Understanding the Fundamentals of a Risk Register

The Fundamentals

A risk register is regarded as one of the most important documents and processes in operations management. The risk register often seems simple; however, it contains some of the organization's most important and crucial information, which enables management to understand the risks and the required mitigation strategies. It is important to understand that the risk register is a living document and will be continuously updated; therefore, risks and their mitigations will evolve and change over the life of a project, an asset, a cyber program, a supplier, and the enterprise.

The goal of risk management is to identify and control the risks that are most likely to impact operations, and this is where the Risk Register becomes heavily relied on. A successful risk management process will have a risk register in place to consolidate risk information and map out a game plan before the risks are realized, which will minimize negative impacts on the enterprise.

Getting Started

The first step is to identify risk categories and elements, followed by risk events with associated drivers and mitigation actions. This is often a daunting task for managers because they are typically staring at an empty Excel spreadsheet and have a million risk scenarios running through their minds. With that said, experience as a manager is a great benefit in getting the risk register started. Inexperienced managers may consider reviewing old risk registers to gain a better understanding of how to properly complete a risk register. Risk management software, such as ARETE’s Risk Assessment Profiler (RAP), provides a centralized online system to administer your organization’s risk registers.

Key Attributes

Risk registers are likely to vary in size, complexity, and data collection between companies and sub-organizations. It’s not a one-size-fits-all solution. The terminology and data collected may be different; however, the purpose of maintaining a risk register, to manage and mitigate risks, is constant for all organizations. Having the ability to drill deep into each risk category, element, and event gives the team the knowledge needed to make better-informed risk management decisions.

The following are key attributes that all Risk Registers should have:

  • Risk Category – This is where the categorical risks are identified from the initial assessment. As an example, for capital projects the categories are scope, permitting, environmental, resources, construction, or other relevant risk categories. Using these categories helps classify each risk and group related risks together for reference.
  • Risk Element – A risk element is broad in scope but gives a further description of the risk. Examples of risk elements for capital projects are site location, constructability, electrical design, climate, etc.
  • Risk Event – The underlying event that causes the risk to be recognized. An example of a risk event is: a disgruntled site owner from whom the company is trying to purchase land or right-of-way.
  • Risk Driver – The driving factor(s) that cause the risk event to materialize. An example of a risk driver is: the site owner is unwilling to sell land or right-of-way to the company at a reasonable cost.
  • Consequences – The repercussions of the risk event if it comes to fruition. An example of a consequence is: the need to consider alternative routes to complete the project.
  • Risk Type – Types of risk include schedule, budget, safety, and other.
  • Risk Status – The current status of the risk event (i.e. In progress, completed, not started).
  • Mitigation Actions – These are the actions to be taken by the project team to prevent the risk from occurring, or the steps that are planned to mitigate the risk. For example, identify all alternative routes, project alignments, and rights-of-way.
  • Risk Owner – This is the person responsible for managing the risk and implementing the mitigation actions. Risk owners can be the project manager, project team member, project sponsor, or stakeholders.
  • Impact – The potential schedule and budget impact on the project if the risk occurs. For example, 60-day schedule impact and $500,00 budget impact.
  • Probability – The estimated likelihood or probability that the risk will occur at some point and become a project issue. These can be displayed in a qualitative or quantitative manner. For example, Almost Certain (90%), Likely (70%), Possible (50%), Unlikely (30%), and Rare (10%).
  • Class – This is where you would classify the risk as a threat or an opportunity. It’s important to capture not only the threats that negatively impact a project but also the opportunities that can save money and time.

Risk Register Innovation

The majority of risk registers you’ll see today are administered and managed in spreadsheets. After the project is complete, the risk register typically collects dust in a file on someone’s computer and is never utilized again. Having a software solution allows all members of the team to access, view, edit, and manage the risk register at any given moment.

“One has to look at the Risk Register as the cornerstone of a successful comprehensive risk program.  Successful risk programs utilize qualitative risk analysis, simulations, quantitative risk analysis, with the Risk Register as the foundation of the process.”  – Carlos Mendizabal, President of ARETE

For additional information on ARETE’s Risk Assessment Profiler software email us at info@arete-inc.com or call (888) 99-ARETE.