Topic 7.14: Risk register
The risk register is a high-level summary view of all project risks and their status, and records:
A summary description of the risk
A risk owner – the person responsible for managing the risk
Its probability and impact ratings
A high-level summary of our risk treatment
Its last and next review dates, and
The status of the risk.
Once again, we can use traffic lights to highlight the current status of the risk.
Intuitively, a green light means the risk is low and acceptable, yellow means the risk is medium, and red means that the risk is high and demands immediate attention, as per our organisational risk thresholds.
Each dictionary entry should be written to a level of detail that corresponds with the priority ranking and the planned response.
Often, the high and moderate risks are addressed in detail, whereas risks judged to be of low priority are included in a ‘watch list’ for periodic monitoring.
Dictionary detail can include:
Identified risks, their descriptions, area(s) of the project affected (for example, WBS element), their causes and how they may affect project objectives
Risk owners and assigned responsibilities
Outputs from the qualitative and quantitative analyses
Agreed response strategies
Specific actions to implement the chosen response strategy
Triggers, symptoms, and warning signs of risks occurring
Budget and schedule activities required to implement the chosen responses
Contingency reserves, plans and triggers that call for their execution
Fall-back plans for use as a reaction to a risk that has occurred where the primary response proved to be inadequate
Residual risks that are expected to remain after planned responses have been taken, as well as those that have been deliberately accepted, and
Secondary risks that arise as a direct outcome of implementing a risk response.
As a rule of thumb, the dictionary should provide sufficient, up-to-date detail so that if the risk owner wins lotto and flies to the Bahamas tomorrow, a new owner can step seamlessly into the role.
It is therefore crucial that, whenever a risk is realised, information about the event – as well as the progress and effectiveness of the responses – be communicated at regular intervals and in an honest manner adapted to the needs of each stakeholder.
Nevertheless, the degree, level of detail, sophistication of tools, and amount of time and effort applied should be in proportion to the characteristics of the project.
A large project that consumes a significant amount of organisational resources will obviously require a higher degree of proactive risk management than one that is smaller with flexible deadlines.
For that reason, project risk documentation should be scaled to be appropriate to the project.