Risk Management Plan

Organisation TravelSafe

Risk Management Plan

Train SmartPass

Date: 14.12.2020
Doc. Version: 1.0.0

Buse Maria-Alexandra, 343A3

Popa Elena, 343A3

Template version: 3.0.1

This artefact template is aligned with the PM² Guide V3.0
For the latest version of the templates visit:
https://www.pm2alliance.eu/publications

The PM² Alliance is committed to the improvement of the PM² Methodology and of its supporting artefact. Project
management best practices and community contributions & corrections are incorporated in the
PM² Alliance’s artefact templates.
Join the PM² Alliance and visit the PM² Alliance GitHub to provide your feedback & contribution:
https://github.com/pm2alliance
 Risk Management Plan

Document Control Information

Settings Value
Document Title: Risk Management PlanRisk Management Plan
Project Title: Train SmartPass
Document Author: Alexandra Buse, Popa Elena
Project Owner: Popa Elena, Buse Alexandra
Project Manager: Popa Elena, Buse Alexandra
Doc. Version: 1.0.0
Sensitivity: Limited
Date:

Document Approver(s) and Reviewer(s):

NOTE: All Approvers are required. Records of each approver must be maintained. All Reviewers in
the list are considered required unless explicitly listed as Optional.
Name Role Action Date
Popa Elena Review
Buse Alexandra Approve

Document history:
The Document Author is authorized to make the following types of changes to the document
without requiring that the document be re-approved:
 Editorial, formatting, and spelling
 Clarification

To request a change to this document, contact the Document Author or Owner.

Changes to this document are summarized in the following table in reverse chronological order
(latest version first).
Revision Date Created by Short Description of Changes

Configuration Management: Document Location

The latest version of this controlled document is stored in
D:\METHODS\PM2SmartTrainPass\Documents\

Date: 14/12/2020 2 / 16 Doc. Version: 1.0.0

 Risk Management Plan

TABLE OF CONTENTS
1. INTRODUCTION.................................................................................................................................. 4
2. RISK MANAGEMENT OBJECTIVES........................................................................................................ 4
3. RISK MANAGEMENT PROCESS DESCRIPTION......................................................................................4
3.1. Risk Management Roles and Responsibilities...........................................................................................6
4. TOOLS & TECHNIQUES........................................................................................................................ 7
4.1. Risk Log......................................................................................................................................................7
4.2. Risk Likelihood/Impact Matrix...................................................................................................................9
5. RISK IDENTIFICATION ACTIVITIES........................................................................................................ 9
6. RISKS ASSESSMENT APPROACH........................................................................................................ 10
6.1. Escalation.................................................................................................................................................11
7. RISK RESPONSE STRATEGIES............................................................................................................. 11
8. RISK CONTROL ACTIVITIES................................................................................................................ 12
9. RELATED PM² PLANS........................................................................................................................ 13
APPENDIX 1: REFERENCES AND RELATED DOCUMENTS.........................................................................14

Date: 14/12/2020 3 / 16 Doc. Version: 1.0.0

 Risk Management Plan

1. INTRODUCTION
The Risk Management Plan defines and documents the Risk Management Process for a project. It
describes how risks will be identified and assessed, what tools and techniques can be used, what are
the evaluation scales and tolerances, the relevant roles and responsibilities, how often risks need to
be revisited, etc. The Risk Management Plan also defines the risk monitoring and escalation process
as well as the structure of the Risk Log which is used to document and communicate the risks and
their response actions.
The purpose of this document is:
 To outline the risk approach and process to be used for the project;
 To identify the roles and responsibilities related to risk management;
 To specify the methodology, standards, tools and techniques used to support risk
management.

2. RISK MANAGEMENT OBJECTIVES

Risk management brings visibility to risks and accountability as to how they are handled, and
ensures that project risks are proactively dealt with and regularly monitored and controlled.
The main objectives of project risk management are:
 Project risks are identified, assessed, approved and reported throughout the project;
 All major risks are reported to the Steering Layer;
 Risk response strategies are in line with stakeholders' risk appetite and approved risk level
thresholds;
 All risks are monitored and under control;
 Risk response actions are implemented effectively.

