Project managers have a number of tools in their arsenal that can help them address potential challenges and obstacles. One such tool is the project risk register. But what is a risk register, how do you use one, and how can it keep your next project from being derailed?
We’ve created this guide to answer the above questions and help project managers handle risks better. This is part of our larger effort to give project managers the knowledge and tools they need to manage their projects successfully. In this guide, we’ll walk you through exactly what to include in your project risk register and provide details on when and how to build and maintain one for your next project.
What is a risk register?
A project risk register is a tool project managers use to track and monitor any risks that might impact their projects. Risk management is a vital component of project management because it’s how you proactively combat potential problems or setbacks.
Using a project risk register, also called a risk log, is an essential part of this risk management process.
What is the purpose of a risk register?
The purpose of a project management risk register is to identify, log, and track potential project risks. A risk in project management is anything unexpected that could happen that would positively or negatively affect your project.
Any time someone identifies something that could impact your project, it should be assessed by the team and recorded in your risk register.
As Adriana Girdler, project management coach and founder of CornerStone Dynamics, reminds us:
Why do you need a risk register?
You need a risk register because, as projects get larger, longer, and more complex, it becomes increasingly difficult to stay on top of everything. If risks aren’t tracked in a central location and reviewed regularly, something may be missed or forgotten.
A four-year field study examining risk management practices across 35 large projects in 17 high-technology companies found that about half of the risks went undetected until they had already impacted the projects.
Some risks may seem small or unlikely at first but have the potential to impact your project nonetheless. Examples of project risks can include:
- Data/security risk (materials being hacked or stolen)
- Legal risk (litigation or changes in the law that impact the project)
- Catastrophic events (fire, flooding, storm damage)
- Supply chain disruption
Risk management is about identifying potential problems early so you can decide how to handle them. It also empowers you to track risks over time to see if and how they’re changing.
When a risk is first identified, you might consider it so unlikely that you don’t bother doing anything about it. But what if, as the project progresses, the risk becomes a lot more likely to occur? By tracking your risks, you can notice changes like this early enough to take action.
Who creates a project risk register?
If you’re working on a very large, complex, or critical project, you may have a risk coordinator or risk manager on your team. In this scenario, it would be their job to create and maintain the risk register.
However, for most projects, responsibility for creating the risk register falls on the project manager.
This doesn’t mean the risk manager or project manager is responsible for identifying or taking action against all the risks. Everyone on the project team and anyone potentially impacted by the project’s success should help identify and assess risks.
For instance, the client or sponsor may be aware of a potential problem that no one on the project team knew about.
What is included in a risk register?
A risk register is essentially a table of project risks that allows you to track each identified risk and any vital information about it.
Standard columns included in a project risk register are:
- Identification number (to quickly refer to or identify each risk)
- Name or brief description of the risk
- Risk categories (internal or external, related to materials or labor, etc.)
- Probability (how likely the risk is to occur)
- Impact (if the risk takes place, how seriously will it impact your project)
- Rating (where does this risk fall on your priority list)
- Approach (will you monitor the risk, try to mitigate it, avoid it, etc.)
- Action (if you plan to mitigate or avoid the risk, what are the steps involved, and when will they occur)
- Person responsible for overseeing or mitigating the risk
How to create a risk register
According to the latest edition of the PMBOK® Guide, risk register can be created using several criteria:
- Probability
- Impact
- Urgency
- Proximity
- Dormancy
- Manageability
- Controllability
- Detectability
- Connectivity
- Strategic impact
- Propinquity (i.e., proximity)
These factors help assess the nature and severity of risks to effectively prioritize management efforts. To create a risk register, all you need to do is build a table with the columns covered above and start populating it with project risks.
Let’s go through a couple of the columns in more detail to help you determine how to fill them in:
Risk categories: The purpose of the categories is to help you sort risks to make it easier to monitor them and understand what they impact. You should customize these categories to your business and project. You may even choose to have columns for separate categories. For instance, you may want a column identifying what sprint might be impacted and another identifying what type of work (development, testing, etc.) will be impacted.
Probability and impact: There are two ways to assess risk: qualitative and quantitative. Qualitative is the simplest and most common form. With this approach, you generally assess probability and impact on a five-point scale such as very high, high, medium, low, and very low. Quantitative risk requires assigning numerical values. Instead of saying there could be a “high” impact, you need to define it in quantifiable terms, such as a four-week schedule delay or a 5% increase in cost.
