Do you know if your risk register is performative?
Risk management is supposed to keep projects out of trouble. But after 15 years providing oversight of major public sector projects, I can tell you: risk registers are often just theater.
Not sure if your project is falling into the same trap?
Below we’ll talk about how to recognize if your risk register has a purpose – or if it’s just there because it has to be.
Using Risk Registers As Wallpaper
These days, risk management doesn’t need to fight its way into project methodologies. There was a time when it was easily skipped or glossed over, but today it’s pretty rare to see any project manager completely ignore it.
But is it being used as a decision-driver?
Well, that’s a completely different question.
So many teams use a risk register as a kind of risk dictionary: it’s thorough, it’s descriptive – and it’s entirely static.
Conversations about the risks become quick “check-ins” that do little more than validate what’s already there. Maybe there will be a slight tweak to one or two, but there are no profound questions about whether or not the risks facing the project are the same as when the project began.
In short, many risk registers might as well be wallpaper: they might look pretty, but they can’t be used to support the structure of the walls behind them.
The Meeting That Looked Good – But Meant Nothing
One project from my career so perfectly encapsulated everything about the “theatrics” of a project risk register.
I had only just joined the organization in question, and I was almost immediately asked to attend a steering committee of a major organizational software development project.
I was quite surprised to see that review of the risk register was a standing agenda item. This group met every month, and they put risk register discussions right at the forefront every single time.
Fantastic! I thought that I’d finally stepped into a truly risk-aware organization.
The list was thorough, I’ll give them that – one might even say that it was exhaustive.
But it became immediately obvious that the risk register was nothing more than a repository in which people dumped whatever came to mind in the moment.
They added and they added and they added, and about five years into the three-year project (yes, you read that right), the risk register rivaled an old phone book from a small town.
Download Matt's Public Sector Health Check
Find out if hidden dangers are quietly putting your project’s success in jeopardy — or if you still have time to turn it around.
Reading With Eyes Wide Shut
Did that mean that the risk register was too big to ever be reviewed? One would imagine that, but – surprisingly – those steering committee meetings covered every single one, at least at a cursory level.
During that standing agenda item, the team lead would take the committee through every line on the spreadsheet, discussing what had changed.
Sure, some risks needed a few minutes and some needed only a few seconds, but no one could make an argument that the team was ignoring their risks.
Unless, of course, they expected anyone to actually be engaged in the conversation.
Because only moments into the debrief, it was obvious that everyone around the table had checked out.
It all became a monotonous din, with so many micro details spewing at the committee members, that no one knew where to even start.
And that wasn’t even the biggest charade of the “discussion.”
Even the “High” Risks Were Noise
I’d actually exaggerated a little bit above. Not that the risk register wasn’t huge, but that we didn’t go through every single risk at the committee meeting.
We just went through the risks marked in red as “High.”
And that was the list that was as big as a small-town phone book.
You see, they had given the impression that not only did the register cover every risk that could have implicated the project, but they’d still managed to analyze each one, label it, and curate the list for the steering committee.
But if the steering committee was exhausted just by looking at the list of supposedly “high” risks, how much time do you think they spent reviewing the medium- or low-risk entries? How much effort do you think they expended in trying to re-baseline the risks, based on a very long timeframe?
The answer to those questions, of course, was zero.
Sure, one or two of them might have prompted some discussions, but those conversations almost felt like somebody just wanted to say something out of obligation, not insight.
Good Intentions. Bad Results.
To be clear, that project team’s attempts to “manage” their risk register came from a good place.
They wanted to document all of their risks, and they wanted to make sure that they were as faithful to their project management methodology as they could be.
But that doesn’t mean that their process was anything close to productive.
Its budget had more than quadrupled, and its users (about three-quarters of the organization’s employees) still had to use Word and Excel to work around the major gaps and flaws in the new software.
After all of that effort, after all of that time, after all of those expensive steering committee members had spent hundreds of salary hours across many years, the project had still ignored its biggest risks.
In other words,it didn’t work.
Fix the Process Before It Fails You
So how did they get there? How did they spend so much time reviewing minor details, and miss the biggest picture of all?
The answer, funnily enough, is right in that very question.
If a project team spends all of their time looking through a microscope, they will never discover how everything fits together in the broader view.
Truly managing the risk register means one team member (or a very small group) regularly assesses the risks, recalibrates where they should be, and presents only the acute or urgent risks for discussion with senior leadership.
There’s the old expression that “treating everything as a priority means that there are no priorities.”
At the end of the day, we should only be tracking risks to determine whether or not something will get in the way of our objectives, or if it won’t. That’s it.
Risk registers are not meant to be records of all the work we did. They’re intended to drive real decisions, and to better prepare leadership for needed actions.
That’s all that a risk register needs to be, and it’s all a risk register should be.
Anything more, and it might just be another act in the long theater play of “risk management.”
Matthew Oleniuk
Matthew Oleniuk is the founder of The Risk Insider, where he helps public sector executives protect ambitious project outcomes by mastering real-world risk leadership. A former Chief Audit Executive, he has provided oversight of billions of dollars in government projects, specializing in uncovering the risks that threaten delivery long before they become public failures.
Download his free Public Sector Project Health Check at theriskinsider.com/healthcheck to find out if hidden dangers are quietly putting your project’s success in jeopardy — or if you still have time to turn it around.
The Risk Blog is a subset of 44Risk PM, LLC and a supporter of 44PM Training Academy.
