Risk Management is an extremely important part of Project Management. In fact Risk Management is a very big industry in its own right. Depending upon the type of project, the significance put towards risk management seems to vary in the real world.
At the heart of Risk Management is an artifact called Risk Register. In this post we'll look at the basics of Risk Register, its various attributes and its progression through the various steps of management of the risks.
Primary Goals of a Risk Register
The Risk Register aims to do the following:
- Identify and record all risks related to a project.
- Gather relevant information on each of the risks.
- Capture derived information based on analysis and prioritization of the risks.
- Capture mitigation strategies planned for the risks.
- Track the status of each of the risks.
Attributes of a Risk (and Risk Register)
Based on the goals of a Risk Register (as identified above), it is clear that it captures various attributes of a risk through its management process, which may act as inputs to future stages of processing and mitigation of a risk. Thus we need to look at the attributes of a risk (both original as well as derived and assigned ones).
- Id - An identifier that uniquely identifies a risk.
- Name/Title - A name or title for easy addressing of the risk.
- Description – A detailed description of the risk, which should help in further processing of the risk.
- Status – The current status of the risk. For instance, “New”, “Prioritized”, “Closed” etc.
- Category – Categorization of the risk based on things like source, system, most probable time of impact, mitigation strategy etc.
- Probability/Frequency – A rating of probability or frequency of occurrence. For a simple case, you can use a scale of 0 – 5 (low to high).
- Impact - A rating of impact of the risk on the project in case it realizes. For a simple case, you can use a scale of 0 – 5 (low to high).
- Risk Composite Index – An index calculated based on a defined formulation using Probability and Impact ratings. For a simple case the calculation is Probability * Impact. The higher the value, the higher the priority that the risk gets for its planning, mitigation and/or resolution.
- Mitigation Action – This is the set of action to be taken to mitigate the risk.
- Contingency Action – This is the set of actions to be taken if the risk ever materializes.
- Owner – The current owner of the risk. This person is responsible for the Contingency action, should the risk come alive.
All these attributes constitute what we collectively call the Risk Register. The attributes essentially become entries into the Risk Register. Below is a sample Risk Register showing the attributes involved.
However, all the attributes are not collected at one time. They get collected and entered into the Risk Register through the various steps of Risk Management. In the next post, we’ll look into how the Risk Register is built by collecting and deriving information through the various steps of Risk Management.