Risk Register in Project Management

Risk is such a given in any project that, as we like to say, the biggest risk is ignoring project risk management. One strategy to help you anticipate and plan for potential project risks is creating a risk register and risk report. Project Management Professionals (PMP) use a risk register and risk report on risk-driven projects or risk-aware projects.

This risk register overview by your experts at Project Management Academy is your complete resource on the “who, what, when, where, and why” of risk registers in project management.

---

---

Risk Register PMP definition & purpose

A risk register is a document used to track and report on project risks and opportunities throughout the project’s life cycle. The contents of this tool can help you identify and organize information about potential issues that can impact project elements and outcomes. Here are some other uses of a risk register:

• Identifying potential risks
• Predicting the probability of a risk event occurring
• Putting controls in place to mitigate risks
• Establishing a response plan in the event a risk occurs
• Creating a risk report to summarize overall project risk, communicate to project stakeholders, and support overall risk management
• And much more!

For some projects, risk registers are required to meet compliance regulations. However, a risk register is an essential PMP exam tool for any project, no matter the size, complexity, or industry. Although it is impossible to anticipate every possible risk that could affect your project, a risk register will help you establish an effective risk management plan to prevent risks from derailing your project.

What is the difference between an issue vs. a risk?

While risk is an event that has not happened yet, an issue is an event that has already happened. Both issues and risks describe problematic events or conditions that can impact your project elements or outcomes.

As a project manager, you should know how to store, track, and organize information about both risks and issues. The document you use to store content about risks is called a risk register, while the document you use to store content about issues is called an issue log.

When is a Risk Register Created?

A risk register is created when a project carries many moving parts or much risk. The more complex a project is, the more critical it is to create a risk register. However, having a risk register is helpful for any project. Even including a simple spreadsheet in your project plan can help you track and mitigate risks.

Similarly, while a risk register is typically created during the project’s execution phase, it is never too early to begin thinking about risk management. Risk management should start as soon as project planning does. The sooner you create your project risk register, the sooner you will have a thorough document on hand to help you manage and report on risk.

Who Creates a Project Risk Register?

Project managers are typically responsible for creating a project risk register. However, if your project team includes a dedicated risk management professional, such as a PMI Risk Management Professional (PMI-RMP)® credential holder, creating and maintaining the content in the risk register would be their job.

Despite this, every project team member should contribute content to the risk register if possible. One person might be aware of a risk that no one else knows about, and in addition, anyone could potentially be impacted by any risks to the project. As a result, it can help to collaborate in identifying risks and appropriate risk response plans.

What is Included in a Risk Register?

There are many ways to go about creating a risk register, and there is no single correct method. You might need to include much detail in your risk register, or you might need a simple tool to help you stay organized. The contents of your risk register should at least capture the following:

• Qualitative and quantitative data about potential risks
• Estimates regarding the potential impact of the risk
• An outline of your established response plan
• Who on the project team will take ownership of the risk

This list is also a helpful general guide to the order in which you should acquire risk information. If you want to get more detailed, the following components can help you break down and organize project risk content on a more granular level:

• Risk Identification: a name or ID number to identify the risk. This element can be as simple as a reference number or letter.
• Risk Description: a brief explanation of the risk event or conditions that may trigger the risk event.
• Risk Analysis: a qualitative or quantitative estimate of the probability and impact of the risk event.
  • Risk Probability: the likelihood of a risk event occurring
  • Risk Impact/Categories: a description of which categories can impact or be impacted by the risk event, such as schedule, budget, scope, quality, or more.
  • Risk Priority: the risk score, which can be determined quantitatively (by multiplying the risk impact and probability) or qualitatively (by putting risks in the order of the highest impact and highest probability)
• Risk Response Plan: a description of the actions you will take to mitigate the effects of a risk event if it occurs
• Risk Ownership: a description of who will become the risk owner and take on the responsibility for deploying and supervising the risk response plan

Now you know what goes into a risk register, let’s go over some recommendations for creating your PMP risk register.

---

---

Risk register PMP how-to guide

Over time, you will be able to determine what content you need in your risk register to meet the needs of your specific industry and project types. When you first begin, try using a sample PMP exam risk register such as the Project Management Academy template.

