In the last post Part 1 we began a review of some sample risk registers which are publicly available and excerpted in this Risk Register-Risk Log Examples pdf.
The third risk register example, like the second, seems quite good as a practical tool. It does have a column beside the Likelihood and Consequence to calculate the resultant risk ranking (‘risk grade’ as they call it). I’m not sure about how they’re using risk category; also, there’s nothing on tolerance or controls.
But what jumps out at me is how they are using the Describe Risk column (circled). In the first item I count at least 5 issues that could be separate risk statements. That would be better, otherwise you don’t know what you’re assessing. If you compiled a list of 50 risks in a similar discursive manner, you would have a lot of text impossible either to rank accurately, or effectively manage.
In this case, where they are talking about developing courses overseas, some analysis offline might let them formulate precise risk statements addressing upstream causes. Then they could devise mitigation plans to engage with the foreign university and help ensure the viability of the offshore activity. But the concept of risk implied here is not one focused on objectives; but rather the traditional one of exposure to assets.
Back to our review of sample risk registers. The last one has the sixth column labeled Contingency/Action. There is a difference, and it’s helpful to sort out all the various ways to respond to risk. For example, people often characterize risk financing as a transfer of risk – it’s not.
In any case, these finer distinctions are not indicated in this particular risk register. Nor (like two of the others) does it have columns for controls, tolerance, and the valuation and allocation of residual risks, which you would need in a project management risk register.
In conclusion, this review of sample risk registers shows that risk managers need to pay attention to detail in two ways:
a. Number of Columns. The number of columns will generally indicate the depth of analysis and must correspond to the business requirements. Too few columns will give you just lists of general information, without incisive analysis to support decision-making, or ways to track progress on mitigation.
b. Column Labels. Column headings are telling, and the examples discussed revealed some confusion in the interpretation of terms. Your choice of headings should reflect a clear idea of the risk process.
The new Risk & Insurance Management Society online course Special Case Studies in Risk Management contains a fuller discussion of the risk register, its associated ERM tools and templates, and the implications for selecting ERM software. We provide a comprehensive risk register for project management and discuss each of the 17 columns of analysis in detail.