If you determine that a risk is important enough to list then you also need to have a predetermined method in place to handle it if it really does turn into a issue.
Risk: During the term of the project, we will be in negotiations with our labor union. If negotiations break down there is a good likelihood that we will lose 15% of our resources as those people are union workers and could likely strike.
Mitigation Plan:Should this risk be realized, we will contact our first three temp personnel agents and contract outside help. In the mean time the rest of the project members will be expected to work additional hours.
Contingency Plan: The catalyst for this risk will most likely be an unrest among the unionized workers, so if productivity drops off sharply and negotiation appear to be going bad, then the project deadlines be reevaluated in order to accommodate the loss of work and the training period for any temporary help as effected by the Mitigation Plan.
This is one example, more then likely a project will have risks which pertain to the application development itself, like the computer supplier may be unable to produce enough product to meet our goals. Or The objects chosen for the main interface screen do not work as advertised so we will have to develop our own custom objects.
All risks need a contingency plan in case they become real, whereas a Mitigation Plan as for how to neutralize the issue is also a needed piece of the action.
Having said this, I do not believe that risk assessment is normally part of a test plan, but is usually part of the project managers agenda. I could be wrong, but I know we do not have it in our test plan. We do list risks but that is all.
Success is the ability to go from one failure to another with no loss of enthusiasm.
~ Winston Churchill ~
Rich, I agree in the perfect world the risk assessment should be the project managers responsibility, but you should also no that the risk mitigation according to the project managers is to reduce the testing phase, as this "only costs time and money". Therefore I would always have a risk risk assessment in my testplans, to point out the risks if the time reserved to test is reduced and not all testcases are executed.
Therefore risk assessment, mitigation and test case prioritisation go hand-in-hand!