Risk identification
Each identified risk is given a unique reference number; appropriate management actions are identified and agreed by the Risk Group, and an Action Owner is assigned. Each risk is then evaluated in terms of probability and impact, and the information is entered into the risk register. A formula in the register converts the probability and impact evaluations into numeric values, which are then combined to give a 'Risk Rating'. This risk rating indicates the overall risk that the item presents to the project and can be used to sort the register to identify the highest-priority risks.
The risk rating system is used to indicate the level of management that should be assigned to manage each risk. It also allows the comparison of risks and their prioritisation in relation to action plans and resource allocation.
For each identified risk, management actions are discussed, agreed and recorded. These management actions can be classified as:
• Accept - no management, but monitor;
• Mitigate - manage, to reduce Probability or Impact;
• Transfer - insure against the risk or contract it out;
• Avoid - change the scope of the project.
It is emphasised that the Internal Risk Management Register is a live document which is updated as new risks are identified and/or existing risks change.