The project risk management plan that gets used looks different from the one that gets filed. I’ve reviewed end-of-project risk registers where 11 of the 14 risks that actually materialised were in the original register — scored correctly, with plausible responses — but hadn’t been looked at since the kickoff meeting. Nobody maintained the process. This guide covers what goes into a risk management plan that functions as a live management tool, not a document that satisfies a governance checkpoint.
Table of Contents
What Is a Project Risk Management Plan?
A project risk management plan is the document that sets the rules for how risk management will run on a project — what probability scale you’ll use, who owns risks, how often you review, what gets escalated and to whom. Without it, the risk register becomes a document shaped by whoever fills it in first, with whatever scoring convention they happen to use. On a project with five people doing risk entries, you get five different interpretations of “high probability” unless something defines it upfront.
An unpopular view: most risk management on most projects is theatre. The register gets written, scores get assigned, responses get documented, and then the document sits. Teams run into problems that were in the register, with responses that were never implemented, and nobody connects the two. If a risk materialises and the response wasn’t executed, the register failed — not because it was wrong, but because nobody ran the process it described. The PMBOK Guide structures this into Plan Risk Management, Identify Risks, Perform Analysis, Plan Responses, Implement Responses, and Monitor Risks. The gap between “Plan Responses” and “Implement Responses” is where most projects lose the thread.
Skipping the plan and going straight to populating a register is like setting up a spreadsheet without deciding what the columns mean. The entries look like data; they aren’t consistent. A register built without a plan tends to have scoring that varies by who entered each row, ownership that defaults to the project manager, and no review dates because nobody defined a cadence.
What Belongs in the Project Risk Management Plan
The plan needs to define: the scoring system (probability and impact scales, consistently), the risk categories, who owns the plan and individual risks, the review cadence, and what level of risk score triggers escalation. That’s the minimum. Risk appetite and reporting channels should also be there. The things most often missing are review cadence and escalation thresholds — and those two omissions are what turn a plan into a document that nobody consults.
Identifying Risks — and the Sources Most Teams Miss
Risk identification is the process of finding, recognising, and documenting risks that might affect the project. The output is a list of risk events — specific things that might happen, not vague categories of uncertainty.
Risk identification techniques
Brainstorming workshops — the most common approach. Gather the project team, key stakeholders, and subject matter experts. Use prompt categories (see Risk Breakdown Structure below) to structure the conversation and ensure no area is missed. Brainstorming works best with a neutral facilitator who isn’t also trying to participate. The sessions that produce the most complete risk lists are the ones where someone’s job is to draw out what people know, not to contribute their own views.
Expert interviews — useful for technical risks that the project team may not be qualified to assess. A structural engineer on a building project will identify risks that a project manager won’t. Document the interviews and incorporate the findings into the register.
Lessons learned from similar projects — the most underused source. What risks materialised on the last three similar projects? What risks were identified but never occurred? Both lists are useful. Most organisations have lessons-learned records that nobody consults at the start of a new project.
Assumption analysis — the project plan is built on assumptions. List them explicitly. Each assumption is a potential risk if it turns out to be wrong. “Assumes client will provide design information by week six” is an assumption; the corresponding risk is “design information delayed beyond week six, causing downstream programme impact.”
On a healthcare IT implementation I was brought in to review midway through — PAS system replacement, NHS trust in the north of England, about 18 months in scope — the original brainstorming session had produced a thorough-looking list: integration risks, data migration risks, vendor dependencies, go-live cutover. What it hadn’t captured: the assumption that clinical leads would be available for two weeks of user acceptance testing in months 14–15. When the scheduling conflict surfaced, nobody could quite remember whether the availability had ever been formally confirmed or just assumed. The project slipped five weeks. Whether that would have been caught by a better assumption analysis, I honestly don’t know — but it wouldn’t have been a surprise.
Risk Breakdown Structure (RBS)
A Risk Breakdown Structure organises risk categories hierarchically, similar to a Work Breakdown Structure. Using an RBS in identification sessions ensures the team considers all relevant areas rather than converging on the risks that are most top-of-mind.
