Now that you have ordered your risks and determined which ones will be evaluated in more detail we can move onto the second, more detailed, analysis phase.

Whilst it isn’t unusual to find risk logs with 20 or more fields I find that to make it: a) manageable, b) digestible and c) usable you need to strip these down to core principles (especially since we’re talking about a RM system that will actually work). In my opinion these 12 core fields are as follows:

1. ID – A unique identifier. Label them as you see fit…as long as they are unique
2. Description – Simply a clear concise description of the risk and its potential impact. This field is where you can outline some basic reasoning for your cost and probability estimates. Start with the simple title of the risk e.g. Resource Scarcity – There is a risk…etc
3. Risk author – Who identified/raised the risk in the first place.
4. Risk opened – The date the risk was identified/raised.
5. Risk closed – The date the risk was deemed as no longer being active.
6. Cost Impact – You should now convert the initial numerical impact (between 1 – 5) into a tangible cost impact. Some people try to argue that some risks can not be quantified in this manner….I say to them to give me an example of a risk that can’t be quantified and I’ll give you an example of something that isn’t a risk. But I admit sometimes you have to be creative when these risks might not actually cause a cost impact (e.g. having a wedding ceremony in the rain verses under a marquee) however you need to think in terms of ‘worth’. What is it worth to have all your wedding guests dry verses soaked to the skin (don’t get this confused with the cost of mitigating the risk…we’ll come to that shortly, just think of the value to you of this event not occurring)
7. Probability – Simply put, what is the % chance that this risk will occur. Using the above example, what are the chances of rain on a given day. If you are planning the wedding 6 months in advance you will need to base this probability on past estimates of rainfall in the location and time of year. This might give you an average chance of rain of, say, 10% (as you get closer to the risk window [between start and end date of exposure] you will re-evaluate your risks to get a better view of their probability/impact). In this example you would be able to get a 7-day forecast as you approach the wedding day, giving you a much more accurate probability of a ‘rainfall’ event occurring.
8. Treatment – Once the risk has been identified you have to decide how you are going to treat it. Each of these options should be documented in enough detail for anyone reading the log to understand. In some instances the reduction or contingency plans may refer to an additional, more detailed, breakdown. The options for risk treatment are as follows:
1. Mitigation/Reduction – Refers to an active reduction in the impact or probability of the risk occurring. Using our example this may mean moving the wedding in Texas (to reduce the likelihood of rainfall) or paying for a marquee to be erected on the day which can house the guests if rain occurs (and hence reduces the impact). Essentially this means actively planning additional activities that are undertaken before the risk exposure window to lessen its impact/probability.
2. Avoidance – Take action in advance of the risk exposure window to reduce the likelihood of the impact to zero E.g. Plan to have the wedding indoors so the impact of rain is eliminated.
3. Acceptance – Understand the risk and accept that it may happen. This will usually happen when the impact (in the event of the risk occurring) is minimal or the probability approaches zero. In our example this would mean taking no action and just accepting that if it rains the guests will get wet.
4. Transference – Moving the impact of the risk to another party. This type of treatment isn’t possible in all circumstances but is often associated with the utilisation of Insurance Brokers who will charge you a premium to take ownership of the risk themselves.
5. Contingency -  This final type of treatment is one of the most common, in that it involves planning a response to the risk that can be actioned immediately should the risk come to fruition. In our wedding example this could mean having a number of alternate indoor venues on hand should the risk occur.
9. Treatment description – So, you’ve decided how you’ll treat the risk but now you need to concisely and clearly define your approach. Don’t go overboard in your description but ensure you have enough detail for it to be useful to another party who may be read the content.
10. Treatment cost – Estimate how much is it going to cost your project to put this form of treatment in place? In the case of acceptance this will be zero. In the cases of avoidance, mitigation, transference and contingency this will have a cost impact.
11. Treatment responsibility – Who is going to action the treatment outlined above? This should the individual accountable.
12. Exposure Start Date – From what date is your project exposed to this risk? Whilst this can obviously get more complex if the exposure level changes over time the most important factor here is to keep it simple. Whilst it may not be 100% accurate it will certainly be significantly better than not having RM at all!
13. Exposure End Date – To which date is your project exposed to this risk?