Risk register: Difference between revisions
Content deleted Content added
Kenmckinley (talk | contribs) No edit summary |
→Criticism: - Added comma |
||
| (160 intermediate revisions by more than 100 users not shown) | |||
| Line 1: | Line 1: | ||
{{Short description|Document used as risk management tool, acting as a repository for all identified risks}} |
|||
A '''risk register''' is a tool commonly used in [[project planning]] and organisational [[risk assessments]]. It is often referred to as a '''Risk Log''' (for example in [[Prince2]]). |
|||
[[File:Hou710 RiskLog.svg|thumb|A '''Risk register''' plots the impact of a given risk over of its probability. The presented [[Risk register#example|example]] deals with some issues which can arise on a usual Saturday-night party.]] |
|||
A '''risk register''' is a document used as a [[risk management]] tool and to fulfill [[regulatory compliance]] acting as a repository{{sfn|Project Management Institute|2021|loc=§4.6.2 Logs and Registers}} for all risks identified and includes additional information{{sfn|Project Management Institute|2021|loc=§4.6.2 Logs and Registers}} about each risk, e.g., nature of the risk, reference and owner, [[wikt:mitigation|mitigation]] measures. It can be displayed as a [[scatterplot]] or as a table. |
|||
[[ISO]] 73:2009 Risk management—Vocabulary<ref>{{Cite web|url=https://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/04/46/44651.html|title=ISO Guide 73:2009|website=ISO}}</ref> defines a risk register to be a "record of information about identified risks". |
|||
This tool is widely used within [[Risk Management]] for identifying, analysing and managing risks. In this context a project risk is essentially an uncertain event that, should it occur, will have an impact on the project (this could be positive or negative). |
|||
==Example== |
|||
It contains the information on the identified and collected project risks that the project team identifies when estimating and adjusting the activity durations for risks. |
|||
Risk register of the project "barbecue party" with somebody inexperienced handling the grill, both in table format (below) and as plot (right). |
|||
{| class="wikitable" border="1" |
|||
|- |
|||
! Category |
|||
! Name |
|||
! RBS ID |
|||
! Probability |
|||
! Impact |
|||
! Mitigation |
|||
! Contingency |
|||
! Risk Score after Mitigation |
|||
! Action By |
|||
! Action When |
|||
|- |
|||
| Guests |
|||
| The guests find the party boring |
|||
| 1.1. |
|||
| low |
|||
| medium |
|||
| Invite crazy friends, provide sufficient liquor |
|||
| Bring out the [[karaoke]] |
|||
| 2 |
|||
| |
|||
| within 2hrs |
|||
|- |
|||
| Guests |
|||
| Drunken brawl |
|||
| 1.2. |
|||
| medium |
|||
| low |
|||
| Don’t invite crazy friends, don't provide too much liquor |
|||
| Call 911 |
|||
| x |
|||
| |
|||
| Immediately |
|||
|- |
|||
| Nature |
|||
| Rain |
|||
| 2.1. |
|||
| low |
|||
| high |
|||
| Have the party indoors |
|||
| Move the party indoors |
|||
| 0 |
|||
| |
|||
| 10mins |
|||
|- |
|||
| Nature |
|||
| Fire |
|||
| 2.2. |
|||
| highest |
|||
| highest |
|||
| Start the party with instructions on what to do in the event of fire |
|||
| Implement the appropriate response plan |
|||
| 1 |
|||
|Everyone |
|||
| As per plan |
|||
|- |
|||
| Food |
|||
| Not enough food |
|||
| 3.1. |
|||
| high |
|||
| high |
|||
| Have a buffet |
|||
| Order pizza |
|||
| 1 |
|||
| |
|||
| 30mins |
|||
|- |
|||
| Food |
|||
| Food is spoiled |
|||
| 3.2. |
|||
| high |
|||
| highest |
|||
| Store the food in deep freezer |
|||
| Order pizza |
|||
| 1 |
|||
| |
|||
| 30mins |
|||
|} |
|||
== Terminology== |
|||
The project team considers the extent to which the effects of risks are included in the baseline duration estimate for each schedule activity, particularly the risks with |
|||
high impact. |
|||
A Risk Register can contain many different items. There are recommendations for Risk Register content made by the [[Project Management Institute]] Body of Knowledge ([[PMBOK]]) and [[PRINCE2]]. [[ISO 31000|ISO 31000:2009]]<ref>{{cite web |url=http://www.iso.org/iso/home/standards/iso31000.htm|title= Risk management standards|website=www.iso.org|access-date=2020-08-10}}</ref> does not use the term risk register, however it does state that risks need to be documented. |
|||
==Example contents== |
|||
