6 The key components of an RMP
Context and Scope: In many cases, the scope of the activities needing risk management will be broadly defined by something else – a project plan, a set of objectives for a team, or the work of an entire business. In any of these cases, it is still worth referencing the scope of the activities in the RMP, just so it is clear. In doing so, you may also need to consider:
- Is there a budget for these activities? If so, what does the budget cover?
- What activities are you responsible for?
- What decisions do you have the authority to make (and which are outside your authority)?
- What is not included?
At this point it may help to visualise a governance structure, or a work breakdown structure.
Table 1 Key components of an RMP
|Component|Description|
|---|---|
|Roles and responsibilities|Who is accountable for risk management and are there any delegations of this accountability?|
|Risk reviews|How will they be carried out? When will risk reviews happen? Who is part of them? How will the output of them be communicated and to whom? Beyond that, levels depend on the size and complexity of the business or function.|
|Risk scoring scheme|The units of measurement and ‘graduations’ (these are, in effect, gradations of severity of a risk) by which risks will be measured and categorised. This is often referred to as a risk matrix or a Probability and Impact Diagram (PID). These concepts will be explored in greater detail in Session 4.|
|Communication and reporting|Understanding the organisational structure within the relevant business area is key to locating superseding RMPs and risk registers, which you will need for escalations. But it is not just a matter of locating the superseding RMPs: it is also crucial to examine them and, in particular, to identify what level of risk triggers an escalation of a risk management issue to these superseding RMPs.|
|Other logistical considerations|The RMP states where your risk register will be located.|
While this may seem like a lot of information, in reality for many areas much of the work is defined once in the organisation's RMP and reused within the organisation. This is because the risk requirements flow down from the centre of the organisation to business units and functions, and from business units to sub-business units and projects, with lower levels expected to comply with the requirements set out in the higher-level documents. As a result, typically only those things that are different need to be described, so the RMPs are often quick and easy to prepare. For example, consider the RMP example below.