Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

Project Name: Agency: Project X

Agency ABC LMN Division

Business Unit/Program Area: Project Sponsor: Project Manager: Date: 08/21/08 Nancy W Joe P

Version:

1.5

Risk Management 1.
1.1.

INTRODUCTION
Purpose and Objectives
Risk Management is the systematic process of identifying, analyzing, and responding to project risks. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events to project objectives. A risk management plan defines how a project team will handle risks to achieve that goal.

2.

RISK-RELATED DEFINITIONS
There are a number of terms used in risk management that need we need to define to ensure clear communications.

2.1.

Risk
An uncertain event or condition that, if it occurs, has a positive or negative effect on a projects objectives. Risk is often a measure of the inability to achieve overall project objectives within defined project requirements and constraints and has three components: (1) the probability of occurrence, (2) the impact of the risk on the program, and (3) the time horizon during which the consequences will occur if the risk is not mitigated.

Page 1 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

2.2. Probability of Occurrence
The following table defines the probability of occurrence.
Table 1 Risk Probability of Occurrence

Probability range 91% through 99% 61% through 90% 41% through 60% 11% through 40% 1% through 10%

Natural language expression Very likely to occur Probably will occur May occur about half of the time Unlikely to occur Very unlikely to occur

Probability value used for calculations 95% 76% 51% 26% 5%

Numeric score 5 4 3 2 1

2.3.

Risk Impact
The following table defines the risk impact categories and terms. For positive risks, consider the opposite of the impact description. The examples would remain the same except having a positive impact to the project.
Table 2 Risk Impact

Impact Description An event that, if it occurred, would cause project failure (inability to achieve minimum acceptable requirements) An event that, if it occurred, would cause major cost/ schedule increases. Secondary requirements may not be achieved. An event that, if it occurred, would cause moderate cost/ schedule increases, but important requirements would still be met.

Example * schedule adjustment >2 mo cost impact > 40% schedule adjustment >1 mo cost impact >20% schedule adjustment > 2wks cost impact > 10%

Natural language expression

Impact value used for calculations

Numeric score

Critical

Cost of variance

10

Serious

Cost of variance

Moderate

Cost of variance

Page 2 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

An event that, if it occurred, would cause only a small cost/schedule increase. Requirements would still be achieved. schedule adjustment > 1wk cost impact > 5% schedule adjustment < 2d cost impact <5%

Minor

Cost of variance

An event that, if it occurred, would have no effect on the project.

Negligible

Cost of variance

* These examples are simply rules of thumb and you should adjust them according to your specific project needs.

2.4.

Risk Score
The risk score is a value calculated that is the product of probability of occurrence and impact. You use the score to compare risks as part of the risk prioritization process. Table 3 is the matrix used to develop the risk score. The values range from 1 (very low exposure) to 50 (very high exposure). Although there are no specific break points in the risk exposure ranking, those risks with an exposure value of less than 20 are generally considered low risks, those risks with an exposure value between 20 and 39 are generally considered moderate risks, and those risks with an exposure value between 40 and 50 are generally considered high risks. The definitions of Low, Moderate, and High are as follows: Low Risk: Has little or no potential for increase in cost, disruption of schedule, or degradation of performance. Actions within the scope of the planned project and normal management attention should result in controlling acceptable risk. No response plans will be made for these risks. The project will monitor for them and manage them as they come up. Moderate Risk: May cause some increase in cost, disruption of schedule, or degradation of performance. Special action and management attention may be required to control acceptable risk. The project will do some response planning for these risks. High Risk: Likely to cause significant increase in cost, disruption of schedule, or degradation of performance. Significant additional action and high priority management attention will be required to control acceptable risk. The project will do in-depth response plans for these risks.

Positive risks can use the same table and descriptions except instead of trying to avoid the risk, we will endeavor to make the risk occur and gain the positive impact.

Page 3 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

Table 3 Risk Score Impact Probability Very likely to occur (5) Probably will occur (4) About 50% chance of occuring (3) Unlikely (2) Very unlikely to occur (1) Negligible (1) 5 4 3 2 1 Minor (3) 15 12 9 6 3 Moderate (5) 25 20 15 10 5 Serious (8) 40 32 24 16 8 Critical (10) 50 40 30 20 10

3.
3.1.

ORGANIZATION
This section defines the roles and responsibilities for risk management.

Project Management Office/Enterprise Project Management Office

The state of North Dakotas Enterprise Project Management Office (EPMO) has issued a project risk management supplement that this project will use to form the basis of the risk management process. The Information Technology Departments Project Management Office provides support to the project manager and has some additional processes and templates for Software Development projects that will be employed in this project.

3.2.

Roles & Responsibilities

Table 4 Roles & Responsibilities

Project Manager: The overall coordinator of the Risk Management Program.

