7.14 Risk register

Recording risk

A risk register (or risk log) is a master document created during planning and updated throughout project delivery.

The risk register is a high-level, summary view of all project risks and their status. For each risk, it records:

  • A summary description of the risk
  • A risk owner – the person responsible for managing the risk
  • Its probability and impact ratings
  • A high-level summary of our risk treatment
  • Its last and next review dates, and
  • The status of the risk.

Once again, we can use traffic lights to highlight the current status of the risk. 

Intuitively, a green light means the risk is low and acceptable, yellow means the risk is medium, and red means that the risk is high and demands immediate attention, as per our organizational risk thresholds.


Risk dictionary

A risk dictionary further elaborates on each risk identified in the register.

Each dictionary entry should be written to a level of detail corresponding with the priority ranking and the planned response. 

Often, the high and moderate risks are addressed in detail, whereas risks judged to be of low priority are included in a ‘watch list’ for periodic monitoring.

Dictionary detail can include:

  • Identified risks, their descriptions, area(s) of the project affected (for example, WBS element), their causes, and how they may affect project objectives
  • Risk owners and assigned responsibilities
  • Outputs from the qualitative and quantitative analyses
  • Agreed response strategies
  • Specific actions to implement the chosen response strategy
  • Triggers, symptoms, and warning signs of risks occurring
  • Budget and schedule activities required to implement the chosen responses
  • Contingency reserves, plans, and triggers that call for their execution
  • Fall-back plans for use as a reaction to a risk that has occurred where the primary response proved to be inadequate
  • Residual risks that are expected to remain after planned responses have been taken, as well as those that have been deliberately accepted, and
  • Secondary risks that arise as a direct outcome of implementing a risk response.

As a rule of thumb, the dictionary should provide sufficient, up-to-date detail so that if the risk owner wins the lotto and flies to the Bahamas tomorrow, a new owner can step seamlessly into the role.


Fit for purpose

Ultimately, stakeholders’ perception of the effectiveness of risk management is conditioned by how risks are handled as they occur, and by the number or characteristics of such events.

It is, therefore, crucial that whenever a risk is realized, information about the event – as well as the progress and effectiveness of the responses – be communicated at regular intervals and in an honest manner adapted to the needs of each stakeholder.

Nevertheless, the degree, level of detail, sophistication of tools, and amount of time and effort applied should be in proportion to the characteristics of the project. 

A large project that consumes a significant amount of organizational resources will require a higher degree of proactive risk management than one that is smaller with flexible deadlines.

For that reason, project risk documentation should be scaled to be appropriate to the project.
