Project Name
Test_Phase Test Plan
Version 1.0
Version_Date

Project Name
Risk Management Plan
Table of Contents

1. Introduction
1.1. Using This Template
1.2. Purpose
1.3. Intended Audience
1.4. Risk Management Approach
1.4.1. Risk Identification
1.4.2. Risk Analysis
1.4.3. Response Planning
1.4.4. Risk Monitoring and Control
1.5. Revision History
2. Roles and Responsibilities
2.1. Project Manager
2.2. Project Team
2.3. Software Quality Assurance Lead
2.4. Project Sponsors
2.5. Project Stakeholders
3. Risk Identification
3.1. Background
3.2. Sources
3.3. Documentation
4. Risk Analysis
4.1. Background
4.1.1. Qualitative Analysis
4.1.2. Quantitative Analysis
4.2. Documentation
5. Response Planning
5.1. Background
5.2. Risk Strategies
5.2.1. Avoid
5.2.2. Transfer
5.2.3. Mitigate
5.2.4. Accept
5.3. Documentation
6. Risk Monitoring and Control
6.1. Background
6.2. Timing
6.3. Documentation
7. Appendix A: Definitions
7.1. Risk Categories
7.2. Risk Probability Definitions
7.3. Risk Impact Definitions
7.4. Risk Probability and Impact Matrix

Table of Tables

Table 1 Risk Categories
Table 2 Risk Probability Definitions
Table 3 Definition of Risk Impact Scales
Table 4 Risk Probability and Impact Matrix
Company_Name | Version_Date | Page 3 of 17

1. Introduction

Project | Project Name
Company | Company Name
Version | Version number of this document
Version Date | The date this version was published
1.1. Using This Template
Delete this portion (Section 1.1) once you've completed your version of the document.
This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
Please go to CarnegieQuality.com for questions or comments on this template.
1.2. Purpose
The purpose of this plan is to document policies and procedures for identifying and handling uncommon causes of project variation (i.e. risk). Risk should be thought of as the possibility of suffering a negative impact to the project, whether it be decreased quality, increased cost, delayed completion, or project failure.
1.5. Revision History

Author | Date | Comments
Brad Kuhn | 06/11/2007 | Template
2. Roles and Responsibilities
For each project role, describe the responsibilities in regards to risk. Some representative roles and responsibilities are defined below in the template; these should be added to and tailored for your respective organization/project.
3. Risk Identification
This section contains sample content which should be adapted to your specific project.
3.1. Background
During risk identification, potential sources of risk and potential risk events are developed. Section 7.1 shows a sample risk categorization. Predefined risk categories provide a structure that helps to ensure that a systematic process is followed to identify risks. Risk categories can be tailored over time, as specific projects demand (additions to risk categories should be maintained in this document for use in future projects). After identifying and categorizing the risk event, it is entered into the risk register.
3.2. Sources
Risk identification is done throughout the life cycles of a project, although a majority of the risks should be identified early on so proper response planning and monitoring can occur. The following should be considered as tools and techniques for risk identification:
• Analysis of high-level deliverables
• Analysis of the WBS and project schedule
• Analysis of scope change requests
• Analysis of project assumptions
• Project team input (which can take the form of interviews, brainstorming sessions, and/or Delphi technique)
• Stakeholder and sponsor input
• Formal risk identification sessions
• Previous lessons learned
• SQA audits and reviews
• Performance and status reports
• Diagramming techniques such as cause-and-effect diagrams, process or system flows, and influence diagrams.
3.3. Documentation
All identified risks should be documented and entered into the risk register (an Excel spreadsheet), which is kept <list location here>. During risk identification, the following information is required for documentation:
• Risk category
• Risk trigger
• Potential outcome
• Raised By
• Date Raised
• Source

The risk trigger is the event that would need to happen in order for the potential outcome to occur. Risk triggers are usually expressed with some sort of dependency, or qualifier. For example, a risk trigger might be that a resource on the project leaves. This might easily be accounted for by utilizing other resources. But if a resource with key skills or knowledge leaves, then the project may be significantly impacted. This approach is suggested in order to clarify the thought process of identifying risks. When the risk trigger occurs, the risk is no longer a risk, but has materialized into a problem/issue that needs resolution.
4. Risk Analysis
This section contains sample content which should be adapted to your specific project.
4.1. Background
After a risk or group of risks has been identified and documented, risk analysis should be performed. During risk analysis, each potential risk event is analyzed for:
• The probability that the risk will occur
• The impact of the risk if it occurs

Risk probabilities are defined in Section 7.2 of the Appendix. Risk impact definitions are defined in Section 7.3 of the Appendix. Impacts can be assessed against project cost, schedule, scope, and/or quality. If the risk event affects more than one dimension and the scores are different, the higher impact definition should be utilized.

Once the appropriate risk impact and probability are selected, the risk score can be determined. The risk probability and impact matrix is shown in section 7.5 of the Appendix. The matrix shows the combination of impact and probability that in turn yield a risk priority (shown by the red, yellow, and green colored shadings).

Risk priority is utilized during response planning and risk monitoring/control (see Sections 5 and 6). It is critical to understand the priority for each risk as it allows the project team to properly understand the relative importance of each risk.

Risk impact analysis can be qualitative or quantitative.
4.1.1. Qualitative Analysis
Qualitative analysis is a quicker and usually more cost-effective way to analyze risks (as opposed to quantitative analysis). Analysis should be performed with the goal of gathering data on:
• The likelihood of the risk occurring (using definitions from Section 7.2)
• The qualitative impact on the project (using definitions from Section 7.3)
• The quality of the risk data being utilized (e.g. how reliable is the data?)
• The impact to cost or schedule for risks
• The probability of meeting project cost and/or schedule targets
• Realistic project targets on cost, schedule, and/or scope

Qualitative analysis should occur prior to conducting quantitative analysis. Not every risk needs to go through quantitative analysis. If quantitative analysis is to be used, then this section should contain information on:
• Defined criteria for which risks go through quantitative analysis
• Technique(s) to be utilized
• Expected outputs of quantitative analysis
4.2. Documentation
The results of risk analysis should be documented in the risk register. The following information shall be entered in the register:
• Risk impact
• Risk probability
• Risk matrix score: computed by the risk register spreadsheet after impact and probability are entered
• Risk priority: computed by the risk register spreadsheet after impact and probability are entered
• Qualitative impact: descriptive comments about the potential risk impact
5. Response Planning
This section contains sample content which should be adapted to your specific project.
5.1. Background
During response planning, strategies and plans are developed to minimize the effects of the risk to a point where the risk can be controlled and managed. Higher priority risks should receive more attention during response planning than lower priority risks. Every risk threat should be assigned an owner during response planning.
5.3. Documentation
The results of response planning should be documented in the risk register. The following information shall be entered in the register:
• Response strategy (avoid, transfer, mitigate, or accept)
• Response notes (description of plan): if a mitigation approach is taken, specific trigger points that require aspects of the contingency plan to be executed should be documented
• Risk owner
6. Risk Monitoring and Control
This section contains sample content which should be adapted to your specific project.
6.1. Background
Planned risk responses (see Section 5) should be executed as required over the life cycle of the project, but the project should also be continuously monitored for new and changing risks. During risk monitoring and control the following tasks are performed:
• Identify, analyze, and plan for new risks
• Keep track of identified risks and monitor trigger conditions
• Review project performance information (such as progress/status reports, issues, and corrective actions)
• Reanalyze existing risks to see if the probability, impact, or proper response plan has changed
• Review the execution of risk responses and analyze their effectiveness
• Ensure proper risk management policies and procedures are being utilized
6.2. Timing
Discuss how often the risk monitoring and control process will occur over the lifetime of the project.
6.3. Documentation
The results of risk monitoring and control should be documented in the risk register. The following information shall be entered in the register:
• Status: valid statuses are:
  o Identified: Risk documented, but analysis not performed
  o Analysis Complete: Risk analysis done, but response planning not performed
  o Planning Complete: Response planning complete
  o Triggered: Risk trigger has occurred and threat has been realized
  o Resolved: Realized risk has been contained
  o Retired: Identified risk no longer requires active monitoring (e.g. risk trigger has passed)
• Trigger Date: if the risk has been triggered
• Notes
7. Appendix A: Definitions
Each appendix contains sample content which should be adapted to your specific project.

Table 1 Risk Categories

Probability | Description
Very High (0.90) | Risk event expected to occur
High (0.70) | Risk event more likely than not to occur
Probable (0.50) | Risk event may or may not occur
Low (0.30) | Risk event less likely than not to occur
Very Low (0.10) | Risk event not expected to occur

Table 2 Risk Probability Definitions

 | Very Low (0.05) | Low (0.10) | Moderate (0.20) | High (0.40) | Very High (0.80)
Cost | Insignificant cost impact | <10% cost impact | 10-20% cost impact | 20-40% cost impact | >40% cost impact
Schedule | Insignificant schedule impact | <5% schedule impact | 5-10% schedule impact | 10-20% schedule impact | >20% schedule impact
Scope | Barely noticeable | Minor areas impacted | Major areas impacted | Changes unacceptable to sponsor | Product becomes effectively useless
Quality | Barely noticeable | Only very demanding applications impacted | Sponsor must approve quality reduction | Quality reduction unacceptable to sponsor | Product becomes effectively useless

Table 3 Definition of Risk Impact Scales
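
Threats

Probability | Score at each impact level
0.90 | 0.05 | 0.09 | 0.18 | 0.36 | 0.72
0.70 | 0.04 | 0.07 | 0.14 | 0.28 | 0.56
0.50 | 0.03 | 0.05 | 0.10 | 0.20 | 0.40
0.30 | 0.02 | 0.03 | 0.06 | 0.12 | 0.24
0.10 | 0.01 | 0.01 | 0.02 | 0.04 | 0.08
Impact | 0.05 | 0.10 | 0.20 | 0.40 | 0.80

Table 4 Risk Probability and Impact Matrix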