What makes a good risk register?

If you’ve ever read or had to put together a project plan, then you’ve probably come across a risk register. They usually look something like this:

| Risk        | Probability (1-3) | Impact (1-3) | Mitigation     |
|-------------|-------------------|--------------|----------------|
| Lorem ipsum | 2                 | 3            | Dolor sit amet |

A risk register does exactly what it says on the tin. There’s a column for describing each risk, two scores, one for likelihood and one for severity, and finally a summary of how the risk is being mitigated.

Often there are a few extra columns for keeping track of things like who’s responsible for each risk and when it was last reviewed. It’s also common to have a priority score made by multiplying the other two scores together. 3 × 3 is a big problem that’s very likely to happen so needs immediate action. 3 × 1 is either a big but unlikely problem or a small but likely one, and either way you needn’t be overly concerned.

I’ve produced several risk registers over the years, but it’s only more recently that I’ve been on the receiving end, and that has thrown some of their typical flaws into sharp relief.

Review regularly

The first problem is that risk registers are too often static things, one-and-done jobs that are produced at the start of a project and never looked at again. Instead they should be living documents that those responsible (the project manager, senior leadership, the board, etc.) regularly revisit and review, on something like a quarterly basis.

By ‘review’ I don’t mean glance at it once, I mean effectively redo it to confirm that the risks, scores, and mitigations are still accurate and appropriate. Ideally you’ll have taken some action on those mitigations since the last review and now the risks will be reduced or at least different.

Risk registers should be tools that guide decision-making and planning. If you have a project plan that is divorced from the project risk register, then it is not a good plan. The whole point of identifying and mitigating risks is so that you can produce a more robust plan that is more likely to be successful.

Assign ownership

A common mistake is to ask everyone to review everything. When you do that, most people will glance at just the first few risks and assume that someone else will look at them more thoroughly. (The same thing happens when an email is sent to a whole group – everyone assumes someone else will deal with it.) The result is that nobody reviews the risks properly and those at the bottom of the register never get looked at at all.

A better approach is to assign a handful of risks to each responsible person to review, aligning with their expertise wherever possible. Finance should be reviewing financial risks and operations operational ones.

Prioritise function over form

But even if you only look at your risk register when you’re creating it, it can still offer substantial benefit. One of my favourite maxims (attributed to Eisenhower) is that ‘plans are worthless, but planning is essential’. The value in risk registers, business plans, and so on is very often not in the document itself, but in the exercise that produced the document. The thinking, the consideration of possibilities, the contingency actions that get prompted, and so on. It’s part of the reason I write these posts. I don’t imagine that they will hold much long-term value, but the process of creation helps me in clarifying and deepening my thinking.

This is all very well and good, but in practice risk registers and the like rarely succeed on either count. They are not useful documents and the creation process isn’t useful either.

Why? Because most of the time they are a form of cargo-culting, crude facsimiles of actually useful documents, produced because people think (or have been told) they should be produced without any consideration for what purpose they might serve or how they might be structured to best achieve that purpose.

So what is the purpose of a risk register? Twofold. First it’s to get a handle on your risks, get them all written down and assessed in one place for easy viewing. Second it’s to identify what needs to be done to deal with them.

When you’ve got lots to do and not much time it’s tempting to reduce everything to bullet points. Certainly the formatting encourages you firmly in that direction; a four-column table on a portrait A4 page with reasonable margins gives you about 4cm per column. If you narrow the numerical columns a bit then you can eke out a few extra millimetres for your text, but you’re still constrained enough that anything more than 20 words becomes a multi-line monstrosity.

In theory we can give ourselves some more room with a landscape page, but despite Microsoft giving us the functionality 15 years ago, an alarming number of people are still unable to make just one page of a document landscape, so you risk 25cm long lines everywhere else. Landscape pages are also a pain for other reasons, forcing us to scroll left and right, a concept that we’re so ill at ease with that we’ve opted instead to make every single computer screen much wider than it needs to be.

But all of this discussion is irrelevant for the time being. We are putting the form of our register before its function. Maybe a table is the right format, maybe it’s not. That is something to decide based on the register’s intended content and purpose.

Don’t skimp on the detail

Let’s start with what we’re trying to achieve and worry about the formatting later. We want to understand the risk, and that means we need a good level of detail about it. You can do this with prose or bullet points plural, but not bullet point singular. If you’re short on time, focus on providing detail for the high priority risks over the minor ones.

