A Risk Register is a risk management tool commonly used in project management and organisational risk assessments. It acts as a central repository for all risks identified by the project or organisation and, for each risk, includes information such as risk probability, impact, counter-measures, risk owner and so on. It can sometimes be referred to as a Risk Log (for example in PRINCE2).
A wide range of suggested contents for a risk register exist and recommendations are made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2 among others. In addition many companies provide software tools that act as risk registers. Typically a risk register contains:
- A description of the risk
- The impact should this event actually occur
- The probability of its occurrence
- Risk Score (the multiplication of Probability and Impact)
- A summary of the planned response should the event occur
- A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
The risks are often ranked by Risk Score so as to highlight the highest priority risks to all involved.
- In a “qualitative” risk register descriptive terms are used: for example a risk might have a “High” impact and a “Medium” probability.
- In a “quantitative” risk register the descriptions are enumerated: for example a risk might have a “$1m” impact and a “50%” probability.
- Contingent response – the actions to be taken should the risk event actually occur.
- Contingency – the budget allocated to the contingent response
- Trigger – an event that itself results in the risk event occurring (for example the risk event might be “flooding” and “heavy rainfall” the trigger)
Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota’s risk register listed reputation risks caused by Prius’ malfunctions but the company failed to take action. Risk registers often lead to ritualistic decision-making, illusion of control, and the fallacy of misplaced concreteness: mistaking the map for the territory. However, if used with common sense risk registers are a useful tool to stimulate cross-functional debate and cooperation.