Common top-level RBS categories for construction and infrastructure projects include: technical (design, materials, interfaces), external (regulatory, environmental, market), organisational (resource, funding, stakeholder), and project management (estimating, scheduling, communications). Software projects typically add: scope creep, integration, security, and vendor dependencies. The specific categories matter less than having categories that prompt the team to look in areas they wouldn’t otherwise consider.
Scoring Risks: Qualitative First, Quantitative When It’s Worth It
Once risks are identified, each one needs to be assessed for probability and impact. The purpose is to prioritise — the team can’t give equal attention to 40 risks, so the analysis determines which ones require active management and which can be monitored passively.
Qualitative risk analysis
Most project risk management plans use a qualitative approach: score each risk on a probability scale (typically 1–5 or 1–3) and an impact scale (cost, schedule, quality, or a combined score), then multiply to get a risk score. High scores get active management; low scores get logged and watched.
| Probability | Score | Impact on schedule/cost | Score |
|---|---|---|---|
| Very unlikely (<10%) | 1 | Negligible (<1% cost impact) | 1 |
| Unlikely (10–30%) | 2 | Minor (1–5% cost impact) | 2 |
| Possible (30–50%) | 3 | Moderate (5–10% cost impact) | 3 |
| Likely (50–70%) | 4 | Significant (10–20% cost impact) | 4 |
| Very likely (>70%) | 5 | Severe (>20% cost impact) | 5 |
The scoring scales need to be defined in the risk management plan before the team starts scoring — not improvised during the risk workshop. Without a consistent definition of what “likely” means, two team members scoring the same risk will produce different numbers. I’ve reviewed risk registers where the same probability descriptor — “likely” — had been applied to risks ranging from 15% to 65% likelihood depending on who entered the row. The heat map looks meaningful; the underlying data isn’t.
Quantitative risk analysis
For projects where cost or schedule uncertainty is significant — large infrastructure programmes, complex IT implementations — quantitative risk analysis adds a second layer. Monte Carlo simulation models the combined effect of multiple risks on project cost or schedule, producing a probability distribution of outcomes rather than a single-point estimate. The output: there’s a 70% probability of completing within £X and a 90% probability of completing within £Y.
Monte Carlo requires three-point estimates for each risk (optimistic, most likely, pessimistic duration or cost), a model of how risks interact, and someone who knows how to run and interpret the simulation. On a £500m infrastructure programme that’s a reasonable investment. On a £2m fit-out it’s disproportionate — you’ll spend more on the analysis than the analysis saves you. The PMBOK treats quantitative risk analysis as a separate process from qualitative; in practice most risk managers apply it only when a client requires a probabilistic cost estimate or when the project is complex enough that the aggregate risk picture matters more than individual risk scores. See the risk management overview for more on when to use each.
Building the Risk Register
The risk register is the central document of the project risk management plan — the living record of identified risks, their scores, owners, responses, and current status. Every risk identified goes into the register. Every review updates it.
Risk register fields
A functional risk register needs at minimum: a unique risk ID, a description of the risk event, the probability score, the impact score, the risk score (probability × impact), the risk owner, the planned response, any contingency action, the current status, and the date last reviewed. Additional fields — risk category, trigger conditions, residual risk score after response — add value without complicating the basic structure.
Risk descriptions are where quality problems most often start. “Resource risk” is not a risk description. “Key structural engineer unavailable for the foundation design phase due to competing project commitments, causing 3-week design delay” is a risk description. Vague descriptions produce vague responses. The more specifically a risk is described — what happens, when, what the impact is — the more actionable the response planning becomes.
Risk categories and the heat map
Most risk registers include a heat map — a probability/impact grid where each risk is plotted as a point, with colours indicating risk level (typically red/amber/green). Heat maps are useful for communicating risk status to project boards and stakeholders who won’t read a full register. They’re also susceptible to the averaging-out problem: a project with fifteen amber risks may look acceptable on a heat map while carrying more aggregate risk than a project with two red risks and everything else green.
A heat map is a communication tool, not an analysis tool. Use it to show the distribution of the register to stakeholders. Don’t use it as the primary mechanism for deciding what to act on — the register details and the trend data (is a risk’s score moving up or down over time?) are more informative.
Planning Risk Responses — and Choosing the Right Strategy
For each identified risk, the project risk management plan needs a defined response strategy. The PMBOK identifies four strategies for threats and four for opportunities.
