A Risk Management Plan (RMP) is a written record of the risk management process, including how risks are found, evaluated, and dealt with. It also includes monitoring risk control, a cost-benefit analysis, and a look at the financial effects. A project manager prepares an RMP to address risks and their potential impact on a program; it consists of ways to reduce them. The RMP tells the government and contractor team how risks will be reduced to a certain level by a certain time.
Definition: A Risk Management Plan (RMP) is a detailed document that explains an organization’s risk management process.
Understanding Risk Management
Risk management is a continuous process that is accomplished throughout the life cycle of a system and should begin at the earliest stages of program planning. It is an organized methodology for continuously identifying and measuring the unknowns; developing mitigation options; selecting, planning, and implementing appropriate risk mitigations; and tracking the implementation to ensure successful risk reduction. Effective risk management depends on risk management planning; early identification and analysis of risks; early implementation of corrective actions; continuous monitoring and reassessment; and communication, documentation, and coordination. It’s most effective if it is fully integrated with the program’s Systems Engineering, Program Management, and Test & Evaluation processes.
Purpose of a Risk Management Plan (RMP)
An RMP aims to establish a well-managed, repeatable risk management process that minimizes risk while balancing cost, schedule, and performance goals.
Risk Management Plan (RMP) Objectives
A well-written RMP aims to provide a repeatable process that reduces risk on a project or program and meets organizational Risk Management Objectives. The following are a few objectives of a risk management plan that an organization can aim for.
- Reduce schedule impacts
- Reduce development cost
- Increase system performance
- Ensure proper communication
- Determine risk priorities
Risk Management Plan (RMP) Main Topics
The risk management plan should address the following continuous key activities:
- Risk Identification: Risk Identification is the activity that examines each element of the program to identify associated root causes that can cause failure, begin their documentation, and set the stage for their management.
- Risk Analysis: Risk Analysis is the activity of examining each identified risk to refine the description of the risk, isolate the cause, determine the effects, and aid in setting risk mitigation priorities.
- Risk Mitigation Planning: Risk Mitigation (formerly called Risk Handling) is the process that identifies, evaluates, selects, and implements options in order to set risk at acceptable levels given program constraints and objectives.
- Risk Mitigation Plan Implementation: A Risk Mitigation Plan Implementation is meant to ensure successful Risk Mitigation occurs and is based upon a program Risk Mitigation Plan (RMP).
- Risk Tracking: Risk Tracking (sometimes referred to as Risk Monitoring) is the activity of systematically tracking and evaluating the performance of risk mitigation actions against established metrics throughout the acquisition process, and of developing further risk mitigation options or executing risk mitigation plans, as appropriate.
Risk Management Plan (RMP) Development Steps
An RMP should be structured to identify, assess, and mitigate risks that have an impact on overall program life-cycle cost, schedule, and/or performance. It should also define the overall program approach to capture and manage root causes. It should be created before and after you create the Integrated Master Schedule (IMS), as it will be looking at the tasks in the Project Schedule and other factors for potential risk items.
Risk Management Plan (RMP) Templates
Starting with a good template is always recommended when developing an RMP. Utilizing a template will ensure you address all of an RMP’s key areas. Below are a few of the RMP templates that I have used in the past.
Template: Risk Management Plan
Template: Project Risk Management
10 Steps in Developing a Risk Management Plan (RMP)
- Step 1: Establish the basic approach and working structure
- Step 2: Develop and document an overall risk management process (See Above)
- Step 3: Establish the purpose and objective
- Step 4: Assign responsibilities for specific areas
- Step 5: Describe the assessment/analysis process
- Step 6: Document sources of information
- Step 7: List potential risks and their impacts
- Step 8: Develop mitigation strategies
- Step 9: Establish reporting/tracking procedures
- Step 10: Write Plan
Risk Management Plan (RMP) Format
The risk management plan should follow a standardized format from the organization. An example RMP format: [1]
- Introduction
- Program Summary
- Risk Management Strategy and Process
- Responsible/Executing Organization
- Risk Management Process and Procedures
- Risk Identification
- Risk Assessment Matrix
- Risk Analysis
- Risk Mitigation Planning
- Risk Mitigation Implementation
- Risk Tracking
Risk Management Process in the Risk Management Plan (RMP)
The risk management process consists of eight (8) steps and should be detailed in the Risk Management Plan.
- Step 1: Document the Risk Approach: The Program Manager (PM) and contractor shall document the approach for managing risk as an integral part of the Systems Engineering Process.
- Step 2: Identify and Document Risks: Risks are identified through a systematic analysis process that includes system hardware and software, system interfaces (to include human interfaces), and the intended use of the application and operational environment.
- Step 3: Assess and Document Risk: The severity category and probability level of the potential mishap(s) for each risk across all system modes are assessed.
