Maintaining your own project risk register
Managing risk on your project is as easy as maintaining a spreadsheet, along with a good communication strategy. The central deliverable in risk management is a "risk register" - a list of all risk that you have identified for the project.
A good risk register will include the following components:
- Risk ID. Uniquely identifies the risk
- Risk Title. Short descriptive name for the risk. This is how you will refer to your risk in executive status reports.
- Risk Description. Full description of the risk and its projected impacts.
- At Risk. Lists specific project milestones or estimates that are at risk. This allows you to quickly pivot your list on a particular milestone to obtain a "total risk" for a particular target date.
- Date Created. Date risk added to register or first identified.
- Date Modified. Date risk last modified. This is especially important when including risk updates on executive status reports or in a weekly status meeting with your team.
- Owner. Individual most directly responsible for risk and risk outcome. This is the person that will likely be advocating any proposed risk mitigation strategies.
- Risk Probability. Numeric characterization of the likelihood of the risk event occurring. Risks probabilities should typically range from 1 (least likely) to 5 (most likely).
- Risk Impact. Numeric characterization of the severity of the impact this risk event would have if it does occur. Risk impacts should typically range from 1 (least impactful) to 5 (most impactful).
- Risk Rating. Obtained by multiplying the risk probability by the risk impact. The value of the risk rating is indicative of the urgency with which this risk should be addressed.
- Status. Status of this risk. The list of values can be fine-tuned based on your particular project's needs, but should probably include "1 - Open", "2 - Mitigation Strategy Identified", "3 - Mitigation Strategy Executed", and "4 - Closed".
- Mitigation Strategy. Description of the strategy or strategies that have been determined will be utilized (or have already been utilized) to mitigate or address the risk's occurrence. Stategies should be identified for all new risks as they are identified, regardless of whether the risk has actually been triggered or not.
- Notes. Narrative risk updates, which should be captured as often as once weekly for significant risks
During the project, make it a point to review all open risks (risks with no identified mitigation strategy) with your project sponsors or steering committee. You should also regularly highlight the top risks and the status of each. Finally, be prepared to change the Risk Probability and Risk Impact values based on changing project conditions.