Research has shown that well-designed risk management plans can decrease problems encountered on a project by as much as 90 percent. Combined with a world-class project management methodology, a good risk management process can be essential in diminishing unexpected project risks. A simple risk management plan is better than having no plan at all. Good companies recognize that risk management is part of the value-added function of project management.
Risk management planning should be completed early during the project planning stage since it is crucial to successfully performing the other project management phases (see Figure 1 above). The result of risk management planning is the risk management plan. The risk management plan identifies and establishes the activities of risk management for the project in the project plan.
According to Dictionary.com, a project is a large or major undertaking, especially one involving considerable money, personnel, and equipment. When money, people, and equipment are involved there is bound to be a considerable amount of risk involved. So, by definition, projects are a risky endeavor. They aim to create new products, services, and processes that do not currently exist. With that much at stake, a solid risk management plan is critical to the success of a project.
Writing a risk management plan can be accomplished in seven easy to follow steps. The difficult part is the actual implementation and use of the plan you develop. I will provide you with a practical seven-step process to guide you through this important undertaking.
Step One
The first step in writing a risk management plan is to assemble a team of key people in the organization. This team should consist of individuals who have strong backgrounds in project management. Then, each person on the team is to list ten risk items. Remember, every risk, whether typical or atypical should be listed, since they all have a probability of occurring.
Step Two
Depending on the size of the team and the type of project that the plan is being written for, the list of project risks will be substantial. Combine the risk lists from each member, then delete any duplicate entries, leaving a master list.
Step Three
This step involves three important characteristics of risk:
For every risk on the master list, assess each of the above characteristics. To do so, a rating scale from 1 to 4, or a subjective term such as low, medium, and high can be used (see Table 3-1 for an example 
). Assessing detectability is not as hard as it would seem.
For example, a risk of a political nature, such as a political disturbance that delays the start of the project, is harder to see, so it would be labeled a riskier item. Excessive reporting needs by the customer, a risk that is easier to detect, would be a lower risk item.
Step Four
Divide the risk management planning team into subgroups and assign segments of the master risk list to each subgroup. The job of each subgroup is to identify triggers, or warning signs, for each risk on its segment of the master list. Again, it is important to document all triggers associated with each risk. Three triggers per risk are standard.
Step Five
In Step Five, the subgroups are to identify and document preventive actions for the "threats" and enhancement actions for the "opportunities." Risks are unknown events that are inherently neutral. They can be characterized as either positive or negative. Unfortunately, a lot of time and energy is spent handling negative project risks, or "threats" rather than positive risks, or "opportunities", and therefore step five is very important. No organization should overlook the chance to benefit from any opportunities that present themselves.
Step Six
In Step Six, the subgroups are to create a contingency plan for most but not all project risks - a plan that includes the actions one would take if a trigger were to occur. This plan will be created for those risks scoring above a certain cut-off point, which is determined after looking at the total scores for all risks. This keeps the risk management process manageable. The risk management plan is not effective if it is so time-consuming that it is never used.
Step Seven
The last step in writing a risk management plan is to assign an owner of each risk on the master list. The responsibility of the risk owner is to watch out for the triggers and then to respond appropriately if the triggers do occur. The owners are to implement the contingency plan from step six. Although there are risk owners, the project manager is still ultimately responsible for risk management.
Proper documentation is important during every step of the planning process. A risk management plan should be incorporated into every project management plan. A generic list of risks and triggers can be generated from this initial plan. To apply the risk plan to future projects, simply add project-specific risks and triggers and assess the probability, impact, and detectability for each risk. This, in turn, will save time and help institutionalize the risk management plan into the project team's culture.