The Risk Report in Project Management

Project management is most frequently associated with the topics of cost, quality, and time. Yet, those three legs of project management are all directly impacted by risk. Risk management is crucial in all projects; whether an opportunity or threat, all risks should be identified and planned to increase the possibility of a successful outcome for a project. Project managers (PMP) conduct risk analysis work, maintain a risk watch list, and generate a risk report as part of overall risk management work.


Risk Report PMP

The Project Management Professional (PMP)® certification exam seeks to assess one’s knowledge of all things project management, including risk management tools, activities, and documents. Depending on the industry, the type of project management methodology used, and the specific project management tools employed by an organization, there can be different levels of formal risk tools and documents used. However, there are foundational aspects of risk management that all PMP credential holders know, through the standards measured by the Project Management Institute (PMI)’s PMP exam and its A Guide to the Project Management Body of Knowledge (PMBOK® Guide).

Purpose of a Risk Report PMP

Searching for the difference between the risk report, risk analysis, and risk register can be frustrating. If the project manager is conducting risk analysis and maintaining a list of identified risks in the risk register, what is the need for a risk report? The answer lies in understanding stakeholders and the ongoing communications required for any project.

For example, the team members are actively using the risk register to capture risks and potential mitigation strategies for each, as they should. The risk register may end up being quite lengthy (images of small font sizes and Excel files that require seemingly endless scrolling could be flashing in your mind). The CEO, a primary stakeholder, asks the project manager, “What is the status of the project’s risk? Are we at high risk for any problems?” If the project manager only shows the CEO the risk register in response, trying to convey how risk is being managed, there is a failure to communicate the overall status of risk management. The risk of only using the risk register to convey the status of risk is that the stakeholders will lose confidence in the work, and that can lead to a lack of support. This is where the risk report fits into the overall project management strategy: it is a risk summary reflecting the potential impacts to the budget, timeline, and deliverables, which can convey key points to stakeholders.

Risk: An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.

Risk Report: A summary of risk reflecting risks that have occurred, actions taken for risks, and the potential impacts to budget, timeline, and deliverables.

The difference between a risk register and a risk report is that the register is an ongoing document used throughout the project to make informed risk management decisions, whereas the risk report is a snapshot of risk management work at a given moment.

Basics of a Risk Report

By definition, a risk report is a communication tool within risk management. The report should be clear, concise, and indicate actions taken, preparation for other risk-related actions, and any inputs needed by stakeholders to ensure continuous risk management support.

When to Create the Report

In the context of formal traditional (waterfall) project management, a risk report is created during the Identify Risk process. Then the report is updated during the processes of:

  • Perform Qualitative Risk Analysis
  • Perform Quantitative Risk Analysis
  • Plan Risk Responses
  • Implement Risk Responses
  • Monitor Risks

From a “risk report PMP” lens, that is the strict timing of creating and updating the risk report which is the basis of related PMP certification exam questions. However, a project manager should strive to understand the culture of the business and the needs of critical stakeholders, which can influence when a risk report is needed. It would not behoove a project manager to reply to the inquiry of “what is the status of our risk?” with a reply of “we are not at the point where I update the risk report, so you need to wait to find out.” Factors to consider for the timing of risk reports:

  • The needs of the most influential stakeholders
  • The results of the risk watch list work that indicate significant changes in risk
  • Following a reporting schedule to manage the time needed for reporting
  • Maintaining consistent communication with the team and with stakeholders on risk activities

When considering the timing of risk reports, aim to be consistent and timely rather than trying to follow an inflexible schedule.

What to Include in the Report

The type of project, the project management methodology practiced, the project management standards of the business, and the scope of the project will all influence the level of detail and content of a risk report. Most commonly, these information types are included in a risk report:

  • overall project risk sources
  • overall project risk status (e.g. high, medium, low)
  • number of identified risks, labeled as threats or opportunities
  • distribution of risks across risk categories
  • risk trends across risk categories
  • identified risks that have occurred and what action was taken
  • changes in how risks are assessed for the probability of occurrence
  • financial impact of occurred risks
  • timeline impact of occurred risks
  • predicted level of overall project risk for next risk report milestone

Additionally, the inputs from risk analysis efforts will shape risk report content as will changes in the risk watch list.


How to Create a Risk Report

There is not a single perfect risk report template. As indicated by the range of information that can be included in a report, so too does the report vary by project. What should not vary is the report itself within a given project. It is important that within a project, the risk reports are consistent in content and approach. The team and stakeholders should know what to expect in the report and what information will be found in it.

Just one risk management consulting firm shows five different risk reports as examples of the range of options.

Risk Report Metrics for PMP
Source: Paladin Risk

Where possible, leverage existing proven templates and software to create a report that is accurate and easy to maintain. If the project manager can influence existing templates or is in the situation of creating a new risk report, use these guidelines:

  • Does the report provide the information needed to make decisions (versus showing a bunch of colored graphs for the sake of having a graph)?
  • Does the report convey how risk is being managed (versus just reporting status)?
  • Is the report giving equal attention to all risks (versus focusing on the highest potential risks)?
  • Is the report data connected to risk management activities (versus functioning as a standalone document)?
  • Do report updates require excessive time from the team (versus the use of automation or software tools to minimize time and maximize accuracy)?

As the project manager builds out the template for a project’s risk report, know it can leverage a combination of summary text, dashboards, heat maps, and/or matrixes, but what is most important is the value it brings to the overall risk management work.


How a Risk Report fits into Risk Management

The risk report does not replace other risk management documents. It serves a specific purpose within the overall project risk management efforts.

The risk register document has information about individual risks, assessment, and status. It is an input into the risk report which conveys the overall risk status at a given moment. Both are part of the overall risk management plan.


A risk report is an indicator of the performance of the overall risk management work. Project managers should use the risk report to convey risk status to the team and to provide information to stakeholders to inform risk management decisions.


Author profile
Megan Bell
Project Manager & Writer at Project Management Academy