Published May 25, 2021
This explainer highlights the importance of establishing a risk management plan, outlines techniques for both identifying and prioritizing threats, and breaks down each checkpoint within this five-step process. It also provides sample risk management planning checklists from various industries to refer to when compiling your own.
Note: Your new checklist should evolve organically as you complete projects and experience new risk events.
Table of Contents
Part I: (Statistics) Numbers Don't Lie: Good Risk Management Plans Save Projects
Part II: Five Steps to Developing a Risk Management Plan: 1. Identify 2. Analyze 3. Evaluate 4. Treat 5. Monitor
Numbers Don’t Lie: Good Risk Management Plans Save Projects
It's tempting to liken the concept of risk management in business to health insurance; its true worth is only evident if something goes wrong. However, there are several fundamental problems with this analogy.
Health insurance actions are reactive. Take a doctor's visit, for example. Even if your doctor were to administer an ongoing prescription for a chronic illness, its symptoms had to first present just to get you through the door for an assessment. That prescription is a direct reaction to your health risk event.
Project risk management, on the other hand, is inherently preemptive and proactive in the interest of minimizing or eliminating panicked reactive solutions to otherwise avoidable, risk-related problems.
The following passage comes from The Project Management Body of Knowledge (PMBOK), the chief set of global standards, rules, and guidelines for the project management industry, published by the nonprofit trade association Project Management Institute. It expands on one of the PMBOK's core tenets: risk management is more than just an attempt to prevent loss; it's also an opportunity for gain.
“Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality,” it states. “A risk may have one or more causes and, if it occurs, may have one or more impacts. A cause may be a given or potential requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes. For example, causes could include the requirement of an environmental permit to do work, or having limited personnel assigned to design the project. The risk is that the permitting agency may take longer than planned to issue a permit; or, in the case of an opportunity, additional developmental personnel may become available who can participate in design, and they can be assigned to the project.”
Here are several startling statistics about risk management planning that demonstrate its role as an imperative ingredient to overall profitability:
- Gymnastic organizations are more likely than their traditional counterparts to have high levels of organizational agility and use standardized risk management practices, both of which are drivers of project success (PMI's Pulse of the Profession 2021).
- 47% of companies report having at least one failed project in the last year (PMI's Pulse of the Profession 2021).
- Most CEOs feel that risks are rising in the following areas: transformation adoption and technology; environmental, social, and governance (ESG); cybersecurity and data protection; health and safety; data governance; organizational culture, values, and compliance; human capital and talent management; third-party and supplier management; and regulatory compliance (PwC’s Pulse Survey 2021).
High-performing organizations typically utilize risk management planning best practices, while low-performing organizations often fall victim to risk. The most common causes of project failure are factors directly addressed in risk management planning best practices.
Risk management is critical to the success of your business.
The following is a useful outline of the five-step risk management planning process:
Step 1: Identify
The road to finalizing a concise-yet-thorough risk management checklist is paved with good thought processes. Utilize proven methods of risk analysis to determine the most likely causes of loss-related risk, and subsequently, to devise a plan of action for each potential risk event.
The first set of risk management procedures involves identifying all risks that could get in the way of any team member completing the task at hand while also maintaining legal compliance standards. Then, enter all those risks into a document called a Risk Register to be referenced throughout the risk management plan's development.
It can be overwhelming for a project manager to delve into all that could go wrong throughout the course of an initiative, but putting in the time to think through all possible worst-case scenarios is a key component of effective risk management. While the project manager is the ultimate agent for change, the risk-managing power of thoughtful collaboration, especially in the nascent stages of project development, cannot be overstated.
Before choosing between different information-gathering techniques, consider the following questions regarding the scope of work, resources, timeline, budget, and project deliverability:
- What is the scope of work? Are all parts of the project familiar, or are you dealing with tasks that are new to you or your team? If there are new tasks, have you identified all the risks associated with them?
- Do you have adequate resources available to complete your project? Are your personnel trained, or will they require training? Have you completed background checks or utilized a vendor credentialing system?
- How long should this project take to complete? Are there any scheduling conflicts to resolve before beginning work? Is the timeline outlined in your contract realistic?
- How detailed is your budget? Are you at risk of overrunning your budget?
- Can you deliver this project? Are you making any promises you may not be able to keep? What could hinder your ability to deliver the project's goals?
Techniques for Gathering Information
You know the adage: If you make assumptions, you’re prone to set yourself, and others, up for failure. (Or something like that.) To thwart the likelihood of falling victim to risks associated with wrongful assumptions, there's assumption analysis.
It includes the following three-step process:
First: Document all assumptions made during the project planning process.
Next: Identify all risks to the project from each assumption based on the potential inaccuracies or inconsistencies these may contain.
Finally: Determine whether each assumption is valid (worth the associated risks) or not.
To brainstorm is to produce an idea or way of solving a problem by holding a spontaneous discussion.
Picking the brains of your select, trusted group of team members in search of personally unforeseen risk threats/opportunities is often helpful, particularly if you’re working with new third-party contractors or completing a project with an unfamiliar scope of work. There's no limit to what you might learn by listening to others' ideas and experiences.
Event Inventories or Loss Data
Event-based inventory is a control method triggered by a specific event, and it entails completing physical counts for SKU items.
For example: If a retailer's database is reporting inventory levels below respective reorder points, a physical inventory may be triggered to:
- Calculate shrinkage
- Fix database errors
- Investigate possible root causes of the loss event
Note: This process is especially important in retail and manufacturing environments. Factors to consider when consulting your loss data might include:
- Susceptibility to theft
- Complexity of the year-end inventory procedure
- Prior-period misstatements
Consulting a risk management expert suggests humility, leadership, and compassion for stakeholders. Advice may be sought from any group or individual with specialized knowledge or training; just don't forget to consider the expert's potential biases the same way you would anyone else's when evaluating their input.
Facilitated workshops bring key stakeholders together with project managers to achieve team alignment. This method works on several levels:
- Facilitated workshops grant stakeholders the opportunity to talk through differences of opinion with a project manager present to backstop the conversation with unique area expertise. This can build trusting relationships, display competency, and improve communication within the organization.
- Workshops gather big players from different company departments (finance, marketing, operations, and human resources, for example) into the same room to work together to define cross-functional requirements.
Interviews, Self-assessments, Questionnaires & Surveys
Interviews: If you've ever dreamed of becoming a reporter, this is your time to shine. Experienced project team members, stakeholders, and industry experts all hold a wealth of knowledge just waiting to be tapped. What better way to identify risks than to ask the folks who have tried, failed, and learned from their mistakes?
Self-Assessments: This is only effective if the participant is self-aware and honest. To assuage inherent biases, utilize a pre-written self-assessment template.
Questionnaires/Surveys: Of all the methods outlined in this section, interviews may seem like the fastest, simplest route to the answers you're looking for. Here's the hitch, however: People can, and will, lie to your face to save face. Questionnaires and surveys can be kept anonymous and give participants more time to consider prompts, hopefully leading to more thoughtful responses.
Take your time and be thorough throughout the Identify component. This will help streamline subsequent risk management stages.
Step 2: Analyze
After you've identified all your risks—threats and opportunities—it's time to determine the severity and probability of each. To simplify this process, group all risks into appropriate categories based on perceived similarities around root causes.
At the end of this stage, you'll have an understanding of the nature of your risks and the likelihoods of occurrences. You can then begin making judgments about which should be addressed and with what level of urgency.
Techniques for Prioritizing Risk
There are qualitative and quantitative methods for assessing risk. Utilizing a mixed-method approach provides the most comprehensive framework on which to base your risk management plan.
A SWOT analysis maps and prioritizes an organization's Strengths, Weaknesses, Opportunities, and Threats. In the context of risk management, the process entails brainstorming for each of the four parts, then conducting an analysis to combine related factors into appropriate categories. Next, you'll prioritize all of the items in a forced rank order. Finally, you'll begin to define strategies that:
- Use strengths to take advantage of opportunities
- Use strengths to avoid threats
- Take advantage of opportunities by overcoming weaknesses
- Minimize weaknesses and avoid threats
Qualitative Risk Analysis
Before risk management plans can be developed and implemented, a risk narrative should be fleshed out. Qualitative risk analysis contributes to that narrative by describing specific risks as they relate to hazards, consequences (severity), probability, and final risk.
The results of your qualitative risk analysis may then be used for a Contingency Analysis (sensitivity analysis/if-then analysis), which seeks to plot actionable items to carry out in case of specific risk events.
Quantitative Risk Analysis
The purpose of quantitative risk analysis (QRA) is to translate qualitative concepts into measurable metrics that feed into protective plans for the project's budget and schedule. The quantified value assigned to a particular risk is then added to the project cost or time estimate as a contingency value.
Methods for determining contingency values include Heuristic Methods, Expected Value Methods, Probability Distribution Methods, Interdependency Models, and Empirical Methods.
Thorough quantitative risk analysis can get expensive, so QRA may be reserved for only those risks deemed a high priority. Once a value is assigned to a potential risk, the impact is labeled as either an increase or decrease in cost and/or time, or as a percentage range with a particular distribution, which is then factored into a final, quantifiable assessment of total risk.
Step 3: Evaluate
In step two, we discussed analyzing risk based upon probability and severity, the combination of which ultimately constitutes total risk magnitude. In step three, you begin to make judgments regarding whether a given risk is imminent or costly enough to warrant preemptive treatment, or if it’s a risk you're willing to take.
A common tool used at this stage of risk management planning is a risk assessment matrix.
Techniques for Developing Your Risk Assessment Matrix
There are four steps to developing a risk assessment matrix:
- Identify risk universe.
- Determine risk criteria.
- Assess the risks.
- Prioritize the risks.
If you've completed steps one and two of risk management planning (Identify and Analyze), then the processes for collecting metrics to plug into your risk assessment matrix should be well underway. By the time you reach the evaluation stage of risk management planning, you and your team should have already:
- Identified all potential risk events that could negatively impact the progress of your project
- Analyzed, categorized, and ranked all of the items in their respective matrices
Now, you’re ready to accept whatever message your findings happen to illustrate. For this, you’ll want to develop your own risk assessment matrix (or probability/impact matrix) that encompasses both your qualitative and quantitative reasoning. This entails cross-referencing all your newfound knowledge of risk severity with respective risk probability across multiple analytical methods to determine which risks are to be considered high, medium, and low priority.
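The following Python example is added here for illustration and is not part of the original article. It bands a risk register into high, medium, and low priority with a probability/severity matrix, then applies an expected-value contingency only to the high-priority risks, as the Quantitative Risk Analysis section suggests. The 1-5 scales, the band cut-offs, the sample figures, and the choice to let opportunities reduce the contingency are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed for this example: 1-5 ordinal scales and these band cut-offs.
# The article names high/medium/low priority but sets no numeric thresholds.
HIGH_CUTOFF, MEDIUM_CUTOFF = 15, 6

@dataclass
class Risk:
    name: str
    kind: str                            # "threat" or "opportunity"
    probability: int                     # qualitative rating, 1 (rare) to 5 (near certain)
    severity: int                        # qualitative rating, 1 (minor) to 5 (severe)
    p_estimate: Optional[float] = None   # quantified probability 0.0-1.0 (QRA only)
    cost_impact: Optional[float] = None  # quantified cost effect if the event occurs

    def __post_init__(self):
        if self.kind not in ("threat", "opportunity"):
            raise ValueError(f"{self.name}: unknown kind {self.kind!r}")
        for rating in (self.probability, self.severity):
            if not 1 <= rating <= 5:
                raise ValueError(f"{self.name}: ratings must be 1-5")

def priority(risk):
    """Band one risk by probability x severity (the qualitative step)."""
    score = risk.probability * risk.severity
    return "high" if score >= HIGH_CUTOFF else "medium" if score >= MEDIUM_CUTOFF else "low"

def matrix(register):
    """Group risk names into matrix cells keyed by (probability, severity)."""
    cells = {}
    for r in register:
        cells.setdefault((r.probability, r.severity), []).append(r.name)
    return cells

def contingency(register):
    """Expected-value contingency over high-priority risks only.

    Threats add p * impact and opportunities subtract it. High-priority
    risks that have not been quantified yet are returned by name rather
    than being silently counted as zero.
    """
    total, unquantified = 0.0, []
    for r in register:
        if priority(r) != "high":
            continue
        if r.p_estimate is None or r.cost_impact is None:
            unquantified.append(r.name)
            continue
        sign = 1 if r.kind == "threat" else -1
        total += sign * r.p_estimate * r.cost_impact
    return total, unquantified

# Constructed sample register: names echo the article's examples, figures are invented.
REGISTER = [
    Risk("Permit issued late", "threat", 4, 4, 0.5, 50_000),
    Risk("Extra design staff become available", "opportunity", 3, 5, 0.25, 20_000),
    Risk("Untrained personnel on new task", "threat", 5, 3),
    Risk("Contractor insurance certificate lapses", "threat", 2, 5),
    Risk("Scheduling conflict at kickoff", "threat", 2, 2),
]
```

Calling `contingency(REGISTER)` returns the amount to add to the cost estimate together with the high-priority risks that still need a quantified probability and impact before that amount can be trusted.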
Step 4: Treat
Once you’ve created your risk assessment matrix, you should have a concrete idea about the high, medium, and low priority risks your project faces, so you may begin crafting plans of action for risk avoidance as well as protocols for the inevitable instances when risk events occur.
This is also referred to as risk response planning.
Techniques for Risk Response Planning
One way to remove risk from a project is to eliminate its root cause. In project management, this means axing the tasks associated with the risk altogether.
This is not always a feasible option. Sometimes, you just have to do things you don't want to. For those instances, there are four other risk response planning strategies to consider.
You've likely heard or perhaps even repeated the mantra: "Give me the strength to accept the things I cannot change." Certain risks are simply unavoidable and come with no clear solution. This is what your risk management plan was built for! Go forth and plan the risk into the project!
3. Monitor & Prepare
For risks too massive to accept with open arms, but too integral to the project to avoid, there's monitoring and preparing. This entails:
- Naming and documenting potential risk triggers and monitoring those contingencies closely
- Creating an airtight plan of action ahead of time that can be set in motion the moment the risk occurs
Here's a riddle: If you were afflicted with third-degree burns, and a genie offered you the magical power to dial those burns down to first-degree burns, would you accept?
Hopefully, third-degree burns are not listed on your risk register, but if they are, there's good news: Reducing the probability and severity of a given risk is possible, and usually doesn't even require a genie, or any magic at all, for that matter.
For example, to reduce the probability of burns, you might invest in a fire-resistant suit; to reduce the severity, perhaps you'd consider having a medical trauma specialist on call.
One best practice to follow is prioritizing reducing the probability of a risk ahead of planning for severity mitigation. It's more proactive to lessen the likelihood that a negative event will ever take place than to simply brace for impact.
Risk transfer means unloading the burden of risk onto another party. If you work with third-party contractors/contingent laborers, careful insurance documentation and vendor credentialing could save your company from detrimental worker's compensation and/or general liability suits.
Before agreeing to take on a project, review the suggested brainstorming questions at the beginning of this post. If the job is too big or unfamiliar for you and your team to fulfill the contracted project requirements and goals, outsource some or all of the project to someone better equipped for the job.
Step 5: Monitor/Review
Your risk register is full and contingency values have been figured into your project's budgetary and scheduling plans. It's time to put your risk management efforts to the test, but remember: Risk management is a perpetual practice of high-performing organizations, so your efforts should be ongoing.
Techniques for Continued Risk Management
Assessments & Meetings
Risk assessment should always be on the agenda at status meetings, including conducting ongoing reassessments of imminent risks and informing the team of any risks that are no longer threats.
Review and document the efficacy of each risk response.
Variance & Trend Analysis
Compare planned results to actual results using performance data to control and monitor risk events.
Root Cause Analysis
Re-evaluate root causes of any risk events that occurred to identify the failed system, implement protocols, and categorize the risks correctly during your next round of risk identification.
Risk Management Plan: Overview
Once your five-step risk management plan is complete, it should cover the following in great detail:
- Process - details each task within a project
- Budget - outlines the allocation of funds
- Risk Register - a repository for all threats identified, including additional information about each risk, such as its nature and mitigation measures, etc.
- Roles & Responsibilities
- Reporting Structure/Hierarchy
- Risk Categories
- Analysis or Anticipation Report of Likely Risks
- Solutions or Mitigation Strategies, Varying From High-Impact to Low-Impact Risks
Sample Risk Management Checklists for Various Industries
Healthcare (U.S. Centers for Disease Control and Prevention)
Agriculture (U.S. Department of Agriculture)
Transportation (New York State Department of Transportation)
Construction and Engineering (U.S. Army)
Real Estate (Financial Services Agency, Japan)
COVID-19 (U.S. National Institute of Environmental Health Sciences)
Creating a risk management checklist uniquely tailored to your industry and business model helps identify risks and avoid consequential mishaps.