What is a risk register?
A risk register is a central document that records all identified project risks with probability, impact, and planned countermeasures, and is maintained continuously.
DEFINITION
A risk register is the central instrument of risk management in projects. It records all risks that threaten the project: people, technical, financial, or external. Each risk documents: what could happen? How likely is it? What impact would it have on schedule, budget, or quality? Who is responsible? And what countermeasures exist? Typically the register rates probability and impact on a scale, often 1 to 5, and prioritises risks by their product (risk score). High risk scores require active risk management: reduce probability, mitigate impact, or transfer the risk, for example through insurance. The risk register is not a static document. Regular maintenance closes resolved risks and adds new ones. A well-maintained register significantly reduces the number of unexpected crises during the project.
CONNECTIONS
Leadership
Risks only reach reporting when there is psychological safety in the team. Anyone afraid of bad news holds risks back until they escalate. A safety culture is the prerequisite for an honest risk register.
Artificial Intelligence
AI hallucinations and uncontrolled agents are measurable project risks. The risk register must explicitly address AI-specific risks: false statements, data protection breaches, and lack of traceability.
Agility
In agile projects, risks are regularly identified and addressed in retrospectives. That can make the formal risk register obsolete in some agile contexts, but it remains useful for external reporting requirements.
KEY POINTS
- The risk register records all risks with probability and impact.
- Risks are prioritised: probability × impact = risk score.
- Each risk has an owner and planned countermeasures.
- It is not a one-off document — it is maintained continuously.
- Four strategies: avoid, reduce, transfer, accept.
EXAMPLE
An IT migration project records ten risks in the risk register. The highest: data loss during migration, probability 3/5, impact 5/5, risk score 15. Countermeasure: full backup before migration starts and a rollback plan. The IT lead is responsible. The register is updated weekly in the status meeting. Two risks do not materialise; one is successfully mitigated through the backup plan.
MISCONCEPTIONS
Is it enough to create the risk register once at project start?
No. Risks change during the project. New ones emerge; known ones occur or lose probability. The register needs regular maintenance.
Must all risks be avoided?
No. Some risks are consciously accepted when the countermeasure costs more than the possible damage. That is a strategic decision.