Risk Register is the most important document in project management. Everyone agrees on that. But few PMs actually keep it in good shape. Why? They overcomplicate it!
Risk Register is a document that contains the information about identified risks, results of Risk Analysis (impact, probability, effects), as well as Risk Response Plans. You also use the Risk Register to monitor and control risks during the whole project life cycle.
For me, the first steps in risk management were overwhelming as well. Risk Register was the most challenging.
At first glance, it’s a simple document:
You just need to fill in the information you collect about each risk.
It’s a pitfall for many junior project managers.
The truth is:
You need to keep in mind that the Risk Register is a living thing:
- The information you put in it is changing rapidly.
- Risks evolve and change attributes.
- A Risk Response Plan may not provide the required efficiency.
- Threats and opportunities may disappear, or they may become irrelevant.
So, before we get into the details, please remember:
Risk Register should be simple, adaptable, maintainable, and close at hand.
But Risk Register is not a standalone document. It should integrate well with other Risk Management processes. That’s why I strongly recommend getting my Risk Management Plan👇
Risk Register Example Video
I recommend watching the video as it has additional examples and illustrations.
You’ll find more risk examples below as well in the video.
Simple Risk Register Example
You can get this template below.
But before you take it – do read these instructions on how to use it.
So, what’s the content of the Risk Register?
Here are the primary entities I suggest you include into the log:
It is a unique number that identifies a risk.
Throughout the project lifetime, you’ll log hundreds of risks. Even on a small project!
Therefore, you need a simple way to find and point to the correct risk in the Register.
Four digits number should suffice in most cases. Start with 0001.
Don’t overcomplicate it. Just keep incrementing the number with each new risk. Never decrease it.
I do suggest you integrate the risk register with other project documentation.
Work Breakdown Structure is intended to be the hub of integration with different knowledge areas.
For example, linking to the top-level item means threats to the project outcome.
If you link to a Deliverable or a Work Package – that’s an isolated risk.
Later you also need to check whether the work package on Critical Path or not.
Modern project management software applications can log risks in a WBS element. So, you don’t need a separate spreadsheet.
Grouping risks by categories can help you to fight the root cause of problems. It may show you a way to tackle several risks with one Risk Response Plan.
You need to decide what categories to use beforehand.
For example, you can use the following:
The common ones: scope, schedule, cost, quality, and HR.
Industry-specific ones (e.g. IT): requirements, design, implementation, testing, and deployment.
PESTLE: political, economic, social, technological, legal, and environmental.
Again, it’s up to you to identify the most appropriate categories.
Also, read this article to broaden your understanding of possible risks:
It’s a one-sentence description of a Risk.
In other words, you need to write it in such a way that it describes the nature and severity of a risk.
Check out these examples:
“David may leave the company which may impact the deadline.”
“David most probably will leave the company which will impact the deadline.”
“David leaves the company on June 16 which will impact the deadline.”
This risk title may be the only thing you need to describe a risk.
So, on small and medium projects, it’s usually enough.
Risk Description (Optional)
You may need to add Risk Description for two main reasons:
- You have complex risks that impact multiple areas or different impacts.
- There’s a need to share the Risk Register with other Stakeholders as is. This way, they have more context about a risk.
Above all, you want to ensure that anyone who reads the Risk Register understands the risks in it.
It’s a narrative description of the potential impact on the project.
You won’t find this on any other template. But I strongly recommend adding this column.
Not all your stakeholders, including clients, will be proficient with Risk Management terminology and concepts.
Moreover, Impact and Probability expressed in numbers are not descriptive enough.
You want to get an approval to have to add $10000 to the project budget as a Risk Reserve for a deliverable.
Will you get it because Risk #0023 has impact 7 and probability 6?
I doubt it!
Therefore, write it out as if you describe the risk in person. Two or three sentences should be enough.
PRO TIP: You can copy-paste these descriptions in your communication with stakeholders.
This value comes from Quantitative Risk Analysis.
It’s the likelihood of risk to happen.
You can use a 1-10 ranking grade or just Low, Medium, High.
It also comes from Quantitative Risk Analysis.
It’s the severity of the Effect on the project.
You can use a 1-10 ranking grade or just Low, Medium, High.
I use this value for sorting risks by severity.
To get the Risk Rank multiply Probability by Impact.
Risk Rank = Probability * Impact.
You will get values from 1 to 100.
The risk rank is the easiest way to shortlist the risk you’ll work with directly.
Likewise, you can use the Impact/Probability matrix. You’ll just mark the risks for further analysis.
Qualitative Analysis Values (Optional)
Don’t overwhelm the Risk Register with unnecessary information.
If you don’t perform Qualitative Risk Analysis don’t put these columns.
In any case, you’ll do it only for the top priority risks.
Therefore, it might be valuable if you keep Qualitative Analysis in a separate document.
