The Introduction
Are you maintaining an up-to-date Project Risk Register for your projects?
Hopefully you are following what I wrote in my article on using a Risk Matrix and you downloaded my free risk assessment template. Because the risk register is what comes next!
A well-groomed and maintained risk register is a cornerstone of risk management in any project. It helps project managers and risk owners identify, assess, and respond to risks that threaten our projects.
But there’s one issue with most project teams’ risk registers: they are not maintained, which leads to an ineffective risk register that does not serve the project well.
And this issue can easily be avoided by steering clear of a few common mistakes.
This article explores the critical role of a project risk register within a risk management plan. We will identify key mistakes that may cause your risk register to fall short, and provide solutions to enhance its effectiveness.
Understanding Risk Registers in Risk Management
The first step in developing an effective risk register is to understand the risk register.
Definition and Purpose
A risk register, sometimes known as the risk log (sounds like The Risk Blog 😉), is an essential tool in the field of risk management. PMI defines it in the PMBOK, 7th Edition as:
“A risk register is a repository in which outputs of risk management processes are recorded. Information in a risk register can include the person responsible for managing the risk, probability, impact, risk score, planned risk responses, and other information used to get a high-level understanding of individual risks.” (Pg. 180)
We can tell from this definition that the risk register is a spot to document:
Risk Owners
Probability/Impact
Risk Score
Risk Response
Risk Status
And all other elements related to the risks
The primary purpose of a risk register is to provide a structured approach to identifying and managing risks, ensuring that project teams are well-prepared to handle uncertainties. In the broader context of risk management, risk registers play a pivotal role in staying proactive over reactive in risk identification and response planning.
Components of a Project Risk Register
The risk register typically includes several key items:
Risk Identification
Risk Assessment
Response Strategies
Risk Monitoring and Controlling
Each of these areas serves a specific purpose for the register.
– Risk Identification: Involves cataloging potential risks based on their risk assessment of likelihood and impact.
– Response Strategies: Outlines the planned actions for threats and opportunities by documenting the risk response plan.
– Monitoring and Controlling Risk: The risk owner monitors the risk. This involves tracking and managing the risk throughout the project’s lifecycle, looking for triggers and determining whether the risk turns into an issue.
So far, this seems simple, so what are the common mistakes that people make with their risk registers?
Common Mistakes in Managing a Risk Register
Inadequate Risk Identification
One of the most common mistakes when it comes to a risk register happens right at the beginning of the project.
And that is: Risk Identification.
Failing to identify enough of the risks puts the project and the risk register at immediate risk. This usually happens when the team looks only at the most obvious risks (Known-Knowns) before them and fails to consider the deeper, more significant risks that remain unidentified.
Overcoming this: Project managers should ensure they and their team run through proper risk identification techniques:
Brainstorming
Checklists
Expert Opinion
Etc.
Involving stakeholders and engaging the whole project team (and even those outside the team) can help capture a broader spectrum of risks.
By taking risk identification seriously and making an effort to call in your team, you can easily build a risk register ready for project success.
Misclassification of Risks
Next, we have the frequent mistake of misclassifying risks within the risk register.
This occurs when risks are not properly categorized by their risk assessment. In turn, you get an obscured view of your risk picture, which could easily be well above or well below the risk tolerance.
Project managers should establish clear criteria for categorizing and prioritizing risks to avoid this. This ensures that each risk is accurately described and assessed based on its potential impact and likelihood of occurring.
This clarity is crucial for making informed decisions about resource allocation and risk response.
Understanding the risk, its impact, and its overall classification is necessary to carry out an effective risk management plan.
Lack of Quantitative Risk Analysis
Too often, we, as project managers, rely too heavily on qualitative risk analysis. It’s quick and easy, and it allows us to prioritize project risks.
But this can also lead to a purely subjective evaluation that lacks a complete understanding of the risk picture. To get a more accurate risk severity for the project, an objective comparison and prioritization of the risks is necessary.
This is where quantitative risk analysis becomes necessary for a project.
To address this, quantitative risk analysis techniques need to be added into the risk register assessment. By doing so, you gain a deeper, data-driven analysis for evaluating your risks – allowing for a more precise and actionable response to those risks.
A well-balanced risk management plan should incorporate both qualitative and quantitative assessments to provide a comprehensive view of potential risks.
Failure to Update the Risk Register
You wouldn’t check the weather on Monday for a boating trip on Saturday. The risk of bad weather could pop up before you ever got a foot on the ship.
The same happens to our risk registers. A static risk register that is not regularly checked in on and updated can quickly become outdated.
And you never want an outdated risk register that is, in basic terms, ineffective in managing risks.
Even if the project environment is constantly changing, like in agile, a constant review of the risk register needs to be a high priority.
Simply reviewing the risk register, with the team and risk owners, can help keep track of new risks, status changes, and updated risk responses.
The project manager is responsible for ensuring these reviews are conducted. This does not have to be an extensive process. Simply get in, review the risks, and get out.
Just don’t pencil-whip anything. All changes need to be justified and planned out using qualitative and quantitative risk analysis.
This practice ensures that the risk management plan remains relevant and risk-responsive and stays accurate to the project’s evolving risk profile.
