Q 633. Risk Register is a popular project management tool. What is the criteria to enter or remove a particular risk item from it? Can it be used for process management? Provide an example to support your answer.

 

Note for website visitors -

• This platform hosts two weekly questions, one on Tuesday and the other on Friday. 
• All previous questions can be found here: https://www.benchmarksixsigma.com/forum/lean-six-sigma-business-excellence-questions/. 
• To participate in the current question, please visit the forum homepage at https://www.benchmarksixsigma.com/forum/.
• The question will be open until Tuesday or Friday at 5 PM Indian Standard Time, depending on the launch day. 
• Responses will not be visible until they are reviewed, and only non-plagiarised answers with less than 5-10% plagiarism will be approved. 
• If you are unsure about plagiarism, please check your answer using a plagiarism checker tool such as https://smallseotools.com/plagiarism-checker/ before submitting. 
• All correct answers shall be published, and the top-rated answer will be displayed first. The author will receive an honorable mention in our Business Excellence dictionary at https://www.benchmarksixsigma.com/forum/business-excellence-dictionary-glossary/ along with the related term.

• Some people seem to be using AI platforms to find forum answers. This is a risky approach as AI responses are error prone as our questions are application-oriented (they are never straightforward). Have a look at this funny example - https://www.benchmarksixsigma.com/forum/topic/39458-using-ai-to-respond-to-forum-questions/

• We also use an AI content detector at https://crossplag.com/ai-content-detector/. Only answers with less than 15-20% AI-generated content will be approved.

A risk register is a documented approach to identify and track risks that have the potential of impacting a project, it also helps to outline the possible solutions to mitigate those identified risks. Risk register is very much relevant to understand the business related threats and also to ensure those risks are mitigated proactively.

• Criteria to enter or remove a particular risk item from it : To create a risk register, clear criteria's need to define, which includes risk category, then to asses the risk need to identify it's probability and impact, accordingly rating to be given based on the qualitative or quantitative risk assessment method. Through this assessment only we can decide what are the risk to enter also what the vital few risk to focus first.
  If some identified risks that are already managed or avoided through some existing control, or that risk is no longer relevant based on the assessment, that particular risk can be removed from the risk register.
• Can risk register be used for process management : Yes, the risk register can be used in Process management in terms of process improvement, as this tool helps not only for a better risk assessment by identifying business risk and taking appropriate control, but also it helps in process improvements with sustainable action plan which gives impactful solutions to run the processes in a reduced risk environment.
  • Example : For example in my current organisation, which is pharmaceutical, there are several risks which not only can impact the company's profitability, but also the patent's health, hence the risk register may help the manufacturing team to asses and mitigate the risk in a better way also to ensure the litigation and compliances. The risk register may consider the concerns like what could go wrong that will harm patients, what may cause harm to the employees at shop floor, the risk of data integrity also stolen or lost data. Risk register tool can help to manage all these operational risk through reducing risk and improving performance

 All "known risks" before manifesting themselves as issues/problems would've been unknown once.  Such known risks after obtaining valuable insights from key stakeholders, domain experts and SMEs become part of a document known as Risk Register. In project management, this Risk Register is an output of a process called as "Identify Risk". 

 

The Risk Register is generated to document all the identified risks both positive (opportunities) and negative (threats) along with other details which more or less fall under the following heads:

 

 

Criteria to Enter a Risk Item:  It is important to identify as many risks, as early as possible at the beginning of a process or a project lifecycle so that you are better prepared to handle any unforeseen circumstances that might announce themselves as critical issues in the later stages.  Any uncertain event that if occurs results in a negative or positive impact on one or more parts of the project or a process can be a part of the risk register.

 

Criteria to Remove a Risk Item:  Irrespective of the number of risks identified at the beginning of the process or a project, the old risks might lose their sheen and are not relevant enough, probability and impact wise to be a part of the risk register.  Such risks that do not show any signs of manifesting themselves as issues or problems after having reached their corresponding risk triggers can be removed from the risk register.

 

Application of Risk Register in Process Management: 

 

In a process management, the Risk Register can be a source of all the identified risks so far.  These are then evaluated and rated with domain experts and SMEs on the following parameters:

 

>> Urgency - The speed with the risk response is to be applied.

>> Proximity - How imminent the risk is?

>> Dormancy - How soon do we feel/discover the impact of the risk once it would occur?

>> Manageability - How easily the risk response can be implemented?

>> Controllability - The degree to which the outcome of risk can be controlled?

>> Detectability - Ease with which it would be known that the risk is about to happen.

>> Connectivity - The degree to which a risk is connected to other risks. More the connectivity, higher the criticality.

