Risk Management Plan


Prepared by: 

Approved by: 

Reference: <> Version: <> Date: <>


The purpose of this document is to describe a risk management plan for an information system upgrade. This document outlines the processes that will be used in the identification, recording, discussion, and response to risks as well as the roles of the project team. Inadequate attention to risk brings about cost overruns, inadequate technical performance and schedule delays. The project risk plan will record the team’s decisions on risk management to establish a clear standard way for the actions to be taken. Moreover, the plan will be utilized throughout the project life.

Risks are the potential events that may occur in the course of a project, and if they occur would adversely affect the project scope, schedule, quality and/or resources. Further, when risks occur they bring with them consequences. Conversely, risk management is the process with which risk management planning, identification, analysis, response and control is done on a project to mitigate its effects. The goal and objective of risk management is to reduce the chances and effects of adverse events to the project objectives (Garvey, 2000).

The project manager will be responsible for the creation and maintenance of this project risk management plan throughout the project, to maintain the appropriate levels of risk to meet the project’s objectives. Project team members who have questions regarding the document may consult the risk management officer. The project director will be tasked with reviewing and approving the risk management plan, and thus any changes will have to be authorized by the project director.

Project Description and Objectives 

The scope and objectives for the project are to identify the risks that will affect the information system upgrade, to ensure that the numbers do not rise as the project matures. Moreover, the probability of occurrence will be ascertained, followed by the degree of effect on the schedule, cost, scope, and quality following a priority. The risks are expected to impact the project in various categories of impact. The probability of occurrence, the categories affected, and the scope of their impact will form the basis for assigning the priority of risk. All risks will be monitored on a scheduled basis by the project risk management team and reported in the status report.

Aims, Scope and Objectives of Risk Process 

The aim of the information system upgrade project risk process will be to manage all the foreseeable risks using Active Threat and Opportunity Management (ATOM) in an effective, proactive and appropriate manner so that the project can meet its objectives, while keeping the exposure to risk at acceptable levels. Acceptable risk for the information system upgrade is the amount acceptable to stakeholders, such as the project sponsor, with regard to how many high threats are present in the project, or the maximum acceptable threat P-I score and minimum acceptable opportunity P-I score, or the extent of allowable delay or additional cost (Hillson & Simon, 2012).

Moreover, the risk process will aim to engage all project stakeholders as applicable, enhancing ownership and buy-in to the project itself as well as to risk management actions. Risk-based information will be communicated to the project stakeholders appropriately and in a timely way so that the project strategy can be modified as exposure to risk intensifies. Further, the process of risk management will allow the project team and other stakeholders to focus on the most risky project areas according to the ATOM module to achieve the project objectives. The process is intended to mitigate internal risks, program risks and business risks. Included in the project are the management, technical, and external risks.

During the project period, risk factors and events will be brought to the attention of the information system upgrade project manager via written communication. The project manager is responsible for logging the risk into the register, which will include the probability of event occurrence and the schedule impact, which is the duration of time that a risk factor could affect the schedule due to delays in the upgrade. Further, the register will include the scope impact the risk will have on the project’s accomplishments. Quality impacts will also be recorded, as work or project quality may go down during the process of engagement; for instance, overruns may result in financing problems, thus affecting the project size (Hillson & Simon, 2012). The cost impact of the risk event will also be registered in case it occurs, as it affects the project budget.

The project risk management aims to identify, analyze, and respond to the imminent project risks. The project will endeavor to maximize the probability and consequences of positive events as well as mitigate the likelihood and significance of adverse events to project objectives (Garvey, 2000). Moreover, it will define how the project management team will handle the risks to achieve the goals.

Project Size 

The project is medium since it has a budget of less than $5 million and more than $50,000 in the level of risk management process. However, criteria have to be generated for the assessment, with the closest description selected and the corresponding score recorded. The project's strategic importance will provide a major contribution to business objectives, thus a criterion value of 8. The commercial and contractual complexity will have a minor deviation from the existing commercial practices, thus a criterion value of 4.

Further, the external constraints and dependencies will have some external influence on the elements of the project at a criterion of 4. The requirement stability will entail some uncertainty and minor changes during the project at a criterion of 4. Conversely, the technical complexity will ensure a novel project with some innovation thus a criterion of 8. The project will entail a standard regulatory framework as market sector characteristics at a criterion of 4. Further, the project has a small value of less than $250,000 and a duration of 6 months thus a criterion of 2 and 4 respectively. The resources assigned will consist of a medium in-house project team and will have acceptable exposure to post-project liabilities at criteria of 4 on both. This project will thus be a medium hence a standard ATOM risk management process will be used.

The ATOM process to be used for the information system upgrade will consist of the following steps. Initiation will start with a clarification and recording of objectives for the project under assessment and a definition of the details of the risk process awaiting implementation, with the results documented in a risk management plan (Hillson & Simon, 2012). This will be followed by identification, which consists of the exposure and documentation of all risks likely to affect the project objectives in a positive or negative manner.

An assessment will be done in both a qualitative and a quantitative manner: the qualitative assessment shows the risks individually for comprehension and prioritization, and the quantitative assessment shows the effect of the risks on the project outcome to ascertain the areas more prone to risks. Moreover, response planning is necessary to ascertain the strategies and actions for dealing with identified risks. A report will also be necessary to communicate the dynamic status of risk concerning the project to all the stakeholders. Thereafter, implementation should follow to check the effectiveness of the agreed response strategies and actions. After implementation, a review will be necessary, involving an update of the risk assessment at regular intervals through a series of major and minor reviews. A post-project review will be held to see what lessons can be learned for risk management improvement as well as general project management (Bartlett, 2004).

The initiation phase will be completed before the project starts followed by the other steps, which will be cyclic on a regular basis throughout the project life. The first risk assessment will be completed within the first month of the project start with reviews being performed subsequently on a weekly basis.

Risk Tools and Techniques

The following tools and techniques will be utilized in support of the risk management process on the information system upgrade project. For initiation, the risk management plan will be used. For identification of risks, covering both threats and opportunities, the following techniques will be used. The first will be brainstorming with all the project team members in addition to the representatives of the key stakeholders. An analysis of the project’s assumptions and constraints will be carried out, as well as a review of the standard risk checklist (Turner, 2014).

Moreover, an ad hoc risk identification by the team members will be carried out at any stage during the project duration. Further, an initial risk register will be made to record the foreseeable risks for further assessment. In the critical assessment process, probability and impact assessment for the identified risks will be carried out with the project-specific scales. The risks will be categorized with use of the standard risk breakdown structure to ascertain the exposure patterns and the risk register update will be prepared to include assessment data.  

The tools and techniques for qualitative analysis will include risk probability and impact assessment. This will be used to investigate the likelihood that each specific risk will occur and its potential impact on the information system upgrade project objectives, for instance quality, cost, performance and schedule, defining it in levels through interviews and meetings with the project stakeholders, with the results being documented.

A probability and impact matrix will also be used to rate the risks for further qualitative analysis, with rules specified by the company. Another technique will be risk categorization to ascertain the areas of the project most vulnerable to risks. The risks will be grouped according to their root cause to aid in the development of effective risk responses. Risk urgency assessment will be done in combination with the risk ranking obtained from the probability and impact matrix to obtain the final risk sensitivity rating, whereby those risks that require a short-term response will be addressed urgently. Moreover, expert judgment will be sought from the project director through an interview, as he has handled more projects and is experienced (Garvey, 2000).

Data will be gathered and represented using interviews and probability distributions. The interviews will be carried out to gather optimistic, pessimistic and most likely scenarios. Moreover, continuous probability distributions will be used in simulation and modeling to represent the uncertainty in values, for instance task durations and project cost components. However, discrete distributions will also be used to represent the risky events.

The quantitative risk analysis and modeling techniques to be used in the project will include sensitivity analysis to determine the risks which may have the most potential impact on the information system upgrade project. The effects of varying the inputs of a mathematical model on the model’s output will be considered. Moreover, the effect of the uncertainty of each project element on the project objectives, holding the other risky elements at their baseline values, will be scrutinized.

Further, the expected monetary value analysis will be conducted to calculate the average outcome in relation to future uncertainties with the positive values representing opportunities while the negative values represent threats and risks. Modeling and simulation will be conducted quantitatively to translate the specific detailed risks of the information system upgrade into their potential effect on project objectives using the Monte Carlo simulation (Bartlett, 2004).

A cost risk analysis will be necessary, using cost estimates as input values chosen on a random basis according to the probability distributions of the values, with the total cost calculated. Further, a schedule risk analysis will be done using duration estimates and network diagrams as input values, also chosen on a random basis according to the probability distributions of the values, with the completion date calculated. The project director will also be consulted through interviews for expert judgment to identify the potential cost and schedule impacts and ascertain the probabilities. The expert judgment will also be used to interpret data and to pinpoint the weaknesses of the tools and their strengths, to ascertain the most appropriate tool according to the organization’s structure and capabilities.
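The cost risk analysis and expected monetary value calculation described above can be combined in one short simulation, checked against the plan's 5 percent cost threshold. This is an added example, not part of the original plan: all dollar figures, probabilities and names are constructed, and the triangular distribution is an assumed choice for turning the three-point interview estimates into a continuous distribution.

```python
import random

# Constructed sample inputs (not from the plan): three-point cost estimates
# (optimistic, most likely, pessimistic) in dollars, as gathered in interviews.
COST_ITEMS = {
    "hardware":  (60_000, 70_000, 95_000),
    "licences":  (40_000, 45_000, 60_000),
    "migration": (50_000, 65_000, 110_000),
    "training":  (15_000, 20_000, 30_000),
}
# Constructed discrete risk events: (probability, monetary impact); negative
# impact is a threat, positive is an opportunity (the EMV sign convention).
RISK_EVENTS = {
    "vendor delay":        (0.30, -20_000),
    "data cleanup rework": (0.20, -35_000),
    "volume discount":     (0.25, 10_000),
}
THRESHOLD = 0.05  # the plan's 5 percent cost-increase threshold

def expected_monetary_value(events):
    """Sum of probability * impact over all discrete risk events."""
    return sum(p * impact for p, impact in events.values())

def simulate_total_cost(items, events, trials=20_000, seed=1):
    """Monte Carlo: sample each cost item from a triangular distribution and
    each risk event as a yes/no draw; return the sorted total costs."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        cost = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in items.values())
        # A threat (negative impact) adds cost; an opportunity reduces it.
        cost -= sum(impact for p, impact in events.values() if rng.random() < p)
        totals.append(cost)
    return sorted(totals)

def threshold_report(items, events, threshold=THRESHOLD, **kw):
    """Compare simulated cost against baseline * (1 + threshold)."""
    baseline = sum(mode for _, mode, _ in items.values())
    totals = simulate_total_cost(items, events, **kw)
    limit = baseline * (1 + threshold)
    return {
        "baseline": baseline,
        "limit": limit,
        "mean": sum(totals) / len(totals),
        "p80": totals[int(0.8 * len(totals))],
        "prob_over_threshold": sum(t > limit for t in totals) / len(totals),
        "emv": expected_monetary_value(events),
    }

if __name__ == "__main__":
    for key, value in threshold_report(COST_ITEMS, RISK_EVENTS).items():
        print(f"{key:>20}: {value:,.2f}")
```

With these constructed inputs the most-likely baseline looks comfortable, yet the simulated probability of exceeding the 5 percent limit is well above half, which is the kind of result that single-point estimates hide.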

Risk identification will be carried out by the project team and the appropriate stakeholders, whereby the environmental factors, project management plan and organizational culture will be evaluated for inclusion in the project scope (Kendrick, 2009). Moreover, keen attention will be given to the project deliverables, constraints, cost and effort estimates, assumptions, and the resource plan. Further, a risk management log will be created and updated as required and stored electronically at the company website.

Risk Reviews and Reporting 

The risk exposure of the information system upgrade project will be under constant review during the project life, on a monthly basis for major reviews and weekly for minor reviews. This will be appropriate for identifying and assessing new risks as well as reviewing the existing risks; progress on the agreed actions will be assessed too, with new actions being taken where necessary. The risk process effectiveness will be reviewed to ascertain whether any alterations in approach, techniques and tools are necessary. As soon as the project director and risk manager agree on the process changes, the risk management plan will be updated and reissued to reflect the revised process. This will be done on a weekly and monthly basis.

Moreover, the risk director will issue a risk report monthly to the project sponsor after subsequent reviews. The project team and the stakeholders will be furnished with a copy of the risk register after each subsequent review, with a list of the risks and actions for which each one is responsible. Upon completion of the information system upgrade project, a project lessons learnt report will be prepared with a risk section, which will give details of the generic risks likely to affect other projects and the effective responses from the current project.

Probability and Impacts of the Risk Management Plan

All the risks identified will be subjected to assessment to ascertain the range of possible project outcomes, with qualification being used to determine the risks that require urgent response and the ones to be ignored (Garvey, 2000). Qualitatively, the probability and impact of occurrence for each identified risk will be assessed by the project director assisted by the project team members. Probability will be denoted as high for a probability of occurrence greater than 70 percent, medium for between 30 percent and 70 percent, and low for below 30 percent.

Impact will be also categorized as high for risks that have the potential to greatly impact the project cost, schedule and performance. Medium impact will be assigned to risks that have the potential to slightly impact the project cost, schedule and/or performance while the low impact will denote the risks with relatively little impact on project cost, schedule and/or performance. The risks that have high and moderate impact as well as high and moderate probability will have response planning which may involve both a risk mitigation and a risk contingency plan.

The assessment of a risk event’s probability will reflect the team’s best judgment depending on the degree of belief that the risk is likely or unlikely to occur. Subjective probabilities are important in this project as such opinions change with time. The impact on cost will be the potential effect on the overall budgeted cost of the information system upgrade project. However, the cost impact area should include consideration of the effect of the risk on continued sponsor funding. The impact on the schedule will entail the risk’s potential impact on the information system upgrade project schedule. Moreover, the technical performance impact area will be the risk’s potential effect on the ability of the project to achieve the overall functional and operational performance requirements (Larson & Gray, 2014).

Risk Thresholds of the Risk Management Plan

The amount of risk that is acceptable in this project will be a minimum overrun in schedule and cost and other minor changes to the scope of the information system upgrade project. Any risk that increases the project’s cost by not more than 5 percent will be acceptable, but anything more than 5 percent will not be taken. The project team will use 5 percent as the measure of the level of risk exposure above which stringent action must be taken to address the risks and below which any risky event will be accepted (Kendrick, 2009). 

The risk thresholds will have to be determined to show when the project conditions will cross the 5 percent mark when a response is required. The thresholds will be determined urgently within the project plan to mitigate any chances of delays. However, the project team’s threshold may differ from that of the clients who need the software. However, establishing a preset value before the project can be implemented will save the project team time, frustration as well as additional delays and costs.