Threat response strategies
Avoid — change the project plan to eliminate the risk entirely. Redesign a construction sequence to avoid a known unstable ground area. Choose a different supplier whose lead times are predictable. Avoidance removes the risk but may add cost or complexity elsewhere.
Transfer — shift the financial consequence of the risk to a third party. Insurance, fixed-price contracts for uncertain scope, performance bonds. Transfer doesn’t eliminate the risk; it allocates the cost of it to another party. The risk still materialises; it just costs someone else.
Mitigate — reduce the probability or impact of the risk. Investing in additional testing to reduce the probability of a quality failure. Building schedule float to reduce the impact of a delay. Adding a second supplier to reduce the impact of a single-supplier failure. Most active risk management is mitigation.
Accept — acknowledge the risk and take no proactive action. Appropriate for low-scored risks where the cost of mitigation exceeds the likely cost of the risk materialising. Active acceptance may include setting aside contingency. Passive acceptance means dealing with it if it happens.
Mitigation gets applied to nearly everything in the amber and red zones by default, which misses options that would serve better. Some risks are better transferred (that’s what insurance is for). Some are better avoided by changing the approach. And some — particularly external risks with low probability and low controllability — are genuinely better accepted than spent management time on. The choice of response strategy should follow the analysis, not precede it.
Opportunity response strategies
Risks can also be positive — opportunities that might benefit the project if they occur. The equivalent strategies are: exploit (take action to ensure the opportunity occurs), enhance (increase its probability or impact), share (partner with another organisation to capture it), or accept (take advantage if it occurs but don’t pursue it actively). Opportunities almost never appear in practice-run risk registers. Teams focus on threats. The opportunity strategies exist in PMBOK; they get ignored in most registers I’ve seen.
Assigning Risk Ownership in the Project Risk Management Plan
Every risk in the register needs a named owner — a specific person, not a team, department, or role. The owner is responsible for monitoring the risk, implementing the response, and escalating if the risk score changes or the response isn’t working.
Risk ownership is where the plan most visibly falls apart in practice. Risks get assigned to the project manager by default because nobody else wants to own them, or because the project manager didn’t enforce ownership during the risk workshop. A project manager who owns 30 of the 35 risks in the register is not managing risk — they’re holding a list. Meaningful ownership means the owner has the knowledge and authority to actually do something about the risk. A procurement risk should be owned by the procurement lead. A design risk by the design manager. A regulatory risk by whoever manages the relevant relationships.
Some organisations distinguish between the risk owner (the person responsible for the response) and the risk action owner (the person executing a specific mitigation action). This split is useful on large projects where the person best placed to monitor a risk isn’t the same as the person doing the mitigation work. Both need to be named in the register.
Keeping the Project Risk Management Plan Current
A risk register that isn’t regularly reviewed becomes a historical document. Risks are added at the start of a project and never updated. New risks that emerge during execution never get added. Risks that have passed or been resolved stay on the register unchanged. The review cadence defined in the risk management plan is what prevents this.
Review frequency
Monthly is a commonly cited minimum. Whether that’s the right cadence depends on the project phase and the current risk profile. During detailed design finalisation, procurement close, or commissioning, a month is a long time — a lot can change. Weekly reviews during high-risk phases aren’t unusual. On a slow-moving feasibility study with few active risks, quarterly might be defensible. The cadence should be decided based on what the project actually needs, not what the plan template says.
project-risk-management-plan-template
The most functional risk reviews I’ve attended had one thing in common: the project manager arrived with a prepared question for each high-scored risk. Not “any updates?” — but “the enabling works contractor was on site this week; any impact on the ground contamination risk?” That specificity forces engagement. The reviews that produce nothing are the ones where someone reads the list and everyone confirms nothing has changed, which is almost never true.
Emerging risks
New risks emerge throughout a project. Scope changes introduce new risks. Design decisions close off some risks and open others. External events — regulatory changes, supply chain disruptions, political changes — affect risk profiles in ways that weren’t foreseeable at planning. The risk register needs to be a genuinely open document — new risks added as they’re identified, not held until the next formal review.
