Activity 7
Risk register

Figure 1.10 The risk management cycle

Overview

A risk register or risk log is a common tool used within project management. It is used to record and manage all risks, actions and responsibilities in relation to a category project or programme. It is applied within category management as a way of understanding on a daily basis the potential likelihood and impact of each risk and ergo how it might be controlled or mitigated.

There are numerous formats available. The document may be either qualitative or quantitative, dependent upon the ranking method used; for example a qualitative approach may assess risk as either ‘high’, ‘medium’ or ‘low’, while a quantitative system will view risk more numerically, such as with probability percentages. It is possible to mix qualitative with quantitative assessment, although care must be taken in doing so, in order to ensure standardisation of the various analyses.

Elements

To establish a risk register, a facilitated workshop is considered best practice. This way, all category team members and wider stakeholders can assist in the identification of risks that may be associated with a particular category management programme and consequently could have an impact on cost, time or performance. Where possible, information from the team should also be obtained on the impact of the risk and the likelihood of its occurrence.

Once developed, the risk register should be made available to all category team members to actively encourage reporting and resolution activity. Ideally only a small number of individuals should be responsible for managing and updating the document itself. This ensures that an accurate tracking approach to risk is undertaken.

There are many variations and examples of risk registers. The majority contain the following elements at a minimum:

• Identification of risks – A short name or number to identify the risk quickly.
• Ranking – A priority list which is determined by the relative ranking of the risks.
• Status – A report on the current standing of the risk (i.e. whether the risk is increasing, decreasing, static, under review or dead).
• Description – A fuller description of the risk which should cover the main characteristics (e.g. how it is likely to proceed in terms of pace and severity).
• Metrics – Information relating to potential impact, probability and proximity.
• Responsibility – Named individuals attached to ownership/accountability, delegated responsibility and rectification.
• Mitigation action – The actions that need to take place in order to control the risk.
• Completion date – The date by which the mitigating action will have taken place.

Risk registers should be version controlled and reviewed on a regular basis if they are to be effective.

So what?

A structured approach to risk assessment can highlight areas of potential danger at an early stage in the category management process. This not only supports mitigation but also assigns visible ownership, placing pressure on those responsible to carry out the necessary activity as soon as it is practicable or at the very latest by the stated completion date in the risk register/log.

While it is important to involve as many stakeholders in the risk assessment process as possible, some category management authors also advocate that suppliers be involved, but this will clearly need to be based on the relevancy and maturity of the relationship.

Category management application

• Establishes a group consensus of potential programme risks
• Identifies and describes risks associated with the category management process
• Provides a mechanism for managing risks via allocation of ownership
• Fends off potential issues at an early stage

Limitations

Risk registers/logs are used not only within project scenarios but also within organisations more generally. They are widely acknowledged as a positive influence within the working environment; however, research has found that they can in some instances lead to an ‘illusion of control’, which can result in complacency and risks not being dealt with adequately.

There has also been much academic research and accompanying criticism in relation to the effort required to manage and administer the risk register – the main thrust of the argument being that it can become ‘an industry’ tying up many valuable resources. This appears to be especially true of organisations with a risk-averse culture.

It should be remembered that risk registers demand constant review, and unless a rigorous monitoring process is undertaken on a regular basis, the document can become nonfunctional with out-of-date information, which in turn may divert focus away from critical areas.

Template

The following template can be used to assess risks that may occur during a category project:

• Template 7: Risk register