A wide range of contents for a risk register exist and recommendations are made by the [[Project Management Institute]] Body of Knowledge ([[PMBOK]]) and [[Prince2]] among others. In addition many companies provide software tools that act as risk registers. Typically a risk register contains: |
|||
* A description of the risk |
|||
* The impact should this event actually occur |
|||
* The [[probability]] of its occurrence |
|||
* A summary of the planned response should the event occur |
|||
* A summary of the [[mitigation]] (the actions taken in advance to reduce the probability and/or impact of the event) |
|||
There are many different tools that can act as risk registers from comprehensive software suites to simple spreadsheets. The effectiveness of these tools depends on their implementation and the organisation's culture.{{citation needed|date=October 2015}} |
|||
==Useful terminology== |
|||
In a "'''qualitative'''" risk register descriptive terms are used: for example a risk might have a "High" impact and a "Medium" probability. |
|||
A typical risk register contains: |
|||
In a "'''quantitative'''" risk register the descriptions are enumerated: for example a risk might have a "£1m" impact and a "50%" probability. |
|||
* A risk category to group similar risks |
|||
* The risk breakdown structure identification number |
|||
* A brief description or name of the risk to make the risk easy to discuss |
|||
* The ''impact'' (or ''consequence'') if event actually occurs rated on an [[integer]] scale |
|||
* The ''[[probability]]'' or [[likelihood]] of its occurrence rated on an [[integer]] scale |
|||
* The ''Risk Score''{{sfn|Project Management Institute|2021|loc=§4.6.2 Logs and Registers}} (or ''Risk Rating'') is the multiplication of Probability and Impact and is often used to rank the risks. |
|||
* Common ''mitigation steps'' (e.g. within IT projects) are Identify, Analyze, Plan Response, Monitor and Control. |
|||
The risk register is called "'''qualitative''' if the probabilities are estimated by ranking them, as "high" to "low" impact. It is called |
|||
"'''quantitative'''" both the impact and the probability is put into numbers, e.g. a risk might have a "$1m" impact and a "50%" probability. |
|||
Contingent response - the actions to be taken should the risk event actually occur. |
Contingent response - the actions to be taken should the risk event actually occur. |
||
| Line 27: | Line 111: | ||
Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger) |
Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger) |
||
== |
==Criticism== |
||
Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota's risk register listed reputation risks caused by Prius' malfunctions but the company failed to take action.<ref name="Drummond">Drummond, Helga. "MIS and illusions of control: an analysis of the risks of risk management''. Journal of Information Technology (2011) 26, 259–267. {{doi|10.1057/jit.2011.9}}</ref> Risk registers often lead to ritualistic decision-making,<ref name="Drummond" /> [[illusion of control]],<ref>Lyytinen, Kalle. "MIS: the urge to control and the control of illusions – towards a dialectic". Journal of Information Technology (2011) 26, 268-270 (December 2011). {{doi|10.1057/jit.2011.12}}</ref> and the fallacy of misplaced concreteness: mistaking the map for the territory.<ref name="Budzier">Budzier, Alexander. "The risk of risk registers – managing risk is managing discourse not tools". Journal of Information Technology (2011) 26, 274-276 (December 2011), {{doi|10.1057/jit.2011.13}}</ref> However, if used with common sense, risk registers are a useful tool to stimulate cross-functional debate and cooperation.<ref name="Budzier" /> |
|||
==See also== |
|||
*[[Risk]] |
*[[Risk]] |
||
*[[Event chain methodology]] |
*[[Event chain methodology]] |
||
*[[Risk Breakdown Structure]] |
|||
*[[Risk management tools]] |
|||
*[[Issue log]] |
|||
*[[Failure mode and effects analysis]] |
|||
*[[Failure mode, effects, and criticality analysis]] |
|||
* [[PRINCE2]], utilizes a risk register |
|||
== |
==References== |
||
{{reflist}} |
|||
*[http://www.pmi.org PMI.org] |
|||
*[http://www.ogc.gov.uk/methods_prince_2.asp Prince2] |
|||
== |
==Further reading== |
||
*{{cite book |
|||
* [http://www.intaver.com RiskyProject] - Quantiative risk management using Event chain methodology by Intaver Institute Inc. |
