Hierarchical Risk Registers

People often think of risk registers as very simple: name, ID, owner, probability and impacts, and little more. In reality, risk registers are usually much more complex and support the recording and tracking of many types of information. Organizations can decide what needs to be included in the risk register and in what order. For example, some organizations may consider the risk review date an important property, while others may want to show the risk owner next to the risk name. The most common set of risk register properties includes:

  • Risk name
  • Risk description
  • Risk probability, impact, score and cost before mitigation
  • Risk cost before mitigation
  • Risk probability, impact, score, and cost after mitigation
  • Cost of mitigation
  • Open or closed risk
  • Threat, opportunity, or both
  • Risk, issue or lesson learned

Risk registers can be based on risk status or categories and presented in a hierarchical format. In the example above, this hierarchy is based on Open and Closed risks. In this case we have two groups: Open risks and Closed risks. Hierarchies can be created using:

  • Risk categories – the most common risk hierarchy; please note that since one risk can belong to different categories, the risk can be repeated in different groups; for example “Bad weather” may appear in groups “Project duration or scope” and “Cost and income”
  • Open/Closed risks
  • Risk/Issues/Lessons Learned
  • Risks assigned to managers
  • Risks assigned to owners
  • Hidden and Visible risks – risks might not be visible to specific users and risk register administrators may want to see which risks are hidden or visible

Hierarchies that are based on risk categories are also referred to as Risk Breakdown Structures (RBS).

In addition to a hierarchical structure, risk registers can be sorted or filtered. For example, it is possible to sort based on risks, issues, and lessons learned. It is also possible to filter risks using properties such as review date or mitigation cost. Risk register sorting is usually done based on pre-mitigation or post-mitigation risk score, but it can also be done alphabetically to make it easy to locate risks using names or other properties.
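The following sketch is an added example, not part of the original article. It builds two of the hierarchies described above (a category-based RBS and an Open/Closed grouping) from one flat register, sorts each group by pre-mitigation score, and filters by mitigation cost. The field names, the probability-times-impact scoring rule, and the sample risks other than "Bad weather" are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    categories: tuple        # one risk may belong to several categories
    is_open: bool
    probability: float       # pre-mitigation, 0..1 (assumed scale)
    impact: float            # pre-mitigation, 0..1 (assumed scale)
    mitigation_cost: float

    @property
    def score(self):
        # Assumed scoring rule: probability x impact
        return self.probability * self.impact

# Constructed sample register
REGISTER = [
    Risk("Supplier delay", ("Project duration or scope",), True, 0.4, 0.5, 500),
    Risk("Bad weather", ("Project duration or scope", "Cost and income"), True, 0.5, 0.6, 2000),
    Risk("Exchange rate change", ("Cost and income",), False, 0.2, 0.9, 0),
]

def build_hierarchy(risks, key):
    """Group risks under every value key(risk) yields; a risk with several
    values is repeated in each group. Groups are sorted by score, highest first."""
    groups = defaultdict(list)
    for risk in risks:
        for group in key(risk):
            groups[group].append(risk)
    return {g: sorted(rs, key=lambda r: (-r.score, r.name))
            for g, rs in sorted(groups.items())}

def by_category(risk):
    return risk.categories

def by_status(risk):
    return ("Open",) if risk.is_open else ("Closed",)

def names(hierarchy):
    return {g: [r.name for r in rs] for g, rs in hierarchy.items()}

def filter_risks(risks, predicate):
    return [r for r in risks if predicate(r)]

if __name__ == "__main__":
    print(names(build_hierarchy(REGISTER, by_category)))  # RBS view
    print(names(build_hierarchy(REGISTER, by_status)))    # Open/Closed view
```
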

So, we can see that risk registers are not simple lists of risks, but can be complex, composite sets of data that can be organized in many different ways depending upon how the risk data will be used to manage a project.