Rating: If you’re using a qualitative risk assessment method, your rating is typically probability multiplied by impact. If the probability is high (4) and impact is medium (3), then your rating would be 12 (4 x 3). This method gives you a simple way to sort and prioritize risks quickly.
Quantitative risk analysis isn’t quite as simple. It’s difficult to compare and rank a 60% chance of a two-week schedule delay with a 40% chance of a 10% increase in costs. To make this work, you’ll need to rate the schedule and budget impacts so they can be compared. For instance, you might consider a six-week delay and a 10% budget increase to both be a “very high impact” and assign them a “5.”
However you choose to track and assess risks, make sure the process is standardized across your project. If team members assess risks differently or fill out columns inconsistently, it makes it harder to view, track, and prioritize your project risks.
With Wrike, you can create blueprints and custom workflows for your team to ensure everyone follows the same path.
Common pitfalls in risk register management
But wait! Before you start drawing up your risk register, you should be aware of the potential obstacles. Here are just a few:
Neglecting regular updates
Risk registers are dynamic tools that should evolve as the project progresses. Failing to update them regularly can result in the oversight of emerging risks and outdated responses to existing ones.
Imagine you have a long-term construction project. If the risk register isn’t updated to reflect changes such as new environmental regulations or changes in supplier reliability, the project could face delays or increased costs that weren’t anticipated, leading to overruns.
To avoid this, you should have a structured schedule for updating the risk register, ideally aligning with project milestones or weekly team meetings.
Overlooking smaller risks
Managers often focus on more dramatic or immediate risks, potentially missing out on the cumulative effect of smaller, more frequent issues.
For instance, in software development projects, small risks like minor bugs in code seem manageable individually but can collectively lead to major functionality issues or user dissatisfaction if they are not tracked and addressed.
How do you fix this? Encourage team members to report all potential risks, not just the major ones.
Failing to prioritize risks
Without prioritizing risks based on their potential impact and likelihood, resources may be misallocated, focusing too much attention on less critical issues.
For example, a technology firm may face various risks, from data breaches to supplier delays. Without clear prioritization, the firm might spend excessive resources safeguarding against unlikely data breaches while neglecting more probable risks like delays, which could directly impact client deliverables.
To counteract this, use a quantifiable method to assess and prioritize risks. A risk matrix, for example, will help you evaluate each risk’s impact and probability.
Creating vague risk descriptions
A risk register with poorly defined risk descriptions is a no-no.
If a project risk is listed as “potential project delay,” this does not provide enough information for effective action. However, specifying “potential delay due to critical component shortage from supplier X” gives clear direction for mitigation efforts.
Train team members on how to write clear, actionable risk descriptions. Include examples and templates in risk management training sessions to standardize the quality of entries in the risk register.
Ignoring risk interdependencies
Risks in a project do not exist in isolation; they often influence one another.
For example, in an infrastructure project, a delay due to bad weather might also affect the availability of the workforce, which in turn could delay subsequent phases of the project, like installations or inspections.
Use risk mapping tools to visualize and understand how different risks relate. Regularly review these connections and adjust the risk register and mitigation plans to reflect the interdependent nature of project risks.
Challenges in maintaining a risk register
So, now you’re aware of the best practices. However, maintaining a risk register can still be a complex process. Here’s how to navigate the most common challenges:
- Challenge: Stakeholders aren’t fully engaged and don’t provide necessary input.
- Solution: Regularly communicate the importance of their contributions and update them on how their input has influenced the project. (See more tips on stakeholder communication below!)
- Challenge: Risks without a clear owner often get neglected.
- Solution: Assign each risk to a suitable team member and clarify their responsibilities in managing it.
- Challenge: Too much information can make the register unwieldy and difficult to use.
- Solution: Use clear, concise language and avoid jargon; supplement with detailed appendices or links if necessary.
How to communicate risks to stakeholders using a risk register
Tricky stakeholders? It wouldn’t be the first time! Stakeholder management is a skill that’s definitely worth your while honing. Here’s how you can use a risk register to communicate project updates effectively to stakeholders:
- Share updated risk registers at consistent intervals to ensure stakeholders have the latest risk information.
- Write the risk descriptions in straightforward language to make them accessible to everyone, regardless of their technical background.
- Draw attention to the most critical risks by placing them prominently or using distinctive colors.
