A risk register is a project management and risk management tool. It is used to spot potential risks associated with a project or organization, occasionally to meet regulatory requirements, but usually to stay on top of concerns that could derail desired goals.
While the risk register is primarily used during project execution, it is also a component of your planning phase, which project managers must consider throughout the planning phase. In addition, it is never too early to begin considering risk assessments in your project. As a result, having a project risk register on hand and available is critical for risk management.
While the risk register is primarily used during the project's execution, it is also a risk management tool that must be considered during the phase. It is never too early to start considering risk in your project. As a result, having a risk register on hand and available is critical in risk management.
The project risk register contains all information about each detected risk, including its nature, level of impact risk, who owns it, and the risk response mitigation mechanisms in place to address it.
You will never be able to accurately predict every likelihood of occurrence that could happen in a project. Still, by performing your due diligence, you will be able to put in place a risk management plan that allows you to respond fast before project risks turn into genuine issues that ruin the entire project.
Any project plan should include a risk log to document project hazards, whether in the form of a simple spreadsheet or as part of a more complex project management software solution. Risk is inevitable in everything and managing a project with many moving elements is no exception.
Purpose of a Project Risk Register
A risk register's goal in project management is to keep track of all hazards that have been discovered and their evaluation and plans for dealing with them.
It is a log that lists risks, their severity, and the activities and steps that must be followed to reduce the risk. Project managers can use the risk register data as a management tool to keep track of the project's risk management operations. The project manager's job is to guarantee that the risk register is reviewed as needed. The project control function is normally in charge of updating the risk registers.
If you understand risk management, you will understand that the next step in risk management is to work strategically to control the potential difficulties most prone to occur when managing a project.
As a result, you should have a risk analysis system in place to collect prospective risks and then draw out a plan to manage those risks and get the project back on track if they materialize.
Components of a Risk Register
Depending on the company and the project, risk registers may differ. Most risk register templates, on the other hand, have the following aspects in common:
• A name or ID number that can be used to identify a danger.
• A clear summary of the danger is provided in the risk description.
• Risk breakdown structure: A risk breakdown structure is a table that allows you to categorize and identify all your project hazards. Schedule, money, technical, and external hazards are just a few of the risk categories that might affect a project.
• Risk analysis is used to estimate the likelihood and consequence of the risk. Qualitative risk analysis and quantitative risk analysis are both viable options.
• Danger probability: You must calculate the probability of each risk and provide a qualitative or quantitative value to it. Risk priority is established by assigning each risk a risk score, which is calculated by multiplying the risk impact and likelihood values. You will need to prioritize risks with the highest impact and probability if you are utilizing qualitative measurements.
• Risk response: To limit the impact of each risk on your project, you will need a risk response for each one. A risk response strategy also documents those risk responses.
Risk Management Process
Risk identification is the first stage in the risk management process. Of course, each project is unique, but for businesses that conduct similar projects year after year, historical data may be available to detect common risk categories for those projects accurately.
Furthermore, some project risks can be predicted based on market forces (for example, supply and demand hazards), common project management challenges, or even the weather.
You will need project management software to put your risk register into action once you have identified and tracked risk incidents. Then, as your team is working to resolve the risks, the Project Manager provides Kanban boards and Gantt charts to show the workflow. As a result, project managers gain visibility into the risk management process while empowering their teams to manage their backlogs and sprint planning.
Gather information about the project's risks.
Collecting the potential hazards that may arise when working on a project necessitates a systematic strategy to ensure thoroughness. A project risk register is a tool that can monitor that risk if it arises and analyze the steps you have taken to address it.
When you record these risks on a risk log spreadsheet or in your project management software, you have a location to put all this information and track the specific risk event throughout the project. This lets you see if the risk response efforts you have implemented to mitigate the risk are effective. As a result, a risk monitoring record keeps project hazards on close watch so that they do not derail your project.
Make a list of the project's risks.
