Risk Register User Guide

Risk Register User Guide

Important: this guide is specific to Risk Register for JIRA Server. Documentation for the JIRA Cloud version of Risk Register is provided within the installed product. You may access it by clicking on the "Risk registers" menu item, the clicking on "Get help".

This guide contains the following chapters -


 

Chapter 1: An Introduction to Risk Management

In this chapter, you will learn the following:

  • What a risk is
  • Why you need to manage risks
  • The general risk management process

What is a risk?

Before looking at risk management, we need to understand what a risk actually is. The PMBOK gives a good - “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives such as scope, schedule, cost, or quality.”

When describing risks, we usually want to the cause, the affected area, and the consequences. Let’s look at an example risk given in the PMBOK - “due to the forecast of high winds in our area, there is a risk that the roof of the barn will blow off causing our cattle feed to be ruined and loss of our livestock”. Here we see the cause (high winds), the affected area (barn roof), and the consequences (loss of livestock).

Let’s look at another example, this one perhaps more familiar. “Due to ongoing support demands, there is a risk that the Senior Programmer will be shifted from the project, causing a delay in the schedule”. Here we see the risk cause (ongoing support), the affected area (the Senior Programmer) and the consequences (a delay in the schedule).

Why manage risks?

Project managers are given the objective of delivering a project within scope, schedule, cost and quality constraints. Risks are those events which can directly impact upon those objectives. Therefore managing risk is an essential part of the project management process.

There is a saying amongst project managers – “control your risks, or they will control you.”

The risk management process

The risk management process consists of the following steps -

  • Identification
  • Analysis
  • Treatment
  • Monitoring

We will describe each of these in detail.

Risk Identification

Your first step is to identify all of the key risks in the project. You do this by consulting with stakeholders and Subject Matter Experts. If you have a Project Management Office in your organization, they may well have a list of common risks. Some typical project risks are list at the end of this document.

Risk Analysis

Your next step is to assess the severity of each risk. You do that by first assessing the likelihood of each risk. The likelihood of a risk is the probability it will occur. In Risk Register, the default likelihood scale is –

  • Unlikely
  • Likely
  • Very Likely

You must next assess the impact of a risk, which describes how big an impact the risk will have on a project if it is triggered. The impact almost always relates to the project scope, schedule, cost, or quality. In Risk Register, the default impact scale is –

  • Minor
  • Moderate
  • Major

Cross reference these on the following axis, to get an overall severity rating of Low, Medium, High or Extreme for each risk –

Risk Treatment

For each risk, you need to devise a treatment strategy. The options are –

Accept
Do nothing about the risk, and accept the possible consequences
Avoid
Don’t perform the activity that is causing the risk. For example, if a feature in a software development project looks like it might cause delays, you could choose to not develop that feature.
Mitigate
Devise a plan to reduce either the probability or the impact of the risk. For example, you could add extra resources to the project.
Transfer
Make another party responsible for the risk. For example, you could outsource the activity

Your treatment strategy will depend upon the severity of the risk. When you choose to avoid, mitigate or transfer a risk, you will need to provide details of how this will be accomplished.

For each risk, you should also define a contingency plan. This is a pre-defined set of actions that will be undertaken if the risk is triggered. An example contingency plan would be, “Schedule an immediate meeting of the Project Steering Group to resolve the problem.”

Risk Monitoring

Having identified, analysed and treated your risks, you will need to actively monitor them. The frequency of this monitoring will vary – for example, you might elect to monitor the list weekly. There are three steps to the monitoring process –

  • Close - Look through the risk list and determine if any of the risks can be closed. Risks can be closed when the conditions causing the risk are no longer present. For example, if a risk applies to a particular phase of a project, that risk can be closed once that phase is over.
  • Update - Check the open risks to determine if the probability or impact has changed. If so, modify the appropriate field and leave a comment explaining why.
  • Identify - Finally, determine if any new risks have arisen since you last monitored the list. If so, you will need to analyse and treat those risks, as per the instructions above

Conclusion

This chapter has given you a concise overview of the risk management process. Following these steps will help you reduce the impact that risks have on your projects. Risk management is essential for any professional project – however, it is also clearly time consuming. The following pages will show you how Risk Register from ProjectBalm can make risk management a snap.

