Risk Register – All You Need to Know About It

Risk Register is the most important document for all your risk management efforts. It is the primary input for developing correct risk response plans. Moreover, it is the only tool that helps to control and monitor threats and opportunities.

So here is the most important thing you need to know about it.

For me, the first steps in risk management were overwhelming. Risk Register was the most challenging. At first glance, it is a simple document. You just need to fill in the information you collect about each risk. It is a pitfall for many junior project managers.

You need to keep in mind that Risk Register is a living thing. The information you put in it is changing rapidly. Risks evolve and change attributes. A Risk Response Plan may not provide required efficiency. Threats and opportunities may disappear, or they may become irrelevant.

Before we get into the details, please remember. Risk Register should be simple, adaptable, maintainable, and close at hand.

What is Risk Register?

Here is how PMBOK® Guide puts it. “Risk Register (or Risk Log) is a document that contains all the results of risk analysis and where risk response plans are recorded.”

The results of other risk management processes eventually also end up in Risk Register. You fill it in during the planning phase.

A good practice is to share the register and lessons learned about risks as a part of project archive. So keep in mind that you contribute to the organisation’s knowledge base. Moreover, to your future projects as well.

Practical Application

So, how should you use the register?

1. I believe that you should keep it close at hand as early as you are assigned to the project. Books say that you start filling the data in during Risk Identification process. However, a good project manager is always in risk identification mode. Therefore, you should log risks yet in the project initiation phase.
2. Risk Register is always in a draft state. Logging your thoughts, concerns and high-level risks is OK. You will be able to refine them later.
3. I strongly suggest not to mix identification and analysis. Write down the description of a new risk. Come back to analyse them later. Even better to do it with the project team (or a reasonable part of it).
4. Describe risks as detailed as it is reasonable.
5. Don’t do it alone. At some point, you need to start delegating risks to your project team or stakeholders. Each risk should have a responsible person. Always remember, that you are an expert in project and risk management. You do not have to know every knowledge area of each risk. Some experts can perform better analysis and suggest a better action plan.
6. Share it with the team. Keep your team engage in risk management activities. It does mean that you need to educate them with your risk management approach.
7. Put your most efforts in refining and analysing the Risk Register just before finalising project management plan. At some point of planning, you have scope baseline, budget and schedule drafts. You have quality standards, HR plan, drafts of the procurement documents, etc. Therefore, you will put it all together in a first project management plan draft. Here you need to perform the bulk of risk analysis and define responses. You can also identify more risks here as you will see the big picture.
8. Review it regularly. Create a recurring calendar event to have review sessions. Revisit your list of risks when change requests come. Review it when you start and finish working on a deliverable. Check it when a risk happens, when a risk response plan is inefficient when you managed a risk. You got the point. Check it regularly.
9. Keep it up to date. Risk management is a continuous effort. It does not end with planning.
10. Make it presentable. Risk management gives more value when you can efficiently communicate future risks to stakeholders. It helps to manage their expectations, secure their engagement, and prepare them for problems. So, make it easy to communicate the information from the Risk Register.

Risk Register Example

What is the content of the risk register? There is an example of risk register below, but first, let’s review the columns.

Here are the primary entities I suggest you include into the log:

• Risk Index. It is a unique number that identifies a risk.
• WBS Element. I suggest you integrate the risk register with other project documentation. I believe it is valuable to link risks to deliverables. Therefore, it is a code of a work breakdown structure element that a risk will impact. Linking to the top level item means threats to the project outcome.
• Risk Category. You need to decide what categories to use beforehand. Grouping the risk by categories can help you to fight the root cause of problems.
• Risk Description. A brief description of a risk.
• Effects. A narrative description of the potential impact on the project.
• Probability. The likelihood for risk to happen. Use 1-10 ranking grade.
• Impact. The severity of the Effect for the project. Use a 1-10 ranking grade.
• Risk Rank. I use this value for sorting risks by the severity. To get the Risk Rank multiply Probability by Impact. Risk Rank = Probability * Impact. You will get values from 1 to 100.
• Risk Owner. A name of a responsible person. This person must monitor, manage, and report on the risk to you.
• Response Plan. Description of the action plans to avoid or mitigate the risk. Otherwise, you can state here that you are going to accept the risk and will do nothing.

Below is the link to an example of a filled Risk Register. It includes one a few of risks. Keep in mind that even a small project can list about a hundred risks.

Download the Risk Register Example (xlsx)

Risk Register Template

Again this is just a starting point for you. As always I suggest you create a custom risk register template yourself. At least you can update this one to your needs.

Download Risk Register Template (xlsx)

As you can see the register is quite simple in structure and contents. Nevertheless, it is one of the artefacts that require constant attention and maintenance. It provides you with the information necessary to make quality decisions on response plans. Also, you will be able to focus on the most severe risk and spend your risk management budget wisely. Keep in mind that risk management does not come for free.

Do you have any questions? Feel free to ask me in comments below!