Risk management plan: Difference between revisions

Content deleted Content added

Inline

Revision as of 19:09, 19 December 2024

A risk management plan is a document to foresee risks, estimate impacts, and define responses to risks. It also contains a risk assessment matrix. According to the Project Management Institute, a risk management plan is a "component of the project, program, or portfolio management plan that describes how risk management activities will be structured and performed".^[1]

Moreover, according to the Project Management Institute, a risk is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives".^[1] Risk is inherent with any project, and project managers should assess risks continually and develop plans to address them. The risk management plan contains an analysis of likely risks with both high and low impact, as well as mitigation strategies to help the project avoid being derailed should common problems arise. Risk management plans should be periodically reviewed by the project team to avoid having the analysis become stale and not reflective of actual potential project risks.

Risk response

Broadly, there are four potential responses to risk with numerous variations on the specific terms used to name these response options:^[2]^[3]

Avoid – Change plans to circumvent the problem;
Control / mitigate / modify / reduce – Reduce threat impact or likelihood (or both) through intermediate steps;
Accept / retain – Assume the chance of the negative impact (or auto-insurance), eventually budget the cost (e.g. via a contingency budget line); or
Transfer / share – Outsource risk (or a portion of the risk) to a third party or parties that can manage the outcome. This is done financially through insurance contracts or hedging transactions, or operationally through outsourcing an activity.

(Mnemonic: SARA, for Share Avoid Reduce Accept, or A-CAT, for "Avoid, Control, Accept, or Transfer")

Risk management plans often include matrices.

Examples

The United States Department of Defense, as part of acquisition, uses risk management planning that may have a Risk Management Plan document for the specific project. The general intent of the RMP in this context is to define the scope of risks to be tracked and means of documenting reports. It is also desired that there would be an integrated relationship to other processes. An example of this would be explaining which developmental tests verify risks of the design type were minimized are stated as part of the test and evaluation master plan. A further example would be instructions from 5000.2D^[4] that for programs that are part of a system of systems the risk management strategy shall specifically address integration and interoperability as a risk area. The RMP specific process and templates shift over time (e.g. the disappearance of 2002 documents Defense Finance and Accounting Service / System Risk Management Plan, and the SPAWAR Risk Management Process).

Citations

^ ^a ^b Project Management Institute 2021, Glossary §3 Definitions.
^ Special Publication 800-37 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS (revision 2 draft ed.). National Institute of Science and Technology. May 2018.
^ CRISC Review Manual (6th ed.). ISACA. 2015. ISBN 978-1-60420-371-4.
^ SECNAVINST 5000.2D 3.4.4.1

References

Project Management Institute (2021). A guide to the project management body of knowledge (PMBOK guide). Project Management Institute (7th ed.). Newtown Square, PA. ISBN 978-1-62825-664-2.{{cite book}}: CS1 maint: location missing publisher (link)

External links

[FOOTNOTEProject_Management_Institute2021Glossary_§3_Definitions-1] Project Management Institute 2021, Glossary §3 Definitions.

[2] Special Publication 800-37 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS (revision 2 draft ed.). National Institute of Science and Technology. May 2018.

[3] CRISC Review Manual (6th ed.). ISACA. 2015. ISBN 978-1-60420-371-4.

[4] SECNAVINST 5000.2D 3.4.4.1

[1]

[2]

[3]

[4]