Trigger Look through the risk list and see if any of the risks have been “triggered” – that is, if the risk conditions have occurred. If so, you will need to execute the contingency plan

Reassess Look at each risk on your list, and determine if the probability and/or impact have changed. If the severity of the risk has increased, you may need to revisit your treatment plan


 

Chapter 2: Setting up Risk Register

In this chapter, you will learn the following:

  • How to install Risk Register
  • How to add a Risk Register to a project

Installing Risk Register

Risk Register is a JIRA add-on. To install it, follow these instructions –

  1. Log into your JIRA instance as an admin.
  2. Click the admin drop-down and choose Atlassian Marketplace.
  3. Click Find new add-ons from the left-hand side of the page.
  4. Locate Risk Register via search.
  5. Click Try free to begin a new trial or Buy now to purchase a license for Risk Register.
  6. Enter your information and click Generate license when redirected to MyAtlassian.
  7. Click Apply license. If you're using an older version of UPM, you can copy and paste the license into your JIRA instance.

Add a Risk Register to a project

To add a Risk Register to a project, follow these instructions –

  1. Select Administration - Add-ons
  2. Select Manage Add-ons
  3. Select Risk Register
  4. Click on Configure
  5. Click on Add a risk register
  6. Select your project name from the drop down list
  7. Click on Create risk register

 

Chapter 3: Using Risk Register

In this chapter, you will learn the following:

  • How to create a risk
  • How to view the risk matrix
  • How to modify a risk

In this section we will show you exactly how you can manage your project risks using Risk Register. To help us do this, we will share with you the story of Linda Williams, a new project manager at a large international firm.

Identify your Risks

The first step in the risk management process is to identify the key project risks. Let’s see how Linda does it.

Linda felt a little nervous as she sat in the meeting room at GlobalMegaCorp (GMC). Project Blue was her first major project, and she was keen to make a good impression. One of her first jobs as Project Manager is to identify the project risks, which is why she called this meeting.

She smiled as Andy Garcia and June Smith enter the room and take a seat. Andy is the Project Sponsor and Mary is the CIO - both have been at GMC for many years, and have been involved in many projects together. Experienced personnel are usually a good source of information about risks.

"Thanks for making time to meet with me today," said Linda. "As you know, Project Blue is kicking off this week, and I wanted to conduct an initial risk identification. What do you think are the major risks facing the project? I'm primarily interested in anything that might affect scope, budget, schedule or quality."

"Hmm," says Andy. "You have Hank Jones on the project team, don't you?"

"Yes," Linda replied. "He is one of my key technical resources and is on my critical path."

"Be careful there," says Andy. "Hank is an expert in the Legacy system, and often gets called off project work to help with support."

"The legacy system is a lot more stable this year," says June. "So I don't think it will be a problem week to week anymore. However, we are doing a big operating system upgrade in May, just as your project is hitting crunch time. Hank might be needed then."

"I can't afford for this project to be late," said Andy. "We need to hit our June 30 release date or the company will be in trouble."

"Sounds like we have our first risk!" said Linda, entering it into the system.

Let's enter the risk with Linda (we'll assume you have already created Project Blue) -

  1. Open JIRA, then select Projects – View All Projects
  2. From the list of projects, select Project Blue, and click on Risk Register
  3. Click on Create
  4. In the Issue Type field, select Risk
  5. In the Summary field type "HW is required to assist with Legacy OS upgrade"
  6. In the Description field "There is a risk that Hank Williams will be required to assist with the Legacy operating system upgrade in May, causing Project Blue to be late."
  7. Click on Create. The system will create the risk as PB-1
The meeting continued, and Linda identified several more risks. But her biggest concern was about Hank Jones, and the OS upgrade in May.

Analyse your Risks

After creating your initial list of risks in Risk Register, you need to analyse each one. You may need to consult different people for each risk. Let’s see how Linda goes about analyzing RISK001.

Linda called another meeting the next day, this one including Hank Williams, Andy Garcia and the Infrastructure Manager, Richard Davis.

“Thank you all for coming,” she said. “The reason for this meeting is that I’m currently analysing the risks for Project Blue, and one of them revolves around Hank’s availability. She pulled up Risk Register on the screen, and explained PB-1 to them.

