The Risky Business of Ignoring Plans: Ignoring or not properly implementing a risk management plan can lead to project failure. Involve stakeholders and ensure the strategy is taken seriously to avoid unwanted surprises.
Your Safety Net in Uncertainty: A risk management plan helps monitor and manage unexpected events. It helps you analyze risks, plan responses, and assign responsibilities, and it's essential for informed decision-making.
Key Ingredients for Your Plan: A well-prepared plan defines risk tolerance, ownership, mitigation strategies, and governance. Use tools like risk matrices, a risk breakdown structure, and risk management software to improve your risk management capabilities.
A clear and detailed risk management plan helps you assess the impact of project risks and understand the potential outcomes of your decisions. It can be a useful tool to support decision making in the face of uncertainty.
However, I have seen projects fail because stakeholders did not take the risk management plan seriously or because the project failed to implement a risk management strategy.
Read on to learn how you can avoid these mistakes for your projects.
What Is A Risk Management Plan?
A risk management plan, or RMP, is a document describing how your project team will monitor and respond to risks, issues, or other unexpected or uncertain events that could impact the project.
The risk management plan:
- analyzes the potential risks that exist in your organization or project
- identifies how you will respond to those risks if they arise
- assigns a responsible person to monitor each risk and take action, if needed.
The project manager, team members, and other stakeholders should collaborate on the project risk management plan after you as the project manager have started to develop a project management plan, but before the project begins.
What To Include In A Risk Management Plan
In its most minimal form, a risk management plan could be a handful of pages describing:
- at what point the project risk should trigger an escalation.
- how and when to assess risk
- the roles and responsibilities for risk owners

Start by asking yourself these questions:
- Why is project risk management important for the project’s success?
- What will the team do to identify, log, assess, and monitor risks throughout the project?
- What categories of risk will we manage?
- What methodology will be used for risk identification and to evaluate risk severity?
- What is expected of the people who own the risks?
- How much risk is too much risk?
- What are the risks, and what are we going to do about them?
Risk Management Approach
You need to detail your overall strategy and approach to risk management. This includes:
- Risk tolerance: Determine what level of risk you're willing accept on your project. Your organization might have larger guidelines for this that are standard across every project.
- Risk mitigation strategies: Define how you'll make use of methods like risk avoidance, risk transference, and risk sharing. This also includes tools like risk matrices, SWOT analyses, and probability and impact assessments.
- Risk governance: Determine ownership over individual risks and over risk management more broadly, and discuss the rules and conventions that you'll need to follow as you're managing risks.
RAID Log
A RAID log tracks risks, assumptions, issues, and dependencies so that the project team and sponsor can review and further discuss.
This is a more lightweight risk management approach than a formal risk register designed to calculate risk severity. For an even simpler approach, you might just maintain a risk list in your weekly status report.

This approach is useful for smaller, non-technical projects being executed by a team of 3-4 people in an organization that does not have a standard approach to risk management.
If your project goes perfectly, you’re a very lucky person. You’re going to have problems. You’re going to have challenges. Things can go wrong, things do go wrong. Use your RAID log to identify where things are going to go wrong. Plan how you’ll get those resolved in the quickest possible way to keep the project as on track.

Risk Matrix
An impact matrix, or risk assessment matrix, shows the relationship between risk factors in calculating risk severity. Risks that are high-probability and high-impact are the most severe.
When an organization has a culture of risk management, this a more thorough approach that demands a high level of detail. This might also include a full description of the methodology that the organization will follow to perform qualitative and quantitative risk analysis, along with an impact matrix.

You can also use this type of risk register to prioritize and assign numerical severity scores to measure the level of each risk.
Risk Breakdown Structure
You can create a risk breakdown structure to decompose higher-level risk categories into smaller, more specific risk subcategories

This isn’t about creating complexity for complexity’s sake—you and your team will be glad to have this level of detail on large enterprise projects that involve more teams, multiple stakeholders, and high stakes that could have a significant impact on the business.
Risk Management Software
Your risk management plan might also note your usage of software to manage risks. There are some great options available—many organizations favor spreadsheets as part of an enterprise business software bundle, but many providers support risk management planning specifically.
Two examples of risk management software are Wrike and monday.com. These tools integrate the entire risk management process with the wider project management plan.
The most important consideration is not the tool used, but rather the discussions you’ll have with your team and your project sponsor about how to navigate risks to increase the likelihood of project success.
How To Make A Risk Management Plan
Here are the steps in the process of creating a risk management plan. Don’t be afraid to tailor them to meet your specific project and organizational needs.
1. Prepare supporting documentation
Review existing project management documentation before you craft your risk management plan. This documentation includes:
- Project charter: This document establishes the project objectives, the project sponsor, and you as the project manager. It gives you the right to create a project management plan and then a risk management plan within that. If formal project charters aren’t used at your organization, you should at least have this documented in an email or a less formal brief.
- Project management plan: This document outlines how you’ll manage, monitor, and control your project, including what project methodology to use, how to report progress, how to escalate issues, etc. Your risk management plan is a subcomponent of the project plan. Looking to streamline your planning process? Our project plan template has everything you need for clear, efficient setup.
- Stakeholder register: Have a solid idea of who the project stakeholders are before assessing risk. Each of these stakeholder groups presents a different set of risks when it comes to people, processes, and technology. You can also invite stakeholders to identify risks throughout the project and even nominate them as risk owners!
2. Set the context
Once you have your supporting documentation available, use it to frame up the discussion around your risk management plan. Take the project description and objectives from the project charter and use them to outline the business value of the project and the negative impacts that would result should the project fail.
The introduction to your risk management plan should explain its intent and relationship to the overarching project plan. Use this context to drive a conversation about risk management with your team and your project sponsor.
3. Decide with your team how to identify and assess risks
Different methodologies are appropriate for different types of projects. The methods you choose also need to be sustainable for the team to perform throughout the project.
The key here is to have the right discussions and gather input to build consensus with your team and your stakeholders early in the project life cycle. Use these discussions to agree on risk categories, risk response plans, and ways to calculate risk severity.
4. Continuously identify risks
Hold a risk workshop—a group session involving your team, key stakeholders, the project sponsor, and subject matter experts to identify, evaluate, and plan responses to risks.
Here's a simple risk management plan example from a sample project. During the workshop, you’d discuss everything in columns E-R and make sure that you have clear, SMART outcomes to put in each of the boxes. (SMART stands for specific, measurable, action-oriented, realistic, and timebound.)
I like to keep a copy of the risk register on my desk during the workshop to make sure that each column is discussed and populated appropriately. After the workshop, add any supporting details to finalize the document.

