Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

This is article is on RISK Register. It is equally applicable to Portfolio, program, project and ERM etc.

Throughout the article for the simplicity Risk Register is referred to Projects only.

Key Words

Risk identification, Risk communication, risk assessment, risk evaluation, risk meta-language, Qualitative Risk Analysis, Risk , Causes, Causation, Schedule, Cost, quality, Risk score, probability, safety, Risk Matrix, Heat map, High risk, Medium risk, Low Risk, Green Risk, Red Risk, Yellow Risk, Risk Appetite, PMI, ISO 31000, ISO 31000, Bayesian Belief Network (BBN), Bayesian theorem,  Risk Tolerance, Risk Audit, Risk Controls, Threat, Opportunity, Avoid, Mitigate, Transfer, , Avoid, Share, Enhance, Exploit, Risk management plan, Dashboard, Data, Analytics, Risk Complexity, Internal Factors, External factors, Qualitative, Quantitative, Taxonomy, RBS, WBS, Project Phase, PESTLE, TECOP,  Risk communication, Risk Register Traceability Matrix. Risk Exposure, , Cost estimate, Watchlist, Secondary Risk 

New Terminology

Risk Register Traceability Matrix: who provide the information, when and why, related information is stores in which location, like Bayesian Belief Network diagram, Causal influence Diagram to understand the risk as a whole


The Risk Register, risk log, a repository to record, analyze and store risk data.

According to IRM’s A Risk Practitioners Guide to ISO 31000: 2018:

“The nature and extent of communication of the information contained in the risk register throughout the risk architecture of the organization also help define the risk management context.”

The Risk register is a proportionate, aligned and dynamic document to tell risk stories to all the stakeholders. contained key risk information for risk assessment.
The risk register communicates and provides information to the stakeholders both ways. Top management looks for project risk (as a whole) and Key performance indicators to visualize overall project health. It is only possible by connecting the dots and present data in the form of interactive charts. Focus on risk analytics to quantify, measure and envisage uncertainties to deal with upcoming challenges of global expansion and fourth industrial revolution or second machine age. Counter challenges of digitizing with digital data. Risk visibility with infographics in risk register can be a game-changer.

Watch my webinar’s recording: 

Risk Register

The Risk register or Risk log is a repository to collect, analyze, visualize risk-related information. It is a document, helpful to communicate and provide information from top executives to bottom level workers. It is a constituent part of a risk management plan, created during project initiation and keep on updated during the complete project life cycle. Even it remains “live” after handing over the project to the operations team.


Why to create a risk register is a frequently asked question? Basic two answers are:

Risk is an uncertain condition or event that is required to capture in order to assess them.
The risk register is a tool to provide a holistic picture of project health. It is a tool to communicate flawlessly from top to bottom.

Creating a risk register is a kick start to execute risk management activities. Project tailored risk register helps to assess risk effectively. It doesn’t matter to use or follow any specific template. Only matter the way to capture the risks. Distinguish between risks and day to activities. Capture known – known, Known -Unknown and Unknown – Unknown risks.

Follow PACED [1] while creating a risk register. Although PACED is specific to risk management processes, but it is equally applicable to each individual risk process or relevant documents too. What is PACED? PACED is:

P – Proportionate
A – Aligned
C – Comprehensive
E – Embedded
D – Dynamic

PACED for Risk Management
Pic 1 - PACED

A simplified Mind map is given below to illustrate the risk register components. Risk register encapsulates risk appetite and risk tolerance while risk assessment. Risk assessment is:

  • Risk Identification
  • Risk Analysis
  • Risk Evaluation


The risk register can’t be created and updated in isolation. Schedule and cost estimates along with other project documents provide input to risk register for value creation. Without schedule and input document it is likely to have misleading risks leading to more turmoil.

Risk Breakdown Structure (RBS) or Risk categorization is helpful to provide a foundation for risk identification. Shell’s Technology, Economical, Commercial, Operational and Political (TECOP) benefits to define and align levels and sub-levels of RBS. A PESTEL analysis (formerly known as PEST analysis) is a framework or tool used to define RBS categories and subcategories. Either approach may have a profound impact on an overall risk management process.

Risk categorization or classification is a better approach to capture risks related to all business areas. It’s a consistent approach for value proposition to risk management. Defining and formalizing Key Risk Indicators (KRI) and utilizing the same categories for risk categorization will add value for achieving strategic goals. High-level risk register mind map is given below:

Big Picture Illustrates a big picture
Pic 2 - Big Picture Illustrates Big Picture

Risk Register Road Map

The Risk register journey starts  even before project initiation. Tailoring (adapting) the risk register to project size and complexity helps to estimate resources requirement, a balanced approach, for project risk management. Risk register Road Map or Timeline is interesting and vivid:

Risk Register Road Map designed and developed by GleeYM.
Pic 3 - Risk Register Road Map

Case Study – Development of Risk Register with Dashboard

The Risk register journey starts even before project initiation. Tailoring (adapting) the risk register to project size and complexity helps to estimate resources requirement, a balanced approach, for project risk management. Risk register Road Map or Timeline is interesting and vivid:

The Risk Register, risk log, provides information and the best way to communicate from top management to supervisors even to workers. A pervasive document to align the resource for achieving one goal i.e. enhance opportunities and reduce threats.
Stakeholders, especially the top executives don’t want to be lost in the Jungle of information. They want well-articulated data in the shape of charts, a dashboard.
Therefore, develop a risk register to cater the requirements of risk owner to the executive. With the clear concept to provide consistent, flawless and more importantly same information, but tailored information. All information is not for everyone.

