But from my point of view it’s a trick question, and that’s not just because “risks” are not singular. We might write some so-called risks down in a list (or a database) we call the risk register, but the reality is we deal with risk and uncertainty all the time. We ask questions at our daily stand-ups which seek out and try to address potential problems. We run retrospectives which look back on past problems and find ways of stopping them recurring. We talk to colleagues in other areas to help prevent small problems becoming large problems. We escalate concerns up the chain of command. We perform due diligence on suppliers to ensure they’re more likely to be the right choice for us. And on, and on. Risk and (more widely) uncertainty are mostly managed by our daily working processes.
That’s how we manage our many uncertainties, continuously. Given that, we can see that looking in a risk register gives an incredibly distorted view of the real risk management that happens in our day-to-day work.
The next question, then, is how do we provide external stakeholders with the assurance that risk registers (falsely) offer?
Some time ago I attended a project board meeting which suggested an answer. Present at the meeting were the usual managers from the various project areas, each providing an update, answering hard questions from the project director, raising concerns, and jointly addressing them. Also present was a representative from an external group that was charged with overseeing the wider project portfolio. He was seeking assurance on behalf of others. He did it by seeing for himself—listening to the conversation, observing the interactions, noting the actions. (He might also have attended various daily stand-ups to see specific detail, but in his case he was interested in an overview.) He had a much more rounded view. He could then report more widely, and his report is independent.
Uncertainty is all around us, and managing that uncertainty—whether we do it well or not—is a continuous part of our daily work. Risk registers provide a very distorted view of the reality of that.