1. RISK MANAGEMENT PROCESS DESCRIPTION

The project risk management process defines the activities to identify, assess, prioritise, manage and
control risks that may affect the execution of the project and the achievement of its objectives. This
process is divided into four steps:
Step 1: Risk Identification
The purpose of this step is to facilitate the identification and documentation of risks that can impact
the project objectives.
Various techniques will be used for risk identification which typically focus on past trends or future
exposure, on a bottom-up or a top down analysis.
Some organisations have a Risk Typology that groups various types of risks into categories and it will
be used as reference.
The techniques that will be used for risk identification are documented in section 4. TOOLS &
TECHNIQUES.
Risks are continuously identified throughout the project lifecycle; however, very early during the
Initiating phase, an initial risk list will be created which is thereafter frequently updated. The same
process will be followed both for the creation of the Risk Log as well as for the inclusion of new risks
later in the project.
The Risk Log contains the risks identifier, risk name and short description, the risk category and
owner, as well as strategies, actions and timing which will facilitate the monitor and control aspects
of the project.

Date: 14/12/2020 4 / 16 Doc. Version: 1.0.0

 Risk Management Plan

Step 2: Risk Assessment

The purpose of this step is to assess the likelihood and impact of the identified risks in terms of their
influence to the project objectives. This assessment is necessary before any risk response planning
can be done.
Risks are assessed based on their likelihood of occurrence and the impact in project objectives. The
product of their likelihood and impact defines the Risk Level, which is then used as a reference for
their prioritisation and risk response development.
Depending on the stakeholders' risk appetite, evaluation scales and tolerances will be defined based
on which the most appropriate risk response strategies are chosen.

Step 3: Risk Response Development

The purpose of this step is to select the best risk response strategy and identify and plan the actions
to control the risks.
The selection of the risk response strategy will be based on the results of the risk assessment (risk
level), the type of risk, on the effects on the overall project objectives (e.g. schedule and costs), as
well as on the cost of the strategy and its benefits (cost/benefit analysis). The strategy (or strategies)
selected for each risk are documented in the Risk Log.
There are four strategies to be considered as risk responses: Reduce, Avoid, Transfer, or Accept a
risk. For the risks that have been accepted, contingency plans may be defined to help control their
impact in case they occur.
After the strategy for each risk has been selected, specific actions to implement the strategy will be
defined, described, scheduled and assigned, while a Risk Owner assumes the responsibility for its
implementation.
Actions will detail concrete activities, milestones and deliverables and will be documented in the
Risk Log. Moreover, they will clearly identify the target resolution date, as well as the estimation of
resources involved and dependencies. These actions (at least the most effort/cost consuming ones)
will be incorporated into the Project Work Plan, to have a consolidated view of all project related
activities.

Step 4: Risk Control

The purpose of this step is to monitor and control the implementation of the risk response activities
while continuously monitoring the project environment for new risks or changes (e.g. probability
and/or impact) in the risks already identified.
The Project Follow-up Meetings are used to revise the status of risks and related actions, and to
identify new risks that can impact project milestones, deliverables or objectives. The review of the
Risk Log also appears in the agenda of the Project Review Meetings. Risks will be revised at regular
predetermined intervals, but also after the occurrence of any event that might have a significant
impact on the project environment and hence the project risks. The updating of the Risk Log can
include adding new risks or actions, updating the status of response activities, changing risk levels
based on mitigation actions, changing the assignment of actions, etc.
The Risk Owner will report periodically the status of the risk and any response activities to the
Project Manager (PM).
The Project Manager (PM) will report to the Project Steering Committee (PSC) the status of the
major risks and to other project stakeholders (as per the project's communications plan). If any of
the identified risks occur, then the Project Manager (PM) will ensure the implementation of the
contingency plans and communicate the issue to the Project Steering Committee (PSC).

Date: 14/12/2020 5 / 16 Doc. Version: 1.0.0

 Risk Management Plan

The activities described above are performed by the Project Manager (PM) throughout the project
lifecycle in line with the Risk Management Plan.

Project Initiation

Risk Log
1. Risk Identification

Risk Log
2. Risk Assessment

Risk Log Project

3. Risk Response Development Work
Plan

Risk Log
4. Risk Control Project Reports

Project End

1.1. Risk Management Roles and Responsibilities

The following RASCI table defines the responsibilities of those involved in risk management:
RAM (RASCI) AGB* PSC PO BM UR SP PM PCT

Risk Management Plan I C A C I I R I

Manage Risks I C A S/C C I R C
*AGB: Appropriate Governance Body. <e.g. for IT projects, this is the IT Steering Committee>.

