research project risk register

Project Management, Project Planning, Templates and Advice

• Concise, focused guide that cuts through the clutter
• Step-by-step instructions for creating a project plan in under a day
• Master essential skills like work breakdowns and task sequencing
• Real-world troubleshooting for 20 common scheduling challenges
• Rapidly get up to speed if you're new to Microsoft Project
• Includes glossary, support resources, and sample plans
• Start planning like a pro
• Get your copy today!

20 Common Project Risks - Example Risk Register

Want to a kick start to your Risk Management ? Want to make sure you have identified key project risks ? Not sure what actions you can take to reduce the likelihood of key project risks? Look no further!

• The 20 common project risks
• View the register
• Download the risk register in Excel

Video - How to edit the risk register

• Bonus mindmap of the common risks

20 Common Project Risks

• Project purpose and need is not well-defined.
• Project design and deliverable definition is incomplete.
• Project schedule is not clearly defined or understood.
• No control over staff priorities.
• Consultant or contractor delays.
• Estimating and/or scheduling errors.
• Unplanned work that must be accommodated.
• Lack of communication, causing lack of clarity and confusion.
• Pressure to arbitrarily reduce task durations and or run tasks in parallel which would increase risk of errors.
• Scope Creep.
• project conflicts not resolved in a timely manner.
• Business Case becomes obsolete or is undermined by external or internal changes.
• Delay in earlier project phases jeopardizes ability to meet fixed date. For example delivery of just in time materials, for conference or launch date.
• Added workload or time requirements because of new direction, policy, or statute.
• Inadequate customer testing leads to large post go live defect list.
• Legal action delays or pauses project .
• Customer refuses to approve deliverables / milestones or delays approval, putting pressure on project manager to 'work at risk'.
• Theft of materials, intellectual property or equipment.
• Acts of God for example, extreme weather, leads to loss of resources , materials, premises etc.
• Stakeholder action delays the project . For more on the damage stakeholders can do see our case studies of real world projects that faced costs running into millions, because of stakeholder actions.

Completed risk register with 20 project risks you need to manage

Download a Complete Risk Register of Common Project Risks

Excel 1997 - 2003 download (.xls) - free risk register of common risks, excel download (.xlsx) - free risk register of common risks, mindmap download - free mindmap of common project risks, more on risk management, the top 50 business risks and how to manage them, checklist of 30 construction risks, download a risk register template, overall project risk assessment template, simple risk register template, resources used in this article, share this image.

Transform teamwork with Confluence. See why Confluence is the content collaboration hub for all teams.  Get it free

• The Workstream
• Project management
• Risk register

What is a risk register and how to create one

Browse topics.

In today’s competitive environment, businesses must deliver products faster and more frequently to maintain an advantage. Executing multiple projects at once can increase risk factors, and identifying, monitoring, and mitigating these risks is critical to meeting your project goals and maintaining customer satisfaction. 

Managing risks, from identifying their potential impact to planning your response, can help keep projects moving forward rather than derailing progress. Successful businesses often rely on a risk register to identify, document, and address risks throughout the project lifecycle. This guide discusses what a risk register is, its basic components, and how to create one.

Get started with a free Confluence risk assessment matrix template .

What is a risk register for project management?

A risk register is a project management tool for evaluating, prioritizing, and addressing risks to projects across your business. It serves as a central repository for identifying risks so project managers and teams can effectively track and mitigate them. Understanding risks and their implications and priorities can help streamline workflows and ensure you keep your projects on track.

Tools that provide a connected workspace are the foundation for implementing an effective risk register. Confluence allows teams to create, edit, and share information in a central repository for an updated, single source of truth. With a risk register template, teams can get started quickly, develop mitigation plans, and track risks throughout the project lifecycle.

Key components of a risk register

Risks come in many forms, including data security, legal compliance, and supply chain issues. A risk register should consider all the potential risks your project may face, no matter what category they fall under.

There are four key components of a risk register:

• Risk identification : Assigning an ID number and name helps track the risk throughout the project timeline . Adding a brief description of the risk keeps everyone on the same page when referencing or working on it.
• Risk assessment : This includes analyzing the risk and assigning it to a category based on schedule, budget, or scope. Identify the likelihood of the risk and its outcome using qualitative impacts, such as customer satisfaction, or quantitative impacts, such as cost. These factors will help you prioritize the risk.
• Risk response : Determine your response to the risk and document it in a risk response plan. Using a central repository such as Confluence for the response plan allows everyone to access and respond according to the plan.

