
Creating a Risk Management Plan

Managing risk doesn’t need to be complex, but it must be structured to be effective. In this guide, we’ll dive into the essentials of creating a Risk Management Plan (RMP) that ensures your organization can mitigate and monitor risks efficiently.

A Risk Management Plan (RMP) is essential for adding value by describing the processes for mitigating and monitoring risks within your organization, project, or specific activities. It is not a risk assessment but rather a structured approach to risk mitigation. When done correctly, an RMP provides a framework for your activities, clarifies the application of your organization’s Risk Management Procedure, and ensures personnel understand the approach and expectations regarding risk management.

The purpose of an RMP is to explain your organization’s risk management techniques, applications, and implementation. Its complexity should match the subject matter, but effective plans are always well-structured.

Clear outputs from an RMP should include:

  • Identification and mitigation of risks in each phase of activity development
  • Improved procedures
  • Enhanced safety during activities
  • Reduced downtime
  • Identification of improvement areas through knowledge transfer and risk assessment
  • Regulatory compliance

Understanding the Basics

Risk Management Procedure vs. Risk Management Plan

  • Procedure: A procedure is a specific method or series of steps followed to complete a task or process. The primary goal of a procedure is to ensure consistency and efficiency in the execution of a task.
  • Plan: A plan is a set of intended actions, or a strategy designed to achieve a specific goal or objective. The primary goal of a plan is to outline the approach and resources needed to accomplish a goal.

Both documents are critical to successful risk management. To generate a Risk Management Plan, you will need to have a Risk Management Procedure.

The Risk Management Procedure describes how your organisation manages risk, what processes are in place for risk management, how those processes work and are structured, and how your organisation evaluates, treats, and monitors risk. It should also define when a Risk Management Plan is required to be developed.

A Risk Management Plan (RMP) outlines the overall strategy for managing risks in a particular project or organization. It includes the goals, resources, timelines, and methods to be used, and can be adjusted as the project progresses.

The content of an RMP depends on the complexity of the subject matter. An RMP provides structure to your activities and defines how your organisation's Risk Management Procedure will be applied to successfully manage your activity. This can include procedures, processes, resources, allocation of responsibilities, etc.

A critical element of the RMP is defining the risk assessment methods that will be applied to the stages of your activities.

At RISKUL, we use five methods of assessment: HAZID, HAZOP, HIRA, Task Risk Assessment, and Risk Register. We've produced guides for each of these methods on our website: https://riskul.com/category/resources/

We’ve put together a template RMP in Microsoft Word that can be modified and used. The sections below give more detail on the content and structure of the RMP.

Key Elements of your Risk Management Plan

Introduction

Clearly define the RMP’s scope, purpose, and expected outcomes. The RMP should add value by aligning with your organization’s objectives.

Use the introduction to explain the scope and purpose of the RMP. What it is there for, how it will be used, and what the expected outcome (purpose) of the RMP is.

The RMP is there to add value; if it doesn't add value, then what is its purpose?

We’ve put some suggested text in the RMP template with some strong examples of outputs. Use these if they align to your organisation and intent or update the content to be specific to your organisation.

Abbreviations & Terminology

Avoid confusion by listing and defining all acronyms and industry-specific terms used in the RMP.

There's nothing worse than reading a document that's full of acronyms or terms that don't make sense. If you use an acronym or abbreviation, add it to the table and provide a description of what it means. The same applies to terminology. Not everyone who reads your RMP will be familiar with industry or organisation terms, so provide clear definitions for the content and terms used within the RMP.

References

Include a reference table for all documents, codes, and standards, both internal and external, that are relevant to your RMP.

If you're referencing documents, codes, or standards (internally or externally produced), ensure that you include a reference table.

Documents can be internal or external. Codes and standards are generally industry or regulatory documents that are applicable to your activities; consider documents such as ISO standards, for example.

Workscope Overview & Risk Response

Provide a detailed breakdown of planned activities. Align the workscope with your risk response strategies such as avoidance, retention, transfer, and reduction.

The workscope overview is used to provide a detailed breakdown of the planned works. This should be relative to the RMP scope. The extent of detail is up to you, but it should reflect the complexity of the activities that the RMP is to cover. Ensure that the workscope aligns with the schedule for the planned activities.

Consider and use the Workscope Overview when working on the Activity Summary. There will be workscope content that can be grouped in the Activity Summary enabling risk analysis methods to be applied to activities which are similar or can be combined.

