Another highlight (IMHO) of the Risk Symposium was Eldon F. Jones’ presentation on “Risk Register – What is it and How is it used?”
What is a Risk Register?
A Risk Register is a document that lists “all identified risks, including description, cause, probability of occurring, impact(s) on objectives, proposed responses, owners, and current status” per Mr. Jones. It is an output of the Risk Management Plan.
I have used a variety of Risk Registers, and they can be as simple or detailed as you need them to be, depending on your project. If you want to start doing some Risk Management, I suggest these as the minimum features of the register:
- Description of Risk
- Level of Impact on the objectives (rated Low, Medium, High)
- Probability of Occurring (rated Low, Medium, High)
- Mitigation (What we’re doing now to prevent it / what we will do if it occurs)
It’s just enough to identify what to look out for and not so much to overwhelm anyone you show the register to, especially upper management!
Eldon Jones’ approach would be good for a very large project / program, since he recommends Risk categories such as:
- Technical, Quality, Performance (Hardware, software, integration) risks
- Project management risks
- Organization risks
- External risks
He also includes scales for qualitative risk analysis, where the values are “placeholders – the scale levels are only rank ordered”. Probability scales are only “indicators… or guesses, not true probability values.”
Risk Impact, he suggests, should also be scaled, with the ranges of probability linked to quantitative ranges of cost, scope, time and quality. For example, if the impact on cost is a 5 – 10% change, then the probability may be greater than 15 and up to 45% (equivalent to Medium Risk Impact).
Mr. Jones’ Risk Register includes WBS IDs, Risk Category (such as Client, Human Resource, Mother Nature, Technology), Risk Status, Impact (Scope, Cost, Time, Quality) and Response.
One interesting approach to Response is to distinguish the risk as a Threat or an Opportunity, since different responses would be used. For a Threat, the strategies would be to either Accept, Avoid, Transfer or Mitigate. For an Opportunity, the choice would be to Accept, Exploit, Share, or Enhance. As the Register is regularly reviewed, the risk events are evaluated for probability estimates and the Responses.
Risks should be retired once the threat has passed – wouldn’t it be great to cross one off the list?
Next: More on Project Opportunities and Risk from Tom Kendrick