Blame

d24334 Melisha Dsouza 2026-03-02 11:15:24 1
# **Risk and Opportunity Management**
2
3
_(Approval of the Risk and Opportunity Management Plan confirms that the stakeholders understand the objectives, scope, and contents of this document. By approving this procedure, all concerned individuals acknowledge and accept the defined roles, responsibilities, and business logic for the respective subsystems. This approval also authorizes the initiation of project planning activities and confirms the commitment of necessary resources in accordance with the Project Charter.)_
4
5
**Document Revision History**
6
7
| Version | Date | Change Information | Author | Approver |
8
| ------- | ---- | ------------------ | ------ | -------- |
9
| V1.0 | March 1, 2026 | Initial Draft | Melisha Dsouza | Pooja Thorat |
10
11
### **1. Introduction**
12
A risk is defined as an uncertain event or condition that, if it occurs, may have a positive or negative impact on a project’s objectives. Risk is inherent in all projects; therefore, it is essential for project managers to continuously identify, assess, and manage risks throughout the project lifecycle.
13
14
This document defines the procedures, roles, and responsibilities for effective Risk and Opportunity Management for the project Letscatchup, ensuring that potential risks are proactively addressed and opportunities are leveraged to achieve project objectives.
15
16
### **2. Process**
17
The Project Manager, in collaboration with the project team and project sponsors, shall ensure that risks are systematically identified, analyzed, planned for, monitored, and controlled throughout the lifecycle of the project.
18
19
Risks shall be identified as early as possible to minimize their potential impact on project scope, schedule, cost, and quality. The overall risk management process and its associated activities are detailed in the subsequent sections of this document.
20
21
The Project Manager (or designated authority) shall act as the Risk Manager for this project and will be responsible for maintaining the risk management activities and records.
22
23
### **3. Risk Identification**
24
25
Risk identification shall involve active participation from the project team and relevant stakeholders. The process will include the evaluation of internal and external factors such as organizational culture, environmental conditions, and elements of the project management plan, including project scope.
26
27
**Special attention shall be given to:**
28
- Project deliverables
29
- Assumptions and constraints
30
- Work Breakdown Structure (WBS)
31
- Cost and effort estimates
32
- Resource and staffing plans
33
- Schedule and milestone plans
34
- Other key project documentation
35
36
A Risk Management Log shall be created and maintained in Jira. This log will be reviewed and updated regularly to reflect newly identified risks and changes to existing risks.
37
38
Risks may be identified across multiple dimensions of the project. The following generic categories shall be used as guidance for risk identification:
39
40
**Risk Identification Aspects**
41
1. With respect to the **Project Team** (Skills, experience, availability, communication)
42
2. With respect to **Human Resources and Contractors** (Resource dependency, turnover, contractual issues)
43
3. With respect to the **Customer** (Availability, expectations, feedback delays)
44
4. With respect to **Products / Technology** (Technical complexity, tool limitations, integration issues)
45
5. With respect to **Project Management** (Planning accuracy, governance, decision-making)
46
6. With respect to **Requirements** (Clarity, completeness, stability)
47
7. With respect to the **Schedule** (Dependency risks, estimation errors, delays)
48
8. With respect to **Change Management**
49
- Requirement changes
50
- Plan or scope changes
51
52
### **4. Risk Analysis**
53
All identified risks will be assessed to determine the range of possible project outcomes. This qualification will be used to identify high-priority risks that require response planning and lower-priority risks that may be accepted or monitored.
54
55
- **Risk Identification**
56
- The responsible stakeholder shall identify both inherent and residual risks.
57
- **Inherent Risk:**
58
- A risk that exists assuming no controls are in place and that may negatively affect the achievement of organizational or project objectives.
59
- **Residual Risk:**
60
- The risk that remains after controls and mitigation measures are applied. Since risk cannot be completely eliminated, controls are designed to reduce the risk to an acceptable level aligned with the organization’s risk appetite.
61
62
- **Example 1** Fire in a production facility that may have catastrophic consequences represents an inherent risk. Controls such as fire extinguishers, sprinklers, and emergency evacuation plans reduce the likelihood and impact. The remaining exposure after these controls is the residual risk. Internal auditors evaluate the adequacy and effectiveness of these controls to ensure the residual risk is within acceptable limits.
63
- **Example 2: **
64
- **Inherent Risk:** A key developer may leave the project, which could delay the project schedule if no backup resource or knowledge transfer exists.
