Risk register

From Wikipedia, the free encyclopedia - View original article

Jump to: navigation, search

A Risk Register is a Risk Management tool commonly used in Project Management and organisational risk assessments. It acts as a central repository for all risks identified by the project or organisation and, for each risk, includes information such as risk probability, impact, counter-measures, risk owner and so on. It can sometimes be referred to as a Risk Log (for example in PRINCE2).

Example contents[edit]

A wide range of suggested contents for a risk register exist and recommendations are made by the Project Management Institute Body of Knowledge (PMBOK) and PRINCE2 among others. In addition many companies provide software tools that act as risk registers. Typically a risk register contains:

The risks are often ranked by Risk Score so as to highlight the highest priority risks to all involved.

Example Risk Register in table format[edit]

Risk Register for project "birthday party"

Risk CategoryRisk NameRisk NumberProbability (1-3)Impact (1-3)Risk ScoreMitigationContingencyRisk Score after MitigationAction ByAction When
GuestsThe guests find the party boring1.1.224Invite crazy friends, provide sufficient liquorBring out the karaoke2within 2hrs
GuestsDrunken brawl1.2.133Don’t invite crazy friends, don't provide too much liquorCall 9111Now
NatureRain2.1.224Have the party indoorsMove the party indoors010mins
NatureFire2.2.133Start the party with instructions on what to do in the event of fireImplement the appropriate response plan1EveryoneAs per plan
FoodNot enough food3.1.122Have a buffetOrder pizza130mins
FoodFood is spoiled3.2.133Store the food in deep freezerOrder pizza130mins

Useful terminology[edit]

In a "qualitative" risk register descriptive terms are used: for example a risk might have a "High" impact and a "Medium" probability.

In a "quantitative" risk register the descriptions are enumerated: for example a risk might have a "$1m" impact and a "50%" probability.

Contingent response - the actions to be taken should the risk event actually occur.

Contingency - the budget allocated to the contingent response

Trigger - an event that itself results in the risk event occurring (for example the risk event might be "flooding" and "heavy rainfall" the trigger)


Although risk registers are commonly used tools not only in projects and programs but also in companies, research has found that they can lead to dysfunctions, for instance Toyota's risk register listed reputation risks caused by Prius' malfunctions but the company failed to take action.[1] Risk registers often lead to ritualistic decision-making,[1] illusion of control,[2] and the fallacy of misplaced concreteness: mistaking the map for the territory.[3] However, if used with common sense risk registers are a useful tool to stimulate cross-functional debate and cooperation.[3]

See also[edit]


  1. ^ a b Drummond, Helga. "MIS and illusions of control: an analysis of the risks of risk management. Journal of Information Technology (2011) 26, 259–267. doi:10.1057/jit.2011.9
  2. ^ Lyytinen, Kalle. "MIS: the urge to control and the control of illusions – towards a dialectic". Journal of Information Technology (2011) 26, 268-270 (December 2011). doi:10.1057/jit.2011.12
  3. ^ a b Budzier, Alexander. "The risk of risk registers – managing risk is managing discourse not tools". Journal of Information Technology (2011) 26, 274-276 (December 2011), doi:10.1057/jit.2011.13

Further reading[edit]