>>Strategic Impact - If the risk has an impact that would affect the overall strategy of the organization.

>> Propinquity - Perception of the end user - Criticality of the risks perceived by a key stakeholder/end user.

 

After all the risks are passed through these parameters, a list of prioritize risks is generated.

 

Of these prioritized risks, negative risks can be addressed by using popular Risk Management tools such as FMEAs and Probability and Impact Matrix with a view towards reducing the probability and impact of those risks.  The more detailed and up to date your risk register is, the more value your can derive from these tools. 

 

For positive risks, all efforts should be made to increase the probability and impact of these risks.  Once these risks manifest, then they should be exploited to derive maximum value out of them. 

 

For Example:

1). Risk register containing a list of identified risks before rolling out a completely new process.

2). During process re-engineering all possible areas where things could go wrong can be listed as risks in a risk register.

3). In an established process, a risk register should be constanly refined by constantly re-visiting the risk items. New risks should be included, if any and old risks should be removed.

4)  During the pilot process in the improve phase of a DMAIC project, all risks can be included in the risk register.

5) The assumptions and constraints that are listed before rolling out a new process should be constantly revisited to check if any of them are leaning towards becoming a risk can be thus included in the risk register.  

 

Conclusion:  From a process management perspective, it is also important to note that risk identification in and of itself is an iterative process where new risks might get added to the risk register if the process steps are modified due to updates from the client or as a result of a process improvement.  Similarly, old and irrelevant risks might be removed from the risk register as the process matures.

 

 

 

 

 

In project and process management, navigating potential risks is critical for successful implementation. The risk register is a powerful tool that empowers project managers to identify, assess, and manage risks before these derail project efforts. 

 

Adding or removing a risk item from the risk register requires careful consideration. 

 

Here are some critical criteria:

 

Adding a Risk:

• Likelihood: Is it likely to happen? Even low-probability risks can be significant if their impact is high.

• Impact: Would the consequences be severe? Consider financial, reputational, or operational effects.

• Uncertainty: Is there enough information to understand the risk and its potential impact? Monitor it before adding if unsure.

• Controllability: Can you mitigate it? If not, it might be an unavoidable circumstance.

• Project Alignment: Does it directly affect project goals? If not, its relevance might be limited.

 

Removing a Risk:

• Reduced Likelihood: Has the probability significantly decreased due to changes?

• Reduced Impact: Have mitigation efforts or developments lessened the potential consequences?

• Irrelevance: Has it become irrelevant to project goals or the context?

• Duplication: Does another entry cover the same information? Avoid redundancy.

• Mitigated to Insignificance: Have mitigation strategies effectively reduced the risk to a negligible level? If yes, then remove the risk.

 

Beyond Projects - Risk Registers for Process Management:

 

The benefits of a risk register extend far beyond project management. It can be a valuable tool for process management as well. Here's how:

• Identify Process Risks: Brainstorm potential threats, map the process to pinpoint vulnerable areas, and analyze historical data for recurring issues. Even lessons learned can identify potential risks to manage in processes. 

• Assess Risks: Assign likelihood and impact scores, calculate a risk score to prioritize, and develop mitigation strategies like prevention, containment, or transference.

• Track and Manage: Assign risk owners, track progress, and regularly review the register to update mitigation efforts and communicate risks to stakeholders.

 

Example: Consider a risk register for a software development process. A potential risk might be "system downtime during deployment leading to revenue loss." The likelihood could be medium, and the impact high. Mitigation strategies include thorough testing, backups, and a rollback plan. This risk would be monitored closely and removed once the deployment is completed.

 

By applying these criteria and utilizing risk registers effectively, one can navigate project risks and optimize processes, ensuring smoother workflows and fewer disruptions, with more success. A proactive approach to risk management is key to unlocking the full potential of projects and processes.

A Risk Register is quite a valuable tool when it comes to identifying, assessing, and managing all those potential threats that could possibly have an impact on a project. The process of deciding which risks should be included in the register requires some careful thought and consideration.

 

Risk:

 

Risk is entering Is the chance of something happening high enough to require our attention? Even events that are unlikely but can have a big impact should be documented. Does the risk have the potential to cause significant harm to the project's goals? This includes considering potential financial losses, delays in the project timeline, damage to the project's reputation, and any other negative impacts that may arise. Can we effectively manage or shift the risk? Even if it is beyond our control, documenting it can increase awareness and readiness for unforeseen circumstances. Can we create a practical plan to effectively deal with the risk? If not, it is possible that the risk is too ambiguous or beyond our ability to manage. Removing a potential hazard or danger to prevent any unwanted consequences.