The project manager’s role during a risk workshop is to facilitate the meeting effectively. This involves brainstorming with stakeholders to evaluate both known risks and possible risks that may not have been considered. It could look something like this:

At the end of the workshop, your goal is to come away with stakeholder alignment on project risks, the desired risk response, and the expected impact of the risks. Stakeholder buy-in is critical for a successful risk response, so time in the workshop is likely to be time well-spent.
5. Assign risk owners
As you identify risks, you should work with the team to assign owners, including yourself, where necessary.
That being said, the project manager can’t own everything. Assigning risk owners can be difficult because it requires stakeholder accountability.
Make sure that risk owners have reviewed the risk management plan and are clear on their responsibilities. Follow up with them as you monitor risk throughout the project life cycle.
6. Populate the risk register
Following the risk workshop, finish populating any information required for the risk register. This includes a description of the risk, the risk response category, detailed risk response, risk status, and risk owner.

Make sure that the risk response reflects the severity and importance of the corresponding risk. You can then review the broader risk register to understand any wider correlations that might exist among risks.
7. Publish the risk register
Send around the updated risk register within 48 hours of the workshop to give everyone time to read and process the output.
You can also use the risk register within wider project discussions to explain or define the timeline for a project or specific actions that need to be completed. It’s important to be timely so that the output can be used in other project artifacts.
8. Monitor and assess risks continuously throughout the project
New risks are introduced to a project constantly. In fact, mitigating one risk might create another risk or leave “residual risk.”
If feasible within your project constraints, try to run risk workshops periodically throughout the duration of the project or incorporate risk register reviews into other recurring planning activities.
Nothing feels quite as deflating as when you swerve to avoid one risk only to drive blindly into another, much bigger risk.
9. Archive your risk management plan in a reusable & accessible format
After your project, it’s a good idea to archive your risk management plan for future reference.
There are many reasons why (in fact, it may be mandatory in your organization), but here’s the main one: while not every risk management plan suits every project, the risk and response strategies may remain applicable. Use past risks to create a foundation for your next project.
Examples Of Risk Management Plans In Action
Here’s a simple example of risk management that saved a project:
A colleague was working on a service design project that required in-person research, and on her RACI chart, she had clearly communicated to the client that it was the client’s responsibility to book a meeting space to conduct this research. She had logged a risk with her team that the client might not be able to secure a space.
Here's how this might look in your risk register:

Two days before the research commenced, the client informed her they weren’t able to secure the space. Luckily, her risk mitigation strategy on this particular risk was to book a backup space at the office, which she had done weeks ago.
Something that could have stalled the project for weeks had become nothing more than an email that said something like “All good, we’ll use our space."

Here’s another example:
An agency agreed to an aggressive timeline for a highly technical project. The team had raised concerns as the project was being initiated, but leadership still wanted to proceed. The project manager and technical architect logged the timeline risk before the project started, and their risk response strategy was to re-evaluate the project timeline using a Monte Carlo simulation.
After calculating a pessimistic, optimistic, and likely duration for every project activity on the critical path, they determined mathematically that the project had a 3% chance of hitting the deadline.
Here's a screenshot of how this might appear in your risk register:

The project manager raised this with the client, and the client agreed to re-scope the project and re-baseline the project before getting going. It was too big of a risk for them to take.

Risk Register Template
In the risk management plan template available in DPM Membership, we’ve tried to keep the risk register simple to ensure that you’re able to enter the relevant information for your project.
Here's how to use the risk management plan template:




Best Practices For Risk Management Plans
Consider these best practices to help you craft an effective risk management plan:
- Develop the risk management plan during the project planning phase, after you’ve developed the project charter and the project management plan, to give stakeholders the necessary context
- Adapt the format and level of detail of the risk management plan to align with the needs of the project, industry, and organization that you support
- Assign a risk owner to every risk identified in your risk register, and hold them accountable for the risk response
- Continuously identify risks throughout the project life cycle and update the risk register accordingly
- During project closing, archive your risk management plan and use it to inform risk planning on future projects.
What's Next?
Whether you’re a novice project manager or a seasoned pro, having a good risk management plan is vital to project success. And, the key to a successful risk management plan is adaptability. You need to make sure that, with every project you run, you can adapt the risk management plan to your project, industry, and organization.
Dive deeper into these strategies by enrolling in one of these comprehensive risk management courses.