Creating a Risk Register: All You Need to Know

Project management goes hand in hand with uncertainty and risks. The present-day disruptions caused by the pandemic bits and pieces, military conflicts, and economic crisis can only increase the number of risks projects will be exposed to.

For this reason, identifying and managing project risks gains even more importance these days: it significantly increases the chances for a project to stay afloat.

One of the important components of project risk management is creating a risk register. What kind of document is it? What is the purpose of a risk register, and how to compile one? Read further to know the answers.

Risk Register in Project Management

First of all, let’s define a risk register and figure out its importance for the project management process.

What is a risk register?

A project risk register (or a risk register log) is a document that presents detailed information about potential project risks, their priority, impact, risk responses, and risk owners [1]. This is one of the components of a project risk management plan, which is compiled during the project planning phase. At the same time, it’s not something that can be done once and left aside: it should be updated every time a risk-bearing event appears on the horizon. A risk log should be shared with all project stakeholders and team members and reviewed at every team meeting so as not to miss any important updates.

Importance of a risk register

The main purpose of a risk register is to allow project managers to identify possible risks, track them, and take timely measures to mitigate their negative influence. Here are the other benefits of compiling a risk register.

Proactive risk management

Detecting risks and listing them early in the project lifecycle allows the project team to manage them proactively, take measures to mitigate their negative impact, and in such a way contributes to a more successful risk management strategy. This reduces the likelihood of potential consequences if risk events occur — they will be less likely to disrupt the project’s progress.

Improved decision-making

A risk register is not only helpful for project managers and the team; it creates awareness among project stakeholders, which helps them make informed decisions. Having performed risk analysis, they gain insight into potential challenges and uncertainties within the project, which in turn helps them make further decisions (e.g., assigning resources, responding to risks, etc.).

Enhanced communication

A risk register can serve as a communication tool that allows for sharing information about potential risks with stakeholders. It also promotes transparency and ensures that all the project participants are aware of the risks and corresponding mitigation strategies.

Now, let’s explore how a risk register should be created

How to Create a Project Risk Register?

The steps listed below will help you create a risk register.

1. Identifying risks.

First of all, you should think of all possible risks. There are three ways to gather the required data:

• analyzing historical data,
• consulting key stakeholders and team members,
• performing modeling and simulations.

Some risk-bearing events will be added to the risk register later — don’t forget that it should be regularly reviewed as a project progresses. Each listed risk should be given a name, marked with a special number, or a code that helps a project manager quickly identify the risk among others.

2. Describing risks.

The description of risks should be short but informative. It’s also important to be aware of events that result in a risk, they can be also mentioned here. For example, implementing a new technology solution may result in a project delay.

3. Creating a risk breakdown structure.

A risk breakdown [1] structure can be optionally included in the risk register. Similarly to a work breakdown structure, it’s a hierarchical representation of risk sources, where each descending level provides an increasingly detailed definition of project risk sources. It gives a much better understanding of project risks and makes the whole risk management process more effective.

Here is an example of a risk breakdown structure [2].

4. Categorizing risks.

There are several classifications for risk categories in project management. Here is one of them:

• technical risks (related to technology, requirements, interfaces, etc.);
• external risks (related to customers, suppliers, market, etc.);
• organizational risks (associated with resources, budget, logistics, etc.);
• and project management risks (related to planning, scheduling, etc.).

Knowing the risk category makes it easier to engage a corresponding department to work with it. 

5. Determining the probability of risk occurrence.

The probability of risk events may vary. In the risk register, you can express the risk likelihood in different ways:

• on a numerical scale from 1 to 5, 10, or 100;
• using the degree of probability: high (80-100%), medium-high (60-80%), medium-low (30-60%), and low probability (0-30%).

It’s essential to include it in the risk register — this will help you prioritize risks and manage them more effectively.

6. Identifying risk impact.

Some risks require taking active measures, while others require just keeping an eye on them. Therefore, it’s important to mention the potential impact of a risk-bearing situation in the risk log. The severity of this impact can be expressed at three levels:

• high meaning the catastrophic impact,
• medium for the critical one,
• low for the marginal impact.

For example, an overall project delay of more than 2 weeks has a high impact on a project’s outcomes, a 1-2-week delay has a medium impact, while less than a week’s delay is considered to have a low impact.

7. Prioritizing risks.

Having determined the level of a risk’s impact on a project, the risk-bearing event can be given a high, medium, or low priority. It can be marked with colors (e.g., red, yellow/orange, green) for visual reference. Also, you can order the list of risks according to their priority, so you’ll always know the most critical risks that must be addressed first and foremost.

8. Specifying a risk response.

This is one of the most important parts of a risk register. Risk responses should be planned for each risk and agreed upon with stakeholders. Here are the most common variants of risk responses.

• Risk avoidance: actions aimed at minimizing the exposure to risks.

• Risk transfer: assigning other organizations (e.g., an insurance company) to deal with the risk.

• Risk mitigation: minimizing the negative impact of a risk.

• Risk acceptance: taking no action to mitigate risks.

• Escalating risks: engaging leadership to deal with a risk.

Actions to be taken in response to risks should be described in detail in the register.