Maintaining this Risk Management Plan Maintaining the Risk Management Data Base and distributing updates Briefing the team on the status of risks Tracking efforts to reduce moderate and high risk to acceptable levels Providing risk management training Facilitating risk assessments and Preparing risk briefings, reports, and documents required for Project Reviews

Page 4 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

Project Team: Responsible for identifying, monitoring and managing risks Coordinate with SMEs to review and recommend to the Project Manager changes on the overall risk management approach based on lessons learned. Quarterly, or as directed, participate in the update to project risk assessments made during the previous review period. Review and recommend any changes to the risk assessments made and the risk mitigation plans proposed. Report new risks to the Project Manager via e-mail Ensure that risk is a required topic at each Project Meeting Accomplish assigned mitigation tasks and report status/completion of mitigation actions to the Project Manager for entry into the database. Review and recommend to the Project Manager changes on the overall risk management approach based on lessons learned. Quarterly, or as directed, participate in the update to program risk assessments made during the previous quarter. Review and recommend any changes to the risk assessments made and the risk mitigation plans proposed. Report new risks to the Project Manager via e-mail Accomplish assigned mitigation tasks and report status/completion of mitigation actions to the Project Manager for entry into the database.

Subject Matter Experts (SMEs): Responsible for implementing risk management tasks per this plan.

End Users

The end users will participate in the project through the SMEs. The End Users may identify risks and should pass the information through the SMEs or Project Team. All risk identification, tasking, and reporting will be handled through the project team member(s) assigned to the End User.

Page 5 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan 4. RISK MANAGEMENT STRUCTURE AND PROCEDURES

This section describes the risk management process and provides an overview of the risk management approach.

4.1.

Risk Assessment
Size: With a budget of $490,000, this project is a medium sized project

This project involves multiple divisions within the organization, but Complexity: does not involve any other agency or external organization. The project does work with complex formulas. We rate this medium complexity. Importance to This project is determined to be of high priority within the agency. Business: Visibility: While not directly public facing, delivers very important public information.

Agency Agency seldom does IT projects of this size or complexity History: Skill Levels ITD is updating an ITD based app. ITD has already done this with other Vendor: sections of the app, they are just moving the rest of the app off the mainframe system. Project Mgr.: Relying on ITDs internal PM. Agency staff has no formal PM experience.

Agency Project About 50% of the SMEs have done a similar project Team Summary Risk Management It has been determined that the project will spend a moderate amount Effort of time performing the following risk assessment activities. Decision:

Page 6 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

4.2. Identification
What Brainstorming/Affinity Diagram/RBS: The stakeholders will be divided into 5 groups of 6-8 people. One group will consist of impacted division management, including the sponsor. Three groups will consist of members of each impacted division (who are not part of the core project team) and should consist of at least 2 consumers and 2 SMEs from each division. Finally the last group will consist of the core project team. Each group will be brought in, given a brief overview of the project, then, using the brainstorming technique, they will be asked to identify any opportunities they see. We will then ask them to identify any risks. We will ask the groups to then perform an affinity diagram to categorize the risks and identify any missing risks/opportunities. In addition to the above, the core project team will perform a risk breakdown structure (RBS). This involves stepping through the Work Breakdown Structure (WBS) task by task and identifying risks & opportunities associated with the task. Delphi Technique: We will query each of the key EA architects to identify risks associated with this project. They will be given a week to respond. After they return all submissions, we will send the total risk list to them for a one-time only review. They will be given an additional week for review/response. E-mail: At the end of each of the above activities, everyone will be asked to e-mail the PM with any additional opportunities or risks that occur to them after the session. PM 4 hours management & documentation 3 hours effort per architect 2 weeks lag PM 2 hours PM John W will document session 1 Kevin N will document sessions 2 & 5 Bob N will document sessions 3 & 4 Owner Time Estimate 1-1 hour session 3- 2 hour sessions 1-4 hour session 16 hours documentation

Page 7 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

The project will use the following categories of risk in this process: Schedule Schedule Creation Timescale Budget Personnel Project Resources Contractors Project Management Change Mgmt Process Project Size and Duration Expectations End Users Customer/Sponsor Project Vendors Commitment Technological Objectives Product Requirements Environment Internal Organization and Management Development Environment Design and Implementation External Politics

4.3.

Qualitative Analysis
What Owner PM Time Estimate 2 hours to review 2 hours management 3 day lag

Review: The PM will ask the core team to review the risks to determine if they understand the risks enough to score. The team should notify the PM of any risk they are unsure of and the PM can clarify or get more information from the originator. The team will have 3 days to perform the review. Scoring: The project team will determine the impact and probability scores for each risk to calculate the risk score. They will use the tables in Section 2 of this document.

Project Team

2 hours

Page 8 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

What Threshold 1: Anything with a probability of very likely (5) will be considered a fact and managed in the project plan. Threshold 2: Any thing with a risk score of 20 or below will be included on the non-critical risk list. All risks not excluded by the above thresholds will be passed to Quantitative Analysis. Stage Gate: Meet with the Executive Steering Committee to review the key risks and get a go/no-go decision to proceed with planning. PM PM 1 hour 1 hour 2 hours prep PM Owner Time Estimate 1 hour

4.4.

