# Risk Reviews, History Logs, and Audit

Risks in complex projects require constant monitoring because all information about the risks, including probability and impact, may change during the course of a project. It is important that information about the actual status of risks is not ignored and does not slip through the cracks. Most changes occur as a result of performance management: different management decisions or actual performance can cause the probability of some risks to change, risk owners can change, some risks may be closed, and mitigation or response plans may be updated.

A common phenomenon in many movies is that the level of suspense constantly grows. For example, a standard movie scene is where one character has a hold of another’s hand to keep them from plummeting from a skyscraper, cliff, helicopter or other prop. To build up the suspense, at the beginning of the scene the grip is usually strong, then as time goes by the grip loosens and a long fall, scream and death seem imminent. Miraculously though, when all seems lost and the one character’s life starts to flash before their eyes, they are pulled up from danger. How? A sudden jolt of adrenalin, strong coffee, or a shot of steroids? Who knows, but everyone is safe and high fives all around. If this was a project “Pull character hanging from helicopter into safety”, we would see that the probability of the risk changes over the life of the project. At the beginning, the risk probability is low as the hero’s grip seems to be quite strong, but then as he or she starts to get tired and the grip weakens, the probability increases gradually until it rises almost to 100%. Here is what your risk history log would look like:

21:43:15 – Risk “Fall from the plane”, Probability 50%. Impact: instant death

21:43:16 – Risk “Fall from the plane”, Probability 70%. Impact: instant death

21:43:17 – Risk “Fall from the plane”, Probability 99.9%. Impact: instant death

21:43:18 – Risk “Fall from the plane”, Probability 0%. Impact: None. The risk is converted to lesson learned “When flying, make sure you are on the inside of the plane”.

If you find yourself in this situation, desperately clutching onto the hand of an unfortunate team member who has found themselves on the outside of an airborne plane, you can probably defer the updating of your risk’s status. However, when situations are not so dire and you have more time (and hands) to spare, if your risks are experiencing changes to probability or other attributes, you had better update them; otherwise, the results of any future risk analysis, including risk ranking, may be incorrect.

Risk reviews can be conducted as part of regular project team meetings or individually by risk owners or risk managers. Usually risk management software sends a notification when a risk needs to be reviewed. It can be done periodically: weekly, monthly, etc. All parameters of the risk should be reviewed and updated if required. Risk reviews are usually augmented with information that describes the current project situation as it impacts the particular risk. For example, during a particular period risk mitigation activities are completed successfully. In this case, you need to update the risk to reflect any changes to probability or impact due to these activities. Each time a parameter of a risk is updated, a change record needs to be created, which becomes the risk history. This risk history is important for auditing purposes as it will describe who, what, when, and, most importantly, why the changes were made.
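The following sketch is an added example, not code from any particular risk management product. It shows one way a risk record can enforce the rule above: every parameter change made during a review produces a change record with who, what, when and why, and a change without a reason is rejected. The class and field names, the weekly review interval, the date, the reviewer name and the "closed" status are assumptions; the sample data replays the history log shown earlier.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ChangeRecord:
    when: datetime   # when the change was made
    who: str         # who made it
    what: str        # which risk parameter changed
    old: object
    new: object
    why: str         # reason for the change

@dataclass
class Risk:
    name: str
    probability: float            # 0.0 .. 1.0
    impact: str
    owner: str
    status: str = "open"
    review_every: timedelta = timedelta(days=7)   # assumed weekly cadence
    last_reviewed: datetime = None
    history: list = field(default_factory=list)

    TRACKED = ("probability", "impact", "owner", "status")

    def review(self, who, when, why="", **changes):
        """Record a review; every changed parameter gets its own change record."""
        unknown = set(changes) - set(self.TRACKED)
        if unknown:
            raise ValueError(f"not a risk parameter: {sorted(unknown)}")
        changed = {k: v for k, v in changes.items() if getattr(self, k) != v}
        if changed and not why.strip():
            raise ValueError("a change needs a reason for the audit trail")
        for what, new in changed.items():
            self.history.append(ChangeRecord(when, who, what, getattr(self, what), new, why))
            setattr(self, what, new)
        self.last_reviewed = when

    def review_due(self, now):
        return self.last_reviewed is None or now - self.last_reviewed >= self.review_every

def replay_page_log():
    """Replays the history log above; date and reviewer names are constructed."""
    t = datetime(2024, 1, 1, 21, 43, 15)
    risk = Risk("Fall from the plane", 0.50, "instant death", owner="hero")
    risk.review("hero", t + timedelta(seconds=1), "grip weakening", probability=0.70)
    risk.review("hero", t + timedelta(seconds=2), "grip almost lost", probability=0.999)
    risk.review("hero", t + timedelta(seconds=3), "pulled to safety",
                probability=0.0, impact="None", status="closed")
    return risk
```
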

A risk audit is a review of some or all of the risks by an independent body. Risks are usually entered into the list by different people who have different perceptions of risk and different risk tolerances. Remember the 1964 movie “Dr. Strangelove or: How I Learned to Stop Worrying and Love the Bomb”? Apparently Dr. Strangelove, the President’s scientific advisor and former Nazi, liked nuclear explosions, but others had different feelings about it. Because of individual differences in perception and risk tolerance, it is important to ensure consistency in all risk properties. Organizations usually have risk committees or a group of experts that are responsible for risk audits and overseeing other aspects of the risk management process. In many cases, risk committees also review and approve risks that have been identified and entered into the system. In this case, until they are approved, they are not considered open and are not visible to anyone but members of the committee. The reason for this committee is that risks can be misnamed, misidentified, duplicated, or even irrelevant. For example, we often come across situations where the same risk has been given a different name, so in the risk register they appear as different risks, but are in actuality the same risk. One expert may identify a general risk as “Bad weather”, but another may identify it more specifically as “Frost can affect release of H-Bomb parachute”. It may be that the first general risk needs to be broken down into smaller risks, frost being one of them. It is the job of the risk committee to ensure that risks are identified with the correct level of granularity. In addition, the risk committee is responsible for reviewing risk information to ensure all required properties have been added.

Risk Reviews, History Logs, and Audit reports are part of risk attributes, which are saved in the Risk Register.