The Risk Register captures and maintains the information (both threats and opportunities) on almost all the risks that were identified and relate to the project. So it provides a record of risks, including their status and history. It is used to capture and maintain information on all the identified threats and opportunities relating to the project, and to help with the Risk theme.
Timeline Risk Register
- The Risk Register is not used Starting Up a Project process as the project has not really started, therefore it not worth adding risks to the Risk Register. The Project Manager will use the Daily Log and transfer the risks to the Risk Register later.
- The Risk Register is created in the Initiation Stage (IP process) by the Project Manager. The Risk Management Approach document will describe how the Risk Register should be configured and used.
- The Risk Register is updated in the Controlling a Stage process as the Project Manager will examine new risks and check on the status of existing risks.
- During the Stage Boundary process, the Project Manager will mainly use the Risk Register to provide input to the End Stage Report.
- During the Closing a Project process, the Project Manager will archive the Risk Register and also notify the team of any risks that may affect the main project product once it goes into production.
Sample Risk Register
- Risk identifier: This is just a unique number (e.g., 042)
- Risk author: Person who raised the risk
- Date registered: Date the risk was registered
- Risk category: A project can have its own categories. One of these will be selected, such as quality, network, legal, and supplier.
- Risk description: This is written in a specific way (e.g., cause, event, and effect).
- Probability impact: Choose value from an agreed scale (very low, low, normal, etc.).
- Proximity: How soon (when) the risk is likely to happen
- Response category: Avoid, Exploit, Reduce, Transfer, …
- Risk response: List of actions to resolve the risk
- Risk status: Current status of the risk: active or closed
- Risk owner: Mention one person who is responsible for managing the risk
- Risk actionee: Person who carries out the actions described in the response (Note: This can be the same person as the risk owner)
Source data for the Risk Register
- The format and presentation comes from the Risk Management Approach
- The project mandate may already provide some risks for the project
- The Daily Log may provide risks that the Project Manager has captured in the Starting Up a Project process.
- Entries are made on the Risk Register once a new risk has been identified
- New risks may be discovered at any time in the project, for example:
- creating the Project Brief
- designing and appointing the project management team
- designing on the project controls
- creating the Product Breakdown Structure
- defining the Product Descriptions
- issuing Work Packages and reviewing Work Packages
- creating or reviewing plans
Format of the Risk Register
- Document, spreadsheet or database. This is normally a spreadsheet
- Part of an integrated project register for all risks, actions, decisions, assumptions, issues, lessons etc.
Quality Criteria for the Risk Register
- Risk responsibilities are clear and understood by both customer and supplier
- The risk management procedure is clear, agreed by the Project Board and understood by all parties
- Scales, expected value and proximity definitions are clear and standard within the organisation
- The chosen scales are appropriate for the level of control required
- Risk reporting requirements are fully defined in the Risk Management Approach
Tips from Frank
- Use a common Risk Register template for your project
- Understand how to describe a risk using the format: Due to ____, there is a risk that ____, which will have the following impacts ____.
- The Project Management should give themselves times to review risks during the project
- Ask the Project Board how they want to be kept up to date concerning risks
- Keep the Risk Register in a secure place if it contains sensitive data