Often when identifying a risk there is confusion about what should be captured in a risk register. The information actually captured in many organisations’ risk registers makes it very difficult to manage the risks.
There are a number of traps that organizations fall into:
#1 Trap for Players – the Broad Statement Risk Trap
Some organisations fall into the trap of capturing “risks” that are broad statements, such as:
- Reputation damage;
- Compliance failure;
- Fraud; and
- Environment damage
These tell you nothing and cannot be managed – even at a strategic level.
#2 Trap for Players – the Causes as Risk Trap
The most common issue with risk registers is that many organisations fall into the trap of capturing “risks” that are actually causes.
Wording that indicates a cause, as opposed to a risk, includes:
- Lack of … (trained staff; funding; policy direction; maintenance; planning; communication).
- Ineffective … (staff training; internal audit; policy implementation; contract management; communication).
- Insufficient … (time allocated for planning; resources applied).
- Inefficient … (use of resources; procedures).
- Inadequate … (training; procedures).
- Failure to … (disclose conflicts; follow procedures; understand requirements).
- Poor … (project management; inventory management; procurement practices).
- Excessive … (reporting requirements; administration; oversight).
- Inaccurate … (records; recording of outcomes).
These also tell you little and, once again, cannot be managed.
#3 Trap for Players – Consequences as Risk Trap
Another trap that organisations fall into when identifying risk is capturing “risks” that are actually consequences, such as:
- Project does not meet schedule;
- Department does not meet its stated objectives; and
- Budget overspend
Once again – these are not able to be managed.
If these are the traps that organisations fall into, then what should our risks look like? The answer is simple – they need to be events/incidents.
When something goes wrong, like a plane crash, a train derailment, a food poisoning outbreak, major fraud, etc., it is always an event. After the event there is a post-event analysis to determine what happened, why it happened, what could have stopped it happening and what can be done to try to stop it happening in the future. Risk management is no different – you are trying to anticipate and stop the incident before it happens.
If you would like to learn more, read my previous post: https://humanassetrm.wordpress.com/2014/05/28/cause-risk-effect-format-in-identify-risks/