What is Risk register

What is a Risk register?

Executing the project without knowing the risks involved is a big RISK in itself. Though 5% chance is that the project gets executed easily, but if not, then the situation might look like a dooming one. In this post, I am going to discuss and explain about Risk Register.

What is a Risk Register?

It is basically a log which is created during the early phase of the project. This log captures the unforeseen issues which can appear during the project execution. These unforeseen issues are nothing but Risks. There is no specific format how to create the log. However, this is a project and an organisation specific. If a particular template is used to capture the Risks, let it be followed.

  • It is a matrix which can be created in excel or word.
  • It is part of the Project Plan.
  • It needs to be maintained on regular basis and updated accordingly with the current status.

Purpose of a RISK Register

As a manager or a Senior Team member or a Business Analyst you will be required to understand the RISK REGISTER creation and maintenance. When we start any project, the intention is to successfully complete it. It is a hyperbole ideal situation where one cannot foresee any hurdles during the project execution. These hurdles as RISK help the manager to plan accordingly.

  • If these risks are captured in a right manner it will become smooth to meet the project objectives.


  • The risk register helps in RISK handling this is also known as risk mitigation. This helps the organization to achieve objectives with fewer slip down along the way.



  • It also helps in preparedness of the contingency plan. It prepares the project and stakeholders for the cases when the unfavourable situation has occurred. In that case what action needs to be taken without hampering the other work. It ensures that, when undesirable events occur, there are enough strategies in place to minimise and handle the uncertainty.

A typical RISK Register looks like this.

Elements of a Risk register

You have seen various items in the risk register as risk id, date raised, risk details, probability, Severity, Impact, mitigation plan, contingency plans, owner and status. You can also find the color coding as Red Amber green here. Depending upon the alarming conditions the colors are applied to the register. Red, Amber Green denote the danger alarm as High, medium and Low respectively.

Let us understand few terminologies which are used in a typical RISK Register.

RISK Id:  A unique identifier given to the risk

Date Raised:  When was this RISK identified. This risk can be raised before the project plan is developed or during the execution of the project.

Risk Details: The details of the risks are captured here. It is advisable to mention what are the consequences in case the RISK occurs.

Probability: What is the chance that the risk will occur. This can be categorized as Certain, Likely, Possible, Unlikely or Rare. You can assign it as High – Medium – Low. It is preferred to keep it in percentage like 60% or in value as 0.6, lesser than 1.

Severity: Severity is the amount of damage or harm a hazard could create. This can be categorized as Critical, Marginal or Negligible. Every project assigns a value for its severity.

Impact:  This is the value which is arrived as a product of probability and Severity. It shows how important it is to handle this particular risk. To handle any RISK high cost is involved. Cost in terms of money, schedule, resources so on. The project would need approval from the stakeholders. The figure for Impact will help the stakeholders and project manager to plan accordingly.

Mitigation Plan: to reduce the severity of the RISK, it is advisable to apply some feasible and affordable solution. For example, let us say the project identified a risk of key team member to leave the ongoing incomplete project. What can the project do beforehand? In this case one of the mitigation plans could be to assign another person along with the key member to work with him or assist him on the very same work.

Risk mitigation needs to be planned, budgeted, staffed, scheduled and managed like any other important project activity.

Contingency Action Plan: It is required to come up with a plan which reduces the damage done when the RISK has already occurred. This is called contingency action plan. In the above scenario where the key team member is planning to leave, the contingency could be to have a detailed KT and a Takeover Plan from the leaving team member.

Owner: Who is the person responsible to manage the risk. The owner need not to be responsible for mitigation action. But he is responsible to get the people together and plan risks mitigation steps.

Status: RISK Register is a live document. It is a good practice to keep the document updated. The RISK which has already occurred, or the RISK which is no more a RISK now should be updated accordingly.

Calculating Risk Ranking/Rating

Now that we have discussed about RISK Register Items. We can see how the RISK Ratings are calculated. It’s the same as Impact. The Risk Rank is based upon the calculation, experience and intuition. The color code is defined by the manager while preparing the RISK Register.

In this case when calculated risk factor X is less than or equal to 0.5, it is considered to be low. You can see the color has been marked as green.

When the risk factor X has value in between 0.5 and 0.85, it is considered to be medium and colored as amber.

And when the risk factor has value greater than or equal to 0.85 it is of high risk and colored as RED.

Let us see how is this calculated.

Suppose a risk having probability as 0.9 and Severity as 1. The impact will be calculated as 0.9*1 which comes out to be 0.9 which lies in the range of high risk. The color code is made as RED.

You can see the other 2 risks also calculated. With their values they have been marked in Amber and Green respectively. These risks can be ranked now as 1, 3 and 2 respectively.


Risk planning and monitoring is an important activity in a project. Project Managers are responsible for overall risk analysis and management, though business analysts are stakeholders in this activity. Risk analysis and management is an important technique in BABOK v3.

We have included risk analysis and management in our CCBA Certification course as well as CBAP certification course.

CBAP/CCBA Study Guide


Leave a Reply

Your email address will not be published. Required fields are marked *