The Risk Register

Specific People
Mar 17, 2017


The risk register is the document used to manage the project risks; other names for it are risk log or risk schedule. The project risk register is managed by the Project Manager but should be used by the project team members and stakeholders. A classic example of a risk register is shown below:

The ‘all-too-familiar’ risk register

An explanation of the elements in the risk register:

Risk number: A sequential number for referencing the risk

Date identified: The date the risk was identified and entered onto the risk register. This date is important as it gives a sense of how long the risk has been known to the project and can indicate whether the mitigating actions are being progressed too slowly.

Identified by: The person who first identified the risk. The Project Manager should feed back progress on the risk to the individual who identified it, to demonstrate that the risk is being managed.

Details of risk and the potential outcome: A description of the item at risk and what could potentially happen if the risk isn’t managed. A succinct definition can usually be provided in one sentence.

If the item could generate several risks then it is best to split these out, as the mitigating actions will probably be different and managed by more than one person.

Risk rating: The severity of the risk is calculated using the following formula:

Risk rating = Probability of the risk occurring * impact of the risk

Valuing risks in this way highlights the importance of each risk, so that attention can be focused on the higher rated risks. For example, using the simple scale of 1 to 5 for both probability and impact results in the following possible risk ratings:

Whilst the numbers chosen for the probability and the impact may be arbitrary and subject to individual preference, what matters is the relative values of the risks, so that the project can concentrate on the significant (higher value) risks.

Mitigating actions: This is the area of the risk register where the action plans that will tackle the risk are defined. The actions should be clear and understandable. Each action must be allocated to an individual and have a date when it is expected to be completed. These last 2 characteristics (person and date) are then separated out into the remaining fields in the risk register to allow them to be reported on.

What other items may be used with a risk register?

The risk register shown above is well suited to most business projects. However, some businesses may add the following items:

£value — to quantify the risk impact in financial terms to help with prioritising. It also helps when a risk is ‘monetised’ to see the genuine impact it can have on the financial performance of the business and this will get the attention of the Exec.

Materiality — for projects with many high risks, materiality can be used as a way of highlighting the important significant risks or those that need immediate attention

Guidance on ratings can be provided to ensure that comparisons of risks on different projects are equitable. This guidance can be tailored to reflect the particular nature or scale of the business; for example, the number of depots impacted could act as an accelerator on the risk impact. A medium impact risk (value=3) that had a high probability (value=5) would ordinarily attract a risk rating of 15, but when the additional factor of 4 depots is applied it takes the rating to 60. Other comparative measures could reflect the relative importance of departments impacted, say, 5 for production and 2 for HR and Finance.

Conditional formatting can be used to show which of the risk actions are imminent, today or overdue — this formatting is applied to the Action date field.
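The fields, rating formula, depot accelerator and action-date formatting described above can be combined in a small script; this is an added example, not part of the original post. The names `Risk`, `report`, `IMMINENT_DAYS`, the 7-day "imminent" window, the "scheduled" label and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

IMMINENT_DAYS = 7  # assumption: the post does not define "imminent"

@dataclass
class Risk:
    number: int
    identified: date
    identified_by: str
    details: str
    probability: int      # 1 to 5 scale
    impact: int           # 1 to 5 scale
    action: str
    owner: str
    action_date: date
    accelerator: int = 1  # e.g. number of depots impacted

    def __post_init__(self):
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact use the 1 to 5 scale")

    @property
    def rating(self) -> int:
        # Risk rating = probability * impact, scaled by any accelerator
        return self.probability * self.impact * self.accelerator

    def action_status(self, today: date) -> str:
        days_left = (self.action_date - today).days
        if days_left < 0:
            return "overdue"
        if days_left == 0:
            return "today"
        return "imminent" if days_left <= IMMINENT_DAYS else "scheduled"

def report(register, today):
    """Highest-rated risks first, each with its action-date status."""
    ordered = sorted(register, key=lambda r: r.rating, reverse=True)
    return [(r.number, r.rating, r.action_status(today)) for r in ordered]

# Constructed sample register (not data from the post)
TODAY = date(2017, 3, 17)
REGISTER = [
    Risk(1, date(2017, 1, 9), "Analyst", "Supplier delay slips go-live", 5, 3, "Agree fallback supplier", "PM", date(2017, 3, 10), accelerator=4),
    Risk(2, date(2017, 2, 1), "Tester", "Test data not ready", 2, 5, "Build data set", "QA lead", date(2017, 3, 17)),
    Risk(3, date(2017, 2, 20), "Sponsor", "Key trainer unavailable", 4, 4, "Book backup trainer", "HR", date(2017, 3, 21)),
    Risk(4, date(2017, 3, 1), "PM", "Minor licence overspend", 1, 2, "Review licence count", "Finance", date(2017, 5, 1)),
]

if __name__ == "__main__":
    print(report(REGISTER, TODAY))
```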