The use of a risk register to document project hazards is critical to project success. It allows you a specific location to identify risks, track their history (from when they first appeared to when they were fully resolved), and even assign the risk to the worker who noticed it and is responsible for its management. In addition, you may keep track of the risk score, how probable the risk is to affect the project and much more on the risk log.
Keep an eye on the project's risks.
You can allocate risks to your team members in your project risk register, as previously indicated. That individual is then in charge of monitoring the risk and directing any risk response steps necessary to lessen the effect of the risk event or address it if it has become a problem.
By noting this procedure in a project risk register, you will be less prone to losing track of project risks during the duration of a busy project, ensuring that risks do not grow into real concerns that threaten the project's finance or schedule, jeopardizing the success of any project.
Resolve the Hazards
Finally, you can close the project risk once it has been resolved. There is nothing quite like crossing a danger of your risk record as no longer a project issue. Furthermore, if the risk event has been resolved, you do not want to waste resources on a problem that no longer exists. It simply gives you greater control over your risk management strategy and allows you to communicate more effectively with your key stakeholders.
How to Create a Risk Register
Let us go over the processes for creating a risk register so you can get the most out of the risk management tool.
1. Create a risk management plan to define your approach.
The first step in developing a risk management strategy is defining how you and your team will identify, analyze, and prioritize risk. The following questions should be addressed:
• How are we going to recognize project risks?
• What methods will we employ to assess those dangers?
• How will we determine what to do if a threat materializes?
• What is the risk event's communication strategy?
• Which project should stakeholders be informed about project risks?
You should also figure out how you will communicate risk to important stakeholders and how you will respond to risk when it arises.
It is important to note that this is the stage in the process where you should identify the project's main stakeholders and assess their risk tolerance.
A project manager's risk management approach should be tailored to the risk tolerance of the project's stakeholders, just as an investment advisor's investment strategy should be modified to their client's risk tolerance.
2. Create your risk register using your risk management strategy.
You will use that process to construct a risk register for the project you are working on once you have answered all the above questions, created a risk strategy, and documented it in your risk management plan.
While being thorough while building your risk register is crucial, it is good to know that perfection can often be the enemy of progress. Therefore, project managers approach risk work as an ongoing, iterative process rather than something that must be checked off a checklist before a project can begin.
You cannot just take a risk register, and then forget about it. It is something you actively manage and change as your project progresses. This allows you to remain flexible while still allowing the project to get started. If you treat your risk register like a checklist that must be completed before the project can begin, you will be conducting risk work indefinitely, and the project will never be completed.
3. Recognize risk events and their potential consequences.
The next stage is to begin defining risk occurrences for your project, which will serve as the foundation for the risk register.
Consider the following questions: What are the risks? 'Well, we might miss a date, and that's a risk,' others might remark. But that is not truly a risk. That is the effect of risk. So, what makes you think we will forget the date? What is the source of that effect? It is possible to prevent a risk occurrence from becoming an issue if you can figure out what is causing it.
It is critical to consider potential risks and the impact such risks may have on the project.
It is also a good idea to go over your list of potential risks with other team members, relevant parties, key suppliers and customers, and even subject matter experts who are not on your team at this point. Each of these people will offer their distinct perspective on the task of finding risk, ensuring that you have not overlooked anything that could have an impact on your project.
4. Assess, prioritize, and allocate risk.
After you have compiled a comprehensive list of all the hazards related to your project, the following step is to examine them.
Risk can be analyzed in several ways, both subjectively and quantitatively. For many businesses, qualitative analysis is sufficient since they are attempting to determine whether they need to take action to mitigate risk or whether they can simply monitor it.
How you assess your project risks will be determined by the circumstances. Many businesses will assign risk ratings based on probability and impact and then use those values to determine which hazards require the greatest attention. Risks with high probability and impact are emphasized in risk management plans, whereas risks with low probability and impact are lower.
