Purpose: The Risk Management Plan is a component of the Project Management Plan. It describes the approach for managing uncertainty, both threats and opportunities, for the project.
Methods and Approaches:
Describe the methodology or approach to risk management. Provide information on how each of the risk management processes will be carried out, including whether quantitative risk analysis will be performed and under what circumstances.
Tools and Techniques:
Describe the tools (such as a risk breakdown structure) and techniques (such as interviewing, the Delphi technique, and so on) that will be used for each process.
Roles and Responsibilities:
Define the roles needed for risk management activities.
Describe the responsibilities associated with each risk management role.
Identify any categorization groups used to sort and organize risks. These can be used to sort risks on the risk register or for a risk breakdown structure, if one is used.
Stakeholder Risk Tolerance:
Describe the risk tolerance levels of the organization(s) and key stakeholders on the project.
Definitions of Probability:
List terms used to measure probability, such as High, Medium, and Low.
Describe the ways of measuring probability and the difference between High, Medium, and Low. If using a numeric scale, identify the spread.
Likelihood that the event will occur:
Low [ 0 – 50% likelihood of occurrence ]
Medium [ 51% to 75% likelihood of occurrence ]
High [ > 76% likelihood of occurrence ]
Impact if the event occurs:
Low [ Less than 10% of the project budget ]
Medium [ Between 10% – 25% of the project budget ]
High [ More than 25% of the project budget ]
Sample Definitions of Probability
Definitions of Impact by Objective:
Specify the terms used to measure impact, such as Very Low, Very High, or 01 to 10. Describe the ways of measuring each objective. Objectives other than the ones listed here can be used. Define the difference between very high and high impact on objectives. If using a numeric scale, identify the spread between bands of impact (.05, .1, .2, .4, .8, or 2, 4, 6, 8). Note that the impacts on individual objectives may differ if one objective is more important than another.
Risk Management Funding:
Define the funding needed to perform the various risk management activities, such as using expert advice or transferring risk to a third party.
Describe the guidelines for establishing, measuring, and allocating both budget contingency and schedule contingency.
Frequency and Timing:
Describe the frequency of conducting formal risk management activities and the timing of any specific activities.
Risk Audit Approach:
Describe how often the risk management process will be audited, which aspects will be audited, and how discrepancies will be addressed.