A risk register is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository [1] for all risks identified and includes additional information [1] about each risk, e.g., nature of the risk, reference and owner, mitigation measures. It can be displayed as a scatterplot or as a table.
ISO 73:2009 Risk management—Vocabulary [2] defines a risk register to be a "record of information about identified risks".
Risk register of the project "barbecue party" with somebody inexperienced handling the grill, both in table format (below) and as plot (right).
| Category | Name | RBS ID | Probability | Impact | Mitigation | Contingency | Risk Score after Mitigation | Action By | Action When |
|---|---|---|---|---|---|---|---|---|---|
| Guests | The guests find the party boring | 1.1. | low | medium | Invite crazy friends, provide sufficient liquor | Bring out the karaoke | 2 | within 2hrs | |
| Guests | Drunken brawl | 1.2. | medium | low | Don’t invite crazy friends, don't provide too much liquor | Call 911 | x | Immediately | |
| Nature | Rain | 2.1. | low | high | Have the party indoors | Move the party indoors | 0 | 10mins | |
| Nature | Fire | 2.2. | highest | highest | Start the party with instructions on what to do in the event of fire | Implement the appropriate response plan | 1 | Everyone | As per plan |
| Food | Not enough food | 3.1. | high | high | Have a buffet | Order pizza | 1 | 30mins | |
| Food | Food is spoiled | 3.2. | high | highest | Store the food in deep freezer | Order pizza | 1 | 30mins |
A Risk Register can contain many different items. There are recommendations for Risk Register content made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2. ISO 31000:2009 [3] does not use the term risk register, however it does state that risks need to be documented.
There are many different tools that can act as risk registers from comprehensive software suites to simple spreadsheets. The effectiveness of these tools depends on their implementation and the organisation's culture.[ citation needed ]
A typical risk register contains:
The risk register is called "qualitative if the probabilities are estimated by ranking them, as "high" to "low" impact. It is called "quantitative" both the impact and the probability is put into numbers, e.g. a risk might have a "$1m" impact and a "50%" probability.
Contingent response - the actions to be taken should the risk event actually occur.
Contingency - the budget allocated to the contingent response
Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger)
Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota's risk register listed reputation risks caused by Prius' malfunctions but the company failed to take action. [4] Risk registers often lead to ritualistic decision-making, [4] illusion of control, [5] and the fallacy of misplaced concreteness: mistaking the map for the territory. [6] However, if used with common sense, risk registers are a useful tool to stimulate cross-functional debate and cooperation. [6]
Project management is the process of supervising the work of a team to achieve all project goals within the given constraints. This information is usually described in project documentation, created at the beginning of the development process. The primary constraints are scope, time and budget. The secondary challenge is to optimize the allocation of necessary inputs and apply them to meet pre-defined objectives.
Risk management is the identification, evaluation, and prioritization of risks, followed by the minimization, monitoring, and control of the impact or probability of those risks occurring.
A project plan, according to the Project Management Body of Knowledge (PMBOK), is: "...a formal, approved document used to guide both project execution and project control. The primary uses of the project plan are to document planning assumptions and decisions, facilitate communication among project stakeholders, and document approved scope, cost, and schedule baselines. A project plan may be sumarized or detailed."
The Project Management Body of Knowledge (PMBOK) is a set of standard terminology and guidelines for project management. The body of knowledge evolves over time and is presented in A Guide to the Project Management Body of Knowledge, a book whose seventh edition was released in 2021. This document results from work overseen by the Project Management Institute (PMI), which offers the CAPM and PMP certifications.
Risk assessment determines possible mishaps, their likelihood and consequences, and the tolerances for such events. The results of this process may be expressed in a quantitative or qualitative fashion. Risk assessment is an inherent part of a broader risk management strategy to help reduce any potential risk-related consequences.
A Gantt chart is a bar chart that illustrates a project schedule. It was designed and popularized by Henry Gantt around the years 1910–1915. Modern Gantt charts also show the dependency relationships between activities and the current schedule status.
PRINCE2 is a structured project management method and practitioner certification programme. PRINCE2 emphasises dividing projects into manageable and controllable stages.
Information technology (IT)governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality Management System.
A risk management plan is a document that a project manager prepares to foresee risks, estimate impacts, and define responses to risks. It also contains a risk assessment matrix. According to the Project Management Institute, a risk management plan is a "component of the project, program, or portfolio management plan that describes how risk management activities will be structured and performed".
Project Management Professional (PMP) is an internationally recognized professional designation offered by the Project Management Institute (PMI). As of 31 July 2020, there are 1,036,368 active PMP-certified individuals and 314 chartered chapters across 214 countries and territories worldwide.
Event chain methodology is a network analysis technique that is focused on identifying and managing events and relationships between them that affect project schedules. It is an uncertainty modeling schedule technique. Event chain methodology is an extension of quantitative project risk analysis with Monte Carlo simulations. It is the next advance beyond critical path method and critical chain project management. Event chain methodology tries to mitigate the effect of motivational and cognitive biases in estimating and scheduling. It improves accuracy of risk assessment and helps to generate more realistic risk adjusted project schedules.
MEHARI is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.
ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
A glossary of terms relating to project management and consulting.
In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value, often focusing on negative, undesirable consequences. Many different definitions have been proposed. One international standard definition of risk is the "effect of uncertainty on objectives".
Risk management tools help address uncertainty by identifying risks, generating metrics, setting parameters, prioritizing issues, developing responses, and tracking risks. Without the use of these tools, techniques, documentation, and information systems, it can be challenging to effectively monitor these activities.
Within project management, risk management refers to activities for minimizing project risks, and thereby ensuring that a project is completed within time and budget, as well as fulfilling its goals.
The following outline is provided as an overview of and topical guide to project management:
ISO 22300:2021, Security and resilience – Vocabulary, is an international standard developed by ISO/TC 292 Security and resilience. This document defines terms used in security and resilience standards and includes 360 terms and definitions. This edition was published in the beginning of 2021 and replaces the second edition from 2018.
{{cite book}}: CS1 maint: location missing publisher (link)