“Why didn’t we know about this sooner?”
Have you heard this question from a client and felt the stress build up inside you? Finding a solution to an issue after the fact may cause major delays and unnecessary budget increases and no one EVER wants that. What if you could shift your issue and solution management to be more proactive, rather than reactive?
Implementing risk registers into your project risk management process is a great leap in this direction. You’ll thank me later ;)
You may have a tight timeline and a short budget, and you are probably wondering, “Why should I use precious time and budget to create a risk register?”
As a PM, you are essentially a toolbelt equipped with all the PM basics and the many other tools or tricks you've learned along the way. Think of the risk register as one of these many tools to successfully PM a project. I'm Kelly Ostrowercha and have been collecting tools for my tool belt for 10+ years. I can tell ya, it is getting quite heavy but it is worth it.
Understanding the value of risk identification, risk mitigation, and having a contingency plan in place ahead of time has saved me and my clients many uncomfortable conversations and has inevitably extinguished those project fires quickly (and helps me take Fridays off whenever possible!).
It allows me to rest easier knowing my team and I have assessed all the possible risks that may arise during the lifespan of the project.
It may in fact save you time and budget and get you to your relaxing weekend in a timely manner each week. Who doesn’t want that?
What Is A Risk Register In Project Management?
The Project Management Institute identifies a risk register as a document used to track and report on project risks and opportunities throughout the project's life cycle. It is an essential part of your risk management plan.
The plan outlines your process and approach to risk management so key stakeholders understand how it will apply to their project. The risk register is the place where you document this plan and identify all the risks or issues that may occur throughout the lifecycle of the project so the key stakeholders can be aware of any impact on their organization.
The contents of a risk log will vary based on a number of factors such as client needs, project scale and complexity, and the type of project.
Ask yourself these questions to determine what you may need in your risk register, and then keep reading because we have a more in-depth explanation of how to transfer this into an organized risk register.
- Is there a large or small client team?
- How many levels of decision-makers are there?
- Is there a board involved that needs continuous reporting on the project or has high-touch involvement in the decision-making process?
- Does this project impact others within the organization? If so, does your risk plan need to take into account these other impacts?
- Does your client have high attention to detail and want to be in the know about details, or do they trust you and your project team so they can be more hands-off?
- Is there a high or low level of complexity?
- Are there a number of business departments involved in the project?
- Is there a large number of resources involved? This may increase the probability of individual risk.
- Is there high attention to data and/or security requirements?
- How many user groups do you need to account for?
- Is there a large number of features required for the project?
- Has the client already stated there is a high level of identified risk before you even started?
What Is The Purpose Of A Risk Register?
As the project manager, you are responsible for planning for the worst and hoping for the best.
The purpose of the risk register is to allow the project managers to document foresight into potential risks and the impact of those risks, and help plan the critical path as well as various other pathways.
Your responsibility is to avoid or mitigate these identified risks (with the help of your team’s expertise) before they become catastrophic problems that are more difficult or impossible to fix during an in-flight project.
Clients appreciate (and sometimes require) this upfront planning to avoid unnecessary delays or budget increases. If they can be involved in the risk mitigation plans from the client side, there is a high level of trust and they are less likely to play the blame game if an issue does arise.
They can see the effort the project team has put in to make the project successful and mitigate as many risks as possible.
Risk Register Template
If this risk register sounds complex to you so far, have no fear. As always, The DPM experts have your back! Here is a risk register template with varying levels of complexity (you’ll need to be a member to access the template).
After a bit of practice using this risk assessment tool, you can start making this template your own to suit your agency and project process needs.
Barebones Risk Register
Use when the majority of the risks are within the control of the project and client team, and have low impact on other areas of the business.
- ID #: For ease of tracking, each specific risk should have a number attached to it for reference in other tools and/or status reports.
- What could go wrong? This is the potential risk. For example, resource capacity issues within the team may slow our progress and create delays.
- What can we do about it? This is the solution or risk response plan. For example: Create a detailed week-by-week resource plan of when specific resources will be needed.
- Owner: This is the risk owner or risk manager, who is responsible for reporting on risk likelihood or risk impact. They are accountable for solving for the risk and notifying the PM of any changes to the risk.
- Priority: Probability of occurrence. The tiers used in the template are urgent, high, medium, low, and no action required.
- Status: The statuses used in the template are open & planning, open & monitoring, closed, and realized.
Lightweight Risk Register
Use when there are low to mid-level areas of the business that might be impacted and you, your client, and your team have more control of the action plan. The lightweight register includes the same items as the barebones one with the addition of the risk description column. This is a description of what the impact of the risk would be.