The contact details of each of the above stakeholders are documented in the Project Stakeholder
Matrix.
The Project Manager (PM) is responsible for identifying, assessing, managing and monitoring the
risks of the project, consulting the project team and other stakeholders, when appropriate (e.g.
Project Steering Committee (PSC), Project Owner (PO), Business Manager (BM), Solution Provider
(SP), and User Representatives (UR)). The Project Manager (PM) is also responsible for assigning
resources to the risk management process, with the approval of the Project Owner (PO).
The planning of risk management activities is performed by the Project Manager (PM) and
documented in the Risk Management Plan.
New risks and related actions, as well as changes to identified risks and actions are approved by the
Project Owner (PO) and reported to the Project Steering Committee (PSC), according to the
escalation procedure.

Date: 14/12/2020 6 / 16 Doc. Version: 1.0.0

 Risk Management Plan

Risks and related actions will be escalated to other Governance Bodies, when appropriate. The
Project Steering Committee (PSC) and the other Governance Bodies will validate the identified risks
and actions, and plan other actions, if adequate.

2. TOOLS & TECHNIQUES

The following techniques will be used for risk management:
 Chestionare;
 Analize de piață;
 Brainstorming;
 Workshops;
 Risk checklists;

The following tools will be used for risk management:

 Risk Management Plan;
 Risk Log;
 Risk Likelihood/Impact matrix;

2.1. Risk Log

The Risk Log for the project is using PM2 Risk Log template and no changes have been done to the
structure, fields or values, as following:

Risk Identification and Description

ID 1
Category Oameni

Title Reticența oamenilor

Description Există posibilitatea ca oamenii să fie reticenți când aud de un sistem
de recunoaștere facială. Acestia pot să nu aibă încredere în faptul că
datele lor vor fi în siguranță și pot chiar să decidă faptul că nu vor
folosi mijloacele de transport în comun ce folosesc această soluție

Status Approved
Identified by Avocat
Identification date 15.12.2020
Risk Assessment
Likelihood (L) 4
Impact (I) -5
Risk Level (L*I) 20
Risk owner Person1
Escalation Da
Risk Response
Risk response Strategy Reduce

Date: 14/12/2020 7 / 16 Doc. Version: 1.0.0

 Risk Management Plan

Action details  Baza de date va avea numeroase protocoale de protecție, iar călătorii
(effort & responsible) vor fi informați asupra faptului că datele acestora vor fi stocate doar
pentru o perioadă limitată
Target date 20.01.2021

Risk Identification and Description

ID 2
Category External

Title Supra-aglomerare
Description Supra-aglomerarea trenurilor poate duce la funcționarea eronată a
softului de recunoaștere facială

Status Approved
Identified by Person2
Identification date 03.12.2020
Risk Assessment
Likelihood (L) 5 - Medium

Impact (I) -5 - High

Risk Level (L*I) 25

Risk owner Person2
Escalation Yes
Risk Response
Risk response Strategy Avoid

Action details  În momentul în care cererea pentru o destinație este mare, se vor
(effort & responsible) adăuga vagoane suplimentare, nu se vor mai vinde bilete în picioare
Target date 23.03.2021

Risk Identification and Description

ID 3
Category People

Title Distrugere echipament

Description Anumiti calatori teribiliști, pot distruge în mod intenționat
echipamentul pentru a reusi sa calatorească fără bilet

Status Waiting for approval

Identified by Person3

Date: 14/12/2020 8 / 16 Doc. Version: 1.0.0

 Risk Management Plan

Identification date 16.12.2020

Risk Assessment
Likelihood (L) 2-Low

Impact (I) 2-Low

Risk Level (L*I) 4

Risk owner Owner
Escalation Yes
Risk Response
Risk response Strategy Reduce
Action details  Implementarea unui sistem de alarmă în cazul în care un sistem s-a
(effort & responsible) defectat concomitent cu reținerea imaginilor captate înainte de
defectare pentru a putea identifica motivul defecțiunii
Target date 03.04.2021