Deming’s Plan – Do – Check – Act (PDCA) cycle is a simple, but powerful way to create documents and satisfy the requirements of a quality management system. Follow PDCA for developing risk register.

Pic 4 - Deming's PCDA

Risk Identification

The Risk Identification number can be the combination of WBS, RBS or risk categorization and Risk No. After defining the risk identification, defining risk is a major foremost important task. Defining risk requires to follow Risk Meta – Language i.e.

Cause(s) – Risk – Effect

Because of (Cause) Risk may occur leading to schedule overrun (effect)

Risk Example. Put unavailability of Skilled Worker example.

Cause: Because of so many projects in an area

Risk: Unavailability of skilled labor during construction

Impact: Leading to schedule delay and cost impact

Is it complete information? Does it provide detail insight into the risk? The answer is no. It is impossible to capture complete information related to risk in the risk register. That is the reason sometimes it is hard and time-consuming to understand the risk context.

Pic 5 – Mind map to Analyze risk causes and Way to Mitigate Actions

One way to tackle this issue is to provide a risk description i.e. a brief background. However, by introducing the Risk Traceability Matrix Register (RTMR, a new concept) to track the complete risk data will provide the complete log of each risk. It will also help to record the location of extra or detailed information (either physically or electronically) and tag data with proper identification codes. Furthermore, it will become a part of risk achieving and lessons learned.

Qualitative Risk Analysis

Qualitative risk analysis is done in risk register to prioritize risks., but all related information like schedule impact estimate and cost impact should be captured. This information must not be heuristics, P6/MSP schedule or cost estimates provide the input information. Store data in numbers to perform semi-qualitative risk analysis in risk register as per requirement.

Based on the judgement or expert opinion, specify the probability of a risk. The Bayesian theorem can be the best alternative to avoid heuristics. Bayesian Belief Network (BBN) is the best way to create causation and find out posterior probability.

Risk Impact or consequences categories are often schedule, cost, quality, and HSE, but not limited too. In this era of digitization, cybersecurity, political, organizational reputation, change management can also be the major impact categories.

Probability and impact analysis are done by using the risk matrix or heat map. A sample risk matrix is given below:

Pic 6 - Risk Matrix - Heat MAP

Risk score is calculated by using following formula:


Risk Score = Probability X Impact

Risk score is also called as Expected Monitory Value (EMV)

Pic 7 - Risk Score

Risk Evaluation

In case of threat (negative impact), there are four options available to reduce impact:

  • Accept
  • Avoid
  • Mitigate
  • Transfer

Either one of them or a combination of these options can be used to treat risk. Although practically there is no significance. However, it is required to specify response actions with target dates and proper “Risk Action owner”. Risk owner can be the Risk action owner, but usually, it is a person who implements the actions. Response action must be “SMART”. SMART is:

Pic 8 - SMART

For opportunities (positive impact), there are four options available to enhance the impact:

  • Accept
  • Enhance
  • Exploit
  • Share


Risk response actions are defined for high and mediums risks. While green risks are kept alive in risk register as a “Watchlist”.

There can be a secondary risk in case of a transfer option. Therefore, it is required to keep on eye on associated risks too.

Risk Audit

Risk audit should be carried at after a regular frequency as per the risk management plan for major and medium risks. For major risks it is a suggestion, option, to sign off the risk before risk closure like HAZOP.

Risk audit helps to measure the risk efficacy and trends over the period. It wills to identify pitfalls in the process and suggest process improvement initiatives.

Risk Health Indicators – Dashboard

Risk audit should be carried at after a regular frequency as per the risk management plan for major and medium risks. For major risks it is a suggestion, option, to sign off the risk before risk closure like HAZOP.

Risk audit helps to measure the risk efficacy and trends over the period. It wills to identify pitfalls in the process and suggest process improvement initiatives.

There is a question quite often is this project risky? Determine the risky nature of the Project also drives the overall risk management process at the project or program level. If the project is large, consumes more organizational resources then it may be a complex risky project. The question here is how to define the complexity of the project or overall project risk?

It is needed to define internal and external factors. Also determining the score based on project risk too.

A combination of these three (3) components help to determine the overall project risk. Well define questionnaire helps to get it done either by using expert opinion or conducting interviews with the key stakeholder or combination of both. We need to proportionate the risk efforts with project complexity. The system should be aligned with the risk register to indicate the complexity of the project. Summation of high Red risks can’t be an indicator to describe Project risk.

GleeYM has developed a risk register to calculate the overall project risk. Transforming data including text to charts is required to communicate with the management. Management requires crisp information to indicate overall project health. Need KPIs to elaborate an overall project risk. Project Risk Health Indicators are given below:

Pic 9 - Risk Health Indicators


Pic 10 - Risk Register Infographics


1- A Risk Practitioners Guide to ISO 31000: 2018 by IRM 

2- Practice Standard for Risk Management By PMI

Thank you



Softvative Inc.


More To Explore

Leave a Reply

Your email address will not be published. Required fields are marked *