How a risk register can save your project from disaster
January 14, 2022
If you want to be a master project planner, learn to anticipate what could go wrong. Every project comes with risks. The trick is being able to deal with them effectively. And the best way to do this? Prepare, plan, and mitigate. Here’s the core of why you should use a risk register: it’s not about preventing all problems from happening. It’s about being as prepared as possible.
If something does crop up, you’ll be equipped to deal with it efficiently. That way, you can fix things quickly and move on with minimum impact. Ready to create your own risk register? Read on!
So, what is a risk register?
A risk register is a mitigation tool project managers use to identify and monitor potential problems that could arise in a project. These risks are organized into groups, such as ‘likelihood’ and ‘impact.’
Why is this important? Well, if you already have an idea of problems that could develop, you can come up with potential solutions in advance. But not only that; it also helps project managers make important decisions, such as whether to move forward, delay a project, or divert resources to prioritize one risk over another. Let’s take a deeper look.
To start with — what is a risk?
A risk is any uncertain event or condition that could affect at least one aspect of the project if it occurs. To put it even more simply: a risk is anything that could go wrong.
Problems could arise from events within your organization’s control (like a budget change) or external sources (like unplanned delays). The reason they’re called ‘risks’ and not ‘problems’ is because, in many cases, they’re completely out of your hands. Nobody could have predicted them.
And not all risks are bad.
Imagine a product release that goes better than expected. Customers see an influencer using your product on TikTok, and suddenly, they start snapping it up. Your product organically reached a wider audience than you anticipated, meaning you need to up your production level fast. The risk event was positive, but it created a challenge that could affect customer satisfaction if you fail to meet the demand.
In short, if something goes wrong or something unexpected happens, this will affect the overall success of your project. Your options are to either to stop these risks from occurring, or at the very least, mitigate the effects should they occur.
What are the benefits of creating a risk register?
The goal of creating a risk register is to make sure you’re aware of problems before they happen. You’ll know what might go wrong, how it might affect your business, and how much the cost will be. This way, if an issue does arise, you’ll already have an idea of what actions to take to resolve it before it escalates.
Risk register examples
Here are a few common risks that could be included in a risk register:
- Unplanned delays
- Lack of communication between project teams
- Data security issues, such as data sent to wrong destinations, etc.
- Incomplete or inaccurate project specifications documentation
- Incorrect or missing data due to poor research or user input
- Theft of physical assets used in the project
These are just some examples from hundreds of possible issues. A full risk register should contain any threats and hazards associated with your project — and we mean every single one that you can think of.
To find out what other risks may affect your project, speak to colleagues in related fields or go online and read about similar projects. This will give you an idea of the types of risks to look out for, and it should inform your own risk strategy.
How do you create a risk register?
Creating a risk register is generally done at the beginning of the project. It contains all possible risks that could happen, how bad they would be if they did happen, and what needs to be done if they occur. A risk register should include the following:
- Risk identification
- Risk category
- Risk rating
- Risk analysis
- Risk mitigation
- Risk priority
- Risk ownership
- Risk status
Let’s take a look at each of these components in more detail.
Risk identification is a brief yet detailed explanation of what might happen. You should include as much relevant information as possible, such as the exact date and time of an event. Consider whether it can occur more than once and what steps are in place to prevent or control it.
The best way to do this is by asking the question: “What could go wrong?” Next, write down everything that pops into your head, no matter how big or small. Also, include a date with every entry. This allows you to keep track of when you added each risk to the list. As time passes, some events may become more or less likely to occur, so organizing them by date is helpful.
Sort the issues into risk categories. When other stakeholders read your report, it’ll be easier to find the correct information. Example categories include technology, communication, financial, operations, security, quality, and so on. The more you organize risks, the easier it’ll be to find and assess them later.
Here you’ll need to put a number on the likelihood of each risk occurring. This should be based on thorough research — intuition alone won’t do! Your scale could run from 1 to 5, 1 to 10, or ‘very likely’ through ‘not likely.’ Your grading system is up to you, but be consistent.
Top tip: a risk breakdown structure can help you organize your thoughts here
Now, think about the severity of a specific risk if it does occur. How will this problem affect your team or project resources? Will it delay the project? Does it require you to get new data, documentation, or approvals before moving forward?
Some factors to take into account are relative financial costs of different levels of damage, impact on the team, and impact on your customers or stakeholders.
Consider what pre-emptive and post-failure measures you can take to deal with a problem. Can you prevent it altogether or reduce the likelihood of the event occurring? If not, can you reduce the potential impact when the event does occur?
Make sure to prioritize your mitigation strategies; the most critical risk reduction steps should go first! Here’s what we recommend. List a solution for how to lessen the risk, a description of the likely outcomes, and each outcome’s effect on the project.
While some risks will be easy to mitigate, others require more thought. When the problem is more complex, you might want to get more people involved.
Assign the risk a priority level, based on its risk rating and analysis. The lowest-priority risks are ones that will have little or no effect on project objectives. A medium-priority risk could affect one of the main objectives, but may not prove fatal to its success. High-priority risks, however, would likely lead to serious consequences for at least one objective in the short term, and perhaps, in the long term too.
A common way of assessing priority is through scales such as ‘High,’ ‘Medium,’ or ‘Low.’ Use these labels when you’re sure about how probable they are (i.e., when they’re threatening events that are easily preventable).
However, these scales are less reliable when you don’t know the likelihood of an event or they’re highly subject to unpredictable changes. So, keep this in mind, and be flexible and adaptable. No risk is set in stone.
Who owns the risk? Who is responsible for resolving the risk, reducing its probability, or handling the consequences if it does happen? The key to dealing effectively with risks is having each person know what they must do in any given situation. By clearly defining everyone’s roles, you ensure a proactive, more focused response when your team is working under pressure.
Note the risk status to keep track of an issue and whether or not it’s been mitigated. Label a risk as ‘open’ if it’s in assessment and ‘in progress’ if you’re currently dealing with it. Once you successfully handle a risk, label it as ‘closed.’
Risk register best practices:
- Make it a team effort: one person can’t think of everything. The more people you involve in creating your risk register, the more complete it will be.
- Maintain closure: try to keep changes to your risk register to a minimum. If something has been completed or closed, go ahead and archive it. But try not to think about closed issues again unless they’re re-emerging as real risks for whatever reason.
- Keep it updated: risk registers only provide an accurate snapshot of problems that may arise if you update them regularly. For this reason, it’s important to revisit your risk register on a routine basis, even when you don’t have anything to add.
- Have a post-mortem meeting: Every success and failure is a lesson. After you’ve finished the job, gather the team to talk about what you’ve learned. Chances are, you’ll have vital information you can carry forward into your next big project.
If you’re building a risk register from scratch, start by asking your team what worries them most about meeting deadlines and completing tasks. Then, make sure these suggestions become part of your risk register. The more collaborative you can make this document, the better everyone will be at spotting, managing, and taking ownership of risks that could derail your project.
Developing and monitoring a risk register is so much easier with project management software. Since you can automatically update the risk register as the project progresses, you can see exactly how much work is going into mitigating each issue. In the future, you’ll also have a good starting point for managing risk in similar projects.