- Step 4: Identify and Document Risk Mitigation Measures: Potential risk mitigation(s) shall be identified, and the expected risk reduction(s) of the alternative(s) shall be estimated and documented in the Hazard Tracking System (HTS). The goal should always be to eliminate the hazard if possible. When a hazard cannot be eliminated, the associated risk should be reduced to the lowest acceptable level within the constraints of cost, schedule, and performance by applying the system safety design order of precedence. The system safety design order of precedence identifies alternative mitigation approaches and lists them in order of decreasing effectiveness.
- Step 5: Reduce Risk: Mitigation measures are selected and implemented to achieve an acceptable risk level. Consider and evaluate the cost, feasibility, and effectiveness of candidate mitigation methods as part of the Systems Engineering Process and Integrated Product Team (IPT) processes. Present the current hazards, their associated severity and probability assessments, and status of risk reduction efforts at technical reviews.
- Step 6: Verify, Validate, and Document Risk Reduction: Verify the implementation and validate the effectiveness of all selected risk mitigation measures through appropriate analysis, testing, demonstration, or inspection. Document the verification and validation in the HTS.
- Step 7: Accept Risk and Document: Before exposing people, equipment, or the environment to known system-related hazards, the risks shall be accepted by the appropriate authority as defined in DoDI 5000.02. The system configuration and associated documentation that supports the formal risk acceptance decision shall be provided to the Government for retention through the life of the system.
- Step 8: Manage Life-Cycle Risk: After the system is fielded, the system program office uses the system safety process to identify hazards and maintain the HTS throughout the system’s life-cycle. This life-cycle effort considers any changes, including but not limited to changes in the interfaces, users, hardware and software, mishap data, mission(s) or profile(s), and system health data. Procedures shall be in place to ensure risk management personnel are aware of these changes, e.g., by being part of the configuration control process.
Risk Mitigation Strategies in the Risk Management Plan (RMP)
Understanding Risk Mitigation in Step 4 of the Risk Management Process is critical in developing an RMP. For each risk that is identified, the type of mitigation strategy must be determined and the details of the mitigation described in the RMP. The intent of the risk mitigation plan is to ensure successful risk mitigation occurs. To address various risks, a business can have a variety of risk management strategies in its RMP. The most appropriate strategy is selected from these mitigation options:
- Risk Avoidance: This is when it’s decided to perform other activities that don’t carry the identified risk by eliminating the root cause and/or consequence. It seeks to reconfigure the project such that the risk in question disappears or is reduced to an acceptable value.
- Risk Controlling: This is when you control the risk by managing the cause and/or consequence. Risk control can take the form of installing data-gathering or early warning systems that provide information to assess more accurately the impact, likelihood, or timing of a risk. If a warning of risk can be obtained early enough to take action against it, then information gathering may be preferable to more tangible and possibly more expensive actions.
- Risk Transfer/Sharing: This is when you share the risk with a third party like an insurance company or subcontractor.
- Risk Assumption: This is accepting the loss, or benefit of gain, from a risk when it occurs. Risk assumption is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained.
Utilize the Risk Reporting Matrix
The risk management plan should detail how the Risk Reporting Matrix is used to determine the level of risks identified within a program. The level of risk for each root cause is reported as low (green), moderate (yellow), or high (red).
Best Practices for Writing a Good Risk Management Plan (RMP)
The key to writing a good plan is to provide the necessary information so the program team knows the goals, objectives, and the program office’s risk management process. Although the plan may be specific in some areas, such as the assignment of responsibilities for government and contractor participants and definitions, it may be general in other areas to allow users to choose the most efficient way to proceed. A few of the best practices in writing an RMP are: [1]
- Build a strong culture that is aware of risks
- Make sure there are strong lines of risk communications
- Set clear policies for taking care of risks
- Establish transparent risk monitoring processes
- Keep the plan simple to understand and read; avoid complexities
Risk Management Plan (RMP) Updates
The Program Management Office (PMO) should periodically review and update the RMP at major acquisition events. At the end of each Acquisition Phase, risk planning should be used in preparation for the next phase. [1]
Risk Management Plan (RMP) in Other Acquisition Documents
The plan is integral to overall program planning and should be addressed in the program Acquisition Strategy, and/or the Systems Engineering Plan (SEP). [1]
AcqLinks and References:
- DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisitions – Jan 2017
- (Old) DoD Risk Issue and Opportunity Management Guidance for Defense Acquisition Programs – June 2015
- [1] DoD Risk Management Guidebook – Section 8 – Aug 06 (Outdated)
- Risk Assessment Checklist
- Risk Assessment Worksheet and Management Plan
- Continuous Risk Management Guidebook by Carnegie Mellon
- Template: Risk Management Plan
- Template: Project Risk Management Template
Updated: 2/16/2024