
risks that are considered important to the project, while discussion of the risks raised is not allowed. Then the risks are sorted into categories and specified.

The Delphi method is similar to brainstorming, but the participants remain anonymous to one another. The facilitator uses a list of questions to elicit ideas about the project's risks, gathering answers from the experts. The experts' answers are then analyzed, categorized and returned to the experts for further comment. A consensus and a list of risks are reached over several cycles of this process. The Delphi method removes peer pressure and the fear of embarrassment when expressing an idea.

Table 5.7. Risk register template
RISK IDENTIFICATION
Date the risk emerged | Date the risk was registered | Name and description of the risk | Initiator | Causes | Consequences | Risk owner | Risk expiry date
Table 5.8. Example of filling out the register of risks (simplified)
Root cause | Condition | Consequence
Lack of staffing | Can be combined |

Table 5.9. An example of filling out an extended risk journal
Risk type | Description of the risk | Proactive measures | Reactive measures | Probability | Consequences | Risk factor

Risk type: Technological
Description: The customer may delay the release of the product because of constant changes and additions to the product requirements.
Proactive measures:
  1. Divide the requirements into "absolutely necessary" and "nice to have"; before the system goes live, implement only the absolutely necessary ones.
  2. Ensure that the client's management understands and supports the approach that change requests are processed after completion of the main work wherever possible.
Reactive measures:
  1. Negotiate a change to the commissioning date of the system to reflect the accumulated volume of changes and ensure the required quality of the final product.
Probability: 8 | Consequences: 6 | Risk factor: 48 (8 × 6)

Risk type: Financial
Description: The customer insists on free correction of all errors (meaning only those items that we can also recognize as errors), which can lead to serious financial losses.
Proactive measures:
  1. Include in the work plan the budget and programmer time for fixing errors found in testing.
  2. Explain to key customer representatives that identifying and fixing bugs is part of the software development process.
Reactive measures:
  1. If no agreement can be reached, escalate the issue to the steering committee.
Probability: 8 | Consequences: 6 | Risk factor: 48 (8 × 6)

R 50.1.084-2012 Risk management. Risk register. Organization Risk Register Guidelines


Risk management

RISK REGISTER

Organization Risk Register Guidelines

Risk management. Risk register. Guidelines on construction of organization risk register

Date of introduction: 2013-12-01

Foreword

1 DEVELOPED by the Autonomous Non-profit Organization "Research Center for Control and Diagnostics of Technical Systems" (ANO "NITs KD")

2 INTRODUCED by the Technical Committee for Standardization TC 10 "Risk Management"

3 APPROVED AND PUT INTO EFFECT by Order of the Federal Agency for Technical Regulation and Metrology No. 1283 of November 29, 2012

4 INTRODUCED FOR THE FIRST TIME

Information on changes to these recommendations is published in the annual information index "Guidance documents, recommendations and rules", and the text of changes and amendments in the monthly information index "National Standards". In case of revision (replacement) or cancellation of these recommendations, a corresponding notice will be published in the monthly information index "National Standards". The relevant information, notices and texts are also placed in the public information system on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet.

Introduction

A risk register is one way of presenting and storing information about hazardous events and risk. A risk register allows an organization to retrieve information related to a specific hazard source, its consequences, the object affected by the hazardous event, and so on. However, developing a risk register, especially where there are many hazard sources, requires considerable effort, time, financial resources and a large amount of information.

The organization determines the need to develop and maintain a risk register independently.

3.2 risk register: a form for recording information about an identified risk.

NOTE The term "risk log" is sometimes used instead of "risk register".

3.3 hazard: a source of potential harm.

NOTE A hazard can be a source of risk.

3.4 risk manager: a specialist in identifying, assessing, analyzing, treating and monitoring risk, and in other activities in the field of the organization's risk management.

4 Procedure for the development of an organization's risk register

4.1 General Provisions

The organization should determine the need for development, stages, form and methods of maintaining a risk register. The main goals of developing an organization's risk register, its place in the risk management system, the advantages and disadvantages of the risk register are established in GOST R 51901.21.

An organization's risk register is a form of keeping records of identified hazardous events, the assessment of the risk associated with them, and the methods and timing of its treatment. When maintaining a risk register, the relevant mandatory requirements must be taken into account, as well as other available information on the types of hazard and the risk of their occurrence. Depending on the specifics of the organization, the form and content of the risk register can be changed or supplemented relative to the standard form of the risk register shown in Table 1 of GOST R 51901.22.

When developing a risk register, an organization should consider:

  • the organization's risk management policy, objectives and strategy;
  • features of manufactured products and services provided by the organization;
  • the main production processes and the organization's management processes;
  • established and used methods of analysis and risk assessment;
  • legal requirements;
  • operating conditions of manufactured products.

Responsibility for risk management should be assigned to the responsible risk manager or risk management group, including responsibility for controlling and monitoring risk. Requirements for risk managers are established in GOST R 51901.21.

The development, approval, maintenance and updating of the organization's risk register should be carried out in accordance with clause 5 GOST R 51901.22.

The exchange of information on the risk register and ensuring the confidentiality of information related to the risk register must be carried out taking into account the requirements of clause 6 of GOST R 51901.22 and the recommendations established in R 50.1.070.

An example of a simplified risk assessment method and the development of a reduced risk register for a small organization is given in Appendix A.

4.2 Steps in the organization's risk management process

The milestones in the development of an organization's risk register should be consistent with the steps in the risk management process. At the same time, the content of the stages depends on the characteristics of the organization's risk management. The principles of risk management are established in GOST R ISO 31000. The main elements of the risk management process for small organizations are shown in Figure 1.

Figure 1 - General outline of the risk management process

A description of the main elements of the risk management process for small organizations is given in R 50.1.069.

4.3 Map of the organization's risk management process

Based on the risk management process in accordance with GOST R 51901.21, the organization can draw up a risk management process map. When developing a process map for small organizations, it is recommended to retain the basic elements of risk management (identification of hazardous events, quantitative risk assessment, risk analysis and comparative assessment, risk treatment, monitoring and revision), while their content can be clarified depending on the characteristics of the organization's activities.

4.4 Developing an organization's risk register

4.4.1 General

The results of the actions performed at each stage of the risk management process should be recorded in the risk register. The rules for constructing a risk register are given in GOST R 51901.22. The standard form of the risk register is shown in Table 1 of GOST R 51901.22.

Responsibility for developing and maintaining the organization's risk register should be assigned in line with the stages of the risk management process, since entries in the risk register should be made and adjusted after each stage of the risk management process is completed.

The main stages in the development of the organization's risk register are described in clauses 4.4.2-4.4.6.

4.4.2 Establishing the objectives and scope of the risk register

The organization shall establish its external and internal context and the risk management objectives needed to perform the remaining elements of the risk management process. Guidance on defining the scope of risk management is given in R 50.1.068.

When defining the objectives and scope of the risk register, the objects of the risk register are determined first. Risk register objects can be:

  • the organization as a whole, its structural subdivision or part of it;
  • product, service, process or activity;
  • staff or individual workers.

General requirements for determining the scope of the risk register are established in GOST R 51901.21.

4.4.3 Developing risk criteria

The organization should establish risk criteria. The criteria should reflect the purpose and scope. They often depend on the interests of the parties involved, as well as on the relevant legal and / or regulatory requirements. Risk criteria can be operational, technical, financial, legal, legislative, social, environmental, humanitarian, and / or others.

A general description of the decision criteria should be developed when establishing the scope of risk management. Risk criteria should be refined and / or revised after identifying a specific type of risk and choosing a risk analysis method. Risk criteria should be appropriate for the type of risk and the way it is presented.

Risk criteria are usually recorded in the organization's risk register, however, for small organizations, risk criteria can be established in the organization's documented procedures or other risk management documents.

4.4.4 Identification of hazardous events

The identification of hazardous events should include identifying the phenomena and events that may affect the risk register objects defined in the scope of the risk register. General requirements for identifying hazardous events for inclusion in the risk register are established in clause 4.2 of GOST R 51901.21.

For small organizations, identification of hazardous events can consist of three stages:

  • determination of risk identification methods;
  • identification of dangerous events;
  • identification of the reasons for the occurrence of a hazardous event.

The organization must first select the methods for identifying risk. The following methods can be used: checklist analysis, expert assessment, analysis of experimental and historical data, reliability block diagram analysis, brainstorming, systems analysis, scenario analysis and systems engineering methods. These methods are discussed in more detail in GOST R ISO/IEC 31010. The choice of method depends on the type of risk, the scope and risk management objectives of the organization, and the controls and methods used and required to manage the organization's risk.

Risk identification methods are usually recorded in the organization's risk register, but for small organizations, risk identification methods can be defined in the organization's documented procedures or other risk management documents.

The next step is the identification of hazardous events, in which the organization draws up a general list of hazardous events that could adversely affect its activities and the achievement of its objectives. Each identified hazardous event on the list should then be described in detail. When compiling the list, the hazard classification given in Appendix A of GOST R 51901.21 can be used.

The name of the hazardous event should be formulated in an understandable phrase. For a hazardous event whose name is long enough, a short name may be used.

After identifying possible hazardous events, it is necessary to consider the sources and causes of their occurrence, as well as the possible consequences for the organization's activities.

Hazardous events, their sources and possible consequences are entered into the risk register of the organization (regardless of its size).

When carrying out the stage of hazard identification, it is recommended to take into account the requirements of GOST R 51901.23.

4.4.5 Risk analysis

The general requirements for risk analysis of hazardous events for inclusion in the risk register are established in clause 4.3 of GOST R 51901.22.

Risk analysis includes investigating the sources of hazardous events, their consequences and the probability of their occurrence. The factors influencing the consequences and likelihood of an event should also be identified. Risk should be analyzed as the combination of an event's consequences and its likelihood. In addition, the organization should review and evaluate the controls and methods in use: the magnitude of an event's consequences and its likelihood need to be assessed taking into account the effectiveness of existing strategies, controls and management methods.

An organization's risk analysis can be performed at varying levels of detail depending on the nature of the risk, the purpose of the analysis, and the data and resources available. Risk analysis can be qualitative, quantitative or combined. Small organizations usually use qualitative analysis to obtain an overall assessment of risk and to identify risk problems. If the organization decides that further detailed analysis is needed, quantitative or combined methods of risk analysis are applied. A description of these types of risk analysis is given in R 50.1.069 and GOST R ISO/IEC 31010.

The way in which the consequences and likelihood of events are presented in the risk register should be chosen to ensure that the objectives of the risk analysis are met.

Risk analysis should take into account the uncertainty and variability in the estimates of the consequences and the likelihood of an event, as well as the effectiveness of risk communication. When quantitative data are entered in the risk register, the associated uncertainty should be indicated (if possible).

4.4.6 Comparative risk assessment

The general requirements for comparative risk assessment for inclusion in the risk register are established in subsection 4.4 of GOST R 51901.22.

The purpose of comparative risk assessment in a small organization is to decide whether risk treatment is needed and how risk treatment should be prioritized, based on the results of the risk analysis and the risk acceptance criteria.

When performing a comparative risk assessment, one should be guided by the requirements of GOST R 51901.23.

The results of the comparative risk assessment are usually recorded in the organization's risk register, unless otherwise specified in the organization's documented procedures or other documents for risk management.

4.4.7 Risk treatment

The general requirements for risk treatment for inclusion in the risk register are established in subsection 4.5 of GOST R 51901.22.

At the risk treatment stage, the organization selects a risk treatment strategy; assesses the consequences, the probability of the hazardous event and the risk (taking the selected strategy into account); defines the risk treatment measures, their deadlines and the persons responsible for implementing them; and evaluates the results of risk treatment.

For small organizations, the mandatory elements of the risk register associated with the risk treatment stage are the definition of risk treatment activities, the timing of their planned and actual implementation.

Typically, a small organization's risk treatment budget is limited, so treatment methods should also establish how each risk is handled. The organization shall compare the total costs of a hazardous event occurring when no action is taken against the savings gained from risk treatment and preventive action.

4.4.8 Risk monitoring and revision of the risk register

General requirements for risk monitoring and revision of the risk register are established in subsection 4.6 of GOST R 51901.22.

The organization must ensure the continuity of the risk management process, therefore it is necessary to regularly monitor all types of risk and revise the entries in the risk register.

The results of risk monitoring are usually recorded in the organization's risk register, however, for small organizations, these results can be determined in the organization's documented procedures or other documents on risk management.

Appendix A
(reference)

An example of a simplified risk assessment method and the development of a reduced risk register for a small organization

A.1 General

The structure and composition of the risk register depends on the characteristics of the organization. The standard form of the risk register is given in GOST R 51901.22. Small organizations can use an abbreviated (simplified) form of the risk register, an example of which is shown in Table A.1.

Table A.1 - Simplified form of the risk register

Columns:
  • Identifier of the hazardous event
  • Name and description of the hazardous event
  • Responsible risk manager
  • Consequences of the hazardous event
  • Probability of the hazardous event
  • Risk assessment
  • Risk treatment measures
  • Deadline for implementation of risk treatment measures
  • Notes

When completing the risk register, the following scales can be used:

  • scale of consequences: 5 - catastrophic consequences, 4 - significant consequences, 3 - moderate consequences, 2 - small consequences, 1 - minor consequences;
  • scale of probability of a hazardous event: 5 - very high probability, 4 - high probability, 3 - medium probability, 2 - low probability, 1 - very low probability;
  • risk assessment: acceptable risk (0-4), controlled risk (5-8), significant risk (9-25);
  • risk treatment measures: (0) no risk, no action taken; (0-4) low risk, only low-cost actions are taken; (5-8) medium risk, actions are taken taking into account the time of their implementation and economic feasibility; (9-25) high risk, urgent implementation of measures to reduce the risk is necessary; (16-25) very high risk, immediate (emergency) actions to reduce the risk are applied.

A.2 Risk matrix

A.2.1 General

The method for assessing the risk of hazardous events is given in GOST R 51901-23 *, however, small organizations can use simplified methods of risk assessment, while it is necessary to take into account the uncertainty of such risk assessments.

________________

* Probably a mistake in the original. Should read: GOST R 51901.23... - Note from the manufacturer of the database.

Small organizations can use a risk matrix to assess the significance of a risk. For a systematic and consistent risk assessment, it is necessary to develop a risk matrix in accordance with the following steps:

  • assessment of the probability of a hazardous event (A.2.2);
  • assessment of the consequences of a hazardous event (A.2.3);
  • drawing up a risk matrix (A.2.4);
  • identification of risk treatment arrangements (A.2.5).

This example shows the simplest version of the risk matrix. The organization, depending on the conditions of risk assessment, can develop its own risk matrix.

A.2.2 Assessment of the likelihood of a hazardous event

In a small organization, depending on the object of the risk register, the risk manager must answer the question: what is the likelihood of the hazardous event occurring when the specified controls and risk mitigation methods are applied? Table A.2 can be used for this.

Table A.2 - Assessment of the probability of a hazardous event

If there are doubts in assessing the likelihood of a hazardous event, then the hazard rank of the event is increased.

A.2.3 Assessment of the consequences of a hazardous event

Depending on the area of ​​impact of the hazardous event, the risk manager should assess the consequences of the hazardous event with the existing controls, management practices and risk mitigation measures. To do this, you can use table A.3.

Table A.3 - Assessment of the consequences of a hazardous event

Consequence, in points | Description of the consequences | Objects of impact of a hazardous event *
5 | catastrophic consequences | People, environment, economy, state and municipal administration, social environment, infrastructure
4 | significant consequences | People, economy, infrastructure, environment, social environment
3 | moderate consequences | People, economy, infrastructure
2 | small consequences | Economy, infrastructure
1 | minor consequences | Social environment

* The objects of impact of a hazardous event are given as an example only.

If there are doubts about the assessment of the consequences of a dangerous event, then the rank of this event is increased.

A.2.4 Compilation of a risk matrix

In this example the simplest method of risk assessment was used: a qualitative assessment of the consequences and probability of a hazardous event. In this case the risk is calculated as the product of the consequences and the probability:

Risk = Consequences × Probability

The ranks of probability and consequences are taken from Tables A.2 and A.3.

The results obtained allow constructing a risk matrix (Table A.4), which can be used as a basis for identifying acceptable and unacceptable risks.

Table A.4 - Risk matrix (cell = probability rank × consequence rank)

Probability of a hazardous event | Consequences: minor (1) | small (2) | moderate (3) | significant (4) | catastrophic (5)
Very low (1) | 1 | 2 | 3 | 4 | 5
Low (2) | 2 | 4 | 6 | 8 | 10
Medium (3) | 3 | 6 | 9 | 12 | 15
High (4) | 4 | 8 | 12 | 16 | 20
Very high (5) | 5 | 10 | 15 | 20 | 25

NOTE Risk assessment (risk rank): acceptable (0-4), controlled (5-8), significant (9-25).

For greater clarity in the risk register, the risk assessment can be highlighted in color:

green - acceptable risk (0-4);

yellow color - controlled risk (5-8);

red (dark red) color is a serious and significant risk (9-25).

The identified risks can be ranked both within departments and across the whole organization. The ranking is based on the risk matrix (the product of consequences and probability) and allows the most significant risks to be identified.

A.2.5 Determining risk treatment strategy and measures

Depending on the risk assessment (see Table A.4), the actions to be taken for each risk recorded in the risk register should be determined. Table A.5 provides an example of the actions to be taken taking into account the risk assessment.

Table A.5 - Example of actions to be taken taking into account risk assessment

Risk assessment | Actions taken
Acceptable risk (0) | No risk, no action taken
Acceptable risk (0-4) | Low risk, only low-cost actions are taken
Controlled risk (5-8) | Medium risk, actions are taken taking into account the implementation time and cost-effectiveness of risk mitigation measures
Serious risk (9-25) | High risk, urgent risk mitigation measures need to be taken
Significant risk (16-25) | Very high risk, immediate (emergency) risk mitigation measures must be taken

Risk mitigation or risk treatment activities can be included in a risk register and / or developed as a separate document. In this case, the risk register must provide a link to this document. In the example shown, the risk treatment activities are included in the risk register.
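The matrix, banding and ranking of A.2.2 to A.2.5, carried through as an added Python example. It is not part of R 50.1.084-2012 or of any GOST tooling; the register entries, their names, owners and ranks are constructed for illustration. Two details the text leaves to the reader are made explicit: the "if in doubt, raise the rank" rule of A.2.2 and A.2.3 is applied before the product is taken, and the overlapping bands of Table A.5 (9-25 and 16-25) are resolved by testing the higher band first. With ranks 1 to 5 the product is never 0, so the "acceptable risk (0)" row of Table A.5 cannot occur under this scale and the code rejects a score of 0.

```python
"""Simplified risk matrix of Appendix A: score, band and rank register entries.

Added example; not part of R 50.1.084-2012. The sample entries are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Rank scales from A.1 and Table A.4 (1 = lowest, 5 = highest).
PROBABILITY = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}
CONSEQUENCE = {1: "minor", 2: "small", 3: "moderate", 4: "significant", 5: "catastrophic"}

# Bands from the note to Table A.4, the colour coding of A.2.4 and Table A.5.
# Table A.5 prints 9-25 and 16-25 as overlapping ranges; the list is ordered so
# that the higher band is tested first and therefore wins the overlap.
BANDS = [
    (16, 25, "significant", "red", "very high risk: immediate (emergency) mitigation"),
    (9, 15, "significant", "red", "high risk: urgent mitigation measures"),
    (5, 8, "controlled", "yellow", "medium risk: measures weighed against time and cost"),
    (1, 4, "acceptable", "green", "low risk: only low-cost actions"),
]


def rank_with_doubt(rank: int, in_doubt: bool = False) -> int:
    """A.2.2 / A.2.3: when the assessor is in doubt the rank is raised, capped at 5."""
    if rank not in PROBABILITY:  # both scales share the 1..5 domain
        raise ValueError(f"rank must be 1..5, got {rank}")
    return min(5, rank + 1) if in_doubt else rank


def risk_score(probability: int, consequence: int) -> int:
    """A.2.4: risk = probability rank x consequence rank."""
    for r in (probability, consequence):
        if r not in PROBABILITY:
            raise ValueError(f"rank must be 1..5, got {r}")
    return probability * consequence


def classify(score: int) -> dict[str, object]:
    """Map a score to its band, colour and Table A.5 action."""
    for low, high, band, colour, action in BANDS:
        if low <= score <= high:
            return {"score": score, "band": band, "colour": colour, "action": action}
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def risk_matrix() -> list[list[int]]:
    """Table A.4 rebuilt: rows = probability rank 1..5, columns = consequence rank 1..5."""
    return [[p * c for c in sorted(CONSEQUENCE)] for p in sorted(PROBABILITY)]


@dataclass
class RegisterEntry:
    """One row of the simplified register of Table A.1 (assessment columns only)."""
    ident: str
    name: str
    owner: str
    probability: int
    consequence: int
    probability_in_doubt: bool = False
    consequence_in_doubt: bool = False

    def assess(self) -> dict[str, object]:
        p = rank_with_doubt(self.probability, self.probability_in_doubt)
        c = rank_with_doubt(self.consequence, self.consequence_in_doubt)
        result = classify(risk_score(p, c))
        result.update(ident=self.ident, name=self.name, owner=self.owner,
                      probability=p, consequence=c)
        return result


def rank_register(entries: list[RegisterEntry]) -> list[dict[str, object]]:
    """A.2.4: order the identified risks by score, most significant first."""
    return sorted((e.assess() for e in entries), key=lambda r: r["score"], reverse=True)


# Constructed sample register: hypothetical events, owners and ranks.
SAMPLE_REGISTER = [
    RegisterEntry("H-01", "Backup server unavailable for a week", "IT lead", 3, 4),
    RegisterEntry("H-02", "Staff member opens a phishing attachment", "Security officer", 4, 3,
                  consequence_in_doubt=True),
    RegisterEntry("H-03", "Office printer outage", "Office manager", 2, 1),
    RegisterEntry("H-04", "Loss of the customer database", "IT lead", 2, 5),
]

if __name__ == "__main__":
    print("P\\C " + " ".join(f"{c:>3}" for c in sorted(CONSEQUENCE)))
    for p, row in zip(sorted(PROBABILITY), risk_matrix()):
        print(f"{p:>3} " + " ".join(f"{v:>3}" for v in row))
    for r in rank_register(SAMPLE_REGISTER):
        print(f'{r["ident"]} {r["score"]:>2} {r["colour"]:<6} {r["action"]}')
```

In the sample, the phishing entry is assessed at probability 4 and consequence 3, but the doubt flag lifts the consequence to 4, moving the score from 12 to 16 and the action from "urgent" to "emergency"; recording the doubt flag in the register, rather than silently entering the raised rank, keeps that escalation auditable.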

A.3 Additional provisions

As the risk register is constantly updated, it is necessary to record the dates of the risk entries and any changes made. If the action plan is included in the risk register, the purpose and timing of the completion of the actions foreseen by the plan must be recorded.

The column of comments or notes in the risk register allows you to make references to necessary information, for example, holding a meeting where issues of a given risk were discussed.

The project risk register contains, in a readable tabular form, information about known, identified project risks. It should always contain up-to-date information, since the quality of the project team's work with risks depends entirely on this. Usually the project risk register contains the following information:

  • ID: the unique identification number of the project risk. When used, this number must match the Risk ID shown in the PMIS.
  • Description of the risk: a detailed description of the project risk.
  • Category: the risk category in accordance with the KSPP, for example investment risk, technological risk, risk associated with the project team, etc.
  • Type: the type of risk, positive or negative. Positive risks work in the project team's favour and carry additional benefits that allow faster project delivery; negative risks reduce the likelihood of successful project completion.
  • Impact: the degree of the risk's impact on one of the four key project parameters: cost, schedule, scope or quality. Usually estimated on the scale 0.05, 0.1, 0.2, 0.4, 0.8.
  • Total impact: the overall impact of the risk, determined from its impact on the four parameters according to the chosen model (max: the maximum value is used; avg: the average value is used).
  • Probability: the likelihood that the risk occurs. Usually estimated as 0.1, 0.3, 0.5, 0.7, 0.9.
  • Value: the magnitude of the risk, calculated as the product of Total impact and Probability.
  • Strategy: the risk response strategy, one of seven. For negative risks: avoidance, mitigation, transfer. For positive risks: exploitation, sharing, enhancement. For all risks: acceptance.
  • Measures: a description of the measures for dealing with the risk, in accordance with the chosen response strategy.
  • Responsible: the name of the project team member responsible for managing the risk.
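The Impact, Total impact, Probability, Value and Strategy fields described above, carried through as an added Python example that is not code from the page's source or from any PMIS product. The risk entries, owners and category names are constructed; the max and avg models and the scales 0.05 to 0.8 and 0.1 to 0.9 are the ones given in the list. The example also shows something the list only implies: switching between the max and avg models can change the order of risks, so a register should record which model produced its Value column.

```python
"""Project risk register: total impact (max or avg model) and risk value.

Added example; not taken from the page's source. The sample risks are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

IMPACT_SCALE = (0.05, 0.1, 0.2, 0.4, 0.8)        # per-parameter impact
PROBABILITY_SCALE = (0.1, 0.3, 0.5, 0.7, 0.9)    # probability of occurrence
PARAMETERS = ("cost", "schedule", "scope", "quality")

# Seven response strategies: three per risk type plus acceptance for both.
STRATEGIES = {
    "negative": ("avoid", "mitigate", "transfer", "accept"),
    "positive": ("exploit", "share", "enhance", "accept"),
}


@dataclass
class ProjectRisk:
    risk_id: str
    description: str
    category: str
    kind: str                  # "positive" or "negative"
    impact: dict[str, float]   # one entry per parameter in PARAMETERS
    probability: float
    strategy: str
    owner: str

    def __post_init__(self) -> None:
        """Reject entries off the agreed scales or using a strategy of the wrong type."""
        if self.kind not in STRATEGIES:
            raise ValueError(f"{self.risk_id}: kind must be positive or negative")
        if set(self.impact) != set(PARAMETERS):
            raise ValueError(f"{self.risk_id}: impact must cover exactly {PARAMETERS}")
        for param, value in self.impact.items():
            if value not in IMPACT_SCALE:
                raise ValueError(f"{self.risk_id}: {param} impact {value} not on {IMPACT_SCALE}")
        if self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"{self.risk_id}: probability {self.probability} not on scale")
        if self.strategy not in STRATEGIES[self.kind]:
            raise ValueError(f"{self.risk_id}: {self.strategy!r} is not a {self.kind}-risk strategy")

    def total_impact(self, model: str = "max") -> float:
        """Total impact over the four parameters under the chosen model."""
        values = [self.impact[p] for p in PARAMETERS]
        if model == "max":
            return max(values)
        if model == "avg":
            return mean(values)
        raise ValueError(f"unknown model {model!r}")

    def value(self, model: str = "max") -> float:
        """Value = Total impact x Probability."""
        return self.total_impact(model) * self.probability


def rank_register(risks: list[ProjectRisk], model: str = "max") -> list[ProjectRisk]:
    """Order the register by Value under the given model, largest first."""
    return sorted(risks, key=lambda r: r.value(model), reverse=True)


# Constructed sample register: hypothetical risks, owners and categories.
SAMPLE_RISKS = [
    ProjectRisk("PR-1", "Integration vendor misses its delivery date", "technological", "negative",
                {"cost": 0.4, "schedule": 0.8, "scope": 0.2, "quality": 0.1}, 0.7, "mitigate", "A. Ivanova"),
    ProjectRisk("PR-2", "Early access to the new test environment", "technological", "positive",
                {"cost": 0.2, "schedule": 0.4, "scope": 0.05, "quality": 0.05}, 0.3, "exploit", "B. Petrov"),
    ProjectRisk("PR-3", "Minor scope creep spread across all areas", "project team", "negative",
                {"cost": 0.1, "schedule": 0.1, "scope": 0.1, "quality": 0.1}, 0.9, "accept", "C. Smirnov"),
]

if __name__ == "__main__":
    for model in ("max", "avg"):
        print(f"model={model}")
        for r in rank_register(SAMPLE_RISKS, model):
            print(f"  {r.risk_id} {r.kind:<8} total={r.total_impact(model):.4f} "
                  f"value={r.value(model):.4f} strategy={r.strategy}")
```

PR-3 is a low-impact risk on every parameter with a high probability; under the max model it ranks last, under the avg model it overtakes the positive risk PR-2, whose single strong parameter dominates the max model. The validation in `__post_init__` also catches the common register error of pairing a positive risk with a negative-risk strategy such as transfer.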