What does risk reporting look like in your business? It’s a simple question with a challenging answer: Risk reporting looks like whatever you need it to look like in order to get the required action and visibility.
This sounds vague but it’s actually a good thing: you can tailor your risk reporting approach to make sure it is fit for purpose and effective for what you need within your team or business.
There are several things to consider with risk reporting.
What frequency of reports do you need?
Most businesses start out with having on demand risk reporting. In other words, whenever there’s a meeting planned where risk is likely to be on the agenda, the meeting organizer will as the Project Management Office for a risk report. This could be, for example, in the week prior to a board meeting.
This is a good start, but your aim should be for risk to be included as a non-negotiable in the reports that the PMO produce. Seeing risk discussed in portfolio meetings should become second-nature for the execs around the table, and it should start to feel like a natural part of the reporting pack they expect to see. You can start to shift in this direction by including risk reporting in PMO regular reports.
What goes into the risk reports?
The answer is, as with so many things in project management: it depends!
It’s largely driven by the audience. A risk report going to the board would need portfolio level risks explained with an overview of total risk exposure for the business. A report produced for a program manager would need major risks by project. At project level, you’d want to see something more granular, probably focusing on risk owner per risk, management plans and current status.
It’s a good idea to prepare some standard risk report templates so that you can quickly pull together reporting at the required level of detail. These can evolve over time as your audience becomes more used to looking at the information.
The Risk Reporting Process
When you start out, risk reporting is likely to be manual. Ideally, you’ll want to move away from that situation as quickly as possible. Manual collation of spreadsheets from various project and program managers is not a good use of your team’s time. Look for software tools that will allow you to consolidate and export the right data as quickly as possible.
You may still have to tweak or present the information in the format agreed by your exec team, or the recipients of the reports, but at least you won’t have to manual produce the data. This should also help address errors in the data as it takes out the manual intervention.
Longer term, try to standardize reporting packs so that they can be automatically generated by your risk management tools with just a few clicks. This will make your data much timelier and therefore valuable to the people trying to use it.
Improving Data Quality
Risk reports will soon be discarded if readers find out that the data is inaccurate or out of date. One of your goals should be to ensure that the data presented is as accurate as possible, and prepared as quickly as possible to avoid the situation changing before the report gets to the right person.
Work with your project delivery teams to ensure data is captured as soon as possible and updated on a regular basis. When training staff on your project management methodology, make it clear what’s expected with regards to updating the risk register. As a minimum, this should be weekly when action has been taken, so that the downstream reporting can stay as up to date as possible.
Data quality can also be improved by moving away from narrative and towards methods of reporting that incorporate statistics and modelling. This can provide valuable standardization in the way risks are categorized, analyzed and talked about.
The narrative around the risk will always be useful for understanding the background and context, but it is limited in use when it’s the only data point provided in reports.
Tips for Risk Reporting
You’ll have to decide on the best format for risk reporting within your business, but here are some tips to help you finalize how you want your reports to be presented.
- Include graphics. Risk data can be dry – it’s not the most engaging of topics for senior management at the best of times, so don’t make it worse with unappealing lists of statistics. Use graphs, tables and charts as much as possible so that your data presentation is interesting and clear.
- Consider including risk trends. If you have this information, and you feel the management team would do something practical with it, then by all means include trends for risks across the portfolio. It isn’t something that adds a lot of value at a project level but for PMO reports it could be worth including.
- Provide guidance notes. These shouldn’t be onerous, but you should be conscious that some report recipients won’t be familiar with the notation or layout. Make it all as clear as possible with easy-to-understand headings. If you need to add extra information about what something means or why it is included, do so in the form of notes.
- Create a standard slide deck or presentation pack. The more you can standardize, the easier it is each time you need to report on risk. You can always shake up the report template over time to ensure it stays useful and informative, taking on board feedback from the recipients.
Risk reporting done well can make a huge difference to the fast adoption of a risk management culture within an organization. Done poorly, it will prompt managers to ask why they are investing time and money into building risk management approaches. Reporting should be valuable to the individuals receiving the information, and not too onerous for the people producing it. When those two things align, you’ll have a powerful formula for creating perfect risk reports that drive awareness and action.