Risk register

From Wikipedia, the free encyclopedia
Jump to: navigation, search

A risk register is a risk management tool commonly used in risk management and compliance . It acts as a central repository for all risks identified by the organization and, for each risk, includes information such as source, nature, treatment option, existing counter-measures, recommended counter-measures and so on. It can sometimes be referred to as a risk log (for example in PRINCE2).

Example contents[edit]

A wide range of suggested contents for a risk register exist and recommendations are made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2 among others. In addition many companies provide software tools that act as risk registers. Typically a risk register contains:

  • A description of the risk
  • The impact should this event actually occur
  • The probability of its occurrence
  • Risk Score (the multiplication of Probability and Impact)
  • A summary of the planned response should the event occur
  • A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)

The risks are often ranked by Risk Score so as to highlight the highest priority risks to all involved.

Example risk register[edit]

Risk register for project "birthday party" in table format:

Risk Category Risk Name Risk Number Probability (1-3) Impact (1-3) Risk Score Mitigation Contingency Risk Score after Mitigation Action By Action When
Guests The guests find the party boring 1.1. 2 2 4 Invite crazy friends, provide sufficient liquor Bring out the karaoke 2 within 2hrs
Guests Drunken brawl 1.2. 1 3 3 Don’t invite crazy friends, don't provide too much liquor Call 911 1 Now
Nature Rain 2.1. 2 2 4 Have the party indoors Move the party indoors 0 10mins
Nature Fire 2.2. 1 3 3 Start the party with instructions on what to do in the event of fire Implement the appropriate response plan 1 Everyone As per plan
Food Not enough food 3.1. 1 2 2 Have a buffet Order pizza 1 30mins
Food Food is spoiled 3.2. 1 3 3 Store the food in deep freezer Order pizza 1 30mins

Useful terminology[edit]

In a "qualitative" risk register descriptive terms are used: for example a risk might have a "High" impact and a "Medium" probability.

In a "quantitative" risk register the descriptions are enumerated: for example a risk might have a "$1m" impact and a "50%" probability.

Contingent response - the actions to be taken should the risk event actually occur.

Contingency - the budget allocated to the contingent response

Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger)


Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota's risk register listed reputation risks caused by Prius' malfunctions but the company failed to take action.[1] Risk registers often lead to ritualistic decision-making,[1] illusion of control,[2] and the fallacy of misplaced concreteness: mistaking the map for the territory.[3] However, if used with common sense risk registers are a useful tool to stimulate cross-functional debate and cooperation.[3]

See also[edit]


  1. ^ a b Drummond, Helga. "MIS and illusions of control: an analysis of the risks of risk management. Journal of Information Technology (2011) 26, 259–267. doi:10.1057/jit.2011.9
  2. ^ Lyytinen, Kalle. "MIS: the urge to control and the control of illusions – towards a dialectic". Journal of Information Technology (2011) 26, 268-270 (December 2011). doi:10.1057/jit.2011.12
  3. ^ a b Budzier, Alexander. "The risk of risk registers – managing risk is managing discourse not tools". Journal of Information Technology (2011) 26, 274-276 (December 2011), doi:10.1057/jit.2011.13

Further reading[edit]

  • Tom Kendrick (2003). Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project. AMACOM/American Management Association. ISBN 978-0-8144-0761-5. 
  • David Hillson (2007). Practical Project Risk Management: The Atom Methodology. Management Concepts. ISBN 978-1-56726-202-5. 
  • Kim Heldman (2005). Project Manager's Spotlight on Risk Management. Jossey-Bass. ISBN 978-0-7821-4411-6. 
  • Robert Buttrick (2009). The Project Workout: 4th edition. Financial Times/ Prentice Hall. ISBN 978-0-273-72389-9. 
  • Lev Virine and Michael Trumper (2007). Project Decisions: The Art and Science. Management Concepts. Vienna, VA. ISBN 978-1-56726-217-9. 
  • Lev Virine and Michael Trumper (2013). ProjectThink: Why Good Managers Make Poor Project Choices. Gower Pub Co. ISBN 978-1409454984.