“It’s definitely a problem,” said Richard after she finished. “If last year is any guide, I’ll probably need Hank for about 3 weeks in May.”

“That would be enough to blow our deadline,” said Linda. “Richard, you said you would probably need Hank. How likely is it? Would you say unlikely, likely or very likely?”

Richard considered a moment then said, “Likely.”

“OK, thanks,” said Linda, and updated the Probability field for PB-1 to be Likely. After she finished, she turned to Andy. “I’ve got no slack available in Hank’s time – if I lose him for 3 weeks, the consequence will be whole project will be pushed back by 3 weeks. We’ll miss the deadline. What would be the impact of that?”

“It would be very bad,” said Andy. “We have a contractual obligation to our client to deliver by that date, and there are heavy penalties for even a minor delay. We simply cannot afford to run late on this.”

“OK,” said Linda. “I think we have to rate the Impact of this risk as Major. I’ll update the field in Risk Register. Look,” she said after she was done. “Risk Register has automatically calculated the Exposure of this risk – it is rated as High.”

“That doesn’t make me feel any better!” said Andy.

Let's update the risk with Linda -

  1. Open JIRA, then select Projects – All Projects
  2. From the list of projects, select Project Blue
  3. Click on Add-ons - Risk. The risk matrix and list will appear
  4. Select PB-1
  5. Click on the Analyze button
  6. Click on the Probability field drop-down and select Likely
  7. Click on the Impact field drop-down and select Major

Treat your Risks

Sometimes you will analyse all of your risks at the same time, and then treat them all at once. However, it is probably more common to treat the risks at the same time as you are analysing them. That is what Linda decides to do with PB-1.

“OK,” said Linda. “We need to come up with a treatment plan for this risk. We have four options – we can accept it, avoid it, mitigate it or transfer it. Andy, is it possible for us to accept the risk; that is, just do nothing about it and accept the consequences if they happen?”

"There’s no way,” said Andy. “If we are late, it will wipe out all of our profit on this project.”

“That’s what I thought,” said Linda. “OK, can we avoid this risk? Hank is working on the SuperSnazz module – can we ship Project Blue without it?

“I wish we could,” said Andy. “But it’s central to the whole system.” “How do you transfer a risk?” asked Richard

“One common way is to outsource the risky task,” said Linda. “Is that an option here – can we get another vendor to take care of SuperSnazz?

Andy sighed. “I don’t think so on these short time frames. This looks hopeless!” “Don’t give up yet,” said Linda. “Let’s see if we can mitigate the risk.”

“What does that mean?” asked Hank.

“It means we try and reduce the likelihood or impact of the risk. Tell me,” she said, turning to Richard, “why exactly do you need Hank? He hasn’t worked in Infrastructure for a couple of years now.”

“He still knows more about the OS than any of my engineers,” said Richard. “During upgrades, we need someone on hand who can fix things as quickly as possible.”

“Maria Anderson is very smart,” said Hank.

“I know, but she lacks your experience,” said Richard.

“What if Hank trained her – perhaps an hour a week until May,” asked Linda.

“That would work,” said Hank. “There are only about 5 or 6 key areas she needs to know about for the upgrade.”

Richard said carefully, “That could possibly work.”

“That’s our mitigation plan then,” said Linda, opening up Risk Register. “Let me record it.”

Let's add a mitigation plan with Linda -

  1. Open JIRA, then select Projects – All Projects
  2. From the list of projects, select Project Blue
  3. Click on Add-ons - Risk. The risk matrix and list will appear
  4. Select PB-1
  5. Click on the Treat button
  6. Click on the Treatment field drop-down and select Mitigate
  7. Click on the Treatment plan field and type in "Hank to provide training for Maria for one hour per week until May."
  8. Click on the Treat button

Monitor your Risks

Once you have created treatment plans for all of your risks, you need to actively monitor them. You need to determine if any of the risks have been triggered, if the severity has changed, or if you can close them. You also need to determine if any new risks have arisen.

It was Friday again, and that meant it was time for Linda to review her risks. She rather enjoyed this activity – she had put in place a number of good treatment plans, and it was satisfying to watch the risks be downgraded and closed off as the weeks went by.

All except PB-1. Hank had been training Maria and it had been going well, but Richard still insisted that he needed Hank for the upgrade. She decided to give Richard another call.

