
Risk Management – Not Just a Risk Register

The Risk Register – The Core of Successful Delivery

The risk register is frequently a list of worries, useless as a tool for actually managing the risks. In this session, we get back to basics and focus on the role of the PMO in risk management.

The role of the PMO is to provide services and support to ensure consistent risk management practices are designed, implemented and maintained. The PMO has a wide remit to provide support in areas such as identification, assessment, planning, monitoring and controlling – yet the risk log and register are often the only reactive service provided.

In this PMO Conference 2023 session, the focus is on the proactive role the PMO can take – including understanding where to look for the risks, how to capture them, and how to plan and manage responses.

Listen to this session and you’ll learn about an approach to identifying the risks that affect your project/programme, a structure to capture meaningful risk descriptions, and tips on SMART responses.


Insights from the Session

Written by Graham Gunn, PMO Conference Reporter

John’s presentation started out summarising what we actually mean by “risk”, and then launched into a unique, structured approach to risk management and some very useful insights into practical ways for making the process as effective as possible.

The key proposal is to lay the processes of defining and evaluating risks over a system engineering template – a recognition that risks (and the responses to them) are often multi-dimensional phenomena that can affect several aspects of a project, at different stages, and at different levels simultaneously. The use of “progressive elaboration”, inherent in systems engineering, means that risks (and their consequences) can be worked on in manageable chunks of project or programme activities, then aggregated up as necessary.

It was suggested that this process can be applied in four phases:

  • Identify ambiguities (often the result of vague, incomplete or conflicting requirements, different interpretations of the requirements by different actors in the project, imprecise terminology, poorly defined interfaces, etc.), and uncertainties (e.g. weather, economic conditions, resource availability…).
  • Dealing with the information shortfall to clarify, assess and resolve (if possible) the potential impacts of the identified ambiguities/uncertainties means getting as many relevant facts as possible.
  • Planning for potential (or actual) risk events. Where potential risks have been identified in the preceding steps, measures can be proposed to avoid, take precautions against, mitigate, work around or compensate for them, with the objective of minimising potential impact on the project/programme.
  • Estimating the consequences (variances) of risk responses. Here, the conventional processes of project modelling and forecasting can be applied to evaluate alternative risk management options, recognising that uncertainties in individual risk activities can aggregate, leading to uncertainties at higher project levels.


A further very important observation was that it works best if the four phases are conducted by small groups of people who are experts in, or closely associated with, a particular chunk of project activities. Such groups in different workstreams would co-operate where risk interfaces are identified.  This can be easier to manage and be more productive than holding large risk workshops. (“agile” risk management perhaps?)  It may also ensure adequate focus on the small risks early on, so that they are less likely to become “show-stoppers” later in the project.

In summary, the points that struck me in particular about this presentation were:

  • Risk management is (or should be) a very dynamic operation (it’s not just a risk register as the presentation subtitle suggests)
  • It requires the establishment of a structured approach
  • It is best done in small groups focussed on workstream elements or stages, looking out for ambiguities and uncertainties
  • It is closely related to quality assurance activities
  • The methods suggested might be management intensive and expensive – but not as expensive as the consequences of not doing it (as we have seen on many high-profile projects in the recent past, and throughout history, in fact)
  • Dynamic, proactive risk management is a key project management office function.


About John Greenwood

John followed a fairly conventional career path in the Defence Electronics and IT industry, moving from systems engineering to project and programme management roles.

He gained a reputation for recovering challenged business, challenges that he observed emerge from a small number of root causes.

John decided that early and continued application of risk management was the key to keeping projects and programmes out of trouble and, starting with rigorous application in the sales stages, drove risk management throughout the project lifecycle.

>> You can connect with John over on LinkedIn