But it’s up to you to decide.
It’s just the name of a responsible person.
This person must monitor, manage, and report on the risk to you.
Ideally, you should not put your name on the risks that are not related to project management.
Therefore, all technical risks should be owned by subject matter experts.
It’s a description of the action plans to avoid or mitigate the risk.
Otherwise, you can state here that you are going to accept the risk and will do nothing.
If you want to learn more about Risk Response Plans do read this article:
Practical Application of Risk Register
So, how should you use the register?
1. Keep it Close at Hand
Books say that you start filling the data during the Risk Identification process.
But here’s the truth:
You should start filling in the Risk Register as early as you are assigned to the project.
A good project manager is always in risk identification mode. Therefore, you should log risks yet in the project initiation or even pre-sales phase.
2. Risk Register is Always in a Draft State
Logging your thoughts, concerns and high-level risks is OK.
You will be able to refine them later.
So, as you get more information from subject matter experts you need to make changes to your entries.
After that, you need to review your Risk Register with stakeholders.
You do want to get their feedback.
Moreover, you need to keep them informed about all these changes.
3. Don’t Mix Identification and Analysis
Write down the description of a new risk. Come back to analyze it later.
So, don’t think you need to fill all the columns at once. You can write down the Risk Titles on meetings or during calls.
Later you can find time to add the details. Moreover, do it with team members as much as possible.
4. Describe Risks as Detailed as it’s Reasonable
Are you the only user of the Risk Register? Then, you don’t need to put all the information I described above.
So, be selective of your efforts.
Risk Management is not free of charge. It’s your time and efforts. But more often than not, you need the team’s input as well.
5. Don’t Do it Alone
At some point, you need to start delegating risks to your project team or stakeholders.
Each risk should have a responsible person.
Always remember, that you are an expert in project and risk management. You don’t have to know every knowledge area of each risk.
Most importantly, some experts can perform better analysis and suggest a better action plan.
6. Share it with the team
Keep your team engaged in risk management activities.
Here’s the catch:
You do need to educate them on your risk management approach.
Therefore, don’t assume they know everything you know.
You’ll need to repeat the same information about Risk Management over and over many times.
7. Refine Risk Register Before Finalizing Project Management Plan
Put your most efforts in refining and analyzing the Risk Register just before finalizing the project management plan.
You’ll have quality standards, HR plan, drafts of the procurement documents, etc.
Therefore, you’ll put it all together in the first project management plan draft.
After that, you need to perform the bulk of risk analysis and define responses.
8. Review it regularly
When do you need to review the Risk Register?
- Create a recurring calendar event to have review sessions on a regular basis.
- Revisit your list of risks when a change request comes.
- Review Risk Register when you start and finish working on a deliverable.
- Check it when a risk happens.
- When a Risk Response Plan is inefficient
- When you managed a risk successfully.
You got the point. Check it regularly!
9. Keep Risk Register Up to Date
Risk management is a continuous effort. It doesn’t end with planning.
Moreover, risks change their Impact and Priority over time. They change because of other risks, change requests, external factors.
So, you need to monitor risks during the whole project life cycle.
10. Make it Presentable
Risk management gives more value when you can efficiently communicate future risks to stakeholders.
Moreover, it helps to manage their expectations, secure their engagement, and prepare them for problems.
So, make it easy to communicate the information from the Risk Register.
The Place of Risk Register in Risk Management Framework
In this video, you’ll get an overview of all Risk Management processes as described in the PMBOK® Guide.
PMBOK Definition of Risk Register
Here is how the PMBOK® Guide puts it:
“Risk Register (or Risk Log) is a document that contains all the results of risk analysis and where risk response plans are recorded.”
The results of other risk management processes eventually also end up in Risk Register.
You fill it in during the planning phase.
Moreover, a good practice is to share the register and lessons learned about risks as a part of the project archive.
So keep in mind that you contribute to the organization’s knowledge base. Moreover, to your future projects as well.
Risk Register Template
Again this is just a starting point for you.
As always I suggest you create a custom risk register template yourself.
As you can see the register is quite simple in structure and contents.
Nevertheless, it is one of the artifacts that require constant attention and maintenance.
It provides you with the information necessary to make quality decisions on response plans. Also, you will be able to focus on the most severe risk and spend your risk management budget wisely.
Keep in mind that risk management does not come for free.
Are You Ready to Put Risk Register to Good Use?
Do you think you know enough about Project Risk Management?
Take this short quiz and identify gaps in your knowledge.
In the end, I’ll provide correct answers and explanations.
I also recommend to read:
- Featured Article: How to Become an IT Project Manager Without Experience
- Next in the series: Risk Response Strategy (Definitive Guide with Examples)
- Previous in the series: Do You Know These 6 Practical Risk Identification Techniques?