Using a risk register template as a reference will help you familiarize yourself with the process of gathering, calculating, and documenting all the necessary information. As you become more familiar with risk registers, you can adapt these practices to your needs.

Follow these steps to add content to your risk register using the Project Management Academy PMP risk register template as your guide.

1. Identify all potential risks

Your first step in creating a risk register is identifying risks. This step is essential in effective risk management. It can be challenging to identify every single possible risk, but here are some tips to help you add content to your risk register:

• Review historical data. If your organization has run a similar project in the past, there may be common risks to add to your register.
• Check-in with stakeholders. Your project team members, clients, and other stakeholders may be aware of potential risks that you don’t know about, so ensure you ask for their input.
• Do some market research. Market research will help you discover potential external risks, such as supply and demand, common project management issues, or past project information shared by other organizations and project managers.

Once you have identified all potential risks, you can organize your content in a risk breakdown structure.

2. Layout your risk breakdown structure

A risk breakdown structure is a tool to help you organize your risk register. You can use your risk breakdown structure to categorize risks, track data, and compare information about various risks. Examples of risk breakdown structures include charts or spreadsheets structured to classify and compartmentalize project risk content logically.

Keeping an organized risk breakdown structure is critical to risk reporting. Your risk register is the primary tool you will use to track and report project risks to stakeholders.

3. Gather qualitative data about each risk in your risk register

Qualitative project risk data can include your risk identification, risk description, and some or all elements of your risk analysis. For example, a risk description or risk statement can be phrased in the following ways:

• EVENT may occur, causing IMPACT
• If CONDITION exists, EVENT may occur, leading to EFFECT

In this sample content, the capitalized words represent variables on the specific risk you describe.

Risk analysis can be done either qualitatively or quantitatively. Here are some examples of qualitative risk analysis:

• Risk probability: is the chance of a risk event happening low, medium, or high?
• Risk impact/categories: will a category impact or be impacted by a risk event, and is the impact likely to be low, medium, or high?
• Risk priority: how would you describe each risk’s combined probability and impact score? For example, if a risk’s probability is low and its potential impact is medium, its priority is medium-low.

There may be other qualitative components to each risk, but these content elements provide a great starting point to help you break each risk down in more detail.

4. Calculate quantitative data about each risk in your risk register

If you are performing quantitative risk analysis, here are some examples of how you would adjust your approach:

• Risk probability: calculate the likelihood of the risk event or condition occurring and express it as a ratio or percentage.
• Risk impact/categories: score the potential impact of the risk on each of your project’s objectives or categories using a standardized number system.
• Risk priority: multiply the probability by the impact score to calculate a risk priority level.

Risk quantification can help you evaluate your identified risks and develop data to support your decision-making processes.

5. Determine the order of priority for your risk register

Once you have established the risk priority level for each risk event or condition in your risk register, you should order them within your risk breakdown structure by priority level. Arranging your risk register content by order of priority will give you a better picture of your highest-priority risk, any related risk events, and more.

6. Outline your risk response plan

Understanding each risk event’s priority level will also help you determine the urgency for your relevant risk response plans. You should come to a consensus with your project stakeholders about a favorable risk response for each item in your risk register, including identifying the risk owner who will oversee the execution of the risk response plan if the risk becomes an issue.

Ideally, your risk response plan will lower the likelihood of the risk occurring, reduce the impact of each risk on your project categories, or eliminate the risk. Ensure you think about how your risk response plan may impact your project’s budget, timeline, and other categories as well.

Conclusion

Having a risk register to record and track all identified project risks is essential to the success of your project. This crucial tool in the risk management process can help you avoid problems or mitigate their effects on your project outcomes.

Do you want to learn more about risk management for the PMP exam and project management? Read our resources on risk audits in project management or how to apply risk management in your projects.

Risk management is critical in project management. That’s why the Project Management Professional certification and the PMI Risk Management Professional (PMI-RMP)® certification both emphasize practical risk management skills. Get in touch with your Project Management Academy experts to learn how to hone your risk management skills.

---