9. Assigning a risk owner.

A risk owner is usually a person responsible for monitoring the risk triggers and/or the one who is expected to deploy a risk response plan. [3]

Jump into the next section to explore an example of a risk register.

Project Risk Register Example

There are no standardized templates for a risk register; it’s usually presented in the form of a table or a spreadsheet. However, based on the steps listed in the previous section, the components of the risk register usually include the following items.

1. Risk identification/number.
2. Risk description.
3. Risk breakdown structure.
4. Risk category.
5. Risk probability.
6. Risk impact.
7. Risk priority.
8. Risk response.
9. Risk owner.
10. Risk status (optional).

Here is a risk register example [3].

Read more: Project Risk Management: Importance, Challenging Issues, Recommendations

In fact, the risk management process is rather complex and time-consuming. Furthermore, if you have more than one project underway, it becomes much more difficult to identify, analyze, and manage risks properly. What tools a project manager can use for more efficient risk management? Let’s figure it out in the next section.

Risk Management: How a Project/Resource Management Solution Helps

Project and resource management tools have a variety of functions that make work on projects more efficient and streamlined as well as provide solutions for effective risk management.

Let’s consider how they help through the example of Epicflow, a multi-project resource management software. It has three important areas of focus:

• seamless orchestration of multiple projects,
• maximum efficient resource utilization,
• preventing and detecting bottlenecks before they become risks and lead to real problems.

Let’s review some of Epicflow’s functions that help manage project risks in more detail.

Checking the state of all projects in the portfolio

Proper risk management is impossible without continuous monitoring of projects’ “health”, which becomes twice as important in multi-project management. Epicflow’s Pipeline presents a comprehensive overview of all projects and milestones in a multi-project environment. Projects are ordered according to their state – those that are at risk of being delayed are placed on the top and marked with corresponding colors. Milestones are also marked with colors depending on their feasibility.

The Bubble Graph, which is an improved version of a Fever Chart, shows the remaining time and budget, so you can always check if there are any risks of missing due dates or going over the budget.

Read more: Bubble Graph: Critical Chain Fever Chart Re-Imagined

Preventing risks caused by improper workload

Improper workload can be a serious risk factor: both overloaded and idle employees work inefficiently and can create bottlenecks in the future, which will bring project success into question. To prevent inadequate workload, employee burnout, and reduced productivity, you can use the Future Load Graph that analyzes active projects in the Pipeline to show what resource groups/teams are going to be over- or underloaded later.

Running simulations to spot future risks

As we’ve mentioned earlier, one of the ways to identify possible risks is modeling and simulations. In Epicflow’s What-if Analysis, you can run simulations to detect possible future project- and resource-related risks. In addition, you can play various scenarios to find the best possible risk response — the feature will show you how changes (reassigning resources, moving milestones, etc.) will affect the project flow and outcome in the future. Therefore, you can come up with the best possible decision and plan risk responses so that potential threats won’t derail your project.

Protecting your project timeline with a buffer

To cope with increasing uncertainty and be prepared for possible risks, Epicflow’s approach suggests adding a buffer to the end date of your project. There is a clear system of buffer monitoring: in the Pipeline, you can track how much of the buffer has already been consumed. This is expressed in numbers before a project’s name: e.g., 80 means that you have a 20% buffer and won’t miss the delivery date, while 100 shows that you’ll deliver the project on time, but there’s no more buffer left. Therefore, even if unfavorable events occur, you will have more chances to fix the situation and deliver a project on time.

Getting early warnings on issues in the workflow

Epicflow’s AI assistant Epica offers one more way to protect the workflow from project management risks — it can send a project/resource/portfolio manager notifications upon detecting bottlenecks that may affect the project progress, e.g., overloaded resource groups. This gives an opportunity to timely improve the situation and avoid project management risks.

These were just several examples of how Epicflow can assist in managing risks. Contact us to learn more about Epicflow’s capabilities and how they facilitate seamless multi-project and effective resource management.

Key Takeaways

1. A risk register as an essential element of risk management plan is a document that outlines all the necessary information about possible project risks — probability, impact, responses, responsible people, etc.
2. The main benefits of creating a risk register involve proactive and more effective risk management, more effective communication with all project stakeholders as well as improved decision-making.
3. Creating a risk register embraces a series of steps: identifying and describing possible risks, determining their probability and impact, prioritizing them, specifying responses, and assigning risk ownership to people responsible for monitoring the potential risk areas and deploying a plan of action to address the risk.
4. For more effective risk management, it’s a good idea to leverage project management solutions with predictive capabilities, like Epicflow. These tools will let you keep control of the whole project environment, predict project management risks, and test the best possible responses to them.      

References

1. Hillson, D. (2014). Managing overall project risk. Paper presented at PMI® Global Congress 2014—EMEA, Dubai, United Arab Emirates. Newtown Square, PA: Project Management Institute.
2. Hillson, D. (2002). Use a risk breakdown structure (RBS) to understand your risks. Paper presented at Project Management Institute Annual Seminars & Symposium, San Antonio, TX. Newtown Square, PA: Project Management Institute.
3. Lavanya, N. & Malarvizhi, T. (2008). Risk analysis and management: a vital key to effective project management. Paper presented at PMI® Global Congress 2008—Asia Pacific, Sydney, New South Wales, Australia. Newtown Square, PA: Project Management Institute.