I have an opinion that most of us like the the theory of risk management but when it comes to putting it into practice, regard it on a par with QA and don't do it! On most training courses I run I just ask for a show of hands for those who can honestly say they have an up-to-date risk register on their project(s) - I reckon the yes is about 1 in 50, which is appalling!
Why? Is it the thought of going around in circles at a risk workshop with yellow sticky paper? Or facing 40+ columns to fill in on a superior risk register? Or not really knowing what the heck to do with the risk as and when it materialises and discuss that nasty aspect of liability?
I love the simplicity of the 2 column Risk Register found in most NEC3 contracts which is kept current through the early warning process - at any risk reduction meeting the participants basically determine what is the risk (called a 'matter') and what are we going to do about it? The latter has to be the most important aspect of risk management, the practical and constructive part of doing something about the problem.
Any other opinions?
Rob