A Risk Management Plan (RMP) is prepared by a project manager to address risks, their potential impact on a program and consists of ways to reduce these risks. The RMP tells the government and contractor team how they plan on reducing risks to a certain level by a certain time.

Definition: A risk management plan is a detailed document that explains an organization’s risk management process.

Understanding Risk Management

Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction. Effective risk management depends on risk management planning; early identification and analyses of risks; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination. It’s most effective if it is fully integrated with the program’s Systems Engineering, Program Management, and Test & Evaluation processes.

 

Risk Management Plan (RMP) Topics

The risk management plan should address the following continuous key activities as shown above:

• Risk Identification
• Risk Analysis
• Risk Mitigation Planning
• Risk Mitigation Plan Implementation
• Risk Tracking

Risk Management Plan (RMP) Objectives

The goal of well-written RMP Objectives is to provide a repeatable process that reduces risk on a project or program. The following are a few objectives of a risk management plan that an organization can aim for.

• Reduce Schedule Impacts
• Reduce development cost
• Increase system performance
• Ensure proper communication
• Determine risk priorities

Risk Management Process in the Risk Management Plan (RMP)

The risk management process consists of eight (8) steps and should be detailed in the Risk Management Plan.

• Step 1: Document the Risk Approach: The Program Manager (PM) and contractor shall document the approach for managing risk as an integral part of the Systems Engineering Process.
• Step 2: Identify and Document Risks:  Risks are identified through a systematic analysis process that includes system hardware and software, system interfaces (to include human interfaces), and the intended use of the application and operational environment.
• Step 3: Assess and Document Risk: The severity category and a probability level of the potential mishap(s) for each risk across all system modes are assessed.
• Step 4: Identify and Document Risk Mitigation Measures: Potential risk mitigation(s) shall be identified, and the expected risk reduction(s) of the alternative(s) shall be estimated and documented in the Hazard Tracking System (HTS). The goal should always be to eliminate the hazard if possible. When a hazard cannot be eliminated, the associated risk should be reduced to the lowest acceptable level within the constraints of cost, schedule, and performance by applying the system safety design order of precedence. The system safety design order of precedence identifies alternative mitigation approaches and lists them in order of decreasing effectiveness.
• Step 5: Reduce Risk:  Mitigation measures are selected and implemented to achieve an acceptable risk level. Consider and evaluate the cost, feasibility, and effectiveness of candidate mitigation methods as part of the Systems Engineering Process and Integrated Product Team (IPT) processes. Present the current hazards, their associated severity and probability assessments, and status of risk reduction efforts at technical reviews.
• Step 6: Verify, Validate, and Document Risk Reduction: Verify the implementation and validate the effectiveness of all selected risk mitigation measures through appropriate analysis, testing, demonstration, or inspection. Document the verification and validation in the HTS.
• Step 7: Accept Risk and Document:  Before exposing people, equipment, or the environment to known system-related hazards, the risks shall be accepted by the appropriate authority as defined in DoDI 5000.02. The system configuration and associated documentation that supports the formal risk acceptance decision shall be provided to the Government for retention through the life of the system.
• Step 8: Manage Life-Cycle Risk: After the system is fielded, the system program office uses the system safety process to identify hazards and maintain the HTS throughout the system’s life-cycle. This life-cycle effort considers any changes to include, but not limited to, the interfaces, users, hardware and software, mishap data, mission(s) or profile(s), and system health data. Procedures shall be in place to ensure risk management personnel are aware of these changes, e.g., by being part of the configuration control process.

Risk Mitigation Strategies in the Risk Management Plan (RMP)

Understanding Risk Mitigation in Step 4 of the Risk Management Process is critical in developing an RMP. For each risk that is identified, the type of mitigation strategy must be determined and the details of the mitigation described in the RMP. The intent of the risk mitigation plan is to ensure successful risk mitigation occurs. The most appropriate strategy is selected from these mitigation options:

• Risk Avoidance: This is when it’s decided to perform other activities that don’t carry the identified risk by eliminating the root cause and/or consequence.  It seeks to reconfigure the project such that the risk in question disappears or is reduced to an acceptable value.
• Risk Controlling: This is when you control the risk by managing the cause and/or consequence. Risk control can take the form of installing data-gathering or early warning systems that provide information to assess more accurately the impact, likelihood, or timing of a risk. If a warning of risk can be obtained early enough to take action against it, then information gathering may be preferable to more tangible and possibly more expensive actions.
• Risk Transfer/Sharing: This is when you share the risk with a third party like an insurance company or subcontractor.
• Risk Assumption: Is accepting the loss, or benefit of gain, from a risk when it occurs. Risk assumption is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained.

Risk Management Plan (RMP) Development Steps

An RMP should be structured to identify, assess, and mitigate risks that have an impact on overall program life-cycle cost, schedule, and/or performance. It should also define the overall program approach to capture and manage root causes. It should be created before and after you create the Integrated Master Schedule (IMS), as it will be looking at the tasks in the Project Schedule and other factors for potential risk items.

10 Steps in Developing a Risk Management Plan (RMP)

• Step 1: Establish the basic approach and working structure
• Step 2: Develop and document an overall risk management process (See Above)
• Step 3: Establish the purpose and objective
• Step 4: Assign responsibilities for specific areas
• Step 5: Describe the assessment/analysis process
• Step 6: Document sources of information
• Step 7: List potential risk and their impacts
• Step 8: Develop mitigation strategies
• Step 9: Establish reporting/tracking procedures
• Step 10: Write Plan

Risk Management Plan (RMP) Format

The Risk management plan should follow a standardized format from the organization. An example RMP format: [1]

• Introduction
• Program Summary
• Risk Management Strategy and Process
• Responsible/Executing Organization
• Risk Management Process and Procedures
• Risk Identification
• Risk Assessment Matrix
• Risk Analysis
• Risk Mitigation Planning
• Risk Mitigation Implementation
• Risk Tracking

Template: Risk Management Plan

Template: Project Risk Management

Utilize the Risk Reporting Matrix

The risk management plan should detail how to use the Risk Reporting Matrix is used to determine the level of risks identified within a program. The level of risk for each root cause is reported as low (green), moderate (yellow), or high (red). 

Writing a Good Risk Management Plan (RMP)

The key to writing a good plan is to provide the necessary information so the program team knows the goals, objectives, and the program office’s risk management process. Although the plan may be specific in some areas, such as the assignment of responsibilities for government and contractor participants and definitions, it may be general in other areas to allow users to choose the most efficient way to proceed. [1]

Risk Management Plan (RMP) Updates

The Program Management Office (PMO) should periodically review and update the RMP at major acquisition events. At the end of each Acquisition Phase, risk planning should be used in preparation for the next phase. [1]

Risk Management Plan (RMP) in other Acquisition Documents

The plan is integral to overall program planning and should be addressed in the program Acquisition Strategy, and/or the Systems Engineering Plan (SEP). [1]

AcqNotes Tutorial

AcqLinks and References:

• DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisitions- Jan 2017
• (Old) DoD Risk Issue and Opportunity Management Guidance for Defense Acquisition Programs – June 2015
• [1] DoD Risk Management Guidebook – Section 8 – Aug 06 (Outdated)
• Risk Assessment Checklist
• Risk Assessment Worksheet and Management Plan
• Continuous Risk Management Guidebook by Carnegie Melon
• Template: Risk Management Plan
• Template: Project Rick Management Template

Updated: 12/29/2021

Rank: G10