|||
| author = Tom Kendrick |
|||
* [http://www.pertmaster.com Pertmaster project risk] - Project risk analysis by Pertmaster |
|||
| year = 2003 |
|||
* [http://www.palisade.com @Risk for Project] - project risk analysis by Palisade Corporation |
|||
| title = Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project |
|||
* [http://www.deltek.com Risk+ and WelcomRisk] - quantitative and qualitative risk management software by Deltek |
|||
| publisher = AMACOM/American Management Association |
|||
* [http://www.strategicthought.com StrategicThought] - quantitative and qualitative risk management software by StrategicThought |
|||
| isbn = 978-0-8144-0761-5 |
|||
| url-access = registration |
|||
| url = https://archive.org/details/identifyingmanag00tomk |
|||
}} |
|||
*{{cite book |
|||
| author = David Hillson |
|||
| year = 2007 |
|||
| title = Practical Project Risk Management: The Atom Methodology |
|||
| publisher = Management Concepts |
|||
| isbn = 978-1-56726-202-5 |
|||
}} |
|||
*{{cite book |
|||
| author = Kim Heldman |
|||
| year = 2005 |
|||
| title = Project Manager's Spotlight on Risk Management |
|||
| publisher = Jossey-Bass |
|||
| isbn = 978-0-7821-4411-6 |
|||
}} |
|||
*{{cite book |
|||
| author = Robert Buttrick |
|||
| year = 2009 |
|||
| title = The Project Workout: 4th edition |
|||
| publisher = Financial Times/ Prentice Hall |
|||
| isbn = 978-0-273-72389-9 |
|||
}} |
|||
*{{cite book |
|||
| author = Lev Virine and Michael Trumper |
|||
| year = 2007 |
|||
| title = Project Decisions: The Art and Science |
|||
| publisher = Management Concepts. Vienna, VA |
|||
| isbn = 978-1-56726-217-9 |
|||
}} |
|||
*{{cite book |
|||
|last=Project Management Institute |
|||
|title=A guide to the project management body of knowledge (PMBOK guide) |
|||
|date=2021 |
|||
|others=Project Management Institute |
|||
|isbn=978-1-62825-664-2 |
|||
|edition=7th |
|||
|location=Newtown Square, PA |
|||
}} |
|||
*{{cite book |
|||
| author = Lev Virine and Michael Trumper |
|||
| year = 2013 |
|||
| title = ProjectThink: Why Good Managers Make Poor Project Choices |
|||
| publisher = Gower Pub Co |
|||
| isbn = 978-1409454984 |
|||
}} |
|||
*[https://www.mudassiriqbal.net/riskregister-vs-riskreport/ Risk Register vs Risk Report (PMP/CAPM) by Mudassir Iqbal, February 8, 2019.] |
|||
{{Authority control}} |
|||
{{DEFAULTSORT:Risk Register}} |
|||
[[Category:Project management]] |
|||
[[Category:PRINCE2]] |
|||
[[Category:Risk management]] |
|||
Latest revision as of 15:34, 8 November 2024
A risk register is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository[1] for all risks identified and includes additional information[1] about each risk, e.g., nature of the risk, reference and owner, mitigation measures. It can be displayed as a scatterplot or as a table.
ISO 73:2009 Risk management—Vocabulary[2] defines a risk register to be a "record of information about identified risks".
Example
[edit]Risk register of the project "barbecue party" with somebody inexperienced handling the grill, both in table format (below) and as plot (right).
| Category | Name | RBS ID | Probability | Impact | Mitigation | Contingency | Risk Score after Mitigation | Action By | Action When |
|---|---|---|---|---|---|---|---|---|---|
| Guests | The guests find the party boring | 1.1. | low | medium | Invite crazy friends, provide sufficient liquor | Bring out the karaoke | 2 | within 2hrs | |
| Guests | Drunken brawl | 1.2. | medium | low | Don’t invite crazy friends, don't provide too much liquor | Call 911 | x | Immediately | |
| Nature | Rain | 2.1. | low | high | Have the party indoors | Move the party indoors | 0 | 10mins | |
| Nature | Fire | 2.2. | highest | highest | Start the party with instructions on what to do in the event of fire | Implement the appropriate response plan | 1 | Everyone | As per plan |
| Food | Not enough food | 3.1. | high | high | Have a buffet | Order pizza | 1 | 30mins | |
| Food | Food is spoiled | 3.2. | high | highest | Store the food in deep freezer | Order pizza | 1 | 30mins |
Terminology
[edit]A Risk Register can contain many different items. There are recommendations for Risk Register content made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2. ISO 31000:2009[3] does not use the term risk register, however it does state that risks need to be documented.