“Hi Richard - its Linda. I’m just ringing to see how Maria is going with her training?”

“It’s going really well,” said Richard. “In fact, I’m feeling pretty confident that we won’t need Hank for the upgrade in May.”

Linda was pleasantly surprised. “That’s great news!” she said. “But I’m wondering – what’s changed?”

“This training has really made a difference,” said Richard. “I don’t think I’d realized how much Maria now knows. I watched her perform a patch upgrade the other day, and I was really impressed. It was like watching Hank work in the old days.”

“I’m so pleased to hear that,” said Linda. “Anyway, I’ll give you a call in a week or two and see how things are going. Bye!”

Let's update the risk with Linda -

  1. Open JIRA, then select Projects - All Projects

  2. From the list of projects, select Project Blue
  3. Click on Add-ons - Risk. The risk matrix and list will appear
  4. Select PB-1
  5. Click on the Probability field drop-down and select Unlikely

And so we come to the end of the Linda Williams story. Your story, however, is only just beginning...


 

Chapter 4: Other Features

Here are some other things you can do with Risk Register -

Setting up a Dashboard

Risk Register lets you include a risk matrix as a dashboard gadget, which can be configured to include risks according to a filter that you have set up. See the following screen captures for an example. You can set up your filter in whatever way suits you best.

You add the Risk Matrix gadget to your dashboard.

You can configure the Risk Matrix gadget based on a single project, or based on a filter, which may span multiple projects.

Here is a filter that includes two sample projects, but you can include as many projects as you like. You could have multiple Risk Matrix gadgets on your dashboard, each one showing risks from a different project or group of projects.

Any risks that are added to projects ONE or TWO will be included on the risk matrix.

Adding a Custom Risk Field

Since Risk Register defines risks as a special kind of JIRA issue, you have at your disposal all of JIRA's mechanisms for adding new fields and categorizing issues. Below we demonstrate how to add a new field called "Risk scope".

Create the 'Risk scope' custom field.

Add the 'Risk scope' custom field to the 'Risk screen'.

Now you can specify the scope for each risk:

The risk scope appears against the details of the risk.

You can add as many custom fields as you wish.

Customising the Risk Matrix

You can customise the risk matrix, including the matrix dimensions, the impact and probability labels and the exposure level for each cell. Follow these steps -

  • Select Administration - Add-ons
  • Select Risk Model on the left hand menu

To change an impact or probability label, click on it. You can then type in the new label and press Save

To change the exposure level of a cell, click on it. A menu will pop up allowing you to select the new exposure level

To change the matrix dimensions, hover over the gray column selectors, and buttons will appear allowing you to insert or delete a column. You can then set the label and exposure level as per the instructions above

All changes take effect immediately


 

Appendix - Common Project Risks

Following are common project risks -

  • Client decision cycles slower than expected
  • Client feedback is of poor quality or non-existent
  • Client feedback is slower than expected
  • Delivery schedule is overly optimistic
  • Estimation errors due to hidden assumptions
  • Estimation errors due to hidden complexity
  • Estimation errors due to vague requirements
  • Excessive volume of change requests
  • Facilities are not available on time
  • Hardware failures
  • Hardware is not available on time
  • Infrastructure failures
  • Infrastructure is not available on time
  • Internal decision cycles slower than expected
  • Internal SME is not available when required
  • Key technical staff unavailable when needed
  • Loss of facilities/infrastructure
  • New client constraints are introduced after project starts
  • New development tools are not available on time
  • New development tools involve a longer learning curve than expected
  • New technology involves a longer learning curve than expected
  • Prerequisite client approvals are late
  • Prerequisite internal approvals are late
  • Prerequisite project is late
  • Prerequisite regulatory approvals are late
  • Prerequisite resources are late
  • Regulatory changes create additional work
  • Resources reallocated to another project
  • Restricted access to hardware
  • Restricted access to infrastructure
  • Scope changes significantly after project commences
  • Staff distracted by support obligations
  • Staff reallocated to another project
  • Staff recruitment takes longer than expected
  • Staff turnover
  • The technology is new and poorly understood
  • Unexpected integration problems
  • Vendor delivers components late
  • Vendor delivers components of unacceptably low quality
  • Vendor delivers services late
  • Vendor delivers services of unacceptably low quality