65
- **Residual Risk:** To reduce this risk, management assigns a backup developer, maintains proper documentation, and conducts knowledge-sharing sessions. Even after these controls, there is still a possibility of temporary delays during the transition period. This remaining exposure is the residual risk.
66
67
The probability and impact of occurrence for each identified risk will be assessed by the project manager, with input from the project team using the following approach:
68
69
**Impacts:**
70
1. **Severe**: Business untenable.
71
2. **High**: Business operations severely impaired.
72
3. **Medium**: Some important business goals cannot be achieved.
73
4. **Low**: Some minor business goals are not achieved.
74
5. **Negligible**: Very minor business goals are not achieved
75
76
**Probabilities:**
77
1. **Almost certain:** Better than 95 percent chance of happening.
78
2. **Very likely**: Better than 75 percent chance of happening.
79
3. **Likely:** Better than 50 percent chance of happening.
80
4. **Unlikely**: Less than 50 percent chance of happening.
81
5. **Very unlikely**: Less than 10 percent chance of happening.
82
83
**Level of Risks:**
84
1. **Extreme**: Executive notification essential.
85
2. **High**: Considerable business disruption likely. Immediate attention required.
86
3. **Medium**: Monitoring and weekly reporting are recommended.
87
4. **Low**: An acceptable level of risk.
88
89
**Level of Risk= Impact * Probability**
90
91
![](./image-1772446916155.png)
92
93
- **Risk Analysis**
94
- Analysis of risk events that have been prioritized using the qualitative risk analysis process and their effect on project activities will be estimated. A risk register and matrix will be maintained in jira as below,
95
96
**Risk Register:**
97
98
![](./image-1772447042082.png)
99
100
**Risk Matrix:**
101
102
![](./image-1772447095912.png)
103
104
**Risk Statuses : (Identified Risks)**
105
106
- OPEN
107
- IN PROGRESS
108
- CLOSED
109
- NEVER OCCURRED
110
111
**Work Flow**
112
![](./image-1772447332984.png)
113
114
**Unidentified Issue(Risk) Statuses :**
115
- OPEN
116
- IN PROGRESS
117
- CLOSED
118
119
**WorkFlow**
120
![](./image-1772447378031.png)
121
122
### **5. Risk Response Planning**
123
Each major risk will be assigned to a project team member for monitoring to ensure it is actively managed.
124
125
**Risk response strategies include:**
126
- **Avoid**– Eliminate the threat by removing the cause or changing plans
127
- **Control/Mitigate**– Identify ways to reduce the probability or the impact of the risk
128
- **Accept**– Accept the risk and plan contingencies if it occurs
129
- **Transfer/Share**- Make another party responsible for the risk (buy insurance, outsourcing). Outsource risk (or a portion of the risk – Share risk) to third parties or parties that can manage the outcome. This is done financially through insurance contracts or hedging transactions, or operationally through outsourcing an activity.
130
131
For each risk that will be mitigated, the project team will identify ways to prevent the risk from occurring or reduce its impact or probability of occurring. This may include prototyping, adding tasks to the project schedule, adding resources, etc.
132
133
For each major risk that is to be mitigated or that is accepted, a course of action will be outlined for the event that the risk does materialize in order to minimize its impact.
134
135
### **6. Risk Monitoring, Controlling and Reporting**
136
Risks will be tracked, monitored, and reported throughout the project lifecycle. A Top 10 Risk List shall be maintained and included in project status reports.
137
138
All project change requests will be analyzed for their possible impact on the project risks.
139
140
All change requests will be assessed for their impact on existing risks. Management will be notified of significant changes through executive status reporting.
141
142
### **7. Tools and Practices**
143
A Risk Log shall be maintained in Jira by the Project Manager and reviewed regularly during project meetings. The format of the Risk Log should be defined in the Risk Management Plan. Risk management plan approval.
144
145
_The undersigned acknowledge they have reviewed the Risk Management Plan for the `Project Name` project. Changes to this Risk Management Plan will be coordinated with and approved by the undersigned or their designated representatives._
146
147
List the individuals whose signatures are desired. Examples of such individuals are a Business Owner, a Project Manager, or a Project Sponsor. Add additional lines for signature as necessary. Although signatures are desired, they are not always required to move forward with the practices outlined within this document.
