Risk register

Developed by Jack Edward

Example of a Risk Register used by SURF ^[1]

The uncertainty surrounding any decision, action or unprecedented occurrence that may negatively affect a project’s success can be defined as a risk and knowing how to classify, identify and document these risks is essential to the success of any project. This is because risk uncertainty can be difficult to control and predict; being able to communicate risk likelihood and the impact of this risk to a project team in an efficient way allows the team to evaluate risks together and identify to what extent they can prevent these risks from happening. Documenting risks from an early stage streamlines a team’s goals and their perception of the project, working as a communication tool and a risk management tool simultaneously. The risk register is an efficient risk documentation tool when it is used correctly within project management.

What is a Risk Register?

Risk register within the project life cycle^[2]

A risk register is the baseline document for the process of managing risk ^[2]; it is a means of visualising a project’s risks within a table or template so that risks can be better understood and dealt with by a project team. It allows risks, their likelihood and preventive measures for each risk to be recorded ^[3]. The risk register should be in a centralised location for information to be stored and updated with respect to the risks that are affecting the company; it is key that the risk register is used constantly throughout a project process. As can be seen in Graham Winch’s risk process diagram on the left hand side, throughout the life cycle of how a risk is dealt with, the risk register is the tool that should be constantly updated and referred to; it is the centre of all processes and decisions.

Generally, risk registers are created within a company's intranet or online database where the register can be updated by any member of staff and can be seen by any relevant project stakeholders. The register would then be made using database or spreadsheet software. A risk register could also be made offline however, being drawn on a whiteboard at a company meeting for example as a quick and efficient tool for motivating the meeting. The register must always be in a visual format however; visualisation is key to the success of the risk register tool.

Whenever an important decision is made within a project, the risk register is referred to. Whenever something unfamiliar is being dealt with within a project, again the risk register should be referred to. This is how the risk register should be used, as a familiar tool that any member of a project team can come back to to ensure they can make the right decisions with a clear and focused mindset and without the need for a boss or authoritative figure being at hand. It therefore also reduces the time needed for project teams to carry out tasks, improving the efficiency of workers.

The risk register cannot only be used as a motivating risk management tool; it also has further uses as a documentation tool. Documenting information that is flowing into a project is incredibly important to manage risks affecting a current project, however it also works as a means of storing historical data. Ensuring that information is quickly available to you may be entirely necessary if a past client requires information about a past project for example^[4]. Having a shared risk register would provide access to this information. It is also crucial in preventing future failures as risk registers become more and more effective as they are used more frequently within a company. Information about the uncertainty of a previous risk would allow a project manager to make a more educated decision about how to deal with the risk, therefore increasing their own knowledge about these risks.

Implementation Advice

To use the risk register correctly, it is essential that the risks associated with the project are identified properly using a risk management plan ^[3]. A risk management plan should consist of utilising the help of relevant stakeholders and project team members to gather all risks, prior to the risk register being created. Consulting everybody before the risk register is created increases the efficiency of the risk register; everyone who uses it is involved in its creation and all relevant risks should be covered and correctly recorded, provided everybody has an input from their respective departments and expertise.

Risk Impact/Probability Chart^[5]

According to Winch (reference Winch), it is important to remember that one of the key ways to identify risks is to rely on those with more experience. Consulting older project stakeholders on what risks are most relevant, where risks could occur or how risks could be dealt with is essential to define risks for the risk register. Furthermore, tools can be used to ensure that risks are being identified in the right way.

Probability/Impact Matrix

Risks should be prioritised. By prioritising risks in the correct way, a risk register becomes more relevant to the project and gives the user a clear understanding of how problems are being dealt with within the project. Categorising risks by how likely they are to happen and how much they will affect the organisation is a common practice that assists project managers in prioritisation of their risks. Using a tool such as the Probability/Impact Matrix allows the manager to define these risks by where they stand within the two dimensions. Risks closer to the lower left hand corner should be ignored whilst risks at the top right hand corner are of critical importance; they are likely to happen and will have a large impact on the project. Those in the top left hand corner generally are lower impact risks that happen often. These should try to be reduced, however they should not affect the company strenuously if they are unavoidable. Bottom right hand corner risks are unlikely to happen, however they will have a high impact on the company if they do occur- having a back up plan to deal with a risk like this would be wise. This is how the table categorises risks and from this, their risk likelihood can be transferred to the risk register.