There are many different tools that can act as risk registers from comprehensive software suites to simple spreadsheets. The effectiveness of these tools depends on their implementation and the organisation's culture.[citation needed]
A typical risk register contains:
- A risk category to group similar risks
- The risk breakdown structure identification number
- A brief description or name of the risk to make the risk easy to discuss
- The impact (or consequence) if event actually occurs rated on an integer scale
- The probability or likelihood of its occurrence rated on an integer scale
- The Risk Score[1] (or Risk Rating) is the multiplication of Probability and Impact and is often used to rank the risks.
- Common mitigation steps (e.g. within IT projects) are Identify, Analyze, Plan Response, Monitor and Control.
The risk register is called "qualitative if the probabilities are estimated by ranking them, as "high" to "low" impact. It is called "quantitative" both the impact and the probability is put into numbers, e.g. a risk might have a "$1m" impact and a "50%" probability.
Contingent response - the actions to be taken should the risk event actually occur.
Contingency - the budget allocated to the contingent response
Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger)
Criticism
[edit]Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota's risk register listed reputation risks caused by Prius' malfunctions but the company failed to take action.[4] Risk registers often lead to ritualistic decision-making,[4] illusion of control,[5] and the fallacy of misplaced concreteness: mistaking the map for the territory.[6] However, if used with common sense, risk registers are a useful tool to stimulate cross-functional debate and cooperation.[6]
See also
[edit]- Risk
- Event chain methodology
- Risk Breakdown Structure
- Risk management tools
- Issue log
- Failure mode and effects analysis
- Failure mode, effects, and criticality analysis
- PRINCE2, utilizes a risk register
References
[edit]- ^ a b c Project Management Institute 2021, §4.6.2 Logs and Registers.
- ^ "ISO Guide 73:2009". ISO.
- ^ "Risk management standards". www.iso.org. Retrieved 2020-08-10.
- ^ a b Drummond, Helga. "MIS and illusions of control: an analysis of the risks of risk management. Journal of Information Technology (2011) 26, 259–267. doi:10.1057/jit.2011.9
- ^ Lyytinen, Kalle. "MIS: the urge to control and the control of illusions – towards a dialectic". Journal of Information Technology (2011) 26, 268-270 (December 2011). doi:10.1057/jit.2011.12
- ^ a b Budzier, Alexander. "The risk of risk registers – managing risk is managing discourse not tools". Journal of Information Technology (2011) 26, 274-276 (December 2011), doi:10.1057/jit.2011.13
Further reading
[edit]- Tom Kendrick (2003). Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project. AMACOM/American Management Association. ISBN 978-0-8144-0761-5.
- David Hillson (2007). Practical Project Risk Management: The Atom Methodology. Management Concepts. ISBN 978-1-56726-202-5.
- Kim Heldman (2005). Project Manager's Spotlight on Risk Management. Jossey-Bass. ISBN 978-0-7821-4411-6.
- Robert Buttrick (2009). The Project Workout: 4th edition. Financial Times/ Prentice Hall. ISBN 978-0-273-72389-9.
- Lev Virine and Michael Trumper (2007). Project Decisions: The Art and Science. Management Concepts. Vienna, VA. ISBN 978-1-56726-217-9.
- Project Management Institute (2021). A guide to the project management body of knowledge (PMBOK guide). Project Management Institute (7th ed.). Newtown Square, PA. ISBN 978-1-62825-664-2.
{{cite book}}: CS1 maint: location missing publisher (link) - Lev Virine and Michael Trumper (2013). ProjectThink: Why Good Managers Make Poor Project Choices. Gower Pub Co. ISBN 978-1409454984.
- Risk Register vs Risk Report (PMP/CAPM) by Mudassir Iqbal, February 8, 2019.