Designing a Risk Register
Project risk management is a hot topic here: it seems like every week there’s a world event or shift in the markets that could disrupt (or benefit) projects across a range of industries.
The core of all risk management across your organization is to have a robust risk register. But how do you create one?
Spoiler alert: The easiest way to create a project risk register is to use enterprise project management tools with built-in risk management features. That will save you the job of creating your own risk registers that are not integrated with your main project management tools.
What is a risk register?
A risk register is simply a log of all risks facing a project. At program and portfolio level, it is a log of all risks facing the program and portfolio. You can have risk registers at any level, in fact, including enterprise-wide registers.
The risk register is a dynamic document. It is created at project initiation, drawing on the main risks highlighted in the business case or project proposal. It’s kept up to date throughout the project as new risks are identified, risk management actions are completed and risks expire or are closed.
A risk management workshop will help the project team identify risks at the current point in the project. Workshops are helpful because they ensure a wide range of stakeholders has the opportunity to contribute to the risk data. Information from the workshop is then recorded in the risk register.
The design principles for your risk register should include:
- It has to be easy to use
- It has to be accessible by the right people
- It has to provide data in a format that helps decision making.
What’s the purpose of a risk register?
The risk register is an agreed record of the project risks at any given moment, along with the tasks being undertaken to manage those risks.
The risk register facilitates ownership of all risks. It ensures someone is taking responsibility for the management of associated actions. Whether the action is ‘do nothing’ and simply have a watching brief over the task, or to undertake detailed steps to mitigate the risk, someone has to be in overall control for that risk. They should be reporting progress on their actions back to the project manager, so that at a project level there can be confidence that risks are being adequately managed.
Tip: As a project manager, avoid taking responsibility for all the risk management actions. Ideally, these should be managed by subject matter experts who can report back.
Remember, risks can have a positive or negative affect on the project, so risk management actions could either be to enhance the risk should it happen, or to minimize the impact.
What goes into a risk register?
When designing your risk register, you should include the following elements:
- A unique identifier for the risk, typically a number or other short reference
- A title for the risk
- A description of the risk
- The results of the risk assessment and any Monte Carlo analysis
- The areas of the business or operations affected
- A categorization or classification for the risk (learn the 5 ways to classify risk)
- The action plan proposed and approved to manage the risk, along with updates tracking those actions have been undertaken as expected
- The dates the risk was opened and closed.
Most software for risk management will have these fields already created and ready for you to populate. You may also be able to create new fields to use to capture any information particularly relevant to your situation and not covered by the existing template.
What format to use?
Risk registers can take any format, as long as they cover the core data elements required and are accessible to the team who needs to use them. The two most common formats for risk register are spreadsheets and risk management software.
A spreadsheet is simple to set up and relatively easy to maintain. However, risk management software has the advantage that you lock down permissions. Access controls make it possible for only the appropriate people to go in and make changes. You could allow the project manager access to all records, and risk owners access to change their own records – but no one else can go into the risk data and amend it.
Risk management software also benefits from being easier to use for analysis. The data is typically stored in database tables behind the scenes so you can display the risk information in a number of ways. It can be easier to manipulate data and show, for example, number of risks per category. If you have many projects using the software, you could also aggregate risks across a number of projects to see the risk portfolio at a higher level.
The benefits of using the risk management features in enterprise project management software become quickly apparent if you want to aggregate risks from all projects, programs and portfolios to assess the risk profile of the enterprise.
You can still do that type of data analysis using the data from your risk spreadsheet, but it’s time consuming and requires data management skills that perhaps your project team do not have.
A risk management checkup can clarify if you could be using your software more efficiently and give you tips on how to improve the quality of your risk register.
The risk management process on projects, programs, at portfolio level and across your whole enterprise should be seen as a value-add service. The better prepared you are for what might happen, the easier it is to shift and pivot when challenges arise. A robust approach to risk management across the organization will help improve decision making and support successful project delivery.