
Often when identifying a risk there is confusion about what should be captured in a risk register. The information actually captured in many organisations’ risk registers makes it very difficult to manage the risks.


There are a number of traps that organisations fall into:


#1 Trap for Players – the Broad Statement Risk Trap

Some organisations fall into the trap of capturing “risks” that are broad statements.

Examples include:

  • Reputation damage;
  • Compliance failure;
  • Fraud; and
  • Environment damage

These tell you nothing and cannot be managed – even at a strategic level.


#2 Trap for Players – the Causes as Risk Trap

The most common issue with risk registers is that many organisations fall into the trap of capturing “risks” that are actually causes.

Wording that indicates a cause, as opposed to a risk, includes:

  • Lack of … (trained staff; funding; policy direction; maintenance; planning; communication).
  • Ineffective … (staff training; internal audit; policy implementation; contract management; communication).
  • Insufficient … (time allocated for planning; resources applied).
  • Inefficient … (use of resources; procedures).
  • Inadequate … (training; procedures).
  • Failure to … (disclose conflicts; follow procedures; understand requirements).
  • Poor … (project management; inventory management; procurement practices).
  • Excessive … (reporting requirements; administration; oversight).
  • Inaccurate … (records; recording of outcomes).

These also tell you little and, once again, cannot be managed.


#3 Trap for Players – Consequences as Risk Trap

Another trap that organisations fall into when identifying risk is the trap of capturing “risks” that are actually consequences.

Examples include:

  • Project does not meet schedule;
  • Department does not meet its stated objectives; and
  • Budget overspend

Once again – these are not able to be managed.

If these are the traps that organisations fall into, then what should our risks look like? The answer is simple – they need to be events/incidents.

When something goes wrong, like a plane crash, a train derailment, a food poisoning outbreak, major fraud, etc., it is always an event. After the event there is a post-event analysis to determine what happened, why it happened, what could have stopped it happening and what can be done to try to stop it happening in the future. Risk management is no different – you are trying to anticipate and stop the incident before it happens.

If you would like to learn more, read my previous post:

Note: PMI, PMP, and PMBOK Guide are registered marks of the Project Management Institute, Inc.