Risk triggers
For each high-scored risk, the project risk management plan should define a trigger — an observable event or condition that indicates the risk is about to materialise or has changed in probability. “Supplier hasn’t confirmed material delivery within 6 weeks of required date” is a trigger for a supply chain risk. Triggers make risk monitoring active rather than passive. Instead of reviewing the register and asking “has this happened yet?”, the team is watching for specific signals. The risk register article covers trigger fields in more detail.
Common Mistakes in Project Risk Management Plans
Writing the plan after the register. The sequence I see most often: risk workshop first, register populated, then someone produces the risk management plan document to satisfy a governance requirement. The plan references a scoring system that was improvised on the day and categories that emerged organically from the workshop rather than from any deliberate framework. It’s a description of what happened, not a framework for what’s about to happen. I’m not sure why this order persists — it’s easy to do it correctly — but it does.
Scoring that nobody recalibrates. Scores entered at the risk workshop in week two are still showing the same numbers in month seven, even as the project context has changed substantially. A risk that was “possible / significant” at planning may be “likely / severe” by the time procurement is running late — but the register still shows the original score because nobody updated it. Risk scores are estimates, not facts. They need revision at every review, not just at the start.
No residual risk assessment. A mitigation reduces a risk’s probability or impact — but by how much? Most risk registers record the original score but not the residual score after the response is implemented. Without a residual score, the register doesn’t show whether the mitigation is working. If a risk starts at probability 4, impact 4 (score 16) and the mitigation is supposed to reduce it to probability 2, impact 3 (score 6), those are two very different levels of remaining exposure — and they need to be tracked separately.
Treating the risk register as a compliance document. The signal: every risk has green status, all responses are “in progress”, and the last-reviewed date is two months ago. The register exists to pass the gate review. It has no operational value. I’ve sat in project board meetings where the risk register was presented as a slide — 12 green risks, 3 amber — and nobody asked a single question about any of them. That’s not risk management. That’s risk theatre.
Forgetting opportunities. The PMBOK has opportunity response strategies. Exploit, enhance, share, accept. Almost nobody uses them. I’m not sure why. Possibly because “risk” implies something bad and the framing never shifts. Possibly because there’s no governance pressure to track opportunities the way there is for threats. The tool exists. Teams don’t use it.
Risk Register Template
A basic project risk management plan risk register contains the following fields. Adapt as needed for project size and complexity.
| Field | Description | Notes |
|---|---|---|
| Risk ID | Unique identifier (e.g. R-001) | Never reuse IDs — closed risks stay in record |
| Risk description | Specific event + cause + impact | Format: “If [cause], then [event], resulting in [impact]” |
| Category | RBS category | Technical / External / Organisational / PM |
| Probability (P) | Score 1–5 | Use defined scale from risk management plan |
| Impact (I) | Score 1–5 | Separate scores for cost, schedule, quality if needed |
| Risk score | P × I | 1–25 on a 5×5 scale |
| Risk owner | Named individual | Not a team or role |
| Response strategy | Avoid / Transfer / Mitigate / Accept | |
| Response action | Specific actions planned | With deadlines and action owners |
| Residual P | Probability after response | Updated once response is implemented |
| Residual I | Impact after response | |
| Residual score | Residual P × Residual I | |
| Trigger | Observable early warning signal | Mandatory for risks scored ≥12 |
| Contingency | Action if risk materialises despite response | |
| Status | Open / Active / Closed / Occurred | |
| Last reviewed | Date | Flag if not reviewed in last 30 days |
The “If / then / resulting in” format for risk descriptions forces specificity. “If the ground investigation results show higher groundwater levels than assumed in the design, then the foundation specification will need to be redesigned, resulting in a 4-week delay to the detailed design programme and an estimated £80,000 additional cost.” That’s a risk description. It’s more work to write than “groundwater risk” — and substantially more useful when the risk review asks whether this risk is closer or further from materialising than it was last month.
For more on how the risk register fits into the broader project risk management framework, see the risk management overview and the risk register guide. For the relationship between risk management and project planning, the project life cycle article covers when each risk process runs.
Francois Simosa is the head of training for the Gragados Training Associates, which provides special project management and risk management training programs.
Thanks for the guide! I have some more tips for you