2.1 Plan Risk Management
Key Takeaways
- The Risk Management Plan defines HOW risk is managed (methodology, roles, funding, timing, categories, probability/impact definitions, matrix, reporting); it never lists actual risks.
- Plan Risk Management is the first risk process — its single output is the Risk Management Plan, completed early in the project before any risk is identified.
- Tailoring scales the plan to project size, complexity, and importance: a small low-risk project may need a light plan, a megaproject a formal one.
- Key inputs are the project charter (high-level risks, objectives), stakeholder register, and Enterprise Environmental Factors plus Organizational Process Assets.
- Probability and impact definitions and the probability-impact matrix are agreed in the plan so later qualitative analysis stays consistent and objective.
Purpose of Plan Risk Management
Plan Risk Management is the first process in project risk management. Its purpose is to decide HOW the team will conduct every later risk activity — identification, analysis, response, and monitoring — so the effort matches the project's importance and exposure.
It produces exactly one output: the Risk Management Plan, a subsidiary plan of the overall project management plan. The process answers questions like: What techniques will we use? Who is responsible? How much budget and time does risk work get? How will we rate and report risks?
A common exam trap is to confuse the plan with the risk register: the plan describes the process, while the register records the individual risks. The plan is written early, before any risk is identified, and is revisited if the project's nature changes. Doing this planning first prevents an ad-hoc, inconsistent risk effort later.
Contents of the Risk Management Plan
The plan documents the rules of engagement for risk. Memorize these standard contents — PMI-RMP questions often ask which element belongs in the plan versus the register or report. The first four elements set the operating model for the risk effort:
| Element | What it defines |
|---|---|
| Methodology | Approaches, tools, and data sources for risk work |
| Roles & responsibilities | Who leads, supports, and participates in each activity |
| Funding | Budget for risk activities; protocols for contingency and management reserves |
| Timing | When and how often risk processes run across the life cycle |
The remaining elements set the analytical and reporting standards the team will apply later:
| Element | What it defines |
|---|---|
| Risk categories | The Risk Breakdown Structure (RBS) used to group sources |
| P-I definitions | Agreed scales for probability and impact ratings |
| P-I matrix | The grid mapping probability times impact to priority |
| Reporting/tracking | Formats and audiences for risk reporting and audits |
Funding deserves special attention: the plan sets the protocols for establishing, accessing, and replenishing contingency and management reserves, but it does not yet size them — that comes later from analysis. Timing defines the cadence of risk activities so reassessment is not left to chance.
Why probability and impact definitions matter
Defining probability and impact scales up front is what keeps later qualitative analysis consistent. Without agreed definitions, one analyst's "high" impact is another's "medium," and prioritization becomes arbitrary. The plan typically sets numeric or descriptive bands — for example, probability of 0.1/0.3/0.5/0.7/0.9 and impact tied to thresholds on cost, schedule, scope, and quality.
A worked illustration: the plan might define impact on cost as 0.05 (under 1% overrun), 0.10 (1-5%), 0.20 (5-10%), 0.40 (10-20%), and 0.80 (over 20%). A risk with probability 0.5 and impact 0.40 then carries a score of 0.20, landing it in a high-priority zone defined by the matrix.
The probability-impact (P-I) matrix is built from these definitions. It assigns each probability-impact combination to a priority zone (often red/yellow/green), so a risk's score drives whether it gets detailed analysis or a planned response. Crucially, the matrix itself lives in the plan; the scored risks live in the register.
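As an added illustration (not part of the original study notes), the following Python snippet applies the scales described above: it maps a cost overrun to the page's impact bands, enforces that probability values come from the agreed 0.1/0.3/0.5/0.7/0.9 scale, computes the score as probability times impact, and classifies the score into a matrix zone. The zone thresholds (0.18 for red, 0.05 for yellow) and the treatment of band edges are assumptions, since the page does not state them; the risk identifiers are constructed sample values.

```python
from dataclasses import dataclass

# Probability scale agreed in the Risk Management Plan (values from the page).
PROBABILITY_SCALE = (0.1, 0.3, 0.5, 0.7, 0.9)

# Cost-impact bands from the page's worked illustration:
# (upper bound of overrun as a fraction, impact rating).
# Assumption: an overrun exactly on a boundary falls into the higher band.
COST_IMPACT_BANDS = (
    (0.01, 0.05),          # under 1% overrun
    (0.05, 0.10),          # 1-5%
    (0.10, 0.20),          # 5-10%
    (0.20, 0.40),          # 10-20%
    (float("inf"), 0.80),  # over 20%
)

# Assumed P-I matrix zones: a score at or above the threshold lands in the zone.
# These thresholds are NOT from the page; a real plan sets its own.
ZONE_THRESHOLDS = ((0.18, "red"), (0.05, "yellow"), (0.0, "green"))


@dataclass(frozen=True)
class ScoredRisk:
    """One register entry after the plan's scales have been applied."""
    risk_id: str
    probability: float
    impact: float
    score: float
    zone: str


def cost_impact_rating(overrun_fraction: float) -> float:
    """Map a cost overrun (0.12 means 12%) to the plan's impact rating."""
    if overrun_fraction < 0:
        raise ValueError("overrun fraction must be non-negative")
    for upper, rating in COST_IMPACT_BANDS:
        if overrun_fraction < upper:
            return rating
    raise AssertionError("unreachable: last band is open-ended")


def validate_probability(probability: float) -> float:
    """Reject values outside the agreed scale so analysts stay consistent."""
    if probability not in PROBABILITY_SCALE:
        raise ValueError(f"probability {probability} is not on the agreed scale")
    return probability


def risk_score(probability: float, impact: float) -> float:
    """Score = probability x impact, rounded to avoid float noise."""
    return round(validate_probability(probability) * impact, 4)


def priority_zone(score: float) -> str:
    """Look the score up in the (assumed) P-I matrix zones."""
    for threshold, zone in ZONE_THRESHOLDS:
        if score >= threshold:
            return zone
    raise ValueError(f"score {score} is negative")


def score_risk(risk_id: str, probability: float, overrun_fraction: float) -> ScoredRisk:
    """Apply the plan's definitions to one identified risk."""
    impact = cost_impact_rating(overrun_fraction)
    score = risk_score(probability, impact)
    return ScoredRisk(risk_id, probability, impact, score, priority_zone(score))


if __name__ == "__main__":
    # Constructed sample: the page's example (P=0.5, 15% overrun -> impact 0.40).
    for rid, prob, overrun in (("R-01", 0.5, 0.15), ("R-02", 0.3, 0.02)):
        print(score_risk(rid, prob, overrun))
```

The plan-level artifacts (scales, bands, thresholds) are module constants, while the register-level results are `ScoredRisk` instances; keeping the two apart in code mirrors the exam distinction between the plan, which fixes the rules, and the register, which records the scored risks.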
Tailoring to size and complexity
The plan is tailored — scaled to project size, complexity, strategic importance, and the organization's risk maturity. A small, familiar, low-risk project may need only a lightweight plan with informal reviews. A large, novel, high-stakes program demands a formal plan with quantitative analysis, dedicated reserves, and frequent governance touchpoints.
Under-tailoring wastes effort on trivial projects; over-tailoring leaves big projects exposed. PMI expects the risk professional to right-size the process, not apply a rigid template to every engagement.
Key inputs
- Project charter — supplies objectives, high-level risks, and the risk appetite of the sponsor.
- Stakeholder register — identifies who holds risk information and differing risk attitudes.
- Enterprise Environmental Factors (EEF) — organizational risk appetite, regulatory context, market conditions.
- Organizational Process Assets (OPA) — risk policy, templates, RBS, lessons learned, and historical risk data.
Expert judgment and meetings
Two tools support Plan Risk Management. Expert judgment draws on people experienced with similar projects, risk specialists, and the organization's risk function to shape methodology and roles. Planning meetings (often a kickoff risk meeting) bring the project manager, sponsor, team leads, and key stakeholders together to agree on the plan's contents, especially the appetite, categories, and matrix. Their inputs feed directly into a credible, owned plan rather than a template imposed in isolation.
Exam-ready distinctions
Watch the boundary between the Risk Management Plan and the artifacts it shapes:
- The plan specifies the RBS that defines the risk categories; the register later places each identified risk into those categories.
- The plan defines probability and impact scales; qualitative analysis applies them.
- The plan sets reserve protocols; reserve sizing happens during analysis.
If a question asks where roles, methodology, timing, or P-I definitions are established, the answer is almost always the Risk Management Plan — produced once, early, by the Plan Risk Management process. Treat the plan as the constitution for risk and every later artifact as evidence produced under its rules.
Practice questions
During project initiation, a risk professional is documenting the methodology, roles and responsibilities, funding for risk activities, timing, and the probability-impact definitions the team will use. Which artifact is being created?
Why does the Risk Management Plan establish probability and impact definitions before any risks are identified?