A risk register I reviewed recently included ‘Failure to recruit permanent or interim CEO rapidly’, scored as high impact and high probability with no further detail. This is useless to me. What is rapidly in this context? Is the risk different in the case of failing to hire an interim CEO versus failing to hire a permanent one? Why is it high probability? What does high impact mean in practice? Are we talking an existential risk to the organisation or just a delay in its plans? What’s led us to be in a situation where this risk has got so bad? Without answers to these questions it’s very hard to judge whether the mitigation is appropriate.

In other cases, the word ‘failure’ does a lot of work. ‘Failure to achieve objective’ can mean a lot of things from total disaster to being 1% short on a metric. It’s important to be clear about which failure modes we’re talking about so that we can properly assess their impact and likelihood.

The same applies to the mitigation notes. The mitigation for recruiting a CEO was to ‘Widen net of potential candidates’. We’ll overlook that in the fishing metaphor that’s being used here the candidates are a pool, not a net, so this sentence makes no sense, and focus on the meaning instead. What do we mean by widening the net? Widen how? By how much? What will be different from the current approach? Heck, what is our current approach? All of this assuming that the reason we might ‘fail to recruit rapidly’ is lack of applicants rather than, say, slow internal processes or lack of capacity. Is that a valid assumption? None of that is actually stated in the description of the risk itself.

You might argue that these bullet points are just a summary of thinking that has actually been done in more depth. If there is a document somewhere that goes into more detail about this specific risk then that’s great – provide a summary and a link and I’m happy.

If, however, this thinking is just in someone’s head then that’s pretty much equivalent to it not having been done. Risk registers are about sharing risk information. If you’re not sharing all the in-depth thinking you’ve done about a risk then you’re not just doing a bad job of creating a risk register, you’re actually adding a new risk – the risk that you will go on holiday, change jobs, or be run over by a bus, and take all your knowledge with you.

Most of the time though, I think that bullet points are a very accurate indication of exactly how much thinking has been done. Bullet point, surface-level thinking is enough for you to get by, often for a long time, but eventually something happens or someone asks you a question, and the total lack of any deeper thinking is revealed, usually with disastrous results.

We see it all the time in politics; a promise is made to ‘get Brexit done’ but no-one has actually grappled with what that means for the thorny issue of Northern Ireland’s border. To quote The West Wing’s President Bartlet in response to a ten-word bullet point answer from his opponent in a political debate:

Ten-word answers can kill you in political campaigns. They’re the tip of the sword. Here’s my question: What are the next ten words of your answer? Your taxes are too high? So are mine. Give me the next ten words. How are we going to do it? Give me ten after that.

Just writing bullet points is a false economy. Sure, you save a little time when writing the document, but you’re going to pay for it twice over when you get asked all the questions above and then have to go away and do all that thinking that you should have done in the first place. You’ll pay for it even more if the risk is realised and it turns out your mitigation was only surface level and ineffective.

I guarantee that doing the extra thinking required to write out a risk in detail, justify its scores, and explain its mitigation will give you a far better understanding of the risk and in many cases will make you realise that you were totally wrong about what the risk was.

Use formatting to add clarity

Okay, so let’s say that you’ve written lots of detail about every risk and now instead of a tidy table of bullet points that fits on one page, you’ve got five pages of prose. Isn’t that a bit much? Didn’t we say that the whole point of a risk register was to have them all in one place for easy viewing? Surely five pages of prose doesn’t achieve that?

Yes and no. The whole point of a risk register is to get a handle on our risks, and we’ve certainly done that. That means that now is the time to come back to the question of how form can complement and enhance function. How can we use formatting to help us achieve our purpose and make this risk register manageable without losing that all-important detail?

A table is certainly a good option here. Column one could be a bullet point summary for skimming, and column two could provide the detail. Alternatively (and this is the option I would lean towards) you could use a summary table and detailed prose. The table can act as a table of contents at the top of the document with links or references to the more detailed explanations that are in the body.

If you’re preparing a project plan or papers for the board, you can include your tidy summary table and add the detailed document as an appendix, something you can refer people to when they ask to see more detail.

Now we’ve got something much more useful than a basic table; we’ve got the detail we need to properly understand the risk and we’ve got a useful summary that reflects careful consideration rather than surface level thinking.

If you take one thing from this post, then let it be that with risk registers and anything else you produce, ask yourself ‘What would make this more useful to me?’ and not ‘What do other people do?’. By all means learn from the best that other people have produced, but make sure that what you produce serves your purpose, not somebody else’s.

J. Dudley