
Your Complete Guide to Developing an Effective Risk Management Plan

When a risk becomes a problem, it is rarely the result of a single misstep. More often it is the culmination of a series of errors that adherence to the core tenets of risk management planning would have caught. Ignoring those tenets carries consequences ranging from liability exposure and project delays to damaged relationships and lost profit.

Risk management strives to highlight and triage such threats, measure potential associated ramifications, and develop an effective strategy for resolution.

This explainer highlights the importance of establishing a risk management plan, outlines techniques for both identifying and prioritizing threats, and breaks down each checkpoint within this five-step process. It also provides sample risk management planning checklists from various industries to refer to when compiling your own.

Note: Your new checklist should evolve organically as you complete projects and experience new risk events.

Good Risk Management Plans Save Projects

It's tempting to liken risk management in business to health insurance: its worth only becomes evident when something goes wrong. The analogy has a fundamental flaw, though.

Health insurance is reactive. Even when a doctor prescribes ongoing treatment for a chronic illness, symptoms had to appear first to get you through the door for an assessment; the prescription is a response to a health event that has already occurred.

Project risk management, on the other hand, is preemptive and proactive. It exists to minimize or eliminate panicked, reactive fixes to problems that could have been avoided in the first place.

The Project Management Body of Knowledge (PMBOK), the Project Management Institute's set of global standards and guidelines for the project management profession, expounds on one of its core tenets: risk management is more than an attempt to prevent loss; it is also an opportunity for gain:

“Project risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, and quality,” it states. “A risk may have one or more causes and, if it occurs, may have one or more impacts. A cause may be a given or potential requirement, assumption, constraint, or condition that creates the possibility of negative or positive outcomes. For example, causes could include the requirement of an environmental permit to do work, or having limited personnel assigned to design the project. The risk is that the permitting agency may take longer than planned to issue a permit; or, in the case of an opportunity, additional developmental personnel may become available who can participate in design, and they can be assigned to the project.”


Reduce Liability with Third-Party Vendors

Third-party vendors, encompassing suppliers, contract manufacturers, and distributors, among others, are essential to many business operations, especially at larger companies. These relationships introduce significant financial, operational, legal, and regulatory risk, however.

Operational disruptions can lead to revenue loss, while legal conflicts can tarnish a company's reputation. Here are some effective vendor risk management strategies to help identify, assess, and mitigate vendor-related risks.

  • Certificate of Insurance Tracking: Verifying a vendor's coverage through a certificate of insurance confirms that the insurance the contract requires is actually in force, so a vendor's loss does not become your organization's loss.
  • Safety Pre-Qualification: Pre-qualifying vendors against health and safety standards mitigates legal and regulatory risks, such as labor rights violations.
  • Regulatory Screening: Screening vendors for compliance with federal and state laws mitigates legal and regulatory risks; because regulations evolve, this screening must be repeated on an ongoing basis rather than done once at onboarding.
  • Document Management: Centralized management of critical documents, including agreements and purchase orders, streamlines processes and makes ongoing risk monitoring possible.
  • Financial Screening: Assessing a vendor's financial stability through credit checks reduces the risks that come with a poorly capitalized partner, such as business continuity failures or the conflicts of interest that arise when a vendor is under financial pressure.

Ultimately, risk management is critical to the success of your business.

The following is a useful outline of the five-step risk management planning process:

Step 1: Identify

A concise-yet-thorough risk management checklist starts with disciplined thinking. Use proven risk analysis methods to determine the most likely causes of loss, then devise a plan of action for each potential risk event.

The first step is to identify every risk that could prevent a team member from completing the task at hand, or from completing it in compliance with the law. Enter each one in a document called a risk register, which you will reference throughout the plan's development.

It can be overwhelming for a project manager to delve into all that could go wrong throughout the course of an initiative, but putting in the time to think through all possible worst-case scenarios is a key component of effective risk management. While the project manager is the ultimate agent for change, the risk-managing power of thoughtful collaboration, especially in the nascent stages of project development, cannot be overstated.

Before choosing between different information-gathering techniques, consider the following questions regarding the scope of work, resources, timeline, budget, and project deliverability:

  • What is the scope of work? Are all parts of the project familiar, or are you dealing with tasks that are new to you or your team? If there are new tasks, have you identified all the risks associated with them?
  • Do you have adequate resources available to complete your project? Are your personnel trained, or will they require training? Have you completed background checks or utilized a vendor credentialing system?
  • How long should this project take to complete? Are there any scheduling conflicts to resolve before beginning work? Is the timeline outlined in your contract realistic?
  • How detailed is your budget? Are you at risk of overrunning your budget?
  • Can you deliver this project? Are you making any promises you may not be able to keep? What could hinder your ability to deliver the project's goals?

Techniques for Gathering Information

Assumption Analysis

You know the adage: If you make assumptions, you’re prone to set yourself, and others, up for failure. (Or something like that.) Assumption analysis exists to catch the risks that flawed assumptions introduce before they catch you.

It includes the following three-step process:

First: Document all assumptions made during the project planning process.

Next: Identify all risks to the project from each assumption based on the potential inaccuracies or inconsistencies these may contain.

Finally: Decide whether each assumption is sound enough to keep, given the risk it carries if it turns out to be wrong.


Brainstorming

Picking the brains of a select, trusted group of team members in search of risks (threats and opportunities) you did not foresee yourself is often helpful, particularly when you’re working with new third-party contractors or completing a project with an unfamiliar scope of work. There's no limit to what you might learn by listening to others' ideas and experiences.

Event Inventories or Loss Data

In risk management, an event inventory is a listing of the risk events known to affect your industry or function, and loss data is the historical record of what past events actually cost. A retail and manufacturing instance of this is event-based inventory control: a physical count of SKU items that is triggered by a specific event rather than by the calendar.

For example, if a retailer's database reports stock levels below the respective reorder points, a physical count may be triggered to:

  • Calculate shrinkage
  • Fix database errors
  • Investigate possible root causes of the loss event

Note: This process is especially important in retail and manufacturing environments. Factors to consider when consulting your loss data might include:

  • Susceptibility to theft
  • Complexity of the year-end inventory procedure
  • Prior-period misstatements

Expert Judgment

Advice may be sought from any group or individual with specialized knowledge or training; consulting a risk management expert signals humility and leadership, not weakness. Just remember to weigh the expert's potential biases the same way you would anyone else's when evaluating their input.

Facilitated Workshop

Facilitated workshops bring key stakeholders together with project managers to achieve team alignment. This method works on several levels:

  • Facilitated workshops grant stakeholders the opportunity to talk through differences of opinion with a project manager present to backstop the conversation with unique area expertise. This can build trusting relationships, display competency, and improve communication within the organization.
  • Workshops gather big players from different company departments (finance, marketing, operations, and human resources, for example) into the same room to work together to define cross-functional requirements.

Interviews, Self-assessments, Questionnaires & Surveys

Interviews: If you've ever dreamed of becoming a reporter, this is your time to shine. Experienced project team members, stakeholders, and industry experts all hold a wealth of knowledge just waiting to be tapped. What better way to identify risks than to ask the folks who have tried, failed, and learned from their mistakes?

Self-Assessments: These only work if the participant is self-aware and honest. To reduce inherent bias, use a pre-written self-assessment template rather than open-ended prompts.

Questionnaires/Surveys: Of all the methods outlined in this section, interviews may seem like the fastest, simplest route to the answers you're looking for. Here's the hitch, however: People can, and will, lie to your face to save face. Questionnaires and surveys can be kept anonymous and give participants more time to consider prompts, hopefully leading to more thoughtful responses.

Take your time and be thorough throughout the Identify component. This will help streamline subsequent risk management stages.

Step 2: Analyze

After you've identified all your risks, threats and opportunities alike, it's time to determine the severity and probability of each. To simplify this process, group risks into categories by shared root cause.

At the end of this stage, you'll have an understanding of the nature of your risks and the likelihood of occurrences. You can then begin making judgments about which should be addressed and with what level of urgency.

Techniques for Prioritizing Risk

There are qualitative and quantitative methods for assessing risk. Utilizing a mixed-method approach provides the most comprehensive framework on which to base your risk management plan.

SWOT Analysis

This maps and prioritizes an organization’s Strengths, Weaknesses, Opportunities, and Threats (SWOT). In the context of risk management, the process entails brainstorming each of the four parts, then grouping related factors into categories. Next, you’ll prioritize all of the items in a forced rank order. Finally, you’ll begin to define strategies that:

  • Use strengths to take advantage of opportunities
  • Use strengths to avoid threats
  • Take advantage of opportunities by overcoming weaknesses
  • Minimize weaknesses and avoid threats

Qualitative Risk Analysis

Before risk responses can be developed and implemented, each risk needs a narrative. Qualitative risk analysis supplies it by describing each risk in terms of its hazard (cause), its consequence (severity), its probability, and the resulting risk rating.

The results of your qualitative risk analysis then feed a contingency (if-then) analysis, which lays out the actions to carry out if a specific risk event occurs.

Quantitative Risk Analysis

Quantitative risk analysis (QRA) translates qualitative ratings into measurable figures that can be built into the project's budget and schedule. The value assigned to a risk is added to the project cost or time estimate as a contingency value.

Methods for determining contingency values include heuristic methods, expected value methods, probability distribution methods, interdependency models, and empirical methods. The simplest, the expected value method, multiplies the probability that a risk occurs by its cost or schedule impact if it does.

Thorough quantitative risk analysis can get expensive, so QRA is often reserved for the risks deemed a high priority. Once a value is assigned to a risk, its impact is expressed either as an increase or decrease in cost and/or time, or as a percentage range with a particular distribution, and is then factored into a final, quantified assessment of total risk.

Step 3: Evaluate

In step two, we discussed analyzing risk based on probability and severity, the combination of which ultimately constitutes total risk magnitude. In step three, you begin to make judgments regarding whether a given risk is imminent or costly enough to warrant preemptive treatment, or if it’s a risk you're willing to take.

A risk assessment matrix is a common tool used at this stage of risk management planning.

Techniques for Developing Your Risk Assessment Matrix

There are four steps to developing a risk assessment matrix:

  1. Identify the risk universe
  2. Determine risk criteria
  3. Assess the risks
  4. Prioritize the risks

If you've completed steps one and two of risk management planning (Identify and Analyze), the processes for collecting metrics to plug into your risk assessment matrix should be well underway. By the time you reach the evaluation stage of risk management planning, you and your team should have already:

  • Identified all potential risk events that could affect the progress of your project
  • Analyzed, categorized, and ranked those risks in the risk register

Now build your risk assessment matrix (also called a probability/impact matrix) from both your qualitative and quantitative reasoning: cross-reference each risk's severity with its probability, across the analytical methods you used, to sort the register into high, medium, and low priority. Then accept what the findings show, even when they are not what you hoped for.
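As an added example (not code from the original article or from bcs), the following Python script builds a small risk register, scores each entry on 1-to-5 probability and impact ranks, places it in a probability/impact matrix, and computes an expected-value contingency reserve for the budget and schedule, covering both the quantitative analysis of Step 2 and the matrix of Step 3. The 1..5 scales, the high/medium/low thresholds, the expected-value formula, and the sample risks are all assumptions; the register entries are constructed, not real project data.

```python
"""Risk register, probability/impact matrix and expected-value contingency.
Added example, not code from the original article or from bcs. The 1..5
ordinal scales, the priority thresholds, the expected-value formula and the
sample risks are assumptions chosen to illustrate the Analyze/Evaluate steps.
"""
from dataclasses import dataclass

# Assumed ordinal scales; the labels are the planner's own risk criteria.
PROB_LABELS = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_LABELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# Assumed matrix bands on the product probability x impact (maximum 25).
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 15, 8
PRIORITY_RANK = {"high": 3, "medium": 2, "low": 1}

@dataclass
class Risk:
    rid: str
    description: str
    category: str
    probability: int          # qualitative rank, 1..5
    impact: int               # qualitative rank, 1..5
    likelihood: float         # quantitative estimate, 0..1
    cost_impact: float        # cost if it occurs; negative = opportunity (saving)
    delay_days: float         # schedule slip if it occurs; negative = schedule gain
    response: str = "accept"  # avoid / accept / monitor / mitigate / transfer

    def __post_init__(self):
        # Reject out-of-range entries early: a bad rank silently distorts the matrix.
        if self.probability not in PROB_LABELS or self.impact not in IMPACT_LABELS:
            raise ValueError(f"{self.rid}: probability and impact must be 1..5")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.rid}: likelihood must be within 0..1")

    def score(self) -> int:
        """Qualitative risk magnitude: probability rank times impact rank."""
        return self.probability * self.impact

    def priority(self) -> str:
        """Band the score into the matrix's high / medium / low cells."""
        if self.score() >= HIGH_THRESHOLD:
            return "high"
        return "medium" if self.score() >= MEDIUM_THRESHOLD else "low"

    def expected_cost(self) -> float:
        """Expected value method: likelihood times cost impact."""
        return self.likelihood * self.cost_impact

    def expected_delay(self) -> float:
        return self.likelihood * self.delay_days

def sample_register():
    """Constructed sample risks (not real project data)."""
    return [
        Risk("R1", "Permitting agency issues permit late", "regulatory", 4, 4, 0.40, 20_000, 30, "monitor"),
        Risk("R2", "Key subcontractor becomes insolvent mid-project", "financial", 2, 5, 0.10, 150_000, 45, "transfer"),
        Risk("R3", "Design-tool licence lapses", "operational", 3, 1, 0.50, 2_000, 1, "accept"),
        Risk("R4", "Vendor-managed appliance missing security patches", "operational", 3, 4, 0.30, 60_000, 10, "mitigate"),
        Risk("R5", "Extra design staff become available (opportunity)", "resourcing", 2, 3, 0.25, -10_000, -5, "accept"),
    ]

def rank_register(register):
    """Forced rank order: highest score first, ties broken by impact."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)

def matrix_grid(register):
    """5x5 grid indexed [probability-1][impact-1] holding the risk ids in each cell."""
    grid = [[[] for _ in IMPACT_LABELS] for _ in PROB_LABELS]
    for r in register:
        grid[r.probability - 1][r.impact - 1].append(r.rid)
    return grid

def render_matrix(register) -> str:
    """Text rendering of the matrix, highest-probability row on top."""
    grid = matrix_grid(register)
    lines = ["prob\\impact " + " ".join(f"{i:^8}" for i in IMPACT_LABELS)]
    for p in sorted(PROB_LABELS, reverse=True):
        cells = [",".join(grid[p - 1][i - 1]) or "-" for i in IMPACT_LABELS]
        lines.append(f"{p:^11} " + " ".join(f"{c:^8}" for c in cells))
    return "\n".join(lines)

def contingency_reserve(register, min_priority="medium"):
    """Expected cost and delay summed over risks at or above min_priority;
    restricting the sum to the top bands mirrors reserving full QRA for top risks."""
    floor = PRIORITY_RANK[min_priority]
    selected = [r for r in register if PRIORITY_RANK[r.priority()] >= floor]
    return (sum(r.expected_cost() for r in selected),
            sum(r.expected_delay() for r in selected))

if __name__ == "__main__":
    reg = sample_register()
    print(render_matrix(reg))
    for r in rank_register(reg):
        print(f"{r.rid} score={r.score():2d} {r.priority():6s} EV cost={r.expected_cost():9.0f} {r.response}")
    print("Contingency reserve (medium and above): %.0f cost units, %.1f days" % contingency_reserve(reg))
```

Running the script prints the matrix, the forced rank order, and the reserve. Two design points matter in practice: the qualitative rank (probability times impact) decides where a risk lands in the matrix, while the separate quantitative fields (likelihood, cost, days) drive the reserve, so a risk can rank "medium" on the matrix yet dominate the budget reserve, as R2 does here. Opportunities carry negative cost and delay, which lets the same expected-value arithmetic express the "opportunity for gain" the PMBOK quote describes.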

Step 4: Address

Once you’ve created your risk assessment matrix, you should have a concrete idea about the high, medium, and low-priority risks your project faces, so you may begin crafting plans of action for risk avoidance as well as protocols for the inevitable instances when risk events occur.

This is also referred to as risk response planning.

Techniques for Risk Response Planning

1. Avoidance

One way to remove risk from a project is to eliminate its root cause. In project management, this means axing the tasks associated with the risk altogether.

This is not always a feasible option. Sometimes, you just have to do things you don't want to. For those instances, there are four other risk response planning strategies to consider.

2. Acceptance

You've likely heard or perhaps even repeated the mantra: "Give me the strength to accept the things I cannot change." Certain risks are simply unavoidable and come with no clear solution. This is what your risk management plan was built for! Go forth and plan the risk into the project!

3. Monitor & Prepare

For risks too massive to accept with open arms, but too integral to the project to avoid, there's monitoring and preparing. This entails:

  • Naming and documenting the triggers that signal the risk is materializing, and monitoring those triggers closely
  • Creating an airtight plan of action ahead of time that can be set in motion the moment the risk occurs

4. Mitigation

Here's a riddle: If you were afflicted with third-degree burns, and a genie offered you the magical power to dial those burns down to first-degree burns, would you accept?

Hopefully, third-degree burns are not listed on your risk register, but if they are, there's good news: Reducing the probability and severity of a given risk is possible, and usually doesn't even require a genie, or any magic at all, for that matter.

For example, to reduce the probability of burns, you might invest in a fire-resistant suit; to reduce the severity, perhaps you'd consider having a medical trauma specialist on call.

As a rule, work on reducing the probability of a risk before planning for severity mitigation. It's more proactive to lessen the likelihood that a negative event ever takes place than to simply brace for impact.

5. Transference

Risk transfer means shifting the burden of a risk onto another party. If you work with third-party contractors or contingent laborers, careful insurance documentation and vendor credentialing can save your company from damaging workers' compensation and general liability suits.

Hold harmless agreements, which are commonplace in construction contracts, shield project owners from losses or damages resulting from a contractor's actions, inactions, or negligence. They work alongside the contractor's insurance: the owner is normally also named as an additional insured on the contractor's policy, and if that additional insured coverage fails because of incorrect endorsement language, the contractual indemnity in the hold harmless agreement can still bring the contractor's insurance into play.

Before agreeing to take on a project, review the suggested brainstorming questions at the beginning of this post. If the job is too big or unfamiliar for you and your team to fulfill the contracted project requirements and goals, outsource some or all of the project to someone better equipped for the job.

Step 5: Monitor/Review

Your risk register is full and contingency values have been figured into your project's budgetary and scheduling plans. It's time to put your risk management efforts to the test, but remember: Risk management is a perpetual practice of high-performing organizations, so your efforts should be ongoing.

Techniques for Continued Risk Management

Assessments & Meetings

Risk assessment should always be on the agenda at status meetings, including conducting ongoing reassessments of imminent risks and informing the team of any risks that are no longer threats.

Risk Audits

Review and document the efficacy of each risk response.

Variance & Trend Analysis

Compare planned results to actual results using performance data to control and monitor risk events.

Root Cause Analysis

Re-evaluate the root causes of any risk events that occurred to identify the failed system, implement protocols, and categorize the risks correctly during your next round of risk identification.

Risk Management Plan: Overview

Once your five-step risk management plan is complete, it should cover the following in great detail:

  • Process - details each task within a project
  • Budget - outlines the allocation of funds
  • Risk Register - a repository for all threats identified, including additional information about each risk, such as its nature and mitigation measures, etc.
  • Roles & Responsibilities
  • Reporting Structure/Hierarchy
  • Risk Categories
  • Analysis or Anticipation Report of Likely Risks
  • Solutions or Mitigation Strategies, Varying From High-Impact to Low-Impact Risks

Sample Risk Management Checklists for Various Industries

Healthcare (U.S. Centers for Disease Control and Prevention)

Agriculture (U.S. Department of Agriculture)

Transportation (New York State Department of Transportation)

Construction and Engineering (U.S. Army)

Real Estate (Financial Services Agency, Japan)

Creating a risk management checklist uniquely tailored to your industry and business model helps identify risks and avoid consequential mishaps.


Business Credentialing Services (bcs) specializes in providing a diverse spectrum of risk management compliance services to businesses across a wide range of industries.

From developing and implementing effective, solution-oriented risk management strategies to utilizing automated tracking software for certificates of insurance, regulatory screenings, and document management, bcs possesses the team and technology to ensure your business is well protected. Contact us today to learn more.
