Risk register

A risk register is a living list of identified threats and opportunities, their characteristics, owners, and planned responses. It is created early and updated throughout the project to guide risk analysis, response, and monitoring.

Key Points

  • Captures both threats and opportunities with clear owners and planned responses.
  • Starts during risk identification and is updated continuously through monitoring and control.
  • Uses agreed scales for probability and impact; may include qualitative and quantitative data.
  • Different from the risk report: the register is detailed and operational, while the report is a summary for stakeholders.
  • Links to actions in the schedule and budget, enabling contingency and fallback planning.
  • Under configuration control as a living document; changes are traceable and time-stamped.
  • Feeds risk reviews, status reporting, and decision making at phase gates and change control.

Purpose

  • Provide a single source of truth for identified risks and their handling plans.
  • Enable consistent analysis, prioritization, and monitoring of risk exposure.
  • Assign accountability for risk ownership and action execution.
  • Support communication to stakeholders and alignment with risk thresholds.

Field Definitions

  • ID: Unique identifier for each risk item.
  • Title/Short name: Brief label for quick reference.
  • Description: Clear statement of the risk event; what might happen and why.
  • Cause and effect: Root cause and the potential impact on objectives.
  • Category/Source: Risk breakdown structure category or source area.
  • Affected objectives: Scope, schedule, cost, quality, or other objectives at risk.
  • Triggers/Indicators: Early warning signs that the risk may occur.
  • Proximity/Target date: When the risk might occur or when action is needed.
  • Probability: Likelihood rating (e.g., Very Low to Very High or numeric scale).
  • Impact/Consequence: Effect severity rating on objectives.
  • Risk score/Priority: Combined rating used to rank risks.
  • Response strategy: Threats—avoid, mitigate, transfer, accept, escalate; Opportunities—exploit, enhance, share, accept, escalate.
  • Response actions: Specific tasks, with due dates and resources.
  • Risk owner: Person accountable for monitoring and managing the risk.
  • Action owner: Person responsible for executing response actions.
  • Status: Open, in progress, implemented, closed.
  • Residual risk: Remaining exposure after responses.
  • Secondary risks: New risks created by responses.
  • Contingency/Fallback: Planned measures if the primary response is insufficient.
  • Last update/Notes: Date of last change and any relevant comments or assumptions.

How to Create

  1. Define scales and rules: Agree on probability and impact scales, scoring method, and status values.
  2. Select a template: Include the fields needed by your governance and reporting.
  3. Identify risks: Facilitate workshops, interviews, and reviews to populate initial entries.
  4. Describe clearly: Record cause, risk event, and effect in a consistent format.
  5. Assign owners: Name a risk owner and action owner for each entry.
  6. Prioritize: Apply qualitative scoring; add quantitative data where appropriate.
  7. Plan responses: Select strategies and define concrete actions with dates and resources.
  8. Establish controls: Set versioning, access rights, and update procedures.

How to Use

  • Review regularly to update probabilities, impacts, statuses, and action progress.
  • Track triggers and proximity to decide when to implement responses.
  • Link actions to schedule tasks and budget items to manage reserves.
  • Escalate risks that exceed project thresholds to the appropriate governance body.
  • Capture residual and secondary risks after implementing responses.
  • Summarize key items into the risk report for stakeholder communication.
  • Use trends (e.g., total exposure or risk burndown) to inform decisions and forecasts.

Ownership & Update Cadence

  • Maintained by the project manager or risk manager; each risk has a named owner.
  • Update cadence aligns with risk reviews (e.g., weekly for high-risk projects, biweekly or monthly otherwise).
  • Immediate updates occur when triggers fire, responses change, or new risks are identified.
  • Review at phase gates, major milestones, and before change control decisions.

Example Rows

  • R-01 — Supplier delay due to logistics disruptions may extend schedule by 2 weeks; Probability: Medium; Impact: High; Score: 12; Owner: Operations lead; Strategy: Mitigate; Actions: Place orders early and add second source; Status: In progress; Proximity: Next month.
  • R-02 — Key specialist may become unavailable, affecting design quality; Probability: Low; Impact: High; Score: 10; Owner: PM; Strategy: Transfer; Actions: Contract backup specialist; Status: Open; Proximity: Next quarter.
  • R-03 — Opportunity: Early integration testing could reduce rework by 15%; Probability: Medium; Impact: Medium; Score: 9; Owner: Test manager; Strategy: Enhance; Actions: Reserve test environment and adjust schedule; Status: Open; Proximity: Next sprint.
  • R-04 — Regulatory change could require additional documentation; Probability: Medium; Impact: Medium; Score: 9; Owner: Compliance lead; Strategy: Accept with contingency; Actions: Monitor regulator updates and prepare templates; Status: Open; Proximity: Ongoing.

PMP Example Question

During planning, the team compiles a detailed list of identified risks with owners, triggers, and selected response strategies. Which artifact should be updated to capture this information?

  A. Risk register
  B. Risk report
  C. Issue log
  D. Lessons learned register

Correct Answer: A — Risk register

Explanation: The risk register records detailed risk data, owners, and responses. The risk report summarizes risk information for stakeholders at a higher level.
