How do I monitor risk?Category: EvaluationName: Dawn Sellers, Project Officer
“It’s important to monitor the potential risks to your project to ensure sufficient mitigation is put in place”
There may be risks/constraints that pose a threat to the successful delivery of your project and objectives. These can relate to things like economic risks, social risks, political/governance risks or project management risks. It’s good to explore the potential risks at the design stage of a project.
For example, the following things were identified as a risk to the Celtic Seas Partnership at the beginning of the project:
- Budgetary constraints in the public sector in all countries is impacting on their capacity and willingness to engage in the project (economic risk)
- Stakeholders do not have inclination, time or skills to engage with the project (social risk)
- A greater reluctance by UK officials to push or put time into EU co-operation projects now that the UK is leaving the EU. This could also lead to reduced engagement from stakeholders. (political risk)
- Change of staff in project team, associated beneficiaries (project management risk)
Once the risks have been identified, it’s good practice to monitor them on a regular basis. One way you could do this is to develop a ‘risk register’. The identified risks can be plotted into the risk register and risk ‘scores’ are generated for each one, based on a calculation of the potential likelihood of the risk occurring and potential impact if that risk were to become reality. From this you can see which risks pose the greatest threat to your project, and you can put suitable mitigation in place to reduce the risk.
Step by Step
- Identify the potential risks to the project at the design stage
- Input the risks onto a risk register template
- Ensure sufficient mitigation is put in place for each identified risk in order to reduce the likelihood and impact into a ‘retained risk’.
- Review the risk register regularly (quarterly) to monitor the risks and identify which risks still need further action and adaptive management
The risk register should be reviewed regularly, say quarterly. At a glance, the risk register allows a project manager (and steering group if applicable) to see what the biggest risks are and which ones still need further action to mitigate the risk.
Here are some suggested headings for the risk register:
- The ‘gross risk’ rating is what the risk would be if there are no control measures in place to reduce it, i.e. the worst case scenario. It’s calculated by taking into account the likelihood (x) and impact (y), using the following formula: xy+y. The ‘likelihood’ and ‘impact’ are given a score between 1-5 (see the figure below).
- ‘Mitigation’ are measures put in place to reduce the likelihood and impact of the risk.
- The ‘retained risk’ is what the actual risk is – when the mitigation is in place. This is calculated using the same formula as above, but using the likelihood and impact ratings with the mitigation in place. Based on the score calculated, the retained risk is given a rating (again as seen in the figure below).
- The ‘risk target’ is where we want to be – the acceptable risk score you are willing to live with.
- ‘Further action required’ outlines what measures could be put in place to reduce the retained risk further, but are not being fully implemented yet. Once the action has been complete you can move it to the ‘mitigation’ column.
- ‘Accountable person’ is the person who is accountable for the risk.
If you have identified a high number of risks (the Celtic Seas Partnership identified 22 risks) and have a limited amount of time to go through each and every risk – at a steering group meeting for example – then you could focus on the highest risks first, and then go back to the rest if there’s time. The most important thing is to have mitigation in place to reduce the highest risks to the project.
Spend a couple of hours as a team to identify the potential risks to your project. An hour entering in the risks to a risk register. Half a day as a team to fill out the rest of the risk register with mitigation measures and actions and 20-30 minutes to review the risk register quarterly.
Somebody to lead/own the risk register. The whole team to input into the monitoring of the risk register
You will need Microsoft Excel