What is a Risk Management Plan?
The risk management plan defines how risk will be managed on this project — methodology, roles, categories (the RBS), probability/impact scales and the matrix, thresholds, reporting cadence, and reserve protocols. It contains no actual risks; those live in the register. Plan = the rules of the game; register = the players.
Its highest-value clause is the calibrated scales: when "high impact" is defined in dollars and days, two analysts scoring the same risk agree — and the whole downstream analysis stops being astrology.
Worked example
Before the first risk workshop, a program writes its plan: five-point scales ("major" = $1–5M or 1–3 months), risks over $5M escalate within 48 hours, register reviewed fortnightly, contingency drawn only against registered risks with sponsor sign-off. Six months later, an auditor asks why a $2M risk wasn't escalated to the board — and the plan answers: it didn't cross the written threshold. Rules first, arguments never.