What is a Risk?
You can think of a risk as a project issue that has not come true yet. The risk could be an opportunity, but more likely it is something that would have a negative impact on the project outcome if it were to eventuate. Good risk management is one of the keys to a successful project – if you identify early on the things that might go wrong, you can take steps to reduce their impact or avoid them altogether.
What is a Risk Register?
Very simply, it is a documented response to “What could occur that would stand in the way of successfully achieving the goals and objectives of my activity?”
The risk appetite for each activity needs to be determined. The risk appetite of the University defines its preparedness to accept and manage risk in any given activity. The concept recognizes that risk elements arising from proposed or actual developments may fall into one of three categories.
- Risk elements that are deemed to have a low risk and do not need to be managed
- Risk elements that have a medium or high risk and will need to be managed
- Risk elements have an extreme risk and therefore the activity should probably not proceed.
The Risk Register records details of all the risks identified for the activity and the University. Risks associated with activities and strategies are identified and then graded in terms of the likelihood of occurring and the seriousness of the impact.
A risk register is a part of risk management, which is the process of identifying potential threats, evaluating them, and taking preventative measures to lessen or eliminate their effects.
The Risk Register is essential for tracking any risks, your analysis of them, and the solutions you provide. Risk registers and risk management programs are already commonplace in many businesses. We advise you to include all disaster and emergency risks in your risk management plan and risk register if you currently have them.
A risk register is a project and risk management tool. It is used to identify potential risks in a project or organization, occasionally to satisfy regulatory obligations, but mostly to keep track of potential challenges that could thwart desired results. Even though the risk register is typically used during project implementation, project managers should start taking it seriously from the project planning stage.
There is no better time than now to start considering risk assessments for your project. Therefore, it is essential for risk management to have a project risk register on hand and accessible.
A risk register is a tool for risk management that needs to be used carefully during this phase even if it is typically employed throughout project implementation. There is no better time than the present to start considering risk in your project. As a result, risk management requires maintaining a risk register on hand and accessible.
The project risk register contains all the details about each risk that has been identified, including its nature, influence risk level, owner, and the efficient risk mitigation strategies that have been put in place to address it.
Risk registers should identify:
- a description of each risk and its potential consequences (operational and strategic) Factors that may impact upon the likelihood and consequence of the risk
- An assessed risk grade – Low, Medium, High, or Extreme
- Whether the risk grade is acceptable
- Actions and controls that currently exist to mitigate risks
- Early warning factors and upward reporting thresholds.
Risk registers should be maintained for all contract activities. It is expected that the Contract Owner will engage in risk assessment as part of the business development process and highlight emerging risk areas.
Why would you develop a Risk Register?
As a formal document, the analysis contained in a risk register can be used to document potential issues relating to the contracting activity. The register can also be used to notify senior managers of emerging risk exposures that warrant immediate attention.
Involving Contract Owners and Advisors in the process of compiling a risk register is likely to encourage a high level of ownership of, and commitment to, VIU’s processes and activities.
The process of identifying and analyzing risks should be a part of tactical decision-making and initial planning. The worth of business plans can be improved significantly if the risks associated with proposals are analyzed and where necessary, mitigated.
How to Develop a Risk Register
- an understanding of the key business and activity processes that may expose VIU to risk as they relate to the activity
- An understanding of the positive and negative risks associated with the activities and proposals. Identifying risks should involve consultation with colleagues and other key stakeholders and considering relevant contextual issues. At the risk identification stage, risks need not be assessed or prioritized.
Risk Registers Templates
The risk register template consists of some headings and a table that reflects the nature of the information that is to be addressed. The advantages of using a single template as a record of risk analysis, evaluation, treatment, and monitoring actions are conciseness and clear presentation of the logic which supports the decision-making process.
Where risk management action plans are required to be comprehensive it may be appropriate to supplement the applicable risk register entry with a separate, supporting risk mitigation or action plan.
The completed risk register should be brief and to the point, so it quickly conveys the essential information. It should be updated on a regular basis.
Steps to complete the register:
- Identify potential risks. See Examples of Risk Areas for potential sources of risk.
- Identify the consequences of the activity if the risk were to materialize
- Identify the likelihood and probability that the risk would result in adverse consequences. See Risk Assessment Ranking Tool to rank identified risks.
- For those risks that have been ranked as a medium, high or extreme, address them with mitigating actions:
- Medium: Mitigation actions to reduce the likelihood and seriousness should be identified and appropriate actions to be endorsed at a Divisional level.
- High: If uncontrolled, a risk event at this level may have a significant impact on the operations of a cost center or the University as a whole. Mitigating actions need to be very reliable and should be approved and monitored by the contract owner reporting to the responsible Dean or Executive Director. Even with mitigating actions in place, the Executor (contract signatory) should be advised of identified or potential risks which have been graded at this level.
- Extreme: Activities and projects with unmitigated risks at this level should be avoided or terminated. Mitigation actions for these types of risks may outweigh the benefits of the activity to the University. This is because risk events graded at this level have the potential to have significant adverse effects on the budget holder or the University.
- Identify if there are any controls currently in place to mitigate those risk
- If not, develop and document Risk mitigation actions. These could include:
- Planned actions to reduce the likelihood a negative risk will occur and/or reduce the seriousness should it occur (What should you do now?)
- Contingency actions – planned actions to reduce the immediate seriousness of a negative risk when it does occur. (What should you do when?)
- Recovery actions – planned actions taken once a negative risk has occurred to allow you to move on. (What should you do after?)
- Risk Transfer (Through the assignment of contractual responsibilities or insurance.
- Actions necessary to ensure the realization of opportunities (positive risks)