Quantitative Analysis
What Owner Time Estimate

A moderate risk effort indicates that an Expected Monetary Value (EMV) Analysis will be performed for each of the risked passed onto this phase. Analyze: The project team and SMEs from the effected divisions will meet to perform a basic EMV for each risk. A decision tree will be developed for a risk as needed. Project Team SMEs 4 hours

4.5.

Risk Response Planning

What Owner Team SMEs Management (if needed) Time Estimate 4 hours 5 day lag

The top risks evaluated in the Quantitative Analysis will be assigned out to the core project team, SMEs, and management if necessary. Each risk owner will be assigned to develop strategies avoid, if possible, or mitigate/transfer the risk. These responses should be documented in the risk register. Risk owners are given 1 week to complete. Stage Gate: Meet with the Executive Steering Committee to review the key risks and get a go/no-go decision to proceed with planning.

PM

1 hour 2 hours prep

Page 9 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

4.6. Risk Monitoring and Control
What Monitoring: Risk owners are responsible for monitoring their risks and notifying the PM via e-mail when a trigger occurs and that the response plan has been initiated. New Risk Identification: Any stakeholder can identify additional risks. The stakeholder should notify the project manager of the new risk (or possible risk) via e-mail. Audits: The PM will be responsible for overseeing risk activities and ensuring the risk register is updated. Review: The project team will review the projects risks biweekly (in every other weekly team meeting). Reporting: Risks will be reported in two ways. 1st the PM maintain a Risk Log in the project repository. The Risk Log will contain a list of risks that are active on the project, the priority of the risk, the assignment, and a current status. 2nd the monthly Status report and the quarterly Large Project Oversight report will contain a summary of the Risk Log and any new risks identified and added to the Risk Register. Owner Risk Owners Time Estimate 4 hours

Stakeholders

1 hour

PM

2 hours per month 1 hour per month

Project Team

PM

1 hour per month

5.

RISK REGISTER
The projects risk register is located in the project repository at (insert link location here) and covers the following points. Date Identified The date the risk was identified. Status Identifies whether the risk is potential, active, or closed. Risk Description A description of the risk. Risk Probability The likelihood that the risk will occur. See the Evaluating Risk Probability section of the below for possible values. In this category the descriptive words Low, Moderate, or High will be used. Risk Impact The effect o the project objects if the risk event occurs. See the Evaluating Risk Impact section of the table below for possible values. In this category the descriptive words Low, Moderate, or High will be used.
Page 10 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

Risk Score Reflects the severity of the risks effect on objectives. The risk score is determined by multiplying the risk probability and risk impact values. The intent is to assign a relative value to the impact on project objectives if the risk in question should occur. Risk Assignment Person(s) responsible for the risk if it should occur. Agreed Response The strategy that is most likely to be effective. o Avoidance Risk avoidance entails changing the project plan to eliminate the risk or condition or to protect the project objectives from its impact. Transference Risk transference is seeking to shift the consequence of a risk to a third party together with ownership of the response. Transferring the risk simply gives another party responsibility for its management; it does not eliminate it. Mitigation Risk mitigation seeks to reduce the probability and/or consequences of an adverse risk event to an acceptable threshold. Taking early action to reduce the probability of a risks occurring or its impact on the project is more effective than trying to repair the consequences after it occurs. Acceptance This technique indicates that the project team has decided not to change the project plan to deal with a risk or is unable to identify any other suitable response strategy.

Risk Response Plan Specific actions to enhance opportunities and reduce threats to the projects objectives.

Page 11 of 12

Enterprise Project Management Office

State of North Dakota

Sample Risk Management Plan

5.1. Risk Register
Technology Risks Risks 1 through 9 are Technology Risks. They also deal with issues related to the potential for the system to evolve and function for an acceptable life cycle.

Risk ID

Date Submitted 7/5/2008 Risk Owner JG/CF

Status Potential Agreed Response Mitigation

Risk Event Business / Project Scheduling Conflicts

Risk Risk Probability Impact 50% Serious

Risk Score 24

Cost Risk Schedule Risk Quantification Quantification $30,000 2 Weeks

12

Quantification Comments Cost basis = 50%, $60,000 impact Schedule basis = 50%, 160 hrs

Description: There will almost certainly be general conflicts between project needs and normal business cycles of the agency. An example may be a cyclical peak in a given business process converging with a critical timeframe in system development or testing. Assessment: The project has not yet identified any conflicts of significance. The implementation plan and overall timeline have been developed to minimize these. However, testing and training will continue to require the involvement of various users, so scheduling will become critical in the later stages of each phase. Project management will monitor this issue and work with the business units and the Steering Committee to resolve any conflicts. Response Plan: Business process schedules and issues will be considered as part of the analysis leading to scheduling of future phases of the project. As specific conflicts arise during the life of the project, the project team will work with the affected business units to try to optimally balance the needs of both. Lessons Learned: This risk has not been active.

Page 12 of 12