Risk register explained

A risk register (PRINCE2) is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository for all risks identified and includes additional information about each risk, e.g., nature of the risk, reference and owner, mitigation measures. It can be displayed as a scatterplot or as a table.

ISO 73:2009 Risk management—Vocabulary^[1] defines a risk register to be a "record of information about identified risks".

Example

Risk register of the project "barbecue party" with somebody inexperienced handling the grill, both in table format (below) and as plot (right).

Category	Name	RBS ID	Probability	Impact	Mitigation	Contingency	Risk Score after Mitigation	Action By	Action When
Guests	The guests find the party boring	1.1.	low	medium	Invite crazy friends, provide sufficient liquor	Bring out the karaoke	2		within 2hrs
Guests	Drunken brawl	1.2.	medium	low	Don’t invite crazy friends, don't provide too much liquor	Call 911	x		Immediately
Nature	Rain	2.1.	low	high	Have the party indoors	Move the party indoors	0		10mins
Nature	Fire	2.2.	highest	highest	Start the party with instructions on what to do in the event of fire	Implement the appropriate response plan	1	Everyone	As per plan
Food	Not enough food	3.1.	high	high	Have a buffet	Order pizza	1		30mins
Food	Food is spoiled	3.2.	high	highest	Store the food in deep freezer	Order pizza	1		30mins

Terminology

A Risk Register can contain many different items. There are recommendations for Risk Register content made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2. ISO 31000:2009^[2] does not use the term risk register, however it does state that risks need to be documented.

There are many different tools that can act as risk registers from comprehensive software suites to simple spreadsheets. The effectiveness of these tools depends on their implementation and the organisation's culture.

A typical risk register contains:

• A risk category to group similar risks
• The risk breakdown structure identification number
• A brief description or name of the risk to make the risk easy to discuss
• The impact (or consequence) if event actually occurs rated on an integer scale
• The probability or likelihood of its occurrence rated on an integer scale
• The Risk Score (or Risk Rating) is the multiplication of Probability and Impact and is often used to rank the risks.
• Common mitigation steps (e.g. within IT projects) are Identify, Analyze, Plan Response, Monitor and Control.

The risk register is called "qualitative if the probabilities are estimated by ranking them, as "high" to "low" impact. It is called"quantitative" both the impact and the probability is put into numbers, e.g. a risk might have a "$1m" impact and a "50%" probability.

Contingent response - the actions to be taken should the risk event actually occur.

Contingency - the budget allocated to the contingent response

Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger)

Criticism

Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota's risk register listed reputation risks caused by Prius' malfunctions but the company failed to take action.^[3] Risk registers often lead to ritualistic decision-making, illusion of control,^[4] and the fallacy of misplaced concreteness: mistaking the map for the territory.^[5] However, if used with common sense risk registers are a useful tool to stimulate cross-functional debate and cooperation.

See also

• Risk
• Event chain methodology
• Risk Breakdown Structure
• Risk management tools
• Issue log
• Failure mode and effects analysis
• Failure mode, effects, and criticality analysis

Further reading

• Book: Tom Kendrick . 2003 . Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project . AMACOM/American Management Association . 978-0-8144-0761-5 . registration .
• Book: David Hillson . 2007 . Practical Project Risk Management: The Atom Methodology . Management Concepts . 978-1-56726-202-5 .
• Book: Kim Heldman . 2005 . Project Manager's Spotlight on Risk Management . Jossey-Bass . 978-0-7821-4411-6 .
• Book: Robert Buttrick . 2009 . The Project Workout: 4th edition . Financial Times/ Prentice Hall . 978-0-273-72389-9.
• Book: Lev Virine and Michael Trumper . 2007 . Project Decisions: The Art and Science . Management Concepts. Vienna, VA . 978-1-56726-217-9.
• Book: Project Management Institute . A guide to the project management body of knowledge (PMBOK guide) . 2021 . Project Management Institute . 978-1-62825-664-2 . 7th . Newtown Square, PA.
• Book: Lev Virine and Michael Trumper . 2013 . ProjectThink: Why Good Managers Make Poor Project Choices . Gower Pub Co . 978-1409454984.
• Risk Register vs Risk Report (PMP/CAPM) by Mudassir Iqbal, February 8, 2019.

Notes and References

1. Web site: ISO Guide 73:2009. ISO.
2. Web site: Risk management standards. www.iso.org. 2020-08-10.
3. Drummond, Helga. "MIS and illusions of control: an analysis of the risks of risk management. Journal of Information Technology (2011) 26, 259–267.
4. Lyytinen, Kalle. "MIS: the urge to control and the control of illusions – towards a dialectic". Journal of Information Technology (2011) 26, 268-270 (December 2011).
5. Budzier, Alexander. "The risk of risk registers – managing risk is managing discourse not tools". Journal of Information Technology (2011) 26, 274-276 (December 2011),