Risk register
A risk register is a document used as a risk management tool and to fulfill regulatory compliance acting as a repository for all risks identified and includes additional information about each risk, e.g. nature of the risk, reference and owner, measures. It can be displayed as a scatterplot or as a table.
ISO 73:2009 Risk management—Vocabulary defines a risk register to be a "record of information about identified risks".
Example
Risk register of the project "barbecue party" with somebody inexperienced handling the grill, both in table format and as plot.| Category | Name | RBS ID | Probability | Impact | Mitigation | Contingency | Risk Score after Mitigation | Action By | Action When |
| Guests | The guests find the party boring | 1.1. | low | medium | Invite crazy friends, provide sufficient liquor | Bring out the karaoke | 2 | within 2hrs | |
| Guests | Drunken brawl | 1.2. | medium | low | Don’t invite crazy friends, don't provide too much liquor | Call 911 | x | Immediately | |
| Nature | Rain | 2.1. | low | high | Have the party indoors | Move the party indoors | 0 | 10mins | |
| Nature | Fire | 2.2. | highest | highest | Start the party with instructions on what to do in the event of fire | Implement the appropriate response plan | 1 | Everyone | As per plan |
| Food | Not enough food | 3.1. | high | high | Have a buffet | Order pizza | 1 | 30mins | |
| Food | Food is spoiled | 3.2. | high | highest | Store the food in deep freezer | Order pizza | 1 | 30mins |
Terminology
A Risk Register can contain many different items. There are recommendations for Risk Register content made by the Project Management Institute Body of Knowledge and PRINCE2. ISO 31000:2009 does not use the term risk register, however it does state that risks need to be documented.There are many different tools that can act as risk registers from comprehensive software suites to simple spreadsheets. The effectiveness of these tools depends on their implementation and the organisation's culture.
A typical risk register contains:
- A risk category to group similar risks
- The risk breakdown structure identification number
- A brief description or name of the risk to make the risk easy to discuss
- The impact if event actually occurs rated on an integer scale
- The probability or likelihood of its occurrence rated on an integer scale
- The Risk Score is the multiplication of Probability and Impact and is often used to rank the risks.
- Common mitigation steps are Identify, Analyze, Plan Response, Monitor and Control.
"quantitative" both the impact and the probability is put into numbers, e.g. a risk might have a "$1m" impact and a "50%" probability.
Contingent response - the actions to be taken should the risk event actually occur.
Contingency - the budget allocated to the contingent response
Trigger - an event that itself results in the risk event occurring