Register of main operational risks in construction. Risk register project of ABC

Risk comes with any entrepreneurial activity.

Project implementation involves operational, investment and financial activities, and all of them carry the risks typical of any investment project.

The investment project (IP) may provide for stabilization mechanisms that protect the IP participants if the conditions for its implementation change unfavourably, together with measures to reduce the level of risk and to compensate for it. For internal risks, the degree of risk itself can be reduced: through additional expenditure on reserves and stocks, on improving technology and reducing the accident rate of production, on material incentives for improving product quality, on creating reserve capacity, and so on. For an information system (IS) implementation, this means material incentives for the IT service staff and the other employees working with the new IS, as well as additional expenditure on reserves and stocks, on trial operation of the IS, etc.

The use of any stabilization mechanism requires additional costs, whose amount depends on the conditions under which the project is implemented, the interests of its participants and their assessment of the degree of risk. Different values of the risk premium must be taken into account depending on the goals of the project and the factors influencing its implementation. The larger the implementation project (for example, a corporate IP implementation project), the higher its level of risk.

All risks associated with the implementation of IP, depending on the sources of occurrence and possibilities for elimination, can be divided into external (objective, systematic, or non-diversifiable) and internal (subjective, non-systematic, or diversifiable).

External and internal risks are interrelated.

External risks do not depend on a particular enterprise or individual entrepreneur and are present at all stages of IP implementation. They arise from external events that affect the market as a whole and the income of all enterprises across all IPs, and they cannot be completely eliminated by diversification.

External risks include: political, legislative, macroeconomic, risks of natural disasters (force majeure risks). Often, country risk is included in the discount rate to account for external risks.

Internal risks are caused by factors specific to a given enterprise or individual entrepreneur. They affect the income of individual enterprises on individual IPs and differ from one IP stage to another. They can largely be eliminated through diversification.

For an IP, the specific factors that give rise to internal risks include the following:

  • exceeding the deadlines for putting the IS into operation or the implementation budget;
  • a significant expansion of the IS implementation;
  • changes in the need to procure software and hardware, a lack of human resources, etc.;
  • interruptions in the supply of purchased hardware, a shortage of consultants or insufficient competence on their part;
  • loss of contracts as a result of incorrect debugging of the IS or interruptions in its operation;
  • accidents and failures in the operation of hardware or software, etc.

Structurally, internal risks include:

1 property risks, associated with the probability of losing enterprise or individual entrepreneur property for various reasons (theft, fire, negligence);

2 production risks, associated with losses from production stoppages caused by various factors, above all damage to fixed and working capital, as well as the risks of introducing new equipment and new technologies into production (for example, a new IS);

3 commercial risks, associated with losses from delayed payments, refusal to pay while goods are in transit, non-delivery of raw materials and components or their delivery off schedule, etc.;

4 financial risks, associated with the probability of losing financial resources through irrational investment of capital.

Different internal risks arise at different phases of an IP for IS implementation.

Consider the typical errors made at the stage of deciding on IS implementation.

1 Weak elaboration of the automation strategy (the company has no coherent long-term IT strategy matching the scale and growth rate of its business).

2 Fascination with fashionable trends toward particular products when choosing the IP.

3 The search for an ideal solution that perfectly matches the specifics of the enterprise.

4 Lobbying for the introduction of the IP by one division of the enterprise; the result may be a mismatch between the system and the needs of other key divisions.

5 Incorrect compilation of the tender task: the task is compiled not from the key requirements for the IP but by simply collecting and summarizing requests from all departments. As a rule, this approach takes into account only the current requirements of the departments and not the strategic goals of the company as a whole.

The most common mistake when choosing an IP is enthusiasm for the technical side to the detriment of functional expediency dictated by the ultimate goals of the implementation. So that the assessment is not one-sided, employees of the "subject" departments and the company's top managers must be involved in choosing the system from the very beginning.

At the implementation stage the most significant project risks are as follows.

1 The unpreparedness of the enterprise's top management for changes in business processes and organizational structure.

2 Unsuccessful selection of external consultants for the project (on the principle of minimum cost, or on the basis of a partnership with a particular software vendor). When choosing a consultant as the project contractor, the following criteria must be observed: professionalism, reliability and predictability of results.

3 The influence of the human factor during project implementation (changes in technology, work procedures and formats, and the need to take into account the employees' reaction to the implementation).

4 Delegation of key management and executive powers to the IT department. The project team must include key employees of all "subject" departments, who will later work with the implemented system.

It should be noted that recommendations for overcoming difficulties in the implementation and operation of an IS should be developed for the specifics of a particular enterprise. First of all, the enterprise's management and IT service must be aware that the enterprise will have to make constant efforts to improve the IS in the future. The transition from the "design mode" of operation to the phase of improvement and modification is a significant problem for some enterprises, and solving it requires careful study and planning. An important task in risk research is to determine the stage at which a particular risk is most likely to occur.

At the implementation stage, the risks inherent in the previous stages of the project (the so-called staging risks) begin to manifest themselves fully. They are supplemented by "cross-cutting" risks, which are realized at almost every stage of the project. The cross-cutting risks include, first of all, internal political risks: an IP implementation project often serves as a lever in political struggles within the enterprise. If the project affects the vital interests of large teams and of senior managers who control property, product and cash flows, then significant problems can arise even with perfect planning and organization of the implementation.

There is also a cross-cutting risk associated with the distribution of workload between the client and the consultant. The proportion of work performed by consultants should decrease during the project, otherwise the customer enterprise will have difficulties in the further operation of the IS without consultants. The project may also develop poorly due to the influence of the human factor (staff resistance, psychological fatigue from the project), as well as due to inefficient communications established within the enterprise.

The rejection of the project by the staff, as a rule, arises from a lack of information: the management of the enterprise is not aware of what the project team is doing, and the employees do not see the point in implementation at all. The negative attitude of the staff can be overcome by timely and regular explanatory work, which should be the responsibility of the project team members.

After the completion of the project, long-term risks begin to appear that impede the effective use and further development of IP in the enterprise. The main long-term risks are generated by inadequate support for external and internal changes. An important long-term risk is associated with the human factor - the end of participation in the project of consultants. In addition, there is a risk of information security breach - a possible leakage of commercial information from the company.

The leading long-term risks (both in severity of damage and in difficulty of mitigation) are those associated with reorganization of the enterprise and with loss of flexibility in business processes.

Long-term risks, however, have only a secondary effect on the IS life cycle. What matters first of all is competent planning and successful implementation of the IP.

The point of describing the risks of IT projects is to identify them in advance and to take a set of preventive measures before the project starts. The main measures aimed at preventing risk situations in IT projects are:

1 mandatory documentation of the objectives of the project, as well as all changes in the project documentation that arise during its implementation;

2 increasing employee motivation through financial incentives;

3 involvement of third-party qualified specialists;

4 training of team members and senior management of the enterprise in project management methodology, etc.

Among the risks typical for all IPs for IS implementation, the following can be distinguished:

1 design risks when creating a system (embedded in the design of IS);

2 organizational risks (include the impact of the human factor on the process of implementation and operation of IS, as a result - incorrect interpretation of data processed using IS);

3 technical risks such as downtime, failures, data loss or corruption, etc.;

4 risks of business loss (business risks) associated with the operation of the system (arising from technical risks).

Project risks appear at the stage of design or delivery of IS. These may include, for example, the risk of obsolescence of certain software or technical solutions, as well as the risks of delaying the delivery of IS components. However, given the relatively short time required for the supply and implementation of IS, as well as the conditions for the implementation of such projects, where, as a rule, all issues related to the supply and implementation are decided by one supplier company, the likelihood of such risks is low.

It is possible to estimate the cost of organizational risks by expert means. Many of the organizational risks, with a sufficient probability of occurrence, can reduce the entire effect of automation to zero or even reveal the harm from automation, so their analysis must be approached with particular care.

The most obvious organizational risks include the following.

1 Personnel sabotage. This risk negates all efforts to introduce IP. It can arise for many reasons: for example, the fear of losing a job due to the planned staff reduction, the desire to hide the real results of the work of an employee, to avoid revealing incompetence, etc.

2 Erroneous conclusions based on the analysis of data obtained as a result of the operation of the IS, i.e. incorrect interpretation of the data processed in the IS.

3 Transfer of information accumulated in the system to competitors as a result of theft or betrayal by personnel, etc.

The planned work of the enterprise's IT service, as well as of its strategic development and planning department, should include developing recommendations to reduce the risks of the IP implementation project. It is also necessary to carry out trial operation of the IS, to work with qualified consultants and reliable equipment suppliers, and to include in the preliminary cost estimate for the IS implementation project additional payments to the employees involved in working with the IS. Other important factors in minimizing risk are the attentive attitude of top management to the IS implementation project and the preliminary development of a general enterprise automation strategy.

At present there is no single classification of enterprise project risks. Nevertheless, the following main risks inherent in a project to open and develop a corporate training center can be identified.

Since considering all the risks of creating software tools at this stage of opening the enterprise "It - progress" would be inappropriate, it is necessary to analyze the risks of opening an enterprise engaged in the development and sale of software.

Table 2.1 - Risks of opening a software development enterprise

Type of risk: The risk of an increase in the estimated cost of the project
Risk factors: design errors; inefficient use of resources; changes in the conditions for implementing the project.
Possible reasons: insufficient project development; inconsistency of work on project implementation; changes in legislation in the software development industry.
Likely consequences: shortfall in revenue.

Type of risk: The risk of poor quality of work of the project object
Risk factors: mistakes in project planning; design errors; violation of obligations by the contractor and suppliers.
Possible reasons: technical impossibility of producing the products the enterprise needs.
Likely consequences: increase in the cost of the project; shortfall in revenue.

Type of risk: Scientific and technical risk
Risk factors: negative results of fundamental and applied R&D; low technological capabilities of production.
Possible reasons: non-compliance of personnel with the professional requirements of the project; deviations in the timing of design stages; emergence of unforeseen scientific and technical problems.
Likely consequences: increase in the cost of the project; shortfall in revenue.

Type of risk: Risks of legal support of the project
Risk factors: wrong choice of territorial markets for patent protection; insufficiently "dense" patent protection; failure to obtain, or delay in obtaining, patent protection; limitations on the term of patent protection; expiry of licenses for certain types of activities; "leakage" of individual technical solutions; emergence of patent-protected competitors.
Possible reasons: imperfection of the legal system (lack of sufficient legal regulation, inconsistency of legislation, its susceptibility to change); impossibility of resolving certain issues through negotiation and, as a result, recourse by the organization to the courts; violations of contract terms by the organization's clients and counterparties.
Likely consequences: increase in the payback period of the project; shortfall in revenue.

Type of risk: Risks of the commercial offer
Risk factors: inconsistency of the company's market strategy with existing conditions; lack of suppliers of the necessary resources and components; non-fulfilment by suppliers of obligations on delivery terms and quality.
Possible reasons: refusal of traditional suppliers to conclude contracts; contract terms unacceptable to the enterprise (including prices); transition of traditional suppliers to the production of other products; inability to purchase on the world market because of the complexity of customs legislation or a lack of foreign currency.
Likely consequences: increase in the cost of the project; increase in the payback period of the project; shortfall in revenue; violation of contractual obligations.

Type of risk: Marketing risk
Risk factors: decrease in sales volume; decrease in the price of the goods; insufficient study of market needs; market rejection of a new product; over-optimistic expectations of future sales.
Possible reasons: lack of the necessary traditions and of a system of continuous forecasting of the market environment at the enterprise; inability to carry out market monitoring; lack of an effective methodology for predicting the behaviour of market participants and of meso- and macroeconomic factors.
Likely consequences: increase in the cost of the project; increase in the payback period of the project; shortfall in revenue.

Type of risk: Economic risk
Risk factors: general recession of the national economy; inflation rate; changes in taxes and tax payments; changes in the exchange rate; changes in the economic conditions for implementing the project.
Possible reasons: increasing tax rates; growth of prime cost and prices in the domestic market.
Likely consequences: increase in the cost of the project; increase in the payback period of the project; shortfall in revenue.

The project risk register contains information, in tabular, human-readable form, about known, identified project risks. It should always contain up-to-date information, since the quality of the project team's work with risks depends entirely on this. Typically, the project risk register contains the following information:

  • ID - unique project risk identification number. When used, this number must match the risk ID specified in the PMIS.
  • Risk description - detailed description of the project risk.
  • Category - risk category in accordance with the KSUP (corporate project management system). For example, investment risk, technological risk, risk associated with the project team, and so on.
  • Type - type of risk: positive or negative. Positive risks play into the hands of the project team and bring additional benefits that allow the project to be completed faster. Negative risks, on the contrary, reduce the likelihood of successful project completion.
  • Influence - the degree of the risk's impact on one of the four key project parameters: cost, timing, scope or quality. Usually rated with the values 0.05, 0.1, 0.2, 0.4, 0.8.
  • General influence - the overall impact of the risk; it depends on the chosen model (max: the maximum value is used; avg: the average value is used) and is determined from the risk's impact on the four parameters.
  • Probability - the likelihood of the risk occurring. Usually rated with the values 0.1, 0.3, 0.5, 0.7, 0.9.
  • Meaning - in effect the magnitude of the risk, calculated as the product of General influence and Probability.
  • Strategy - risk response strategy. One of seven strategies is chosen. For negative risks: evasion, reduction, sharing. For positive risks: transmission, use, amplification. For all risks: acceptance.
  • Events - a description of the measures for dealing with the risk, in accordance with the chosen response strategy.
  • Responsible - name of the project team member responsible for managing the risk.
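The register fields and scoring rules listed above, as an added example (not code from the original page): a validated register entry that computes General influence under the max and avg models and Meaning as its product with Probability. The PMIS cross-check and the ranking helper are assumed conveniences, and the sample entries are constructed.

```python
"""Project risk register entry with the scoring rules from the field list above."""
from dataclasses import dataclass

PARAMETERS = ("cost", "timing", "scope", "quality")
IMPACT_SCALE = (0.05, 0.1, 0.2, 0.4, 0.8)
PROBABILITY_SCALE = (0.1, 0.3, 0.5, 0.7, 0.9)

# Seven strategies: three per risk type, plus acceptance for both types
STRATEGIES = {
    "negative": {"evasion", "reduction", "sharing", "acceptance"},
    "positive": {"transmission", "use", "amplification", "acceptance"},
}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str
    risk_type: str          # "positive" or "negative"
    influence: dict         # impact per parameter, e.g. {"cost": 0.8, ...}
    probability: float
    strategy: str
    events: str             # planned measures for the chosen strategy
    responsible: str

    def __post_init__(self):
        # Reject entries that do not follow the register's scales and rules
        if self.risk_type not in STRATEGIES:
            raise ValueError(f"{self.risk_id}: unknown risk type {self.risk_type!r}")
        if set(self.influence) != set(PARAMETERS):
            raise ValueError(f"{self.risk_id}: influence must cover {PARAMETERS}")
        for param, value in self.influence.items():
            if value not in IMPACT_SCALE:
                raise ValueError(f"{self.risk_id}: impact on {param} is not on the scale")
        if self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"{self.risk_id}: probability is not on the scale")
        if self.strategy not in STRATEGIES[self.risk_type]:
            raise ValueError(f"{self.risk_id}: {self.strategy!r} is not valid for a {self.risk_type} risk")

    def general_influence(self, model="max"):
        """Overall impact: the maximum of the four impacts, or their average."""
        values = [self.influence[p] for p in PARAMETERS]
        if model == "max":
            return max(values)
        if model == "avg":
            return sum(values) / len(values)
        raise ValueError(f"unknown model {model!r}")

    def meaning(self, model="max"):
        """Risk magnitude = General influence x Probability."""
        return self.general_influence(model) * self.probability


def rank_register(entries, model="max"):
    """Risk IDs ordered by magnitude, largest first (assumed helper)."""
    ordered = sorted(entries, key=lambda e: e.meaning(model), reverse=True)
    return [e.risk_id for e in ordered]


def ids_missing_from_pmis(entries, pmis_ids):
    """Register IDs with no matching risk ID in the PMIS (assumed helper)."""
    known = set(pmis_ids)
    return sorted(e.risk_id for e in entries if e.risk_id not in known)


# Constructed sample register (hypothetical values)
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Key consultants leave at project end", "project team",
              "negative", {"cost": 0.2, "timing": 0.8, "scope": 0.1, "quality": 0.4},
              0.5, "reduction", "Knowledge transfer sessions; documented handover", "IT lead"),
    RiskEntry("R-002", "Leakage of commercial information from the IS", "information security",
              "negative", {"cost": 0.8, "timing": 0.05, "scope": 0.05, "quality": 0.1},
              0.3, "reduction", "Access control and audit logging for the IS", "Security lead"),
    RiskEntry("R-003", "Vendor delivers a module early", "technological",
              "positive", {"cost": 0.1, "timing": 0.4, "scope": 0.05, "quality": 0.05},
              0.3, "use", "Pull integration testing forward", "Project manager"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(entry.risk_id, round(entry.meaning("max"), 4), round(entry.meaning("avg"), 4))
    print(rank_register(SAMPLE_REGISTER))
```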

R 50.1.084-2012 Risk management. Risk register. Guidance for Creating an Organizational Risk Register


Risk management

RISK REGISTER

Guidance for Creating an Organizational Risk Register

risk management. risk register. Guidelines on construction of organization risk register

Introduction date 2013-12-01

Foreword

1 DEVELOPED BY the autonomous non-profit organization "Research Center for Control and Diagnostics of Technical Systems" (ANO "NIC KD")

2 INTRODUCED by the Technical Committee for Standardization TC 10 "Risk Management"

3 APPROVED AND PUT INTO EFFECT by Order of the Federal Agency for Technical Regulation and Metrology of November 29, 2012 N 1283

4 INTRODUCED FOR THE FIRST TIME

Information about changes to these recommendations is published in the annual information index "Guidance Documents, Recommendations and Rules", and the text of changes and amendments in the monthly information index "National Standards". In case of revision (replacement) or cancellation of these recommendations, a corresponding notice will be published in the monthly information index "National Standards". The relevant information, notices and texts are also posted in the public information system, on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet.

Introduction

The risk register is one way to present and store information about hazardous events and risks. A risk register allows an organization to obtain information related to a specific hazard: its source, consequences, the target of hazardous events, etc. However, developing a risk register, especially with a large number of hazard sources, requires considerable effort, time and financial resources, as well as a large amount of information.

The need to develop and maintain a risk register is determined by the organization itself.

3.2 risk register (risk register): A form for recording information about an identified risk.

NOTE The term "risk log" is sometimes used instead of the term "risk register".

3.3 danger (hazard): Source of potential harm.

NOTE A hazard can be a source of risk.

3.4 risk manager (risk manager): A specialist in the identification, assessment, analysis, treatment and monitoring of risk, as well as other activities in the field of risk management of an organization.

4 How to develop an entity risk register

4.1 General provisions

The organization should determine the need for development, stages, form and methods of maintaining a risk register. The main objectives of developing an organization's risk register, its place in the risk management system, the advantages and disadvantages of the risk register are established in GOST R 51901.21.

The organization's risk register is a form of keeping records of identified hazardous events, of the assessment of the corresponding risk, and of the methods and timing of its treatment. When maintaining a risk register, the relevant mandatory requirements must be taken into account, as well as other available information on the types of hazard and the risk of their occurrence. Depending on the characteristics of the organization, the form and content of the risk register can be changed or supplemented relative to the standard form of the risk register shown in Table 1 of GOST R 51901.22.

When developing an organization's risk register, consideration should be given to:

  • policy, objectives and strategy of the organization in the field of risk management;
  • features of manufactured products and services provided by the organization;
  • main production processes and management processes of the organization;
  • established and used methods of risk analysis and assessment;
  • legal requirements;
  • operating conditions of manufactured products.

Responsibility for risk management should be assigned to the accountable risk manager or risk management team, including responsibility for risk control and monitoring. Requirements for risk managers are established in GOST R 51901.21.

Development, approval, maintenance and updating of the risk register of the organization should be carried out in accordance with clause 5 GOST R 51901.22.

The exchange of information on the risk register and ensuring the confidentiality of information related to the risk register must be carried out taking into account the requirements of clause 6 of GOST R 51901.22 and the recommendations established in R 50.1.070.

An example of a simplified risk assessment method and of the development of an abbreviated risk register for a small organization is given in Appendix A.

4.2 Steps in the organization's risk management process

The main steps in developing an organization's risk register should be consistent with the steps in the risk management process. At the same time, the content of the stages depends on the characteristics of the organization's risk management. Risk management principles are set out in GOST R ISO 31000. The main elements of the risk management process for small organizations are shown in Figure 1.

Figure 1 - General scheme of the risk management process

A description of the main elements of the risk management process for small organizations is given in R 50.1.069.

4.3 Organizational risk management process map

Based on the risk management process in accordance with GOST R 51901.21, an organization can draw up a map of the risk management process. When developing a process map for small organizations, it is recommended to retain the main elements of risk management (identification of hazardous events, quantitative risk assessment, risk analysis and comparative assessment, risk treatment, monitoring and review), while their content can be refined depending on the characteristics of the organization's activities.

4.4 Developing an organization risk register

4.4.1 General

The results of the actions performed at each step of the risk management process should be recorded in the risk register. The rules for building a risk register are given in GOST R 51901.22. The standard form of the risk register is given in Table 1 of GOST R 51901.22.

The allocation of responsibility for the development and maintenance of an organization's risk register should be consistent with the steps in the risk management process, as information in the risk register should be entered and updated after each step of the risk management process is completed.

The main stages of developing an organization's risk register are described in paragraphs 4.4.2-4.4.6.

4.4.2 Establishing the purpose and scope of the risk register

The organization shall establish the organization's internal and external objectives, as well as risk management objectives, for the implementation of the remaining elements of the risk management process. Guidance on defining the scope of risk management is given in R 50.1.068.

When defining the objectives and scope of the risk register, the objects of the risk register are first defined. The objects of the risk register can be:

  • organization as a whole, structural subdivision or part of it;
  • product, service, process or activity;
  • personnel or individual workers.

General requirements to determine the scope of the risk register are established in GOST R 51901.21.

4.4.3 Development of risk criteria

The organization shall establish risk criteria. The criteria should reflect the purpose and scope. They often depend on the interests of the parties involved, as well as on relevant legal and/or regulatory requirements. Risk criteria can be operational, technical, financial, legal, legislative, social, environmental, humanitarian and/or others.

A general description of the decision criteria should be developed when establishing the scope of risk management. Risk criteria should be refined and/or revised after a specific type of risk has been identified and a risk analysis method chosen. Risk criteria should be appropriate to the type of risk and to how it is presented.

Risk criteria are usually included in the organization's risk register, but for smaller organizations, risk criteria may be established in the organization's documented procedures or other risk management documents.

4.4.4 Hazardous event identification

The identification of hazardous events should include the identification of phenomena and events that may affect the risk register items established within the scope of the risk register. General requirements for the identification of hazardous events for inclusion in the risk register are established in clause 4.2 of GOST R 51901.21.

For small organizations, the identification of hazardous events can consist of three stages:

  • definition of risk identification methods;
  • identification of hazardous events;
  • identifying the causes of a hazardous event.

The organization must first determine the methods for identifying risk. The following methods can be used: checklist analysis, expert judgment, analysis of experimental and historical data, reliability block diagram analysis, brainstorming, system analysis, scenario analysis and system design methods. These methods are discussed in more detail in GOST R ISO/IEC 31010. The choice of method depends on the type of risk, the scope and objectives of the organization's risk management, and the applicable and required controls and methods for managing the organization's risk.

Risk identification methods are usually entered in the organization's risk register, however, for smaller organizations, risk identification methods may be defined in documented procedures or other documents of the organization's risk management.

The next step is the identification of hazardous events, at which the organization must draw up a general list of hazardous events that can adversely affect its activities and the achievement of its objectives. Based on this list, each identified hazardous event that can occur must be described in detail. When compiling the list of hazardous events, the hazard classification given in Appendix A of GOST R 51901.21 can be used.

The name of the hazardous event must be formulated in a clear phrase. For a hazardous event whose name is sufficiently long, a short name may be used.

After identifying possible hazardous events, it is necessary to consider the sources and causes of their occurrence, as well as the possible consequences for the organization's activities.

Hazardous events, their sources and possible consequences are included in the risk register of the organization (regardless of its size).

When carrying out the hazard identification stage, it is recommended to take into account the requirements of GOST R 51901.23.

4.4.5 Risk analysis

General requirements for the risk analysis of dangerous events for inclusion in the risk register are established in clause 4.3 of GOST R 51901.22.

Risk analysis includes the study of the sources of hazardous events, their consequences and the likelihood of these events occurring. At the same time, the factors affecting the consequences and the probability of the event should be identified. Risk should be analyzed as the combination of the consequences of an event and its probability. In addition, the organization should review and evaluate the existing controls and control measures. The magnitude of the consequences of an event and its likelihood need to be assessed against the effectiveness of existing strategies, controls and management practices.

Organizational risk analysis can be carried out at varying degrees of detail depending on the nature of the risk, the purpose of the analysis, and the available data and resources. Risk analysis can be qualitative, quantitative or combined. For small organizations, qualitative analysis is usually used to obtain an overall assessment of risk and to identify the problems associated with it. If the organization decides that further detailed analysis is necessary, quantitative or combined methods of risk analysis can be applied. A description of these types of risk analysis is given in R 50.1.069 and GOST R ISO/IEC 31010.

The way in which the consequences and likelihood of events are presented in the risk register should be chosen in such a way as to ensure that the objectives of the risk analysis are met.

Risk analysis needs to take into account the uncertainty and variability in estimates of the consequences and likelihood of an event, as well as the effectiveness of risk communication. When entering quantitative data into the risk register, the associated uncertainty should (if possible) be indicated.

4.4.6 Comparative risk assessment

General requirements for comparative risk assessment for inclusion in the risk register are set out in subsection 4.4 GOST R 51901.22.

The aim of comparative risk assessment in a small organization is to decide, on the basis of the risk analysis results and the risk acceptability criteria, whether risk treatment is needed and in what order risks are to be treated.

When performing a comparative risk assessment, one should be guided by the requirements of GOST R 51901.23.

The results of a comparative risk assessment are usually entered into the organization's risk register, unless otherwise specified in the organization's documented procedures or other risk management documents.

4.4.7 Risk treatment

The general requirements for risk treatment for inclusion in the risk register are set out in subsection 4.5 of GOST R 51901.22.

At the risk treatment stage, a risk treatment strategy is selected; the consequences, the probability of the hazardous event and the resulting risk are reassessed taking into account the chosen strategy; the risk treatment measures, their deadlines and the persons responsible for implementing them are determined; and the results of risk treatment are evaluated.

For small organizations, the mandatory elements of the risk register relating to the risk treatment stage are the risk treatment measures and the planned and actual dates of their implementation.

A small organization's risk treatment budget is usually limited, so the treatment plan must also set the order in which the risks are treated. The organization should compare the total cost of a hazardous event if no action is taken with the savings achieved by treating the risk and applying preventive action.

4.4.8 Risk monitoring and review of the risk register

General requirements for risk monitoring and review of the risk register are set out in subsection 4.6 GOST R 51901.22.

The organization must ensure that the risk management process is continuous; all types of risk should therefore be monitored regularly and the entries in the risk register reviewed.

The results of risk monitoring are usually recorded in the organization's risk register, but for smaller organizations, these results may be identified in the organization's documented procedures or other risk management documents.

Annex A
(reference)


An example of a simplified risk assessment method and the development of an abbreviated version of a small organization risk register

A.1 General

The structure and composition of the risk register depends on the characteristics of the organization. A typical form of the risk register is given in GOST R 51901.22. Smaller organizations may use an abbreviated (simplified) form of the risk register, an example of which is shown in Table A.1.

Table A.1 — Simplified form of the risk register

Columns of the simplified register:

1. Hazardous event identifier
2. Name and description of the hazardous event
3. Responsible risk manager (risk owner)
4. Consequences of the hazardous event
5. Probability of the hazardous event
6. Risk assessment
7. Risk treatment measures
8. Deadline for the implementation of risk treatment measures
9. Notes

When completing the risk register, the following scales can be used:

consequence scale: 5 - catastrophic consequences, 4 - significant consequences, 3 - moderate consequences, 2 - minor consequences, 1 - insignificant consequences;

hazardous event probability scale: 5 - very high probability, 4 - high probability, 3 - medium probability, 2 - low probability, 1 - very low probability;

risk assessment (product of the two ranks): acceptable risk (0-4), controlled risk (5-8), significant risk (9-25);

risk treatment measures: (0) no risk, no action is taken; (1-4) low risk, only low-cost actions are taken; (5-8) medium risk, actions are taken taking into account the time of their implementation and economic feasibility; (9-15) high risk, urgent risk mitigation is required; (16-25) very high risk, immediate (emergency) actions to reduce the risk are taken.

A.2 Risk matrix

A.2.1 General

The risk assessment method for hazardous events is given in GOST R 51901-23 *, however, small organizations can use simplified risk assessment methods, while taking into account the uncertainty of such risk assessments.

________________

*Probably an original error. Should read: GOST R 51901.23. - Database manufacturer's note.

Small organizations can use a risk matrix to assess the significance of a risk. For a systematic and consistent risk assessment, it is necessary to develop a risk matrix in accordance with the following steps:

  • assessment of the likelihood of a hazardous event (A.2.2);
  • assessment of the consequences of a hazardous event (A.2.3);
  • compilation of a risk matrix (A.2.4);
  • definition of risk treatment measures (A.2.5).

This example shows the simplest version of the risk matrix. The organization, depending on the conditions of risk assessment, can develop its own risk matrix.

A.2.2 Assessment of the probability of a hazardous event

In a small organization, depending on the object of the risk register, the risk manager must answer the question: what is the probability that the hazardous event occurs given the controls, management methods and risk reduction measures already in place? Table A.2 can be used for this.

Table A.2 — Estimation of the likelihood of a hazardous event

If there is doubt about the probability of occurrence of a hazardous event, the higher probability rank is taken.

A.2.3 Assessing the consequences of a hazardous event

Depending on the area of impact of the hazardous event, the risk manager must assess its consequences given the existing controls, management methods and risk reduction measures. Table A.3 can be used for this.

Table A.3 — Assessment of the consequences of a hazardous event

Consequence, in points | Description of consequences | Objects affected by the hazardous event*
5 | catastrophic consequences | people, environment, economy, state and municipal government, social environment, infrastructure
4 | significant consequences | people, economy, infrastructure, environment, social environment
3 | moderate consequences | people, economy, infrastructure
2 | minor consequences | economy, infrastructure
1 | insignificant consequences | social environment

* The affected objects are given as an example only.

If there is doubt about the consequences of a hazardous event, the higher consequence rank is taken.

A.2.4 Compilation of the risk matrix

In this example, the simplest method of risk assessment is used: a qualitative ranking of the consequences and of the probability of the hazardous event. The risk rank is then calculated as the product of the consequence rank and the probability rank, the ranks being taken from Tables A.2 and A.3. With both scales running from 1 to 5, the product lies between 1 and 25.

The results obtained allow the construction of a risk matrix (Table A.4), which can be used as a basis for identifying acceptable and unacceptable risk.

Table A.4 — Risk matrix (risk rank = consequence rank x probability rank)

Probability of hazardous event | Consequences: insignificant (1) | minor (2) | moderate (3) | significant (4) | catastrophic (5)
Very low (1)  |  1 |  2 |  3 |  4 |  5
Low (2)       |  2 |  4 |  6 |  8 | 10
Medium (3)    |  3 |  6 |  9 | 12 | 15
High (4)      |  4 |  8 | 12 | 16 | 20
Very high (5) |  5 | 10 | 15 | 20 | 25

Note - Risk assessment (risk rank): acceptable (0-4), controlled (5-8), significant (9-25).

For greater clarity, the risk assessment in the risk register can be highlighted in colour:

green - acceptable risk (0-4);

yellow - controlled risk (5-8);

red - serious risk (9-15), dark red - significant risk (16-25).

The identified risks can be ranked both within departments and across the organization as a whole. The ranking is based on the risk matrix (the product of consequences and likelihood) and makes it possible to identify most of the significant risks.

A.2.5 Determination of risk treatment strategy and measures

Depending on the risk assessment (see Table A.4), the actions to be taken for each risk recorded in the risk register should be determined. Table A.5 provides an example of actions to be taken based on risk assessment.

Table A.5 — Example of actions to be taken based on risk assessment

Risk assessment | Actions taken
Acceptable risk (0) | No risk, no action is taken
Acceptable risk (1-4) | Low risk, only low-cost actions are taken
Controlled risk (5-8) | Medium risk, actions are taken taking into account the time of implementation and the economic efficiency of the risk reduction measures
Serious risk (9-15) | High risk, immediate mitigation action is needed
Significant risk (16-25) | Very high risk, immediate (emergency) risk mitigation measures are taken

Risk reduction or risk treatment measures may be included in the risk register and/or may be developed as a separate document. In this case, a link to this document should be given in the risk register. In the example shown, the risk treatment activities are included in the risk register.
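As an added illustration (this code is not part of the standard and is not the standard's own material), the following Python sketch carries the Annex A procedure through end to end: the 1..5 rank scales, the "take the higher rank when in doubt" rule of A.2.2 and A.2.3, the risk rank as consequence x probability (A.2.4), the bands of Table A.4 and the action bands of Table A.5 (with the 9-25 range split at 16, as in Table A.5), a register row carrying the Table A.1 columns together with the dated change log that A.3 requires, and ordering by risk rank, which is the treatment order a limited budget (4.4.7) forces. The event names, owners and dates in the sample register are constructed for the example. One caveat the code makes visible: because both scales start at 1, the product is never 0, so the "no risk (0)" row of Table A.5 can only apply to an event that has been struck out of the register.

```python
"""Simplified risk register and 5x5 risk matrix (added example, not from the standard)."""
from dataclasses import dataclass, field

# Rank scales from Annex A (notes to Table A.1, Tables A.2 and A.3).
PROBABILITY = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate",
               4: "significant", 5: "catastrophic"}

# Risk bands (note to Table A.4) with the colours suggested for the register.
RISK_BANDS = ((0, 4, "acceptable", "green"),
              (5, 8, "controlled", "yellow"),
              (9, 25, "significant", "red"))

# Treatment action bands (Table A.5); the 9-25 band is split at 16.
ACTIONS = ((0, 0, "no risk, no action taken"),
           (1, 4, "low risk, only low-cost actions"),
           (5, 8, "medium risk, actions planned by timing and economic feasibility"),
           (9, 15, "high risk, immediate mitigation needed"),
           (16, 25, "very high risk, emergency measures"))


def rank(value: int, doubtful: bool = False) -> int:
    """Validate a 1..5 rank. When the assessor is in doubt, A.2.2/A.2.3 say
    to take the next higher rank; 5 is the ceiling."""
    if value not in range(1, 6):
        raise ValueError(f"rank must be in 1..5, got {value!r}")
    return min(value + 1, 5) if doubtful else value


def risk_rank(consequence: int, probability: int) -> int:
    """Risk rank = consequence rank x probability rank (A.2.4); always 1..25."""
    return rank(consequence) * rank(probability)


def _lookup(table, r):
    """Return the trailing fields of the band row whose [lo, hi] contains r."""
    for lo, hi, *rest in table:
        if lo <= r <= hi:
            return rest
    raise ValueError(f"risk rank {r} outside 0..25")


def risk_band(r: int) -> tuple:
    """(band name, colour) for a risk rank, per the note to Table A.4."""
    name, colour = _lookup(RISK_BANDS, r)
    return name, colour


def treatment_action(r: int) -> str:
    """Action band for a risk rank, per Table A.5."""
    return _lookup(ACTIONS, r)[0]


def risk_matrix():
    """Table A.4 as a 5x5 grid: rows = probability 1..5, columns = consequence 1..5."""
    return [[c * p for c in range(1, 6)] for p in range(1, 6)]


@dataclass
class RiskEntry:
    """One row of the simplified register (Table A.1) plus a change log (A.3).
    Dates are ISO-8601 strings, which is enough for a register kept in a sheet."""
    event_id: str
    description: str
    owner: str
    consequence: int
    probability: int
    treatment: str = ""
    deadline: str = ""
    notes: str = ""
    history: list = field(default_factory=list)   # (date, old rank, new rank, reason)

    @property
    def risk(self) -> int:
        return risk_rank(self.consequence, self.probability)

    def reassess(self, when: str, consequence=None, probability=None, reason="") -> int:
        """Record a re-assessment with its date, as A.3 requires for every change."""
        before = self.risk
        if consequence is not None:
            self.consequence = rank(consequence)
        if probability is not None:
            self.probability = rank(probability)
        self.history.append((when, before, self.risk, reason))
        return self.risk


def prioritise(register):
    """Highest risk rank first: the order in which a limited budget treats risks (4.4.7)."""
    return sorted(register, key=lambda e: e.risk, reverse=True)


# Constructed sample register (hypothetical events, not taken from the standard).
SAMPLE_REGISTER = [
    RiskEntry("HE-01", "Crane load drop on site", "site manager", consequence=5, probability=2,
              treatment="inspect rigging daily", deadline="2024-03-01"),
    RiskEntry("HE-02", "Supplier delay on structural steel", "procurement lead",
              consequence=3, probability=4, treatment="second-source supplier"),
    RiskEntry("HE-03", "Minor site office flooding", "office admin", consequence=1, probability=3),
]

if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{v:2d}" for v in row))
    for e in prioritise(SAMPLE_REGISTER):
        name, colour = risk_band(e.risk)
        print(f"{e.event_id}: {e.risk:2d} {name:<11} {colour:<6} -> {treatment_action(e.risk)}")
```

Run as a script it prints the Table A.4 grid and the sample register in treatment order (HE-02 at rank 12 before HE-01 at rank 10, both in the red band, then HE-03 at rank 3). The `reassess` method is where the A.3 requirement lives: every change to a rank is appended to the row's history with its date, so a reviewer can see when and why a risk moved between bands.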

A.3 Additional provisions

Since the risk register is constantly updated, it is necessary to record the dates of the risk entries and any changes made. If the action plan is included in the risk register, the purpose and deadlines for completing the actions provided by the plan must be recorded.

The comments or notes column of the risk register is used to reference related information, for example the meeting at which the risk was discussed.

risks that they consider important to the project; discussion of the risks put forward is not allowed at this stage. The risks are then sorted into categories and specified.

The Delphi method is similar to brainstorming, but its participants do not know each other. The facilitator uses a list of questions to elicit ideas about the project's risks and collects the experts' answers. The answers are then analysed, categorised and returned to the experts for further comment. Consensus and the list of risks are reached through several cycles of this process. The Delphi method removes peer pressure and the fear of embarrassment when putting forward an idea.

Table 5.7. Risk register template

RISK IDENTIFICATION
Risk occurrence date | Risk registration date | Risk name and description | Initiator | Causes | Consequences | Risk owner | Risk expiry date
Table 5.8. An example of filling out a risk register (simplified)

Root cause | Condition | Consequence
Understaffing | can be combined |

Table 5.9. An example of filling out an extended risk log
Columns: Type of risk | Description of the risk | Proactive measures | Reactive measures | Probability | Consequences | Risk factor (probability x consequences)

Type of risk: Technological
Description: The customer may delay the release of the product because of continual changes and additions to the product requirements.
Proactive measures:
  1. Divide the requirements into "absolutely necessary" and "nice to have", and implement only the absolutely necessary ones before launching the system.
  2. Make sure the customer's management understands and supports the approach whereby change requests are executed after the main work is completed, wherever possible.
Reactive measures:
  1. Negotiate a change to the commissioning date of the system to reflect the accumulated volume of changes, so that the required quality of the final product is maintained.
Probability: 8 | Consequences: 6 | Risk factor: 48

Type of risk: Financial
Description: The customer insists that all errors be corrected free of charge (only items that we too would recognise as errors are meant here), which can lead to serious financial losses.
Proactive measures:
  1. Include in the work plan a budget and time for programmers to correct errors found in testing.
  2. Explain to key customer representatives that detecting and correcting errors is part of the software development process.
Reactive measures:
  1. If no agreement can be reached, escalate the issue to the steering committee.
Probability: 8 | Consequences: 6 | Risk factor: 48