Complex Risk Register
Use when there are various areas of the business that may be impacted or which are responsible for the risk. There is a high level of reporting, particularly based on financial impact and severity. The likelihood of these risks may be out of your control, but you need to account for them and gather details from the various owners to report on them.
Before we walk through this one you should understand the difference between inherent risk, residual risk, and secondary risk.
- Inherent risk: The risks identified in achieving a certain objective before responses or controls are actioned.
- Residual risk: Risks that remain even after risk responses or controls have been implemented.
- Secondary risk: A new risk that arises due to the implementation of a risk response to another risk event.
- Risk ID
- Area: The area of the business that will be impacted or that this issue falls under
- Risk Name: Description of the Inherent Risk
- Pre Mitigation Summary: Determined in the planning phase
- Mitigation plan: Detailed plan to avoid or lessen the impact of the risk identified.
- Residual Risk Summary:
- Residual Risk Description
- Severity #
- Severity ($)
- Probability (%)
- Residual #
- Residual ($)
How To Keep Risk Management Transparent
Depending on the PM tool your agency uses, you can incorporate the risk register probability and severity of impact numbers into a visible place for all parties to see on a regular basis.
For example, if you are using Asana, it could be added to the status report you send to the client, or you can move out of a spreadsheet and create a risk register right in the tool as a linked project page.
Expert Tip: If you don’t need a complex risk register template, you can create a card on your project plan within whichever PM tool you use, and add the risks as sub-items for a lightweight way to track them. This way, you and your team can write comments back and forth more cleanly than in a spreadsheet, to talk through solutions or flag a change in the level of severity or priority.
Using the risk register as a risk logging exercise or checking in with your team and clients allows for more transparency, and keeps everyone in the know, which fosters trusting partnerships.
Treat risk as you would budget, time and scope. Regularly review it in your status meetings and make it part of your status report so all involved are aware of their accountabilities and there are minimal surprises for the client or team that cause a project to halt or a relationship to be tarnished.
Use a risk matrix to help you with the risk analysis and identify the level of impact. Our example here is a great place to start (you’ll need to be a member to access this download).
Steps To Create A Risk Register
The risk register is not only great for PMs to stay on top of the probability of impacts of the project but it is also a great way to elicit the skills and minds of your team to identify and complete a risk analysis. You may not have the expertise to identify all the potential risks that may occur, so make it a team exercise in the planning phase of the project.
Have a separate conversation with your client team and complete the same exercise. They can help to identify the risks coming from their side, including risk rating or risk score, risk category, a response plan, and additional risk information for the ones your team has identified. Getting everyone involved and thinking like a project manager and having a full understanding of the objectives and consequences is never a bad idea.
If getting in a room is an option, have a whiteboard session (I love a good sticky notes brainstorm session!), but there are many tools that are good for video exercises such as Zoom whiteboard and Miro.
Here’s a sample agenda for the risk register meeting exercise for client and project team.
Purpose of meeting: To identify risks, conduct a risk analysis to assess their probability and impact, brainstorm mitigation plans, and set a risk owner who will be accountable for each.
- Everyone to brainstorm potential risks on their own
- Come together to share risks and identify duplicates (duplicates are important as the most identified risks are likely to be the high impact risks)
- Set the impact level of each risk
- Identify the solutions or mitigation plan(s) for all risks
- Set an owner
Hot tip! Depending on the number of risks in your log, you could categorize them by the phase in which they have the highest chance of occurring, for better organization.
I recommend completing a client and a team risk planning meeting separately. Once you have a fully vetted list, you can review it with your client and make any changes to the impact based on their own organizational knowledge and level of priority.
If you feel comfortable having the client and the internal team in the same session it is a great opportunity to start building trust on both sides for the client, and to allow them to see your team's expertise and strategic minds in action!
Our templates are a great place to start to kick off these brainstorm sessions. Once you start using them you can identify any columns or labeling that would suit your agency language or process in a more unique way.
Ready, Set, Go!
As project managers we have the unique ability to hold information, make connections and plans, and adjust scenarios, sometimes all at once, in our organized brains. The risk register allows us to lighten that weight on our minds and log it, assess it with others, and document the accountability for everyone to see so it doesn’t weigh all on us.
Risk identification and risk analysis not only allow you to shift your planning approach to be proactive, but they also allow you and your project team to learn from mistakes and tackle them differently in the future. Issues happen. It is a part of every project, but putting in the time up front will likely save you that precious time and budget later on.
Get your project and client teams involved in creating the risk log. It will go a long way in building trust and ensuring everyone knows what they are accountable for.