School of Information Systems

Project Risk Management Plan

Project risk management focuses on identifying, analyzing, and developing strategies for responding to project risk efficiently and effectively. Effective risk management requires a systematic process and a commitment by the project's stakeholders to follow that process. The following framework outlines six steps for managing project risk.

  1. Create a Risk Plan

Creating a risk plan is the first step and begins with having a firm commitment to the entire risk management approach from all project stakeholders. In addition, risk management should align throughout the organization by including all projects, the entire project portfolio, and, where one exists, the project management office. This commitment ensures that adequate resources will be in place to plan properly for and manage the various risks of the project. Resources may include time, people, and technology. Stakeholders also must be committed to the process of identifying, analyzing, and responding to threats and opportunities.

  2. Identify Risk

The next step entails identifying the various risks to the project. Both threats and opportunities must be identified. Threats must be stated clearly so that the true problem, not just a symptom, is addressed. Risk identification deals with identifying and creating a list of threats and opportunities that may impact the project's measurable organizational value (MOV) and/or project objectives. Each risk and its characteristics should be documented to provide a basis for the overall risk management plan.

How to Identify Risk

a. Identify risks through a project risk identification framework

b. Identify risks through risk identification tools and techniques (Nominal Group Technique, risk checklists, SWOT analysis, etc.)

  3. Analyze Risk

The framework and tools introduced in the previous section provide a beginning for identifying and understanding the nature of project risk. The next step requires that those risks be analyzed to determine which threats or opportunities require attention or a response. The purpose of this step is to determine each identified risk's probability and impact on the project and then to prioritize the risks so that an effective risk strategy can be formulated. There are two basic approaches to analyzing and assessing project risk, and each has its own strengths and weaknesses:

a. Qualitative Approach

i. Expected Value & Payoff Table

ii. Decision Trees

iii. Risk Impact Table & Ranking

iv. Tusler’s Risk Classification

b. Quantitative Approach

Quantitative Probability Distributions

i. Discrete: Binomial

ii. Continuous: Normal, PERT and Triangular (TRIANG)
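The following is an added worked example, not part of the original notes or of Marchewka's text. It scores a small risk register both ways described above: the expected-value / risk impact table ranking (probability times most likely impact) and a quantitative Monte Carlo estimate of total exposure, drawing each risk's impact from a PERT or triangular distribution. The register entries, their probabilities and impact figures are constructed for illustration; the PERT shape parameter lambda = 4 and the percentile choices are assumptions.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat from the register. Impact figures share one unit (here: thousand dollars of extra cost)."""
    name: str
    probability: float  # chance the threat occurs during the project, 0..1
    low: float          # optimistic impact if it does occur
    likely: float       # most likely impact
    high: float         # pessimistic impact

    def expected_value(self) -> float:
        """Expected-value / payoff-table view: probability times most likely impact."""
        return self.probability * self.likely


# Constructed sample register; names and figures are illustrative, not from the source.
REGISTER: List[Risk] = [
    Risk("Key developer leaves mid-project", 0.30, 20, 45, 90),
    Risk("Vendor deprecates integration API", 0.15, 10, 30, 60),
    Risk("Requirements churn after sign-off", 0.60, 5, 15, 40),
    Risk("Data-centre migration slips", 0.10, 50, 120, 200),
]


def risk_impact_table(risks: List[Risk]) -> List[Tuple[int, str, float, float, float]]:
    """Rank risks by expected value, highest first: (rank, name, probability, likely impact, EV)."""
    ranked = sorted(risks, key=lambda r: r.expected_value(), reverse=True)
    return [(i + 1, r.name, r.probability, r.likely, round(r.expected_value(), 2))
            for i, r in enumerate(ranked)]


def sample_pert(rng: random.Random, low: float, likely: float, high: float, lam: float = 4.0) -> float:
    """One draw from a PERT (beta-PERT) distribution: Beta(a, b) rescaled onto [low, high]."""
    if high == low:
        return low
    a = 1 + lam * (likely - low) / (high - low)
    b = 1 + lam * (high - likely) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def sample_triang(rng: random.Random, low: float, likely: float, high: float) -> float:
    """One draw from a triangular distribution with mode 'likely'."""
    return rng.triangular(low, high, likely)


def analytic_mean(r: Risk, dist: str) -> float:
    """Closed-form mean impact, used to cross-check the simulation: PERT (l + 4m + h)/6, triangular (l + m + h)/3."""
    if dist == "pert":
        return (r.low + 4 * r.likely + r.high) / 6
    return (r.low + r.likely + r.high) / 3


def expected_total(risks: List[Risk], dist: str = "pert") -> float:
    """Analytic expected total exposure: sum over risks of probability times mean impact."""
    return sum(r.probability * analytic_mean(r, dist) for r in risks)


def simulate_exposure(risks: List[Risk], trials: int = 20_000, dist: str = "pert", seed: int = 7) -> Dict[str, float]:
    """Monte Carlo over the register.

    Each trial decides for every risk whether it occurs (a Bernoulli draw against its
    probability) and, if so, draws its impact from the chosen continuous distribution.
    Returns the mean and the 50th/80th/95th percentiles of total exposure.
    """
    sampler = sample_pert if dist == "pert" else sample_triang
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.probability:
                total += sampler(rng, r.low, r.likely, r.high)
        totals.append(total)
    totals.sort()

    def pct(p: float) -> float:
        return totals[round(p * (len(totals) - 1))]

    return {"mean": sum(totals) / len(totals), "p50": pct(0.50), "p80": pct(0.80), "p95": pct(0.95)}


if __name__ == "__main__":
    for row in risk_impact_table(REGISTER):
        print(row)
    for dist in ("pert", "triang"):
        print(dist, round(expected_total(REGISTER, dist), 1), simulate_exposure(REGISTER, dist=dist))
```

The ranking tells you which threats deserve a response first; the simulated percentiles show what the expected-value figure hides: a register whose expected total is about 42 still has a long right tail, and the gap between the mean and the 80th or 95th percentile is what a contingency reserve (step 4) has to cover. Swapping PERT for the triangular distribution with the same three-point estimates raises every mean, because the triangular shape gives more weight to the pessimistic end.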

  4. Develop Risk Strategies

The purpose of risk analysis and assessment is to determine what opportunities and threats should be addressed. Therefore, the risk strategy or response to a particular risk depends on:

a. The nature of the risk itself

b. Impact of the risk on the project’s MOV and objectives

c. The project’s constraints in terms of scope, schedule, budget, and quality requirements

d. Risk tolerances or preferences of the project stakeholders

In addition, a project manager may face opportunities that can have a positive impact on the project goal and objectives. In this case, one of the following strategies may be appropriate:

a. Exploitation: attempt to take advantage of the situation

b. Sharing of Ownership: e.g. joint partnerships or joint ventures with customers or vendors

c. Acceptance: the project manager and team remain open to taking advantage of opportunities as they arise

A response to a particular risk in terms of a threat may follow one of the following strategies:

a. Accept or ignore

b. Management reserves

c. Contingency reserves

d. Contingency plans

e. Avoidance

f. Mitigation

g. Transfer

  5. Monitor and Control Risks

Once the risk response plan is created, the various risk triggers must be monitored continually to keep track of the various project risks. In addition, new threats and opportunities may present themselves over the course of the project, so it is important that the project stakeholders be vigilant. Various tools exist for monitoring and controlling project risk. These include:

a. Risk audits

b. Risk reviews

c. Risk status meetings and reports

  6. Respond and Evaluate Response to Risks

The risk triggers defined in the risk response plan provide risk metrics for determining whether a particular threat or opportunity has occurred. A system for monitoring and controlling risk provides a mechanism for monitoring these triggers and for supporting communication among the various risk owners. The risk owners must be vigilant in watching for these triggers. When a trigger occurs, the project risk owner must take appropriate action. In general, the action is responding to the risk as outlined in the risk response plan.


  • Marchewka, J. T. (2015). Information Technology Project Management, 5th ed., Chapter 5. Wiley.
Tri Nur Auliyaa