Risk Logs, Risk Registers, Risk Management Plans And Assumptions

1. Introduction

Many contracts for the supply of information technology systems expressly require the supplier to manage risks to the successful and timely implementation of the information technology system.

The risk management services frequently extend to maintaining a risk log or risk register and preparing and implementing a risk management plan. An example of items that may appear in a risk register is set out below:

Risk name	Description	Impact of risk
Change of ownership of customer	Change in customer ownership could lead to project disruption	Scope/schedule/cost/quality
Implementation	Roll-out of the system is large and timetable is aggressive	Schedule/cost/quality
Project leadership turnover	Project leadership turnover will impact project timeline	Schedule/cost
Third party skills	Third party skills not available in time	Scope/schedule/cost/quality

The supplier also frequently expressly includes a list of assumptions that underpin the provision of the services. The list of assumptions drafted by suppliers can be quite extensive. In some cases the assumptions will address issues and risks which are already addressed elsewhere in the contract. Each of the risks in the above risk register can be recast as an assumption: for example, an assumption can be included that there will be minimal project leadership turnover.

Both the risk management services and list of assumptions are incorporated into the schedules to the contract. In many cases the risk log, risk register or risk management plan will not be attached to the contract that is executed but will instead be incorporated by reference or prepared and signed off by the customer after contract signature.

Companies which want to understand how risk is allocated in the contract need to understand the impact of risk logs, risk registers, risk management plans and assumptions.

2. Allocation of risk in the contract

Risk allocation and risk management are key functions of contract. Nearly every contractual term has some impact on risk. Conventional contractual risk allocation is addressed in clauses stating performance obligations and warranties, force majeure, extensions of time, limitations of liability and exclusion clauses. Clauses stating performance obligations are positive internal risk allocators. Clauses such as exclusion clauses are negative risk allocators.

The description of the supplier’s performance obligations and risk management services – including the risk log, risk register or risk management plan - in the schedules has a key impact on risk allocation in the contract. Schedules (and documents incorporated by reference in the schedules) are generally prepared by commercial or technical representatives of the parties involved. Therefore, they may not receive the same level of legal scrutiny or involvement. The language used in the schedules may mean it is unclear how risk is allocated between the parties. In particular, it is sometimes not clear how the risk logs, risk registers and risk management plans and assumptions which are incorporated or referred to in the schedules fit within the overall framework of the contract.

3. The ambiguity issue

The major problem with risk logs, risk registers and the risk management plan is understanding the relationship with the contractual allocation of risk such as force majeure, extension of time, liquidated damages, liability clauses (such as indemnities) and variation.

On one hand the risk logs, risk register or risk management plan may not look to be a reflection of the contractual allocation of risk so much as a statement of (and to some extent an attribution of responsibility for) potential risks inherent in the project or a contract management tool. On the other hand, they may purport to broaden the risk allocation mechanisms found in the terms and conditions of the contract itself. If there is no indication (in the contract itself) of the status of the risk log, risk register and risk management plan and the relationship with the conventional contract provisions addressing risk allocation it is a potential source of confusion and disagreement between the parties. For example, where a risk is described in the risk register as having an impact on schedule or cost, then is the customer assuming the burden of that risk? Has the pricing been negotiated in the context of that risk?

Similarly, there will typically be no indication as to the status of the list of assumptions and the consequences if an assumption is not valid. The effect of the list of assumptions without a status explanation seems to be that the customer will bear the burden of events which render the assumption invalid and which causes delay or increased costs to the supplier. The inclusion of assumptions can broaden the basis for the supplier to be able to recover additional costs or claim an extension of time (or both), on the basis that one or more of the assumptions is not valid. For example, there may be an assumption that all of the customer staff allocated to the project are suitably skilled and qualified. There may already be a commitment to that effect from the customer expressed as an obligation or warranty in the contract. However, the risk to the customer of expressing this as an assumption is that the supplier may claim an extension of time or additional costs on the basis that the assumption is not correct in circumstances where the supplier may not be entitled to make such a claim under the contract itself.

4. Solution

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.