Risk ownership : Assign a knowledgeable owner responsible for the overall risk, including the response plan.

When to use a risk register

It’s never too early to begin using a risk register. Teams often identify risks in the project planning and product discovery phases, which is an excellent time to start tracking, assessing, and strategizing how to address risks. Continue using the risk register throughout the project lifecycle.

Project changes are common, and reassessing risks and looking for new ones should be part of managing change. You should also include the risk register in standard project reviews with stakeholders to keep them informed.

Benefits of using risk registers

Understanding risks early, analyzing their impact, and creating a plan for addressing them can help keep your project on schedule and within budget. The following are some of the benefits of using a risk register.

Proactive risk management

Identifying every risk early might not be possible, but you can identify a large percentage through project collaboration . Teams that include risk identification in each phase of the product and project management lifecycles identify solutions early that they can build into the project plan.

Improved communication

A proactive risk management approach allows teams to coordinate early, understand the goal, and work together to mitigate risks. That way, when new risks arise, teams have a standard process for capturing, analyzing, assigning, and planning the response. Using collaborative tools such as Confluence provides a current source of truth about any risk at any time.

Enhanced decision making

The risk register provides project managers and stakeholders with clear information about each risk and its impact. It reduces or eliminates the guesswork. 

For example, a risk may seem like a high priority when you first identify it, but analysis may reveal that you can mitigate it quickly or easily. On the other hand, a risk that seems fairly low priority when you first identify it may become priority number one after the analysis. The risk register helps focus attention on the most important risks first.

Documentation

Tools such as Confluence help teams collect and maintain all information related to the risk, such as severity, impacts, response plan, and the person responsible, in a single repository. This single source of truth ensures that teams work from the same understanding of the risk, no matter where they’re located or what team they’re on.

Accountability

Assigning an owner to each risk in the register improves productivity by ensuring that the right people are working on the response plan. Scheduling, reviewing, and updating the risk register during project review meetings and throughout the project life cycle maintains a real-time snapshot of progress. It allows you to change priorities or adjust schedules as you resolve risks or new risks arise.

Task management software such as Jira can help track the progress of the work from identification to resolution.

Limitations of risk registers

A clear and easy-to-follow process can help overcome many of a risk register's limitations. However, identifying some risks, such as equipment malfunction, may be difficult, leading to gaps in the risk register.

Risks can evolve, and keeping the register current is important to ensure it reflects the latest information. Training team members on risk assessment, scoring or prioritizing, and providing complete and accurate data helps ensure the effectiveness of the risk register.

How to create a risk register

To create an effective risk register, use a standard process and provide training to the entire team. The following are steps to create and maintain the risk register.

Identify risks

Begin with a brainstorming session that involves the entire team. Different people bring varying perspectives and knowledge to areas others may not have insight into. 

For example, a developer may recognize compatibility issues that require additional software purchases, and finance may see budgetary risks associated with unexpected purchases. External partners may also have first-hand experience and can detail the risks they’ve encountered. During this step, collect as many different perspectives as possible.

Assess risks

Assess the risks using a standard scoring process. Apply the same standard to each risk, whether financial, technical, security, quality or another kind.

• First, determine the probability of the risk occurring using a number scale for high, medium, and low.
• Then, assess the potential impact on the project using the same number scale for high, medium, and low.
• Finally, calculate the risk score by multiplying the probability by the impact.

You can quickly identify high probability/high impact risks by their score and prioritize them first.

Plan risk responses

Develop strategies to reduce the likelihood and impact of each risk. A collaborative team environment can help, as team members bring unique experiences and insights. Plan the specific actions to take if the risk materializes. 

Having an action plan in place allows the team to respond and resolve issues immediately if they materialize, allowing the project to continue. It also provides information for other team members, such as finance, early in the project.

Include high probability/high impact risks in your roadmap software tool to ensure all stakeholders are aware.

Assign risk ownership

Assign an owner who understands the risk's nature and impact in detail. This may be a developer with experience in cybersecurity or a partner relationship manager possessing experience working with suppliers. The owner is responsible for researching additional information or solutions, updating the risk register with new or changing information, and requesting additional resources if necessary.