Because no two risks are the same, it is critical to rate them according to their likelihood and cost. Some hazards, such as your office building collapse due to an earthquake, will be ranked extremely low.
As a result, it will not make the cut in your risk register's cost-benefit analysis. Other hazards, such as budget overruns, will be prioritized and require a response strategy. It all boils down to how much each risk is worth.
How to Conduct a Risk Assessment
Rather than giving advice, it would be more beneficial to explain how to do a risk analysis. A score-based system of 1 to 10 is commonly used.
The following is the formula for calculating the risk value:
Risk Value (RV) = Risk Occurrence Probability (P) x Risk Cost (C)
Estimate your probability and cost parameters using previous project experience, brainstorming meetings with your team, or case studies of similar initiatives.
Assume you have calculated a 20% possibility of losing electricity in your building for a week due to ongoing renovations and development. A two-day downtime might cost you two days of work. Calculate the risk value for these outages using the following formula:
0.2 (P) × 2 (C) = 0.4 days (RV).
Consider the possibility of a loss of worker productivity. You estimate that you have a 40% risk of losing someone on your staff for a week while they recuperate, based on your research and the flu season. This equates to a five-day loss of output. You would do the math like this:
2.0 days = 0.4 (P) x 5 (C) days = 2.0 days (RV)
The second risk value is greater than the first, and it should be prioritized in your risk register. Based on these data, you would prefer avoiding lost productivity due to illness over the danger of losing power in your building.
Using this knowledge, you may then allocate one or more risks to each person on the team, which they will be responsible for overseeing and analyzing during the project.
5. Make a risk response plan.
With your prioritized list of risks in hand, you can now design your response strategy if a risk materializes.
It is a matter of guiding what you do about the risk with that analysis and trying to match your response to the danger. If it is a minor danger, you do not want to waste millions of dollars on it. You do not want to over-prepare, but you also do not want to under-prepare.
While risk management may appear to be reactive, a professional project manager will proactively identify and mitigate risks before they become serious problems that could jeopardize a project.
6. Monitor and adjust as needed.
After you have identified your risks, prioritized them, and devised a response strategy, the last stage is to keep an eye on them throughout the project. Then, as the project progresses, keep your risk register up to date by adding or eliminating risk events as needed.
Review your risk management plan when a project is completed and ask yourself, "What worked?" What went wrong? Is there anything you can take away from the project that will help you alter your risk management strategy in the future to avoid similar problems?
Pay attention if a risky situation arises. Determine what happened, how you managed it, and how it affected the project. These insights can help you manage risk more effectively in future initiatives.
7. Determine who oversees risk.
Finally, assign each risk to an owner. If you do not assign a risk owner to every potential risk, you may not be aware of it until its consequences are irrevocable.
There is one more column in your risk register where you can keep any remarks that do not fall into any of the other categories. But, again, it is critical to have a location to store these thoughts, so they do not get lost in the never-ending churn of the project.
Risk Breakdown Structure
A risk breakdown structure is useful for identifying and prioritizing risks so that you can determine which will have the most impact. The first step in planning, controlling, and mitigating risk in your initiatives is to identify it.
A risk breakdown structure is a tool for managing risks, which are any unforeseen or unexpected events.
In a project, there are four types of risk. Although they can be further broken down, most risk breakdown structures divide risk into four categories:
Risks that are beyond your control, such as those related to the environment, regulations, suppliers, and rivals.
Risks that arise within your company, such as a lack of resources, funding delays, or prioritization errors.
This category includes scope, requirements, and other technical difficulties.
Threats to your planning, communication, and control, among other things.
You will require project management software to effectively manage risk in a project. This is cloud-based software that monitors your work in real time so you may discover a problem as soon as it arises, rather than after it has caused considerable damage.
How to Create a Project Risk Breakdown Structure
A risk breakdown structure is a simple grid that starts with a general statement of the risk and progresses down the grid to more specific classifications. It can also be set up as a spreadsheet, with the risk increasing as you walk from left to right.
