There’s nothing you can do to plan for them or to lessen the impact. You might keep them in mind, but don’t put that kind of thing on your risk plan.
  6. You don’t need to put them in any order just yet. Just list them one-by-one.
  7. For each risk element on your list, determine if the likelihood of it actually materializing is High, Medium or Low. If you absolutely have to use numbers, then figure Probability on a scale from 0.00 to 1.00. 0.01 to 0.33 = Low, 0.34 to 0.66 = Medium, 0.67 to 1.00 = High.
    • Note: If the probability of an event occurring is zero, then it will be removed from consideration. There’s no reason to consider things that simply cannot happen (enraged T-Rex eats the computer).



  8. In general, assign Impact as High, Medium or Low based on some pre-established guidelines. If you absolutely have to use numbers, then figure Impact on a scale from 0.00 to 1.00 as follows: 0.01 to 0.33 = Low, 0.34 – 066 = Medium, 0.67 – 1.00 = High.
    • Note: If the impact of an event is zero, it should not be listed. There’s no reason to consider things that are irrelevant, regardless of the probability (my dog ate dinner).

  9. Often, a table is used for this. If you have used the Low, Medium and High values for Probability and Impact, the top table is most useful. If you have used numeric values, you will need to consider a bit more complex rating system similar to the second table here. It is important to note that there is no universal formula for combining Probability and Impact; that will vary between people and projects. This is only an example (albeit a real-life one):
    • Be flexible in analysis. Sometimes it may be appropriate to switch back and forth between the L-M-H designations and numeric designations. You might use a table similar to the one below.

  10. List all the elements you have identified from the highest risk to the lowest risk.
  11. Here is where numbers will help you. In Table 6, you have 7 risks assigned as H, H, M, M, M, L, and L. This can translate to 0.8, 0.8, 0.5, 0.5, 0.5, 0.2 and 0.2, from Table 5. The average of the total risk is then 0.5 and this translates to Medium.
  12. Mitigation is designed to reduce the probability that a risk will materialize. Normally you will only do this for High and Medium elements. You might want to mitigate low risk items, but certainly address the other ones first. For example, if one of your risk elements is that there could be a delay in delivery of critical parts, you might mitigate the risk by ordering early in the project.
  13. Contingency is designed to reduce the impact if a risk does materialize. Again, you will usually only develop contingencies for High and Medium elements. For example, if the critical parts you need do not arrive on time, you might have to use old, existing parts while you’re waiting for the new ones.
    • Depending on your business type, some risks are created by external factors that are not controllable. That said, there are still ways to diversify your options and offerings to minimize risks. Try to think out of the box.
  14. How much have you reduced the Probability and Impact? Evaluate your Contingency and Mitigation strategies and reassign Effective Ratings to your risks.
  15. Now your 7 risks are M, M, M, L, L, L and L, which translate to 0.5, 0.5, 0.5, 0.2, 0.2, 0.2 and 0.2. This gives an average risk of 0.329. Looking at Table 5, we see that the overall risk is now categorized as Low. Originally the Risk was Medium (0.5). After management strategies have been added, your Exposure is Low (0.329). That means you have achieved a 34.2% reduction in Risk through Mitigation and Contingency. Not bad!
  16. Now that you know what your risks are, you need to determine how you’ll know if they materialize so you’ll know when and if you should put your contingencies in place. This is done by identifying Risk Cues. Do this for each one of your High and Medium risk elements. Then, as your project progresses, you will be able to determine if a risk element has become an issue. If you don’t know these cues, it is very possible a risk could silently materialize and affect the project, even if you have good contingencies in place.
  17. Advertisement

Expert Q&A

Ask a Question
      Advertisement

      Video

      Tips

      • In situations where the Project Manager may become overloaded with the Risk Management function, the analysis could be limited to the project's critical path. In that event it is advisable to calculate multiple critical paths with, perhaps, additional lag time to more proactively identify tasks that are likely to land on the critical path. This is especially appropriate when a single PM is controlling multiple projects. Risk Management needs to be considered as a part of the project, but not overshadow the other planning and control functions (see Warnings).
      • Reduction = Risk – Exposure. In this example (and assuming a $1,000,000 project estimate) your Risk is 0.5 X $1,000,000 ($500,000) and your Exposure is 0.329 X $1,000,000 ($329,000) which means the value of your Reduction = $171,000. Use that as an indication of how much you can reasonably spend on managing the risks – that should be a part of the revised project estimate (like Insurance).
      • Plan for change. Risk Management is a fluid process because risks are always changing. Today, you might assign some risk with a high probability and a high impact. Tomorrow, the probability or the impact might change. Also, some risks might drop completely off the table while others come into play.
      Show More Tips
      Submit a Tip
      All tip submissions are carefully reviewed before being published
      Name
      Please provide your name and last initial
      Thanks for submitting a tip for review!
      Advertisement

      Warnings

      • Consider what might happen if two or three things go wrong at the same time. The probability will be very low, but the impact can be extreme. Nearly every major disaster involved multiple failures.
      • Do not let politics interfere with your assessment. This happens a lot. People don’t want to believe things they control could go wrong and will often fight you about risk levels. "Oh that could never happen" could be true, but then again it might be someone's ego talking.
      • Do not ignore Low risk items completely, but don’t spend much time with them. Use High, Medium and Low to indicate how much effort you will put into monitoring each risk.
      • Do not get too intricate for the project. Risk Management is an important part of the project but it shouldn’t overshadow the actual work to be done. If you’re not careful about this, you can start chasing irrelevant risks and overload your plan with useless information.
      • Do not assume you have all the risks identified. The nature of risk is that it is unpredictable.
      Advertisement

      Expert Interview

      Thanks for reading our article! If you’d like to learn more about developing a risk management plan, check out our in-depth interview with Ksenia Derouin .

      About This Article

      Thanks to all authors for creating a page that has been read 919,286 times.

      Reader Success Stories

      • Charlene M.

        May 11, 2016

        "I found this very helpful in terms of developing a risk management plan for a single project; however, my interest ..." more
      Share your story

      Did this article help you?

      Advertisement