 

Removing the Risk:

 

The risk, has it mitigated effectively? Has the risk become obsolete due to project changes or circumstances, no longer relevant? Was the initial assessment, irrelevant or revealing the risk to be insignificant beyond the project's scope, inaccurate?

 

Applying Risk Register to Process Management:

 

The principles of managing risk can be utilized in any sort of procedure, not only projects.

 

Example:

 

A new process for software development is being implemented. Unfamiliarity risks delaying adoption by developers. For the team, this is a significant change and the likelihood is high. From developers, potential resistance, project delays, and missed deadlines are all impacts. Controllability is rated high in this situation. The ease of transition can be greatly facilitated by providing training, support materials, and user-friendly documentation. To address developer concerns, it is necessary to develop comprehensive training programs, create detailed guides, and establish a dedicated support team.

 

By proactively identifying and addressing risks like this, you can improve the success of process implementations and minimize disruptions.

The Risk Register is a log of risks that has the details of all risks that have been identified along with their analysis and plans to treat the same. This log captures risks along with their severity and the actions and mitigation steps to deal with the risk.

Criteria to add risk to the Risk Register.

A.      Identify the Risks – Perform a Risk assessment to identify risks. Collaborate with internal/ external stakeholders across the organization to hear what they believe the major risks are. Engage in a brainstorming session to generate inputs and leverage everyone’s expertise to identify potential risks in various areas of the organization.

B.      Define the Risks – Post identification of the risks, describe them with enough information for all team members to understand why the risk is included.

C.     Estimate the probability and impact – Basis the probability define and develop a strategy to deal with risks. Use the risk management methodologies to decide the likelihood of a risk.

D.     Create a Risk Response Plan - A response plan for each risk identified, described, and analyzed assures that the risk is managed effectively. Careful due diligence is required to be performed on all the possible risks identified. This provides an easy go-to document for the Risk Owner to refer to when a risk occurs

E.      Prioritize Risks - Risks with the highest likelihood and potential for impact in many areas will be given priority for mitigation and action plans. Each risk priority can be determined by combining the risk probability and risk analysis measurements

Criteria to remove a risk from the Risk Register.

Risks are closed when it’s

·       It has been accepted,

·       It’s caused a problem and is successfully mitigated

·       It’s no longer a risk to the project

·       Closing a risk has to be formally documented. Items for documentation should include any updates on risk information, closure rationale, and lessons learned.

Whilst closing a risk the lessons log has to be documented with  

1.      The rationale, how it was mitigated or what conditions have been met, for closing a risk for future reference.

2.      Provides a historical record of all risk management actions taken, responsible persons, as well as the cost and benefits of mitigation plans

A Risk Register can be used in a process to track the following risks

1.      Track the ongoing attrition

2.      Delays in the Resource onboarding

3.      Transactional volumes that relate with the revenue, lesser delivery of productivity leading to a dip in revenues

4.      Higher resource costs leading to dip in the margin

5.      Customer experience issues leading to a dip in the NPS

Risk register is used to identify and track potential project risks. Anything which effects the impact of project can be termed as risk.

 

The criteria to add or remove is based on the below guidelines

1. Risk Category (Internal/External Factors)

2. Probability of occurrence

3. Impact on the outcome

4. Priority rating of risk

5. Approach and Action towards the risk.

 

Risk register can be used in Process Management to mitigate the risks and assign role to a person responsible for mitigating the risk.

Data is key for any process to run smooth and the risk might be with the security of data and the way it is communicated - Having a plan for data security and sharing the right amount of data with right set of people is a mandate to mitigate risk.

 

 

Risk register is a tool that helps track issues and address if it arises. Risk register is an important component of risk management framework which needs to be created at the initial stage of the project as it records the risk which has been identified and analyzed along with the mitigation plan. The mitigation plan is based on the severity of the Risk.

 

Risks in register can be added or removed based on project requirement.

Additional risk can be added in exiting risk register including priority and severity of the risk.

If any specific risk is managed or no longer relevant, then it can be removed from risk register along with respective mitigation for that risk.

 

Risk register can be used for process management for the identification of risk, analyzing of risk such as severity, occurrence & Impact of risk and based respective mitigation plan is indicated as mentioned below.

 

 

Risk register is one of the most important part of risk management strategy, though sometimes it could be difficult to maintain risk register consistently but if maintained religiously, it can help to avoid or manage risks effortlessly. This may also result in saving more time which can be spent on learning, development of skills and innovation.

All the answers are great and a must read.

 

The best answer is from Pradeep Kandpal. Good job!