@@ Line 1: / Line 1: @@
+{{Short description|Multi-dimensionable matrix method for mitigating risks}}
-A '''risk management plan''' is a document that a [[project manager]] prepares to foresee risks, estimate impacts, and define responses to issues. It also contains a [[Risk matrix|risk assessment matrix]].
+{{More footnotes|date=July 2021}}
+A '''risk management plan''' is a document to foresee risks, estimate impacts, and define responses to risks. It also contains a [[Risk matrix|risk assessment matrix]]. According to the [[Project Management Institute]], a risk management plan is a "component of the project, program, or portfolio management plan that describes how risk management activities will be structured and performed".{{sfn|Project Management Institute|2021|loc=Glossary §3 Definitions}}
-A risk is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives."<ref>[[Project Management Body of Knowledge|PMBOK]] Guide 5th Edition, Glossary pg. 373.</ref> Risk is inherent with any [[project]], and [[project manager]]s should assess risks continually and develop plans to address them.  The risk management plan contains an analysis of likely risks with both high and low impact, as well as mitigation strategies to help the project avoid being derailed should common problems arise.  Risk management plans should be periodically reviewed by the project team to avoid having the analysis become stale and not reflective of actual potential project risks.
+Moreover, according to the Project Management Institute, a risk is "an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives".{{sfn|Project Management Institute|2021|loc=Glossary §3 Definitions}} Risk is inherent with any project, and project managers should assess risks continually and develop plans to address them. The risk management plan contains an analysis of likely risks with both high and low impact, as well as mitigation strategies to help the project avoid being derailed should common problems arise. Risk management plans should be periodically reviewed by the project team to avoid having the analysis become stale and not reflective of actual potential project risks.
-Most critically, [[risk management]] plans include a risk strategy.  Broadly, there are four potential strategies, with numerous variations.  Projects may choose to:
-* '''A'''void risk – Change plans to circumvent the problem;
+==Risk response==
-* '''C'''ontrol/Mitigate risk; – '''R'''educes impact or likelihood (or both) through intermediate steps;
+{{main |Risk management#Potential risk treatments}}
-* '''A'''ccept [[risk]] – Take the chance of negative impact (or ''auto-insurance''), eventually ''budget'' the cost (e.g. via a contingency budget line);
+Broadly, there are four potential responses to risk with numerous variations on the specific terms used to name these response options:<ref>{{cite book |title=Special Publication 800-37 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS |date=May 2018 |edition=revision 2 draft |publisher=National Institute of Science and Technology |url= https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft}}</ref><ref>{{cite book
-* '''T'''ransfer risk – Outsource risk (or a portion of the risk – '''S'''''hare risk'') to third party or parties that can manage the outcome. This is done financially through insurance contracts or hedging transactions, or operationally through outsourcing an activity.
+ |title=CRISC Review Manual
+ |date=2015
+ |edition=6th
+ |publisher=ISACA
+ |isbn=978-1-60420-371-4
+}}</ref>
+* Avoid – Change plans to circumvent the problem;
+* Control / mitigate / modify / reduce – Reduce threat impact or likelihood (or both) through intermediate steps;
+* Accept / retain – Assume the chance of the negative impact (or ''auto-insurance''), eventually ''budget'' the cost (e.g. via a contingency budget line); or
+* Transfer / share – Outsource risk (or a portion of the risk) to a third party or parties that can manage the outcome. This is done financially through insurance contracts or hedging transactions, or operationally through outsourcing an activity.
+(Mnemonic: SARA, for '''S'''hare '''A'''void '''R'''educe '''A'''ccept, or A-CAT, for "Avoid, Control, Accept, or Transfer")
-(Mnemonic: '''SARA''' for '''S'''hare '''A'''void '''R'''educe '''A'''ccept, or [[Avoid, Control, Accept, or Transfer|A-CAT]] for "Avoid, Control, Accept, or Transfer") <br />
 Risk management plans often include matrices.
+==Examples==