Monitor and review risks

Keep the risk register updated regularly to ensure it correctly reflects changes to existing risks and progress on the planned actions and captures new risks. The project review meeting should include reviewing the risk register, but having a separate and regular risk register meeting is good practice. 

New risks arise and identified risks change throughout the project. Making the risk register meeting a standard part of the project management lifecycle , including updating Gantt charts and timelines, can reduce surprises and keep the project on track.

Using risk register templates

Using a risk register template allows teams to get started quickly identifying and tracking risks. Confluence risk register template helps teams collect the necessary information, determine the severity and impact, and document the mitigation plan in case the risk becomes a reality. The template you choose should allow you to collaborate in a connected environment and provide the basic building blocks for tracking risks throughout the project lifecycle. With shared information, when risks require action, everyone on the team is aware of the plan and can immediately get to work.

Assess your risk with Confluence for a smoother project journey

What you don’t know, can hurt you. Understanding your project risks and preparing mitigation plans before they arise can make the difference in keeping your project on schedule, ensuring product quality, and maintaining your budget. 

Confluence organizes knowledge across teams, projects, and goals, bringing order to chaos. It allows you to find what you want, and discover what you need. With company-wide and project-related knowledge in a centralized place, surfacing important information has never been easier. Collaboration through real-time editing and inline comments allows the entire team to maintain velocity and move the business forward, as well as easily share information with the broader organization. 

The Confluence risk assessment matrix template helps fast-track the process. It walks you through identifying and assessing risks, developing a planned approach, documenting ownership, and tracking changes. Get started for free.

You may also like

Project poster template.

A collaborative one-pager that keeps your project team and stakeholders aligned.

Project Plan Template

Define, scope, and plan milestones for your next project.

Enable faster content collaboration for every team with Confluence

Copyright © 2024 Atlassian

Risk Register

• Great for beginners
• Ready-to-use, fully customizable Folder
• Get started in seconds

Risk assessment is essential for any project. Identifying, assessing, and managing risks helps you stay on top of your project and ensure its success. And a risk register template is the best way to organize it all!

The ClickUp Risk Register Template makes it easy to:

• Identify potential risks before they become issues
• Organize risk assessments in an easy-to-understand format
• Track risk status, ownership, and impacts in one place

Whether starting a new project or managing existing projects, this template will help you create detailed risk registers with ease!

Risk Register templates are essential for any organization to help track and manage potential risks. Benefits of using a Risk Register template include:

• Providing a standardized system for evaluating and tracking risks
• Improving communication between stakeholders and departments
• Helping to identify potential risks and plan strategies to mitigate them
• Increasing the accuracy and efficiency of risk management processes

ClickUp's Risk Register Template is designed to help you manage and track potential risks associated with a project . This Folder template includes:

• Custom Statuses: Mark task status such as Occurred, Mitigated, and Active to keep track of the progress of each risk in the project
• Custom Fields: Use 7 different custom attributes such as Consequence, Description, Expected Cost of Risk, Mitigation Cost, Probability, and more to keep track of potential risks and their associated costs
• Custom Views: Open 6 different views in different ClickUp configurations, such as Costs of Risks, List of Risks, Risks by Status, Risks by Response, Risks by Level, and more so that all the information is easy to access and organized
• Project Management: Improve risk management with task dependencies, automated reminders, collaborative editing, and more

Creating a risk register can be an effective way to identify and manage potential risks associated with a particular project. Follow these steps to help you create your own risk register:

Your first step is to brainstorm all the potential risks associated with your project. This step can include anything from technological issues to political or environmental factors.

Use a Whiteboard in ClickUp to brainstorm potential risks.

Once you have your list of risks, the next step is to assess each one. This involves rating each risk according to its likelihood of occurring and the potential impact it would have on the project.

Create custom fields in ClickUp to categorize and rate the risks.

Using a spreadsheet program or other suitable software, create a table with columns for each of the risk categories (likelihood, impact, etc.).

Use the Table view in ClickUp to quickly create a custom risk register table.

Start by entering all the risks you brainstormed into the table, along with the ratings you assigned them.

Create tasks in ClickUp to track each risk and assign ratings.