Risk Identification and Description

ID 4
Category Oameni

Title Lipsă pregătire

Description Există riscul ca cei din echipă să nu fie suficienți de pregătiți din punct
de vedere tehnic pentru a implementa soluția, ceea ce va duce la
multe probleme
Status Assessing
Identified by Person4
Identification date 14.12.2020
Risk Assessment
Likelihood (L) 3
Impact (I) 3
Risk Level (L*I) 9
Risk owner Owner4
Escalation No
Risk Response
Risk response Strategy Reduce

Action details  Realizarea unei selecții căt mai atente a celor care vor implementa
(effort & responsible) soluția tehnică pentru a ne asigura că aceștia au cunoștințele
necesare, urmată de facilitarea de trainning-uri pentru anumite cazuri
Target date 12.01.2021

Risk Identification and Description

Date: 14/12/2020 9 / 16 Doc. Version: 1.0.0

 Risk Management Plan

ID 5
Category Oameni

Title Solutie greu de folosit de catre cei varstnici

Description Majoritatea persoanelor in varsta nu detin un dispozitiv cu camera
foto si astfel nu isi vor putea rezerva un loc in tren, de acasa. Pentru
acestia exista robotii din gari, dar exista posibilitatea ca acestia sa nu
se descurce sa ii foloseasca

Status Approved

Identified by Person5
Identification date 13.12.2020
Risk Assessment
Likelihood (L) 4
Impact (I) 4
Risk Level (L*I) 16
Risk owner Owner5
Escalation No
Risk Response
Risk response Strategy Accept

Action details  Va exista personal angajat in fiecare gara din tara, cu scopul de a-i
(effort & responsible) ajuta pe cei care au nevoie sa isi rezerve locul in tren. De asemenea,
procesul de rezervare va fi facut cat mai intuitiv posibil.
Target date 12.01.2021

Risk Identification and Description

ID 6
Category Echipamente hardware

Title Intarziere echipamente hardware

Description Exista posibilitatea ca echipamentele hardware necesare (roboti/
camera de supraveghere) sa nu fie livrate la timp.

Status Approved

Identified by Person6
Identification date 11.12.2020
Risk Assessment
Likelihood (L) 3
Impact (I) 4
Risk Level (L*I) 12
Risk owner Owner6
Escalation Yes

Date: 14/12/2020 10 / 16 Doc. Version: 1.0.0

 Risk Management Plan

Risk Response
Risk response Strategy Avoid

Action details  Daca dupa o saptamana de la trimiterea comenzii, echipamentul nu a

(effort & responsible) fost livrat, se va recurge la anularea comenzii si cautarea unui alt
distribuitor.
Target date

Risk Identification and Description

ID 7
Category Buget

Title Depășiri de costuri

Description Exista posibilitatea ca din cauza echipamentelor, din cauza
întârzierilor sau din alte motive să se depășească bugetul stabilit
inițial
Status Approved

Identified by Person7
Identification date 11.12.2020
Risk Assessment
Likelihood (L) 3
Impact (I) 4
Risk Level (L*I) 12
Risk owner Owner7
Escalation Yes
Risk Response
Risk response Strategy Avoid

Action details  Bugetul proiectului va fi realizat intr-un mod cat mai corect si atent.
(effort & responsible) Se vor lua in calcul toate costurile extra cauzate de scumpiri ale
echipamentelor, de întârzieri, defecțiuni tehnice sau angajați
indisponibili din diferite motive (concedii medicale, etc)
Target date 03.01.2021

The location of this artefact is found in the Appendix 1.

Date: 14/12/2020 11 / 16 Doc. Version: 1.0.0

 Risk Management Plan

2.2. Risk Likelihood/Impact Matrix

This project is using the PM2 Risk Likelihood/Impact Matrix, as following:
The risk level will be calculated by the product of likelihood and impact in the following way:
Impact

1=Very low 2=Low 3=Medium 4=High 5=Very high

5=Very high 5 10 15 20 Supra-

aglomerare=25
4=High 4 8 12 Solutie greu Reticența = 20
de folosit
pentru
Likelihood

varstnici=16
3=Medium 3 Incompatibilitate=6 Lipsă Intarziere 15
pregătire=9 echipamente,
Depasiri
costuri = 12
2=Low 2 Distrugere=4 6 8 10

1=Very low 1 2 3 4 5
Legend:

Risks can be accepted, contingency plans may be developed.