148
149
### **8. Records of RSK**
150
151
| Record | Where to Get? |
152
|--------------------------------|---------------|
153
| Procedure Document | Google Drive |
154
| Risk Management Plan Document | Google Drive |
155
| Risk Register / Log | Jira Tool |
156
| Generic Risk Document | Google Drive |
157
| RSK Audit Checklist | Google Drive |
158
159
### **9. Policies**
160
161
- The project team shall recognize the importance of risk management
162
- The PRRT team should be committed to implementing risk management effectively
163
- If required, A training should be organized to understand risk management
164
- The PRRT team should be committed to monitoring performance and reviewing progress in risk management
165
166
### **10. Work Product**
167
Work product for the Risk Management area is
168
- Risk log/Register
169
170
### **11. Roles and Responsibilities**
171
The project should have a risk review team.
172
173
**Project Risk Review Team (PRRT):**
174
175
The risk management board comprises the Project Team, which includes the
176
- Project Owner
177
- Project Manager
178
- Lead developers
179
- QA Team
180
- Client
181
182
**Responsibilities include:**
183
184
- Reviewing and approving identified risks
185
- Ensuring approved risks are logged in Jira
186
- Seeking solutions and mitigation strategies
187
- Planning scenarios to avoid or minimize risks
188
189
| Role | Responsibilities |
190
|------|------------------|
191
| Project Owner / Seller (Project Sponsor) | • Chair all Risk Management Board meetings <br> • Approve issues requiring additional scope, time, or cost |
192
| Project Manager | • Overall responsibility for all project risk management activities <br> • Identify risks <br> • Communicate risk management activities to project stakeholders <br> • Participate in Risk Management Board meetings <br> • Re-baseline project items if impacted by risk management changes |
193
| Project Coordinator | • Participate in Risk Management Board meetings <br> • Update risks in the Jira tool |
194
| Testing Manager | • Participate in Risk Management Board meetings <br> • Identify and confirm risk closure status |
195
| Project Buyer (In-house Project) | • Participate in Risk Management Board meetings <br> • Identify and analyze risks from the client side <br> • Provide feasible solutions for identified risks |
196
197
### **12. Measurements**
198
199
- **Number of risks identified**
200
- This is a relatively easy measure.
201
- You can track the number of risks identified per project or program.
202
- There is no **‘right answer’** to how many risks a project should have identified.
203
- It completely depends on the **type of project.**
204
- A project you have carried out many times before will be **low risk**.
205
- A project with multiple areas of complexity using a methodology that is new to the team will inherently be riskier.
206
- However, this measure is useful for comparing projects where the PMO can apply some basic principles.
207
- If you know that **two projects are similar in many respects** (like duration, priority, complexity) then you can assume they would have around the **same number of risks**.
208
- If one project manager has identified **90 risks** and the other project manager has **identified 19**, you would be **justified in comparing** how robustly they are doing risk analysis on the project.
209
210
- **Number of risks that occurred (i.e. became issues) which were identified**
211
- You can also track the number of risks that materialize and turn into **real-life** issues on the project. Hopefully, there aren’t that many.
212
- However, this measure can also tell you that **risk analysis** is being done thoroughly.
213
- For example, if lots of risks are tracked that then turn into issues, you can give the team credit for spotting that these things might cause problems.
214
- If lots of **risks are tracked** but **none turn into issues**, this could be that the team is **tracking the wrong things** – issues pop up out of nowhere and never make it onto the risk log.
215
- As with all of these metrics, you need to consider the narrative around the metric to get the full picture.
216
217
- **Number of risks that occurred more than once**
218
- This can be a sign that lessons aren’t being learned.
219
- If a **risk occurs multiple times**, across the same project or several projects, it can show you that teams aren’t learning from past experience.
220
221
- **Number of risks that were not identified**
222
- _How do you track something you didn’t know was going to happen?_ This is a tricky one! Think of it as a way to track issues that occur that should have been flagged as a risk but weren’t.
223
- Look at the **number of issues** on the issue log that could have been **foreseen** but bypassed the risk stage.
224
225
- **Number of risks never occurred**
226
- Track **how many risks passed by without happening**, whether you took active measures to manage them or not. This can be a **counterbalance** to the number of risks identified.
227
- If you identify a lot and close a lot, you can work out the key risks facing the project. This measure is also a sign that **active risk management** is happening during the project.
228
- A large number of identified risks and **no closed risks** show that risk analysis was carried out at the **start of the project** and then **not followed** up throughout the project lifecycle.
229
- You can include risk management metrics in your **project closure report**, and you should.
230
- However, to be able to take any practical steps to better risk management, or for **spotting trends**, you should be looking at your key metrics long before you write the project closure report.
231
- Some of the metrics above can only be calculated at the **project shutdown**, but where you can track measures across a project or program on an ongoing basis, that is better.
