You will meet with your team, risk experts, and technical experts to determine the best approach for each risk management process. If your organization does not have risk management templates and other tools, your team will need to develop these as part of risk management planning.
You should also define the PMP PMBOK risk roles and responsibilities, risk categories, and the techniques used to analyse risks.
Your risk management plan is a subsidiary plan of the overall project management plan and it describes how risk identification, analysis, and response planning will be conducted. It will need to be tailored to the needs of each particular project.
The PMP PMBOK risk management plan document describes how project risk management will be structured and performed within the project. Information in the risk management plan varies by application area and project size.
The risk management plan is different from the risk register, which contains the list of project risks, the results of risk analysis, and the risk responses.
The typical content of the PMP PMBOK risk management plan would include:
Methodology. This defines the approach, tools and data that you use to manage risk.
Roles and responsibilities. This describes the role the various stakeholders have for managing risk. This can include a risk manager for very large projects, or the responsibility that each team member has with regard to risk management.
Budgeting. This will be an estimate of the funds needed for risk identification, analysis, and response. The approach for allocating, using, and recording contingency funds will also be defined.
Timing. This will identify the risk management activities that need to be added to the schedule and state how often they will occur. The approach will be defined for allocating, using, and recording contingency for the project schedule.
Risk categories. The major categories of risk will be identified and decomposed into sub categories. An example would use technical, external, organisational and project management as the main categories. These could then be further decomposed to the next level.
You can also categorise risk by objectives, such as scope, schedule, cost, quality, or stakeholder risks. These would then be further decomposed. There are many other ways in which to categorise risks.
Definitions of probability and impact. In order to analyse risks effectively, a common method will need to be used to rate the probability of occurrence and the impact if it does occur.
Probability and impact matrix. This is a matrix plotting probability against impact, usually categorised into low, medium, and high rankings.
As part of establishing your definitions for probability and impact, you are, in essence, defining your threshold for action.
A threshold defines the point where you need to take action.
By identifying the combination of probability and impact that defines an event as low, medium, or high risk, you are stating when you can merely observe the event, when you need to take action to minimize it, and when you need to avoid it altogether.
Revise the stakeholder tolerances. If needed, update your risk tolerances, as viewpoints might have shifted while compiling the risk management plan.
Reporting and tracking formats. This describes how risk will be recorded and reported during the project and can include a sample risk register, sample risk data sheets, and risk analysis templates.
Risk category. This is a group of potential causes of risk. Risk causes may be grouped into categories such as technical, external, organisational, environmental, or project management.
A category may include sub categories such as technical maturity, weather, or aggressive estimating.
Risk breakdown structure (RBS). This is a hierarchically organised depiction of the identified project risks, arranged by risk category and sub category, which identifies the various areas and causes of potential risks. The RBS is often tailored to specific project types.
Probability and impact matrix. A common way to determine whether a risk is considered low, moderate, or high is by combining the two dimensions of a risk: its probability of occurrence and its impact on objectives if it occurs.