Risks cannot be accepted, a risk response strategy should be developed (avoid, reduce, transfer/ share)

Unacceptable – immediate risk reduction or avoidance response

Risk appetite

Figure 1: Risk Likelihood/Impact matrix.

3. RISK IDENTIFICATION ACTIVITIES

The purpose of this section is to describe the specific risk identification activities and tools that will
be used for this project.
Initial risk identification was first performed when preparing the project's Business Case (for high
level business risks) and then again in the Project Charter (for high level project risks). So, these are
the starting points of this step.
The identification of risks resulted from: desk reviews, interviews, project team brainstorming, PSC
meetings, feedback of the users' workshops, questionnaires, risk checklist analysis, and assumptions
analysis.
The following risk categories have been included in the risk identification analysis, considering the
type of the project:
 Business: related to policy decisions, strategy and business processes and services;
 IT: related to infrastructure, system development, security, business continuity and
availability of IT services;
 People and organisation: related to project staffing, competences and coordination
between teams;
 External: related to outsourced activities, external partners and macro environment;
 Legal: related to laws, regulations and rules;

Date: 14/12/2020 12 / 16 Doc. Version: 1.0.0

 Risk Management Plan

 Communication and Information: related to communication methods and channels and to

the quality and timeliness of information.
The PM2 Risk Log is the tool used to register and update risks and related risk management actions.

4. RISKS ASSESSMENT APPROACH

The purpose of this section is to describe the specific risk assessment activities and tools that will be
used for this project.
The project will use the Risk Likelihood/Impact Matrix referred in section 4.2. The Risk
Likelihood/Impact Matrix represents the different combinations of likelihood and impact of project
risks on a scale from 1 to 5 and defines risk levels that suggest risk response strategies.
Risk level scale details:
Likelihood:
 Very low: less than 5% change of occurrence;
 Low: between 5% to 10% chance of occurrence;
 Medium: between 10% to 25% chance of occurrence;
 High: between 25% to 50% chance of occurrence;
 Very high: more than 50% chance of occurrence.
Impact:
 Very low: less than 1% of project budget affected, or/and other project baselines are nearly
not impacted, or/and few individuals affected (only internal to project team), or/and no
reputational impact or/and easy and quick capacity to react and resolve the issue.
 Low: 1% to 2% of project budget affected, or/and low impact in other project baselines,
or/and only one milestone affected, or/and projects stakeholders may be affected, or/and
reputational impact in the organisation or unit or/and sufficient project competencies to
resolve the issue (if risk occurs).
 Medium: 2% to 5% of project budget affected, or/and medium impact in other project
baselines, or/and one or more milestones affected, or/and projects stakeholders will be to
some extent affected, or/and project objectives may be affected, or/and reputational
impact amongst technical staff in other organisations or units, or/and formal complaints,
or/and limited project competencies to resolve the issue (if risk occurs).
 High: 5% to 10% of project budget affected, or/and high impact in other project baselines,
or/and several milestones affected, or/and projects stakeholders will be
affected/concerned, or/and project objectives will be affected, or/and reputational impact
in several organisations or units, or/and formal and legal complaints, or/and insufficient
project internal competencies to resolve the issue (if risk occurs).
 Very high: more than 10% of project budget affected, or/and very high impact in other
project baselines, or/and several milestones affected, or/and projects stakeholders will be
very affected/concerned, or/and the overall project will be affected, or/and external
reputational impact, or/and significant formal and legal complaints, or/and external
competencies are needed to address the issue (if risk occurs).
Risk levels thresholds:
 Green: risk level <=2;
 Yellow: risk level >=3 and <=16;
 Red: risk level >=20.
The Project Steering Committee approved / stated that the project risk appetite is limited to risk
level <=2, likelihood <10% and potential losses < x€.