- Clearly show who is responsible for each risk to demonstrate accountability and ongoing monitoring.
- Explain what could happen if a risk becomes a reality, helping stakeholders understand potential consequences.
- Use charts or graphs to make the risks’ probability and impact visually clear and immediately apparent.
- Open a channel for stakeholders to give feedback on the risk register, allowing for additional insights and engagement.
- Organize briefings or workshops to help stakeholders understand the importance of risk management and how the risk register aids in this effort.
Risk register example
Example 1: Machinery breakdown leading to production stop
- Risk description: A crucial machine in the production line unexpectedly fails.
- Impact: This causes an immediate halt to all production activities.
- Probability: Given the machine’s reliability history, the likelihood is low.
- Mitigation steps: Implementing a regular maintenance schedule and establishing rapid-response agreements with repair services are important steps.
- Owner: Christine is responsible for monitoring the machine’s performance and coordinating swift repairs when necessary.
Example 2: Machinery breakdown causing production delays
- Risk description: In this example, the same essential machine experiences minor issues that reduce operational efficiency.
- Impact: Production continues but at a slower pace, leading to potential delays in meeting order deadlines.
- Probability: This risk is more likely to occur than a complete shutdown.
- Mitigation steps: Regular inspections, maintaining a stock of essential spare parts, and training staff for quick, onsite repairs can mitigate this risk.
- Owner: John ensures that preventative measures are in place and operational staff are prepared to address minor issues without external help.
These examples are visually represented in the risk register table below. This simple risk register example will help you create a risk log for your next project.
Risk registers in real life
Case study: U.S. Border Patrol
The U.S. Border Patrol facilities and tactical infrastructure project is a true example of how comprehensive a risk register needs to be to effectively manage large-scale infrastructure projects.
The risk register for this project categorized risks into several key areas, including construction, contractor performance, design, environmental issues, external entity compliance, latent conditions, real estate, and project scope.
Each risk was defined specifically to ensure measurable and actionable mitigation strategies. For example, the risk of flood conditions during construction was mitigated by requiring the contractor to ensure levee or wall protection within 48 hours of the government’s notification.
Case study: Bedford Borough Council
Kempston Town Centre was a project designed by Bedford Borough Council to boost the local economy by upgrading infrastructure and public areas. At its inception, the project team outlined a clear risk management strategy, including establishing a risk register. The project manager, responsible for overseeing the risk management process, ensured that the risk register was regularly updated to reflect the evolving nature of the project.
The team held meetings to talk about risks at important times during the project:
- When the project designs were being drawn up and halfway through this phase
- When they were choosing companies to buy supplies from
- After choosing these companies and during the building phase
These meetings were important for everyone to stay on the same page and keep the risk register relevant. Early on, the team noted risks like design errors or delays. With the risk register, they could adjust their plans in time to avoid slowdowns.
The register also helped the team foresee issues like delays from suppliers. They planned for these by having backup suppliers ready.
Use Wrike to create an effective project risk register
Did you know that you can build, update, maintain, and share your risk register right in your project management software? Thanks to Wrike’s custom fields, it’s easy to create and modify your register to reflect exactly what columns and categories you need to track.
Plus, you can easily share it with your team and other stakeholders to get their input. You can also incorporate it into your reports and dashboards, so risks are always top of mind and nothing important gets overlooked.
Key takeaways
Information overload? We’ve got you — just remember these key points from the article:
- A risk register is used to identify, log, and track potential project risks.
- The responsibility for the risk register usually falls on the project manager.
- Risk registers include standard columns such as identification numbers, risk categories, probability of risk, impact of risk, ratings, and more.
- It’s best to use a systematic approach to prioritize risks based on their impact and likelihood. PMI outlines 11 key factors to assess the nature and severity of risks.
- The risk register should be regularly updated and adjusted to reflect new insights and changes in the project environment.
Next steps to implement what you’ve learned
- Create a risk register at the start of your project, including all necessary columns and definitions.
- Establish a regular schedule for reviewing and updating the risk register.
- Conduct a risk identification workshop with your project team to gather diverse insights.
- Assign a team member to each risk for monitoring and management.
- Provide training to ensure all team members understand how to use and update the risk register.
- Be flexible and ready to adapt your risk management strategies based on real-time project developments and stakeholder feedback.
- Use project management software like Wrike to track risk management activities and progress.
Ready to build your first risk register? Start your free trial of Wrike today.