But first, I want to point out that the material I've provided is just a starting point. There are entire books written about Risk Management, and I could probably start a blog about it and have material for a couple of years. Don't take the high-level details I provide as the end all / be all of Risk Management. Read, learn, grow!
Back to the Risk Register. The Register is designed to track the Risks identified during a meeting, determine the potential impact of each risk, record how each risk will be addressed through one (or more) of the four Risk Management Approaches (Accept, Avoid, Mitigate, or Transfer), and determine what risk remains after those Approaches are applied. As much as I would like to identify this as a quantitative process, in many cases it is qualitative. Gut feel and educated guesses are a lot more involved than most people would like when it comes to Risk Management.
I understand it is hard to read. Please be patient, look at the bottom of the post!
Let's break down the individual columns of the Risk Register:
ID - Each Risk should be identified with a unique ID number, for tracking and quick reference purposes. Your team, group, organization, company, etc. can identify an Identification Convention (if required, i.e. this risk is electrical, so the ID number will start with an E), but at a minimum it should be a unique number.
Risk Description - What is the nature of the risk that could be encountered? Is it that a generator fails during operations, or that there is a pressure build-up in a pipeline? On the software side, what about a critical integration not working, or a failed connection? Perhaps a server goes down, or a hurricane / earthquake hits the local area.
Risk Consequences - What is the most likely outcome if the risk occurs? What will it cost? Will other equipment be shut down? Is there a potential for people to be hurt? Try to be specific, but remember you want to avoid Double Jeopardy (i.e. if this fails, this fails, and this fails, the entire facility will explode!). If team members start to talk in those terms, then each "fail" should be identified as an individual risk and addressed in that manner.
Probability Level - What is the Probability Level that this will occur, according to the Risk Matrix? Is it Almost Certain, Likely, Probable, Unlikely, or Rare?
Impact Level - What is the Impact Level if this occurs, according to the Risk Matrix? Is it Catastrophic? Critical? Moderate? Marginal? Negligible?
Risk Level - What level Risk is it, again according to the Risk Register? Minimum through Extreme.
Management Approach - Which of the 4 approaches will you use? Accept, Avoid, Mitigate, or Transfer.
Management Activity - Describe the steps / tasks / activities required to implement the Approach. What items will need to be done prior to the risk taking place? What activities should be done if the Risk actually occurs? You may need to identify a separate document that details out an implementation plan for the risk, especially if the activities that need to occur are detailed.
Responsible Party - Who is responsible for making sure that the approach is implemented? A specific name / role should be identified (don't forget the lesson from If Everyone Is Responsible...).
Risk Outcome - If the Risk Management Activity is properly implemented, what is the expected outcome? Like the Risk Consequences section, identify what will happen now that a strategy has been identified to address the risk.
Probability Level - What is the adjusted Probability Level that this will occur taking into consideration the Risk Management Activity, according to the Risk Matrix? Is it Almost Certain, Likely, Probable, Unlikely, or Rare?
Impact Level - What is the Impact Level if this occurs, taking into consideration the Risk Management Activity, according to the Risk Matrix? Is it Catastrophic? Critical? Moderate? Marginal? Negligible?
Risk Level - What level Risk is it taking into consideration the Risk Management Activity, again according to the Risk Register? Minimum through Extreme.
There may be additional columns you want to add to the register as well. Perhaps Department, Physical Location, Related Documents, Secondary and even Tertiary Management Approaches. I'm sure there are more columns that can be added. Look for the opportunities to add clarity, without creating clutter and adjust accordingly.
This Risk Register will probably be initially filled out during a Risk Management meeting, but will need to be maintained throughout the Project Life Cycle. As each Risk is closed out (i.e. no longer an issue), its boxes could be grayed out to show that it is no longer a concern. The Risk Register should be distributed throughout the team and perhaps to key stakeholders (i.e. clients / customers / government regulating bodies, etc.) in order to generate conversation and ensure all Risks are identified and properly addressed. In addition, follow-on meetings will probably be required throughout the project to determine if the Risk Register needs to be updated.
Next week, we'll discuss the consequences of performing Risk Management, as we discuss Morey's Law #14: Risk Management Is A Risk Itself!
If you want to look at my version of the Risk Register, or download a version, then please click here.