Overlooking Risk Response Strategies
When the improvised explosive device struck the vehicle in my convoy in Afghanistan, every Marine knew what to do. We had a response plan built out, we discussed it, reviewed it, and trained for it.
The same needs to happen with our risk registers. All the work in doing qualitative and quantitative risk analysis could be in vain if a risk response is not built into the plan.
A proper risk register clearly states:
Who is the Risk Owner
What is the Risk Trigger
When to activate the Risk Response
This proactive over reactive approach ensures that the project team is prepared to address risks as they arise. In turn, the project can see a reduction in the likelihood of negative impacts and an increase in the likelihood of positive impacts on project objectives.
Solutions to Enhance Your Risk Register
Just like a good risk register, we are going to provide the proactive way to avoid all the above mistakes.
Comprehensive Risk Identification Techniques
Project managers should never employ just one technique for risk identification. Instead, they should explore each technique while planning their project to find the one that works for the team.
This is especially true when forming a new team. They all need to learn to work together, and the best way to get around the forming phase is to give them multiple ways to identify risks.
The techniques you can use are:
Brainstorming
Risk Checklists
Interviews
Delphi Technique
SWOT Analysis
Root Cause Analysis
Engaging various stakeholders, including team members, clients, and subject matter experts, can provide diverse perspectives and uncover less obvious risks. This inclusive approach helps build a more comprehensive risk register, capturing potential threats that may be overlooked.
Accurate and Clear Risk Descriptions
When describing risks, it is important to write the risk statement in a way that anyone can understand what it means and what has to happen. This is not a time to write in code-speak or to write in a way to “Impress Executive” (I have been told this).
Instead, you need to write down the risk accurately using the “Cause-Risk-Effect” method.
“Due to a lack of clarity in the risk register, the project might fall behind in risk management leading to possible delays in Scope, Time, and Cost”
Above is a clear and accurate statement. We all know that we have a risk around the risk register and need to correct this so the project does not increase costs while losing scope.
Project managers need to ensure that each risk is clearly articulated, specifying its nature, potential causes, and possible consequences. This precision helps develop targeted risk responses and ensures all team members understand the risks involved.
Integrating a Risk Management Tool
During qualitative risk analysis, tools such as heat maps and risk matrixes help build out the initial assessment of risks.
For quantitative risk analysis though, more technology is required to complete the analysis quickly. Examples of the types of Quantitative Risk Analysis are:
Sensitivity Analysis
Decision Tree Analysis
Monte Carlo Analysis
Scenario Analysis
Each of these tools for both qualitative and quantitative risk analysis offers a structured way to assess project risks. Using technology makes the process easier and usually more detailed in a shorter period.
The main goal in using these risk management tools is to update your risk register and to make communicating changes to your stakeholders more effective.
Technology helps bring speed, efficiency, and accuracy to our risk management process. But it is up to you as the PM to interpret and present this data in a way that non-PMs can understand and react to.
Establishing a Regular Review Process
While serving in the Marine Corps, we had established “Battle Rhythms” for units. These were time blocks for specific meetings and events that happen every week, month, quarter, etc. This plan was managed and consolidated so that everyone knew when updates were needed.
PMs should establish a regular working review for their risks. This is essential for maintaining accuracy across the risk register.
These meetings allow you to:
Reassess existing risks
Identify new and potential risks
Update risk response
The team should decide on how often risks are reviewed, whether it be weekly or bi-weekly. I do not recommend going more than three weeks in between meetings as risks and issues can materialize quickly. The longer you wait between meetings, the greater the risk of missing a risk.
Regular reviews help keep the risk management plan aligned with the project’s current status and future outlook. So get those reviews on the calendar!
Developing a Comprehensive Risk Management Plan
The risk management plan is often skipped or completed through a simple “Copy & Paste” from an earlier (not thought out) plan.
A risk management plan is the key to unlocking effective risk management throughout your project. It details the HOW in your risk management procedures surrounding:
Risk Identification
Risk Assessment
Risk Response Planning
Risk Monitoring
Risk Register Template
Risk Meetings
Anything that involves managing risk
This plan is essential to your overall project management plan and is a framework for your team’s success.
A well-developed risk management plan provides a clear roadmap for managing risks throughout the project lifecycle. Its goal is to minimize uncertainty and enhance outcomes for your project.
If you need a sample Risk Management Plan, you can download mine HERE!
Conclusion - Maintain Your Risk Register!
In conclusion, a well-maintained risk register is vital to any successful risk management plan and operation.
Project Managers have an opportunity to enhance their risk management game by avoiding common mistakes such as:
Inadequate Risk Identification
Misclassification of Risks
Lack of Quantitative Risk Analysis
Failure to Update the Risk Register
Overlooking Response Strategies
By simply implementing clear and comprehensive risk management techniques in one’s project, like building and maintaining a robust risk register, PMs can easily combat risks and issues within their project, leading to success and value for their organizations.
An outstanding share! I have just forwarded this on to a colleague who was doing a little homework on this. And he actually bought me dinner simply because I found it for him… lol. So let me reword this…. Thank YOU for the meal!! But yeah, thanks for spending the time to discuss this matter here on your blog.