Risk Matrix

A risk matrix ^[6] works in a similar way to the probability/impact matrix as the two dimensions used are identical. This matrix helps to define priority of risks in that it is colour coded. If the risk is in red then it should be treated with more importance than a risk in green. The risk can then be assigned a number taken by multiplying its probability value with its impact value. This tool is perfect to use in conjunction with a risk register as this number can then be transferred to the risk register, where it can easily be read by the user.

Using these tools, risks are properly identified and categorised. They can then be transferred to the risk register for use by the whole project team.

Layout

The key to a strong layout ^[7] for a risk register is that it must be easily comprehensible and concise. That way, any stakeholder can update the risk register or take information from the risk register quickly. There are a number of things that must be included within a risk register to convey information efficiently and quickly, however a risk register can be expanded to include more information depending on the type of project that is being dealt with. A larger scale project that has more of an impact on the company may require an expanded risk register with further headings to indicate all required information to a user. For projects that are shorter and possibly smaller in scale and impact, only the necessary headings may be used.

Necessary Headings

1. Risk name/number- A title, a number or a couple of words conveying what the risk is quickly. Much shorter than the description.
2. A brief description of the risk- A sentence or two or possibly a paragraph explaining what the risk is and what or who it would affect.
3. Likelihood of the risk occurring- Its probability of happening, taken from previous findings. Should be marked on an appropriate scale, eg a percentage scale perhaps.
4. Impact of risk- It's impact on the company were it to happen, taken from previous findings. Should be marked on an appropriate scale, eg a percentage scale perhaps.
5. Risk severity level- A combination of both likelihood and probability showing how important it is that the risk is dealt with. Should be marked appropriately, eg colour coded, words such as "high", "very low" etc.
6. Risk time- A date by which the risk should be dealt with or evaluated by; this allows the risk register to be more of an organisational tool.
7. Risk ranking- A heading that quickly portrays the importance of each risk with respect to each other.
8. Completion of the risk- A tick/cross or green/red indicating that the risk is active within the register.

Further Headings

1. Risk reduction plan- Any notes or plans that will reduce the likelihood of the risk occurring. This can be edited by any stakeholder as the project develops and risk reduction plans become more apparent.
2. Risk contingency plan- A solid plan on what to do in the occurrence of a risk. This is more beneficial as a heading for risks that are in the top right hand corner of a probability/impact matrix (likely to happen, high impact).
3. Further description- Explicit details on which stakeholders would be affected and how the risk would affect QCT values.
4. Familiarity- A brief paragraph on how the risk has been dealt with in the past or whether or not the risk is unfamiliar to the project stakeholders. This information is vital if the risk is completely new and likely to occur.
5. Risk links- An explanation of whether or not the risk is codependent on another risk and whether or not this is relevant to the nature of the risk itself.

This is an example of how the risk register may be created however, due to project management being such a vast subject there may always be additional headings required or possibly even fewer headings required; it all depends on the nature of the project. However, this is certainly a good example of how a risk register should be designed if it is necessary to convey information about each risk quickly and visually. The layout may vary in that a user may decide to use quantitative or qualitative information solely as opposed to using a combination of the two ^[8]. This decision comes down to how quickly information needs to be conveyed or how clear the project stakeholders want to be when describing the risks.

Utilisation

The risk register should be used in conjunction with the entire life cycle of a project; at the beginning, the middle and the end of the project. During all processes of the project, the risk register must be updated and referred to constantly.

At the beginning of any project, the risk plan can be used to identify and classify risks. A meeting will be held to determine this and during the meeting a probability/impact matrix can be used along with a risk matrix to correctly identify the weight of each risk. The meeting can either utilise a drawn risk register (on a whiteboard or A3 sheet) or an online one, through the medium of a projector, for all stakeholders to see. If the meeting utilises a hand drawn risk register, it is important that the project is either on a very small scale or the risk register is then transferred to an online project database.

Throughout the project, an online project database is one of the most important tools to use in conjunction with the risk register ^[7]. The project database firstly allows any stakeholder to edit the risk register as they please, allowing the risk register to be contemporary and consistently relevant. When used correctly, this then allows the risk register to be used as a strong communication tool. Furthermore, the database can be programmed in the same manner as a spreadsheet; automatic calculations can be made to figure out the severity of each risk and their respective rankings, saving time and increasing the overall efficiency of the risk register. Figuring out the perfect formula for a risk register may take some experience from using them in past projects. Using a database system opens up the potential for archiving information.