How you respond or treat risk is an important decision to take. Risk response is used to assist with identifying which strategies will be applied to mitigate risk. Strategies available include:

  • Avoidance: Conscious decision to avoid a particular risk completely.
  • Retention: Retain the risk.
    • With knowledge – decision to meet any resultant loss.
    • Without knowledge – decision taken with a lack of knowledge of existence of risk or with omissions about the risk.
  • Transfer / Share: Transfer a risk to another party (i.e. insurance) or outsource (i.e. subcontract).
  • Reduction: Apply mitigation to reduce the risk.

Identifying and applying strategies should be a continuous process as your activities develop. Circumstances can change and you need to be flexible with your approach to ensure the most suitable response strategy is applied.

Documenting how a response strategy is applied can be complex: you may decide to apply reduction techniques to a defined activity but transfer certain smaller elements of that activity. In the RMP template, risk response is shown in the workscope overview table as an example.

Responsibilities

Clearly define roles, responsibilities, and authority levels for risk management activities. Responsibilities should align with job descriptions and provide sufficient authority to fulfil them.

Be clear about the expectations, responsibilities, and level of authority that each person has in relation to risk management activities. This can be achieved by listing the roles / functions of personnel and providing an overview of their specific responsibilities.

Responsibilities should align with their role profile / job description. Ensure that assigned responsibility is accompanied with a sufficient level of authority considering personnel / subcontractor management, financial approval limitations etc. Do not assign a responsibility that cannot be fulfilled by the respective role.

Risk management cannot be assigned to a single person; it will not be effective. Overseeing the risk management process, however, can be assigned to an individual, provided the required level of support is available.

Risk Reduction Processes

Outline how existing risk management processes will be applied to your activities. This includes documentation, resources, meetings, internal procedures, and policies that ensure risk reduction.

Your organisation should have established risk management processes; this is likely the Risk Management Procedure that we wrote about in the introduction. Think about how the existing processes are applied to manage risk in the context of the activities described in the RMP.

Internal processes in an organisation are there to ensure that activities are completed in a specified way, with that specified way designed to ensure the activity is completed safely, meets quality requirements, stays within budget, etc.

Example: In a project, specific documentation will be developed. This could include operational procedures, an execution plan, method statements, a quality plan, a health and safety plan, an emergency plan, etc. All these documents will include specific activities / processes that are to be followed, each designed to explain a process, requirement, or expected standard. When followed, and assuming the content is correct, risk reduction follows. Provide an overview of activities that will reduce risk, and don't just focus on risk assessment methods that are applied directly to activities. Don't limit thinking to documentation; consider resources, meetings, internal procedures, management, policies, information flow, onsite briefings, incident investigation and learning, experience transfer, etc.

In the RMP template there is an additional table for ‘Specific Risk Reduction Management Activities’. This should be used to identify and list activities / processes which aren’t normally applied by your organisation but may be introduced due to a contractual requirement, operating permit condition, consent, local regulation etc.

Risk Management Principles

Detail the principles your organization will adopt, such as ALARP (As Low As Reasonably Practicable), and provide a risk classification matrix for evaluation.

Outlining the risk management principles that your organisation will adopt is important and links closely with the risk response. The following general principle hierarchy is included in the RMP template.

If your organisation practices the ALARP principle, then it should be explained.

Risk acceptance with ALARP will generally fall within Low > Medium ‘risk scores’.

In the RMP template there is a statement related to ALARP and an explanation of Risk Acceptance Levels. Don’t just state ‘Low Risk’ without explaining exactly what ‘Low Risk’ means in the context of your risk management process.

Include your risk classification matrix so evaluation and risk acceptance levels applied to your risk analysis methods can be understood.

Content for this section could be taken directly from your organisation's Risk Management Procedure. In the template provided we've included the RISKUL default Risk Classification Matrix, including the Probability and Consequence definitions, to illustrate the content requirement. Ensure you identify Assessment Categories (what you are assessing against).

Risk Analysis Methods

Describe the risk analysis methods to be used, ensuring consistency with your organizational procedures.

Describe which risk analysis methods will be used for activities within the workscope and how each risk analysis method is applied to elements of the workscope to manage the identified risk.

An explanation of analysis methods should already be in place in your organisation; if so, use that. Don't change or amend the definition of the methods used in your Risk Management Plan. It is important to ensure a consistent approach to risk management throughout all activities, aligned with your organisation's procedures / processes.

Activity Summary

Identify all activities within the RMP scope and the corresponding risk assessment methods. Break down the workscope into logical steps and sub-steps to effectively manage identified hazards.

