4 - Implement and manage

  • Monitor and control the mitigating actions to actively manage the risks and to minimise any residual risks occurring. 

    Ensure regular review and oversight by the Project Board.

    Keep horizon scanning for any change to risk assessment and for new risks.

  • What to do

    • Implement the planned risk responses.
    • Monitor the effectiveness of the action and consider further action where the original response does not achieve the expected result.
    • Include all your red risks in every highlight report to ensure close monitoring.
    • When new risks are raised, add them to the risk register and take them to your project board to discuss and agree risk analysis and response. Make sure you feed back to whoever raised the risk if they are not on the project board.
    • Reassess risk at regular intervals, including at all key milestones or if in exception.
    • Check whether the Business Case Key Risks need updating after each review.

    Tips on how to do it

    • Anybody can raise a risk. They may need advice on expressing it appropriately as a risk, but it should be included, however unlikely or low impact you think it is, for your board to consider.
    • Risks are never removed from the register. If the time has passed where they might occur the status can be changed to ‘closed’ with agreement of the board.
    • The Risk Register is a working tool of the Project Manager. Access to amend the register should be restricted to the Project Manager and Project Administrator to avoid any possibility of unapproved amendments and to ensure that the Project Manager is aware of and considers every update.

    For effective management of risk in a project environment it is important that risks are clearly and unambiguously expressed. They may therefore contain, and be explicit about, confidential information that is personally, politically or commercially sensitive. For this reason Risk Registers should always be kept confidential to the project board members. The register is a working tool and not a document for publication. If you break this rule once because you feel your current project is not sensitive, how will stakeholders react on your next project when you don’t publish the risk register?