A risk register is a risk management tool commonly used in risk management and regulatory compliance. It acts as a central repository for all risks identified by the organisation and, for each risk, includes information such as source, nature, treatment option, existing counter-measures, recommended counter-measures and so on. ISO 73:2009 Risk management—Vocabulary defines a risk register to be a record of information about identified risks. It can sometimes be referred to as a risk log (for example in PRINCE2).
A Risk Register can contain many different items. There are recommendations for Risk Register content made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2. ISO 31000:2009 does not use the term risk register, however it does state that risks need documented.
There are many different tools that can act as risk registers from comprehensive software suites to simple spreadsheets. The effectiveness of these tools depends on their implementation and the organisation's culture.
A typical risk register contains:
- A risk category to group similar risks
- A brief description or name of the risk to make the risk easy to discuss
- The impact or consequence should this event actually occur rated on a number scale (e.g. 1-3)
- The probability or likelihood of its occurrence rated on a number scale (e.g. 1-3)
- Risk Score or Risk Rating (the multiplication of Probability and Impact)
Additional fields can be added depending on need.
The risks are often ranked by Risk Score so as to highlight the highest priority risks.
Risk register for project "birthday party" in table format:
|Risk Category||Risk Name||Risk Number||Probability (1-3)||Impact (1-3)||Risk Score||Mitigation||Contingency||Risk Score after Mitigation||Action By||Action When|
|Guests||The guests find the party boring||1.1.||2||2||4||Invite crazy friends, provide sufficient liquor||Bring out the karaoke||2||within 2hrs|
|Guests||Drunken brawl||1.2.||1||3||3||Don’t invite crazy friends, don't provide too much liquor||Call 911||1||Now|
|Nature||Rain||2.1.||2||2||4||Have the party indoors||Move the party indoors||0||10mins|
|Nature||Fire||2.2.||1||3||3||Start the party with instructions on what to do in the event of fire||Implement the appropriate response plan||1||Everyone||As per plan|
|Food||Not enough food||3.1.||1||2||2||Have a buffet||Order pizza||1||30mins|
|Food||Food is spoiled||3.2.||1||3||3||Store the food in deep freezer||Order pizza||1||30mins|
The picture shows another example of the Risk Register for a 3-month project simulator SimulTrain.
In a "qualitative" risk register descriptive terms are used: for example a risk might have a "High" impact and a "Medium" probability.
In a "quantitative" risk register the descriptions are enumerated: for example a risk might have a "$1m" impact and a "50%" probability.
Contingent response - the actions to be taken should the risk event actually occur.
Contingency - the budget allocated to the contingent response
Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger)
Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota's risk register listed reputation risks caused by Prius' malfunctions but the company failed to take action. Risk registers often lead to ritualistic decision-making, illusion of control, and the fallacy of misplaced concreteness: mistaking the map for the territory. However, if used with common sense risk registers are a useful tool to stimulate cross-functional debate and cooperation.
- Drummond, Helga. "MIS and illusions of control: an analysis of the risks of risk management. Journal of Information Technology (2011) 26, 259–267. doi:10.1057/jit.2011.9
- Lyytinen, Kalle. "MIS: the urge to control and the control of illusions – towards a dialectic". Journal of Information Technology (2011) 26, 268-270 (December 2011). doi:10.1057/jit.2011.12
- Budzier, Alexander. "The risk of risk registers – managing risk is managing discourse not tools". Journal of Information Technology (2011) 26, 274-276 (December 2011), doi:10.1057/jit.2011.13
- Tom Kendrick (2003). Identifying and Managing Project Risk: Essential Tools for Failure-Proofing Your Project. AMACOM/American Management Association. ISBN 978-0-8144-0761-5.
- David Hillson (2007). Practical Project Risk Management: The Atom Methodology. Management Concepts. ISBN 978-1-56726-202-5.
- Kim Heldman (2005). Project Manager's Spotlight on Risk Management. Jossey-Bass. ISBN 978-0-7821-4411-6.
- Robert Buttrick (2009). The Project Workout: 4th edition. Financial Times/ Prentice Hall. ISBN 978-0-273-72389-9.
- Lev Virine and Michael Trumper (2007). Project Decisions: The Art and Science. Management Concepts. Vienna, VA. ISBN 978-1-56726-217-9.
- Lev Virine and Michael Trumper (2013). ProjectThink: Why Good Managers Make Poor Project Choices. Gower Pub Co. ISBN 978-1409454984.