The three stages below should be followed when creating a risk breakdown structure.
1. Determine the RBS's risk categories.
The first step is to figure out which risk categories are the most important. The risk breakdown structure's primary categories are external, internal, technical, and management, as previously stated. These top-line risk identification categories are, in general:
Generating ideas with your team, workshops, and interviews to examine historical data, completing strengths, weaknesses, opportunities, and threats (SWOT) analysis, and more are all examples of risk identification methods. It is also a good idea to create a RACI chart (responsible, accountable, consulted, and informed) to aid with stakeholder risk management.
2. Identify and categorize specific risks in the RBS
The next step is to divide the level-one categories into level-two categories: This entails beginning with a broad topic and narrowing it down to smaller and smaller chunks.
For example, you may divide down the client category into smaller issues like the client team, the project team, targets, funding, and approaches.
Then, under the project team, you can notice that there are not enough resources to do the tasks, or that your team is inexperienced and needs further training to fulfill their tasks properly.
Three levels of risk are sufficient. More than that, and you risk becoming engrossed in detail with little to show for your efforts.
3. Determine the level of risk and impact.
After you have broken down the risks, score them to see which ones will have the biggest influence on the project. This is where your risk assessment begins. You can determine which risks require immediate attention and which may wait or even be avoided by prioritizing risk.
This is accomplished by assigning a score to each risk based on the likelihood of it occurring and, if it does, the potential impact on the project. The project manager can decide how to rank each of these criteria, but a decent rule of thumb is to divide likelihood into four categories:
• Very high (80-100 percent)
• High-medium (60-80 percent)
• Low-medium (30-60 percent)
• Probability is low (0-30 percent)
Impact is divided into three categories: high (critical), medium (moderate), and low (minimal). Your findings will be included in your risk reporting, and team members can be assigned to be on the lookout for these threats. If any of the risks look to be difficulties in the project, put them all in a risk register after you have a risk score.
Because it documents all identified hazards in the project, a risk register is integral to the entire risk management framework. The risk registers are created as part of the Identify Risks process. They also drive other risk processes like Perform Quantitative Risk, Plan Risk Responses, Perform Qualitative Risk Analysis, and Monitoring and Control Risks, according to the PMBOK Guide.
Find out how to manage your business' health and safety better
Many employers are concerned about their reporting obligations for COVID-19/Coronavirus/SARS-CoV-2 under RIDDOR in the ongoing pandemic. You may be pleased to know that you do not have to report everything to the Health and Safety Executive (HSE). We'll provide more info about when, what, and how to report.
The most common concern we've seen recently from employers is whether they need to report all COVID-19 and coronavirus testing results to the HSE. The short answer is no. According to the HSE: “There is no requirement under RIDDOR (The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013) to report incidents of disease or deaths of members of the public, patients, care home residents or service users from COVID-19. The reporting requirements relating to cases of, or deaths from, COVID-19 under RIDDOR apply only to occupational exposure, that is, as a result of a person's work.”
Generally speaking, the ordinary RIDDOR rules already cover COVID-19. You should only make a report under RIDDOR when one of the following circumstances applies:
• an accident or incident at work has or could have caused the release of coronavirus (SARS-CoV-2). (Report as Dangerous occurrence)
• a worker is diagnosed with COVID-19 due to occupational exposure. (Report as Disease)
• a worker dies because of occupational coronavirus exposure. (Report as Work-related death due to exposure to a biological agent)
The bottom line is that existing rules cover most COVID-19 measures, and most of the COVID-19 guidance comes from public health authorities rather than the HSE. The environment remains chaotic, but you can minimize your legal exposure by continuing your existing compliance steps. This will include communicating with your insurer about risks, following public health guidance, and communicating regularly with your workers or unions on any of their concerns.
© Gavin Coyle, 2021
© Gavin Coyle, 2021