Documenting Risks

At any given point in time a Project Risk Register should articulate the risk environment across the end-to-end project. This includes deteriorating or emerging risks, issues, risks outside of appetite, risk mitigation and results from aligned Key Risk Indicators.  For this reason, it is almost always a key source of information collected and used during Internal and External Audits, Prudential Reviews, Insurance Program renewals and evaluating program governance. 

While each Risk Manager will likely have a preference on the layout and format of a Project Risk Register based on prior experience and personal preferences; one of the most under looked inclusions is a ‘Status’ column. This can help articulate key information used to monitor each risk but also assist in directing the focus and discussions of Workstream Risk Review sessions as well as provide a valuable audit trail that evidences the periodic review and management of risks. It also provides a 'bridge' to external stakeholders and those unfamiliar with the inner workings of the project to understand exactly what is going on across the project.

Re-arranging the monitoring / tracking fields to the initial few columns of a Risk Register can also help drive and manage discussions within the Workstream Risk Review sessions by bringing the context and background of risks to the forefront. Particularly useful for a large complex project that may have in excess of 200 + risks.

The below is an extract of a format that I personally find particularly useful and works for me.

Other risk monitoring / tracking fields that may be beneficial in a Project Risk Register include:

• Trend / Rating Change – Aside from providing a reference point on the trajectory of the risk, this field in a Risk Register allows the ability to 'filter' and identify risks that have deteriorated over the prior period and may need to be escalated in reporting.
  

• Red / Amber / Green (RAG) Status – By nature and in particular on large projects, certain risks will remain at elevated levels. These generally include High consequence / Low probability risks that while are assessed at comparatively higher levels than other risks, may not be an active concern and within appetite. The introduction of a RAG rating can help differentiate where a risk may be of particular concern. Again, the filtered view can also provide a good overlay to understand which risks may need to be escalated through risk reporting. Or which particular risks may require a focus during review meetings with stakeholders.

Ultimately, each Risk Manager will have their own preferences on what is the best way to track and monitor risks within the Project Risk Register. Some helpful perspectives to take in evaluating the adequacy of the approach include:

• Is it clear within the register the last time a particular risk was reviewed?
  

• Is there a clear articulation on the progress of key treatment actions in reducing potential risk exposure?
  

• If required to review a particular risk within the register, do I have sufficient clarity on the background and key factors influencing the risk?

• Would an external party reviewing the register understand the context / background or rational for a particular risk?