Once all the risks have been entered into the table, you can then identify possible mitigation strategies. This should be done for each risk, and can include anything from putting extra safeguards in place to avoiding the risk altogether.

Create custom fields in ClickUp to identify mitigation strategies for each risk.

It's important to regularly monitor your risk register and make adjustments as needed. If new risks arise or the likelihood or impact of existing risks changes, make sure to update the register accordingly.

Set a recurring task in ClickUp to review and update your risk register.

Risk managers can use this Risk Register Template to help everyone stay on the same page when it comes to identifying and assessing potential risks.

First, hit “Add Template” to sign up for ClickUp and add the template to your Workspace. Make sure you designate which Space or location in your Workspace you’d like this template applied.

Next, invite relevant members or guests to your Workspace to start collaborating.

Now you can take advantage of the full potential of this template to manage risks:

• Use the Costs of Risks View to calculate the cost of any risks that have occurred or may occur in the future
• The List of Risks View will help you keep track of all the risks associated with your project
• The Risks by Status View will provide insight into the current status of each risk
• The Risks by Response View will provide insight into the response plans for each risk
• The Risks by Level View will provide insight into the severity of each risk
• Organize risks into nine different statuses: Occurred, Mitigated, Occurred, Active, Active, to keep track of progress
• Update statuses as risks occur and are mitigated to keep stakeholders informed of progress
• Monitor and analyze risks to ensure maximum productivity

Get Started with Our Risk Register Template Today

• Business Budget Template
• Break Even Analysis Template
• Annual Calendar Template
• SOP Template Template
• 2-2-3 Schedule Template

Template details

Free forever with 100mb storage.

Free training & 24-hours support

Serious about security & privacy

Highest levels of uptime the last 12 months

• Product Roadmap
• Affiliate & Referrals
• On-Demand Demo
• Integrations
• Consultants
• Gantt Chart
• Native Time Tracking
• Automations
• Kanban Board
• vs Airtable
• vs Basecamp
• vs MS Project
• vs Smartsheet
• Software Team Hub
• PM Software Guide

• Contact sales

Start free trial

What Is a Risk Register & How to Create One

You’ll never be able to anticipate every risk event that could occur in a project, but by using a risk register, you’re prepared to respond quickly before project risks become real problems that sidetrack the whole project.

What Is a Risk Register?

A risk register, or risk log is a risk management tool that’s used to identify potential risks that could affect the execution of a project plan . While the risk register is mostly used during the execution of the project, it should be created during the project planning phase. It’s never too early to start thinking about risk analysis in your project and having a project risk register on hand and ready is essential in managing risk.

Get your free

Risk Register Template

Use this free Risk Tracking Template for Excel to manage your projects better.

A risk register is the first step in project risk management , and it’s an important part of any risk management framework. It helps project managers list risks, their priority level, mitigation strategies and the risk owner so everybody on the project team knows how to respond to project risk.

What Is the Purpose of a Risk Register?

If you know what risk management is, then you’ll know that the next step to managing risk is strategically working to control the potential issues that are most likely to occur when you’re managing a project. Therefore, you should have a risk analysis mechanism in place to collect potential risks and map out a path to mitigate risks and get the project back on track, should those risks become realities.

Having a risk log to track project risks , whether by a simple spreadsheet or as part of a more robust project management software solution, is a good idea to tackle in any project plan. There’s risk inherent in everything, and that’s especially true when managing a project with many moving parts.

Project management software can help you track risk better than a static spreadsheet. With ProjectManager you can make an online risk register where you can identify risks, calculate their impact and manage them with your team. With our Risk view, you can make a risk list and stay on top of all the risks within your project. Write a description, add tags, identify a resolution, mark impact and likelihood, even see a risk matrix—all in one place. Get started today with a free trial.

Risk Register vs. Risk Matrix

A risk register and a risk matrix are similar tools. Both assess the level of risk and are key to any contingency plan or risk management plan. But there are differences. For one, the risk matrix is a visual tool. It charts each risk and maps it on a grid.

The risk matrix measures the likelihood of the risk occurring, from rare to almost certain, and its severity, from insignificant to severe. It’s also color-coded to show the priority of each of the risks charted on the matrix.

