This post discusses risk management plans. In this post, you will understand risk management plans and how to develop risk management plans for an organisation.

When you fail to plan, you are planning to fail. Poor planning is the cause of many project failures. Planning for positive outcomes (like milestones and success metrics) is easy, but it can be challenging to prepare for the worst. It is even more critical for small businesses to plan for risk than it is for larger organisations. We often like to think that our project will go smoothly, but sometimes ignoring potential risks is not overly optimistic. It is dangerous. Nearly half of all project failures are due to undefined risks! That is where a risk management plan comes in to help mitigate risks before they become problems.

WHAT IS RISK MANAGEMENT?

Managing business risk is one of the most critical aspects of top management. Risk management aims to address potential positive and negative impacts on organisations’ operations and projects. Risks are an inherent part of all organisations and projects. Hence, identifying, evaluating, managing and monitoring potential organisational and project risks is necessary. If one of the potential risks has passed the threshold, it can jeopardise the company and projects. Some risks are bound to become problem areas – like executing a project over the holidays and planning the project timeline around them. Hence, the risk management process should be proactive and reactive in identifying, analysing, and responding to risks that emerge within an organisation and its operations.

Creating a risk management plan for business continuity is necessary to ensure management makes the right decision. Often, business plans seem like a fantastic idea, but unexpected problems occur during execution, which ends up damaging the future of the business. Large organisations have dedicated risk personnel whose sole focus is on potential risks, but smaller organisations also need to plan for risk. Larger organisations can survive a small problem, but a similar situation can bring a small business to a standstill. 

WHAT IS A RISK MANAGEMENT PLAN?

A risk management plan is a well-defined document that articulates how to deal with specific risks and what actions must be taken against those risks to mitigate or remove threats to the project tasks and outcomes. In the most basic terms possible, a risk management plan is a document used by organisations and project managers to identify potential risks to the project, estimate the impact and the probability of them happening, and then define responses. The risk management plan gives teams a sense of measures they need to take to identify, analyse, and respond to all the risks running around within the project wheel. 

An organisation or project risk management plan is a document that helps identify, evaluate, and plan for potential issues within an organisation or during a project life cycle. It is like a roadmap that shows potholes and accident-prone aspects of a company’s operations. This plan is part of a typical risk management process during the whole life cycle. The risk management process brings together all the driving forces that cause the project management team to treat risks.

It is, however, necessary to emphasise that not all risks are bad. A risk is simply a moment of uncertainty. Risks can be uncertainties in scope, schedule, cost, or quality. Creating a risk management plan involves identifying those moments and creating a system to maximise the positive impacts and mitigate potential negative consequences. Studies have shown that we often overestimate our ability to influence events based on chance. In other words, we have more control over uncertainties than we do.

IMPACT OF COGNITIVE BIAS ON RISK MANAGEMENT PLANNING 

We might blame cognitive biases (mental shortcuts that influence our thinking) for this problem. Specifically, when imagining the outcomes of a project, it is easy to fall victim to the following:

1) Anchoring: This often occurs when we give less value to readily available information instead of thinking about less likely outcomes. 

2) Confirmation bias: This often occurs when we value information that aligns with our current position and devalues anything that contradicts it.

3) Survivorship bias: This often occurs when we give too much value to success stories and ignore all the ones of failure.

4) Groupthink occurs when we get sucked into a group’s decision and do not bring up objections – even if they are valid. and

5) The planning fallacy: This often occurs when we are overly optimistic about how much time or resources a project will take.

TYPE OF RISK TO BE CONSIDERED WHEN PREPARING A RISK MANAGEMENT PLAN

So, what type of risks and uncertainties should be considered when preparing a risk management plan? According to the Project Management Institute, most project risks can be classified into four categories:

1) Technical: This includes risks based on requirements, technology, interfaces, performance, and quality.

2) Management: This includes what might emanate from planning, scheduling, estimating, or communication.

3) Organisational: This includes the firm’s peculiar features, which can impact operations, projects, logistics, budget, and resources.

4) External risks: This entails risks that emanate from a firm’s customers, users, contractors, and the marketplace.

Each of these risks could result in a positive outcome. For example, a change in demand might result in a reduction in the company’s sales decline. Ideally, the company should consider how to take advantage of a sudden increase in its budget.