Date: 14/12/2020 13 / 16 Doc. Version: 1.0.0

 Risk Management Plan

4.1. Escalation
The risk escalation:
 All new risks, proposed risk response strategies and proposed actions are approved by the
Managing Layer, if the risk level is< 2;
 If the risk level is>= 3 and <16, new risks, proposed risk response strategies and proposed
actions are approved by the Project Owner (PO);
 If the risk level is>= 20, new risks, proposed risk response strategies and proposed actions
are approved by the Project Steering Committee;
 Depending on the risk category, higher risks (risk level is>= 20) will be reported to:
o E.g. an IT Governance Committee: risks related to IT;
o Management meetings: risks related to business domains and that have dependencies
with other projects or departments / organisations or units;
o Vendors meetings: risks related to outsourced activities are discussed with vendors and
agreed upon necessary actions;

5. RISK RESPONSE STRATEGIES

The purpose of this section is to define the available risk response strategies to be used for this
project.
The risk response actions are documented and updated in the PM 2 Risk Log throughout the project
lifecycle (and then incorporated in the Project Work Plan) and revisited at least, in the weekly Project
Follow-up Meeting.
The possible risk response strategies are:
 Avoid: risk avoidance, working the project or project plan around those conditions or
activities which introduce the risk;
 Reduce: risk mitigation or reduction through the proactive implementation of risk reduction
activities;
 Accept: acceptance of the risk (the impact/loss is accepted if the risk occurs). When
accepting risks, there are two possible reactions:
o Acceptance of the risk and no special action required, except continue to monitor
the risk (passive acceptance);
o Accept and develop contingency plans in case the risk occurs (active acceptance).
 Transfer/Share: transfer a risk to, or share a risk with other entities, e.g. through
insurances, sub-contracting, partnering etc.
The following table describes the risk response approach for this project:
Scenario Risk Response Strategy
Very high impact and high or very high likelihood or Avoid or implement an immediate
high or very high impact and very high likelihood. reduction
Very high impact and very low likelihood. Avoid/Reduce
All other risk levels. Reduce
Low or very low likelihood and very low impact or Accept
very low likelihood and low impact.

6. RISK CONTROL ACTIVITIES

The purpose of this section is to define the activities performed for monitoring and controlling risks,
as well as their frequency.

Date: 14/12/2020 14 / 16 Doc. Version: 1.0.0

 Risk Management Plan

The Project Manager (PM) monitors and controls risks based on Project Follow-up Meetings or on
information received from other project stakeholders, in result of:
 Identification of new risks by the Project Core Team (PCT) or by other project stakeholders,
in consequence of changes in the project environment;
 New proposed ways to deal with a risk (adding/changing actions);
 Implementation of any of the given actions or on general events or developments that will
change the values for likelihood and/or impact of the identified risks;
 Other changes.
Frequency of Revisiting the Risk Log: The PM2 Risk Log is updated at least once a week, after the
Project Follow-up Meetings, by the Project Manager (PM).
Additionally, before each Project Steering Committee (PSC), there is a procedure in place to collect
the status of each risk and action and the comments related to the effectiveness, quantification of
resources spent, difficulties, potential problems and dependencies of the actions. This information is
consolidated and updated in the Risk Log, and presented to the PSC. The project review planned at
the end of each milestone also includes a deep review of the Risk Log.
The Risk Communication activities are part of the project Communications Management Plan.
The communication items identified are:
 Collection of new risks or changes to risks/actions in the weekly Project Follow-up Meeting;
 Report of risks (risk level>=3) and related actions status in the monthly meeting of the
Project Steering Committee (PSC);
 Request of risk or action approval to the Project Owner (PO) or to the Project Steering
Committee (PSC) (risks with a risk level >=10);
 Report risks list in the yearly Project Progress Report;
 Communication of the risks that have turned into issues (had occurred) in the monthly PSC
meeting.

Date: 14/12/2020 15 / 16 Doc. Version: 1.0.0

 Risk Management Plan

7. RELATED PM² PLANS

Communications Management Plan
The Communications Management Plan helps to ensure that all project stakeholders have the
information they need to perform their roles throughout the project. It defines and documents the
communication items content, format, frequency, the audience and expected results. The location of
this artefact is referred in the Appendix 1.

APPENDIX 1: REFERENCES AND RELATED DOCUMENTS

ID Reference or Related Document Source or Link/Location

1 Communications_Management_Plan.1 D:\METHODS\PM2SmartTrainPass\Documents\
3-01-2021.V.1.0.docx

Date: 14/12/2020 16 / 16 Doc. Version: 1.0.0