Identifying the activities that constitute your RMP is critical. In fact, it's one of, if not the most, important elements of your RMP, and it requires considerable thought to be effective.

The RMP should state the activities and the risk assessment methods that will be applied to each activity to manage identified hazards. This sounds complex but it’s quite simple to do. Review the workscope and break it down into a logical flow or steps. This information could be taken from an execution plan or a schedule. Each step could have a sub-step. For example:

A construction project could be made up of several steps or activities:

  1. Planning
  2. Site Mobilisation / Preparation
  3. Construction
  4. Site Demobilisation etc.

Each step / activity could have numerous sub-steps:

Planning

  • Site Location A
  • Site Location B – Etc

Site Mobilisation / Preparation

  • Site A: Site Logistics
  • Site A: Ground Clearance
  • Site A: Etc
  • Site B: Etc

To be effective, the correct risk assessment method needs to be applied to the identified activities.

It's important to consider all the activities, processes, work packages, etc. that constitute each step / sub-step.

Example: Ground clearance could include waste removal, survey, specialist clearance (contaminated ground, unexploded ordnance, etc.), excavation, trench shoring, use of specialised equipment, etc. All activities should be subject to risk assessment / management, either collectively or individually. A pre-construction HAZID could be used to identify the hazards associated with ground clearance; a site clearance HIRA can then be developed to identify, assess, and mitigate the identified hazards on a site basis. A TRA is used to assess specific worksite hazards associated with individual activities or tasks.

In the RMP template the Activity Summary is shown in graphical and tabular formats, but it's up to you how to present your Activity Summary structure.

The image below shows the different risk analysis methods and how they can link and influence the next analysis method in the hierarchy or have input into the next activity.

Risk assessment methods follow a hierarchy, but not every assessment method is right to apply in every case. If you're unsure, look at our guides for risk assessment methods and their application: https://riskul.com/category/resources/.

Your organisation may undertake risk analysis workshops with or without your client or other third parties; these can also be shown in your Activity Summary (for example, identified as Internal or External). The Activity Summary is a useful tool that allows you to plan the risk assessment method that will be used for specified activities. The Activity Summary should be updated as the project develops. It's difficult to accurately identify which activities will be assessed when initially developing your RMP, so the RMP should be considered a live document that will evolve and change as the project progresses.

Schedule

Start risk management early and maintain consistent focus. Include dates for risk management activities and formal reviews. The RMP should be a live document that evolves with the project.

Effective risk management is accomplished when started at the earliest possible opportunity. It relies on input from a team, whose members bring a range of expertise and knowledge from their respective fields. Collaboration throughout the process is critical and requires consistent focus for the duration of the workscope. Too many organisations apply risk management processes to their activities at late stages, or only focus on risk management processes at specified intervals with a client present.

Once you've drafted your Activity Summary, you can identify the dates for your risk management activities / workshops. Dates can be indicative or added once decided. The RMP is a live document: simply add any specific workshop dates (if held), a commencement date, dates when reviewed, etc.

An organisation's risk management processes are there to benefit the organisation, and by default that benefits the client. It's important to schedule formal risk reviews for the risk analysis methods that have been conducted for your activities. These reviews should be used as additional input into the risk analysis / management process. They will provide confidence to all involved that risk management processes are effective, and that risk is considered at all levels throughout all stages of the activities.

Reporting

Specify the content, frequency, and distribution of risk management reports. Include completed worksheets, status updates, high-risk activities, mitigation measures, and opportunities for further assessment.

Specifying the report content and frequency is important. Many organisations will include risk management reporting as an element of weekly or monthly reporting. Your RMP should identify the frequency, extent of reporting, and report distribution list. A report could include:

  • Completed risk assessment worksheets
  • Status of activities
  • Planned workshops
  • Status updates
  • Considered high risk activities, mitigation, & risk owner
  • Opportunities that can be further assessed

Conclusion

A well-structured Risk Management Plan is vital for mitigating risks effectively. By following the outlined sections, your organization can ensure a comprehensive and consistent approach to managing risks. For templates and further guidance, visit RISKUL Resources.

RISKUL includes reporting options that can be used in your Risk Management Plan to provide a complete overview of your risk management activities and progress. In addition, RISKUL includes five risk assessment tools (HAZID, HAZOP, HIRA, Task Risk Assessment, and Risk Register), all with 40+ specific design and functionality features unique to RISKUL.

Take operational and strategic risk assessment and risk management seriously: try RISKUL free, with no obligation, for 30 days.

If you need advice on how to use RISKUL in your workplace or project, contact us.
