Risk Register

A Risk Register is another fairly simple, but essential, tool. Make no mistake here; Risk Management is one of the main reasons that Project Managers get paid.

Like most things, you can engineer this tool to do anything, if you’re ace at automation, you can use the Risk Register to update Issue Logs, Learns Learned Logs or Action Trackers, you can even use your Risk Register to feed updates into a Project Schedule. That said, don’t forget the good old 1960’s US Naval principle; KISS (Keep It Simple, Stupid) and don’t go crazy.

The areas we want to capture here include:

  • A Risk Reference
  • The Project Phase
  • The Risk
  • What If.. (this is a very useful way of evaluating your Risks)
  • Impact
  • Probability
  • Severity
  • Mitigation
  • Owner
  • Updates
  • Status (open, closed, hold, due, or something similar)

For those of us that work on Programmes, multiple Projects or Projects with large and complex information flows, then you may also want to record a way of identifying the Project, Customer, Project Stream, etc.

So we might expect to be looking at something like this:

project-risk-register-template

I suggested that one of the areas you want to capture when fleshing out your Risk Register is the What If.. area. This is a very useful way of identifying your risks, and on that point it might be a good idea to just flag up a big difference between a Risk and an Issue.

A Risk is something that might happen, and if it happens, there will be some impact to your project. Whereas an Issue is something that has happened and has had some impact on your project.

Using the What If.. approach is a useful way of looking at your Risks, and we pose the question like this:

What If _____ happens, what would be impacted and to what extent?

This is not quite the same thing as What If Scenario Analysis (WISA) as that is more of a Scheduling tool, although the question can be used in the same way.

What can you use to record and manage Risks?

The structure of a number of the tools I talk about, such as Risk Register, Issue Log, Action Tracker and Assumptions Register are all quite similar, some of this might seem like duplication, but they all play an important role within Project Management.

For companies with SharePoint, you already have access to a great shared working space that you can use for a number of project documents. In fact I would suggest that if you do have SharePoint, then you create a ‘Site’ for each project and build out these documents in project specific Sites. SharePoint makes it easy to backup, audit, roll-back, track changes, build work-flows and issue notifications when a page or section is updated.

Microsoft Access is another awesome tool and one that allows you to use those unique references to link multiple project documents together. For example, identifying a Risk in your Action Tracker can be linked to your Risk Register using something like Access.

Oracle Apex; this is a fantastic system. If you have Oracle in your workspace, then using Apex to build web-front ends for your Oracle data allows you to build an interface that suits your project requirements and ensures tracking and data security.

Microsoft Excel; this is probably the simplest and easiest tool. You can ‘engineer’ the spreadsheet to meet every requirement your project has with ease and it offers a very smooth learning curve. This is my go-to tool for most list based documents. I can still use references to link into other documents which aid automation and I can use something like SharePoint to publish, share and track changes as needed.

There are custom apps, CRM’s, ERPs and Service Management tools that can all be used to produce Project documents. Furthermore, any use of Microsoft Excel can usually be replicated in Google Docs/Google Drive without issue.

How to build your own Risk Register

For the sake of simplicity, we’re going to use Microsoft Excel, we can build upon this later, but essentially we want the final product to look like this:

project-risk-register

Risk Reference & Project Phase

The Risk Reference is a unique reference in my document, this allows me to link to it from other documents, I can do this through automation, or manually with references, such as an Action Tracker reference that details a number of actions I may need to complete which are as a direct result of Risk PRJ-DD017-RR01 as an example.

Project Phase details the area that I might expect to encounter this Risk. In my example above, I’ve used broad phase descriptions, but in a real-world document this might be something more detailed, such as ‘Building New Server Room‘.

Risk, What If & Mitigation

What Risk have I identified? A Risk could be repeated multiple times with different unique references, the example I used above shows that missing documents during the merger of two companies could pose Risks to a successful on-boarding process, missing documentation could be a risk to more than just the Network team, so this Risk could be repeated with a number of different What If scenarios. The Risk could also be something like Schedule, Budget, Staffing, i.e. you can use the Risk column to detail What would be impacted by your What If scenario.

What If is our first chance to define a scenario that poses a Risk to our project, in this case we’re worried about merging two companies, we might not get access to the other companies Network documentation until after the sale has been completed, it is very likely that the Company B Network Team are not even aware that their company is being pursued like this at this stage, so simply asking for the documentation is not going to be possible. The next Risk and What If scenario concern the process of staff leaving during the process of Company A buying Company B, in both Risks, we have to think of some Mitigation.

The Mitigation is how we might avoid the Risk. That said, it should be understood that you can’t avoid all risks, in many cases, you simply need to define how you will reduce the Impact of any Risk to your project.

Impact, Probability, Severity & Risk Score

In my case, I use conditional formatting in Excel for these columns. For Impact, Probability & Severity, the cell colour will be based on the keyword of High, Low, Medium, Unknown. The colours don’t really matter, they just give you a visual overview of your risks.

The Risk Score is also conditionally formatted, but it is based on a formula. For High, Low, Medium, Unknown of the Impact, Probability & Severity cells, I have allocated the following scores:

  • Unknown (and therefore potentially the biggest risk) = 30
  • High = 25
  • Medium = 15
  • Low = 10

I then defined conditional formatting to the Risk Score cell on the following numbers:

  • Green = </= 30
  • Yellow = 40 – 74
  • Red = >/= 75

Owner, Updates & Status

The Owner is the person in my Project Team that will be responsible for this Risk, this isn’t about finding someone to blame, it is about finding someone to Manage the Risk. In Many cases, the Risk Manager will be the Project Manager, in other cases, the Risk Manager may be the head of the Network Team (for example).

I use the Updates column to track updates and Status gives me a visual overview of which Risks are Open, Closed or on Hold. A closed Risk could mean that the Risk came to nothing, it could mean that the Risk became an Issue or it could mean that your Mitigation steps avoided the Risk completely.