• Francois Joubert

The Basics: What to have in your project risk management plan

I have seen some really horrible 70-page "cut-and-paste" and some really great 15-page project-specific risk management plans. ISO 31000 states that the purpose of risk treatment plans is to specify how the chosen treatment options will be implemented so that arrangements are understood by those involved and progress against the plan can be monitored. It also requires that treatment plans should clearly identify the order in which risk treatments should be implemented (International Organization for Standardization, 2018). These "arrangements" include procedures, practices, assignment of responsibilities, sequence and timing of activities.

These plans basically tell the reader what the project context is, what type of risk management is going to be done, what processes and procedures will be used, what reports will be generated and who will do everything. Or in other words, who is going to do what, when, where, why and how, as all other project plans (execution, HR, Quality etc.) should tell you in any case.

I am not going to give an overview of what should be in risk management plans, as the following two excellent publications contain all that you need to know:

  • Developing a project risk management plan - International Recommended Practice 72R-12, (AACE INTERNATIONAL, 2013).

  • Project Risk Management Guidelines (Cooper et al., 2014).

If you need examples of risk management plans, there are many different ones available on Google which you can review and adapt to your project. You may also be surprised by what is available in your company's Document Control System.

My contribution to this discussion is as follows:

1. Spend time in understanding the project context

The importance of this step cannot be overestimated and was discussed in https://www.kwanto.co.za/post/setting-the-project-context. And it may sound stupid, but a site visit has to take place, if possible. Seeing how general workers work on a railway project, in a place like Richards Bay (South Africa), with high humidity, high temperatures and sometimes unpleasant wind, gives more respect for the workers and the work which needs to get done.

2. Include a tracking spreadsheet

Include a tracking spreadsheet in your risk management plan, stating the outputs (reports, meetings, HAZOP Studies, quantitative risk assessments, site visits, audits etc.) as well as the status of each of these activities. This spreadsheet can then be updated as the project continues, to monitor and manage the project risk management activities. If you are a risk management consultant, it is also a convenient way of planning cash flow.

The example below contains the gate review requirements in the first column, a comment on requirements in the second and tracking information in the third. I included this table in all project reports for the following reasons:

  • It shows what needs to be done and what has been completed. As a side note, please remember that the gate review requirements are always negotiable and should reflect the complexity of the project. One does not need a schedule quantitative risk assessment on a procurement project where one needs to go and buy 10 new PCs. I am therefore very much in favor of having some kind of project rating system in place which would determine what extent of project risk management takes place for what type of project. I will discuss this in a later post.

  • Auditors love this type of tracking tool, because it shows them that "risk management is taking place", especially if it is aligned with Gate Review Requirements.

The above example uses the company's gate review requirements as the outputs. In cases where the outputs are contractually stipulated, I would use those.

3. Remember a RACI table

I asked my colleague Quinton van Eeden (https://www.linkedin.com/in/quintonvaneeden/) what I missed in the above post and he said that he always includes a RACI table to show the participation by various roles in completing risk management tasks and milestones.


AACE INTERNATIONAL 2013. 72R-12 Developing a project risk management plan - International Recommended Practice.

COOPER, D., GREY, S., RAYMOND, G. & WALKER, P. 2014. Project Risk Management Guidelines, Chichester, John Wiley & Sons Limited.

Copyright 2020 Dr. Francois Joubert