ELEMENTS OF RISK

According to Gregory Becker, the three aspects of every risk are:

1. The risk: refers to the event or condition that may happen. The risk should be clearly defined to ensure the concern is genuine and thoroughly addressed. 

2. Consequences of the risk: should be well defined to ensure that the risk management team knows what is at stake, the magnitude and urgency of the impact, and its implications on the organisation.

3. The probability of the risk occurrence: must be accurate and well-estimated to ensure that the team allocates an appropriate and proportionate amount of time and energy to plan, monitor, and respond to the risk. 

It is not possible to identify all risks on the surface. Hence, the level of the knowability of risks varies from organisation to organisation and project to project. Now, let us consider levels of the knowability of risks.

LEVELS OF KNOWABILITY OF RISKS

For each risk, there are three levels of knowability to consider. An organisation or project’s risks are unplanned, but that does not mean they are always unknown. 

There are three basic levels of the knowability of risks: known, unknown, and unknowable.

1) A known risk: A known risk is something that team members or stakeholders have recognised. 

2) An unknown risk: An unknown risk did not come up immediately and might only be known or recognised by a few people, such as an expert or specialist.

3) An unknowable risk: An unknowable risk cannot be reasonably expected or foreseeable, such as total system failure, a market crash, or an accident. An unknowable risk is a risk that no one can reasonably anticipate or expect but is usually a surprise to most individuals (such as system failure, sudden illness, and accident). 

BENEFITS OF CREATING A RISK MANAGEMENT PLAN

Risk management plans provide various benefits that make the document a worthwhile endeavour for every organisation. From helping businesses to identify the potential risks, they may face to treating them. Awareness of these risks allows companies to make plans and deal with them when they arise. The benefits of having a risk management plan, amongst others, are to:

1. Boosts results: Having a risk management plan will enhance a firm’s performance and project success. 

2. Ensures proactive and not reactive: A clear risk management plan will enable a firm to proactively reduce potential issues before they arise instead of a constantly fire-fighting approach. 

3. Helps evaluate the impact of risk exposures: With the help of a devised risk management plan, the company can assess the effect of tasks by mitigating exposure to risks and exploiting opportunities that capitalise on the company’s strengths. 

EFFECTIVE RISK MANAGEMENT PLAN

Creating a risk management plan follows a simple flow of identity, evaluating, planning, and monitoring. Risk management plans may vary from organisation to organisation. Hence, the need to highlight simple rules for creating a risk management plan. 

Here are five simple rules for creating an effective risk management plan:

1. Identify potential risks.
2. Understanding potential risks.
3. Prioritising the risks.
4. Determine the risks that require attention.
5. Mobilise resources to manage the risks to achieve business and customer objectives. 

STEPS TO CREATING A RISK MANAGEMENT PLAN

It is time to combine this into a proper risk management plan. 

Now, let us discuss the eight steps involved in creating a risk management plan:

Step 1: Define the risk management plan approach

Step 2: Identify potential risks and then document and prioritise risks. See the post on ’26 ways to identify risks in an organisation’.

Step 3: Evaluate and assess the consequence, impact, and probability of each potential risk

Step 4: Assign roles and responsibilities to each risk

Step 5: Develop preventative strategies for each risk

Step 6: Create a contingency plan in case things go wrong

Step 7: Measure risk thresholds and work with project stakeholders

Step 8: Continue to monitor and report on each risk.

BEST PRACTICES FOR MAINTAINING A RISK MANAGEMENT PLAN

Continue to evaluate and re-evaluate the risks and their scores and address risks at every project milestone. A risk management plan constantly evolves within an organisation or during a project’s life cycle. Risk management plans may fail due to several factors, including an insufficient budget, modelling errors, and ignoring identified risks. So, the best practices are to focus on the monitoring phase of the risk management plan. 

Project dashboards and other tracking features can also be a lifesaver for maintaining the organisation’s risk management plan. In addition to the routine tracking, at each milestone, the company should conduct another round of interviews with the checklist used at the beginning of the project to re-interview stakeholders, project members, customers (if applicable) and industry experts. Record their responses, adjust the risk matrix if necessary, and report all relevant updates of the risk management plan to key stakeholders. This process and transparency level will help identify new risks and determine if previous risks have expired.