232
- It gives you a chance to spot trends, compare projects on a more real-time basis and do something about the data you uncover to help improve risk management across the organization.
233
234
### **13. Verification and Validation**
235
- A periodic review should be conducted to verify and validate risks
236
- A risk plan should have details of the review
237
238
### **14. Process Flow**
239
Process flow helps to understand when a team should identify the risks of the project and management.
240
241
```mermaid
242
flowchart TD
243
244
%% Risk Planning
245
A[Project Start] --> B[PM Creates Risk Management Plan]
246
B --> C[Identify Risks & Define Mitigations]
247
C --> D[Log Risk in JIRA Issue Type Risk]
248
249
%% Risk Details
250
D --> E[Add Risk Details]
251
E --> E1[Risk Assessment Inherent/Residual, Probability, Impact]
252
E --> E2[Symptoms & Triggers]
253
E --> E3[Mitigation & Contingency Plan]
254
E --> E4[Risk Response Strategy]
255
256
D --> F[Risk Initially Unassigned]
257
258
%% Risk Occurrence Decision
259
F --> G{Risk Occurred?}
260
261
G -- No --> H[Continue Monitoring]
262
263
G -- Yes --> I[PM / Coordinator Assigns Responsible Person]
264
I --> J[Status In Progress]
265
J --> K[Status Closed]
266
K --> L[Resolution Reported]
267
268
%% Unidentified Risk Flow
269
G --> M{Was Risk Identified Earlier?}
270
M -- No --> N[Create Issue Type Unidentified Issue Risk]
271
N --> I
272
273
%% Periodic Review & Metrics
274
L --> O[PQA Periodic Audit]
275
O --> P[Collect Metrics from JIRA]
276
277
P --> P1[Total Risks Identified Count of Issue Type Risk]
278
P --> P2[Occurred Identified Risks Status In Progress Closed]
279
P --> P3[Risks Occurred More Than Once Linked as Duplicate]
280
P --> P4[Unidentified Risks Issue Type Unidentified Issue Risk]
281
P --> P5[Risks Never Occurred Status Never Occurred]
282
```
283
284
285
- **Risk Identification and Resolution**
286
- The project manager will create a **risk management plan**
287
- The project Manager will **identify** every **possible risk** associated with the project and mitigations.
288
- During Recording identified risk “**Risk**” Issue type will be used in Jira.
289
- **Identified risk should have,**
290
- Risk Assessment (Inherent or Residual, Probability and Impact)
291
- Symptoms
292
- Triggers
293
- Mitigation
294
- Contingency plan
295
- Risk Response Strategy
296
- Identified risks will be **unassigned** unless and until they are no longer occurring.
297
- Once a **risk occurs,** the coordinator or manager will **assign** it to the respective person. (Can assign it to self as well)
298
- The person who is responsible to resolve risk will change the status to In Progress ->Closed and report the same.
299
- **Unidentified Issue (Risk)**
300
- A risk that is unidentified and occurred will come under the Unidentified Issue(Risk) type.
301
- A project manager or coordinator will be responsible for recording and assigning it to the respective person.
302
- The person who is responsible to resolve risk will change the status to In Progress ->Closed and report the same.
303
304
- **Periodic Reviews**
305
- PQA will be responsible for periodic audits
306
- To record metrics
307
308
- **The process to get metrics from Jira**
309
- **Number of risks identified**
310
- A total number of “Risk” in Jira will be calculated as the number of risks identified.
311
- **Number of risks that occurred (i.e. became issues) which were identified**
312
- Risk which is “IN PROGRESS” and “CLOSED” status will be counted as an occurred risk.
313
- **Number of risks that occurred more than once**
314
- Several risks which are linked as duplicates will be counted as risks that occurred more than once.
315
- **Number of risks that were not identified**
316
- Risks with issue type “Unidentified Issue(Risk)” will be counted as not identified risks
317
- **Number of risks never occurred**
318
- An identified risk with the status “NEVER OCCURRED” will be counted as a risk that never occurred.
319
320
### **15. Entry and Exit Criteria**
321
322
- Entry Criteria
323
- Inputs and Start Criteria
324
- Risk Plan
325
- Risk Identification and Analysis
326
- Exit Criteria
327
- Completion Criteria
328
- Follow plan and mitigations
329
330
### **16. Definitions, Acronyms, and Abbreviation**
331
332
| Acronym | Abbreviation |
333
|---------|--------------|
334
| PRRT | Project Risk Review Team |