-The United States Department of Defense, as part of acquisition, uses risk management planning that may have a Risk Management Plan document for the specific project.  The general intent of the RMP in this context is to define the scope of risks to be tracked and means of documenting reports.  It is also desired that there would be an integrated relationship to other processes.  An example of this would be explaining which developmental tests verify risks of the design type were minimized are stated as part of the [[test and evaluation master plan]].  A further example would be instructions from 5000.2D<ref>[https://acc.dau.mil/CommunityBrowser.aspx?id=44705&lang=en-US SECNAVINST 5000.2D 3.4.4.1]</ref> that for programs that are part of a [[system of systems]] the risk management strategy shall specifically address integration and interoperability as a risk area.  The RMP specific process and templates shift over time (e.g. the disappearance of 2002 documents Defense Finance and Accounting Service / System Risk Management Plan, and the SPAWAR Risk Management Process).
+The United States Department of Defense, as part of acquisition, uses risk management planning that may have a Risk Management Plan document for the specific project. The general intent of the RMP in this context is to define the scope of risks to be tracked and means of documenting reports. It is also desired that there would be an integrated relationship to other processes. An example of this would be explaining which developmental tests verify risks of the design type were minimized are stated as part of the [[test and evaluation master plan]]. A further example would be instructions from 5000.2D<ref>[https://acc.dau.mil/CommunityBrowser.aspx?id=44705&lang=en-US SECNAVINST 5000.2D 3.4.4.1]</ref> that for programs that are part of a [[system of systems]] the risk management strategy shall specifically address integration and interoperability as a risk area. The RMP specific process and templates shift over time (e.g. the disappearance of 2002 documents Defense Finance and Accounting Service / System Risk Management Plan, and the SPAWAR Risk Management Process).
 == See also ==
@@ Line 18: / Line 31: @@
 * [[Project management]]
 * [[Project Management Professional]]
+* [[Risk evaluation and mitigation strategy]] (REMS)
 * [[Risk management]]
 * [[Risk management tools]]
 * [[Risk management framework]]
+* [[Gordon–Loeb model]] for cyber security investments
-==References==
+==Citations==
 {{Reflist}}
-{{refimprove|date=November 2007}}
+==References==
+*{{Cite book|last=Project Management Institute|title=A guide to the project management body of knowledge (PMBOK guide)|date=2021|others=Project Management Institute|isbn=978-1-62825-664-2
+|edition=7th|location=Newtown Square, PA}}
 == External links ==
-* [http://www2.gsu.edu/~wwwpmo/risk_management.html Georgia State University:  Risk Management]
 * [http://www.pmhut.com/project-management-process-phase-2-planning-create-risk-management-plan Creating The Risk Management Plan (template included)]
 * [http://www.epa.gov/rmp EPA RMP Rule page]
-* [http://www.dau.mil/pubs/gdbks/risk_management.asp Risk Management Guide for DoD Acquisition (ver 6 - ver 5.2 more detailed but obsolete)]
+* [https://www.acq.osd.mil/damir/documents/DAES_2006_RISK_GUIDE.pdf Risk Management Guide for DoD Acquisition (ver 6 - ver 5.2 more detailed but obsolete)]
-* [http://www.dau.mil/pubs/gdbks/sys_eng_fund.asp Defense Acquisition University, System Engineering Fundamentals (see ch 15)]
+* [https://apps.dtic.mil/dtic/tr/fulltext/u2/a387507.pdf Defense Acquisition University, System Engineering Fundamentals (see ch 15)]
-* [http://www.dau.mil/pubs/gdbks/pmbok.asp US DoD extension to PMBOK Guide (see ch 11)]
+* [http://www.risk-services.com/DoDExtPMBOKJune2003.pdf US DoD extension to PMBOK Guide, June 2003 (see ch 11)]
+* [http://everyspec.com/DoD/DoD-PUBLICATIONS/DoDExtPMBOK-June2003_3293/ US DoD extension to PMBOK Guide (see ch 11)]
-* [https://acc.dau.mil/CommunityBrowser.aspx?id=504118&lang=en-US Defense Acquisition Guidebook (DAG) - ch9 testing]
+* [https://www.dau.edu/tools/dag US Defense Acquisition Guidebook (DAG) - ch8 testing]
-* [http://www.office.microsoft.com/en-us/templates/project-risk-management-plan-TC001145558.aspx MSOffice template for Project Risk Management Plan]
-* [https://acc.dau.mil/CommunityBrowser.aspx?id=25644&lang=en-US DAU Risk Management Plan template]
+* [https://www.dau.edu/tools/t/Risk-Management-Plan-Template-2017 DAU Risk Management Plan template]
-* [http://www.crosstalkonline.org/storage/issue-archives/2005/200502/200502-0-Issue.pdf Crosstalk magazine - Risk Management issue]
 [[Category:Project management]]
 [[Category:Systems engineering]]
+[[Category:Risk management]]