Once the project is finished, the risk register also has the potential to archive information. Either by documenting information manually or automatically, information can be stored directly from the risk register with ease. This is useful both for assistance in current project work and general archiving purposes, however is also useful for future risk registers as the database can take past risk outcomes into account. Certain algorithms can be integrated into the database to calculate new probability or impact factors that may previously have been formed from an educated guess. As the risk register is used more and more frequently, it is possible that the upkeep of previous information will improve future performance of the risk register.

The Risk Register Database System was developed on MS Access ^[7] and is widely available to many organisations. This is a good example of strong risk register database software as it contains templates of risk registers and mitigation plans alike. It also contains a section on who owns each risk within the company however this section is not often appropriate for project management as it is required on a larger scale eg program or portfolio management.

Evaluation

Using the correct risk register for a given project has a lot of documentary benefits; it allows any stakeholder to see relevant risks at any given time and is useful as an archiving tool. However, it could be argued that, in some cases, the risk register is a waste of time with respect to documentary purposes. Perhaps if the project is particularly small in scale, this may be the case but generally, it is a perfect tool for communicating information to the whole project team and is, therefore, very useful to the project. The risk register's ability to archive could also be argued to be cluttered and difficult to follow. Under the right organisation however, previous projects can be divided into sub categories and, using the right algorithms, previous information should be easy to obtain.

It is arguable that a risk register is flawed in that it only works if the risks are calculated properly ^[9]. If a project team incorrectly calculates the probability or impact of a risk and then relies on the risk register solely, the risk register may become redundant. This is not a direct flaw of the risk register itself, rather it is a flaw in the risk identification and assessment process; again the risk register itself is useful as a visualisation tool assuming the visuals it provides are relevant.

The risk register works best when it has been properly considered what is necessary of it and it is suitably customised to the project at hand. A lot of criticism of the risk register is in that it does not convey codependency between risks, or that it does not convey enough information in general. When a project is on a large enough scale, information can still be added to the risk register for users to see. Perhaps, if the register is too cluttered, the information could be stored within an external link which would free up the space on the risk register whilst still having the information available to the user if necessary. It must be noted, however, that risk dependencies on each other are not as easily visualised within the body of the risk register, making this a notable flaw in the risk register layout.

An interesting potential flaw in the risk register lies within the connotations of the word "risk" itself. A risk implies something negative; it may lead to companies overlooking decisions that would provide a positive benefit, however, these positive uncertainties should also be included in the risk register. These negative connotations may lead to anxiety or worry, possibly effecting some of the stakeholder's performances. This links into a psychological human behavioural aspect of the risk register. A proposed solution to this may be to rename the risk register; something surrounding the word "uncertainty" implies more neutral decisions are being made. Moreover, a risk register only deals with two outcomes of an event; it happens or it does not happen, there is no middle ground. This is certainly a major flaw in the documentation system: perhaps another heading could be added to the risk register to determine exactly what the outcome of an event was, for future or current reference.

Conclusion

From the report, it can be concluded that the risk register is perfect for documenting information in a constant stream, throughout the entire project life cycle. It is further useful following the end of a project to build upon the probability and impact factors of reoccurring risks. It is efficient at managing and visualising risks, provided it is used with common sense: poorly documented risks could mislead coworkers. Additionally, in conjunction with a database system the risk register is remarkably improved in communication and efficiency. Regarding the risk register's inability to provide visualisation of dependencies between risks, software could be developed to visualise links in a more concise and efficient manner. Despite this flaw, the register does its job of communicating information relevant to the project. Whether the project is on a large or a small scale, the benefits of visualising the constantly changing and developing uncertainties surrounding a project in an efficient manner, organising information concisely and comprehensively and working as a sound risk management tool are undisputed, and when used correctly, the risk register can perform as such.

Notes and Citations

1. ↑ http://survivors-fund.org.uk/annual-reports/annual-report-2010/risk/
2. ↑ ^{2.0 2.1} Graham Winch (2009), Managing Construction Projects 2nd Edition, Retrieved from DTU Library
3. ↑ ^{3.0 3.1} http://www.brighthubpm.com/risk-management/3247-creating-a-risk-register-a-free-excel-template/
4. ↑ http://www.mindtools.com/pages/article/data-information-management.htm
5. ↑ http://www.mindtools.com/pages/article/newPPM_78.htm
6. ↑ http://www.sagecrm.com/blog/detail.php?id=27403/Risk-management-in-the-agile-world
7. ↑ ^{7.0 7.1 7.2} http://www.sciencedirect.com/science/article/pii/S0263786301000400
8. ↑ http://en.wikipedia.org/wiki/Risk_register
9. ↑ http://www.workinginuncertainty.co.uk/whenreg.shtml