A risk register also deals with the impact of risk on a project. However, it’s a spreadsheet, not a graphical representation of those risks. Therefore, it provides more detailed information, such as a description of the risk, the response and who’s responsible for identifying and mitigating that risk .

Risk Register Example

Let’s get a better understanding of what a risk register does by making up a risk register example. Let’s say you’re Acme Manufacturing and you’re planning for a large run of widgets that need to be delivered to distributors by a certain date to reach your retailers and customers as expected. Here’s what a risk log example looks like. We used our free risk traking template for Excel to make this example. You can download one for free for your project.

The first step is identifying the risk. You’d give it an ID to make it easier to track. Let’s call this number one, which is equipment malfunction. The next item is describing its impact. If equipment goes down on the assembly line work stops. That impacts the schedule and even the viability of the entire project.

To avoid this issue is to do periodic preventive maintenance, which reduces the likelihood of a breakdown. However, a malfunction is always a risk that might occur, even if the machinery is well-maintained. To mitigate this, you might have backup equipment to keep the assembly line running while the other equipment is being repaired. The risk level depends on the impact this risk might have on your project. The risks listed in this risk register example are high because they affect the project budget and schedule.

Next, is the owner of the risk. That could be John Smith, the mechanic, or Fred Jones, the employee who runs the machine. It could also be both, as Fred could identify the risk when it’s an issue and John is then called to repair the equipment.

If there’s anything that you’d like to add to the risk register, there’s a column for notes in our risk register template. This could be used to track the repair if the risk in fact occurs, or it could capture some other pertinent information not already covered in the risk register.

How to Use a Risk Register In Project Management

The first step in the risk management process is risk identification. Projects are all different, of course, but for organizations that run similar projects year after year, there might be historical data to review to help identify common risk categories for those types of projects.

Additionally, you can anticipate some project risks based on market forces (supply and demand risks, for example), based on common project management issues or even based on weather.

Collect the Project Risks

Collecting the possible risks that can show up when managing a project requires a systematic approach to make sure you’re as thorough as possible. The project risk register is a system, which can then track that risk if it in fact appears and then evaluate the actions you’ve set in place to resolve it.

When registering these risks on a risk log spreadsheet or within your project management software , you have a place to put this data and follow the specific risk event throughout the project, thereby seeing if the risk response actions you’ve put in place to remedy the risk are working. A risk tracking document keeps project risks on a tight leash to mitigate their impact so they don’t ruin your project.

Document the Project Risks

Documenting project risks using a risk register is vital to the success of any project. It gives you one place to identify the risk, note its history—from where it first occurred to where you finally resolve it—and even tag the risk to the person who identified it and manages it. On the risk log, you can note the risk score and how likely the risk will impact the project and so much more.

Monitor the Project Risks

As mentioned, you can assign risks to your team members in your project risk register. That person then is responsible for monitoring the risk and leading any risk response actions required to mitigate the impact of that risk event or address it once it becomes an issue. By documenting this process in a project risk register, you’re less likely to lose track of project risks over the course of a busy project, which means the risks aren’t turning into real issues that can negatively impact the project budget or schedule and compromise the success of the project.

Resolve the Risks

Finally, when the project risk is resolved, you can close it. Nothing is better than checking off that risk in your risk log as no longer a problem in the project. If the risk event has been remedied, you don’t want to continue using resources on a problem that doesn’t exist. It simply gives you more control over your risk management plan and fosters better communication with your project team and stakeholders.

What Is Included in a Risk Register?

Risk registers vary depending on the organization and the project. However, most risk register templates share these commonly used elements:

• Risk identification ID: A name or ID number to identify the risk.
• Risk description: A brief explanation of the risk.
• Risk breakdown structure: A risk breakdown structure is a chart that allows you to identify all your project risks and categorize them.
• Risk categories: There are many risk categories that can impact a project such as a schedule, budget and technical and external risks.
• Risk analysis: The purpose of risk analysis is to determine the probability and impact of a risk. You can either do a qualitative risk analysis or a quantitative risk analysis.
• Risk probability: You’ll need to estimate the likelihood of each risk and assign a qualitative or quantitative value.
• Risk priority: The risk priority is determined by assigning a risk score to each risk, which is obtained by multiplying the risk impact and probability values. If you’re using qualitative measurements, prioritize risks with the highest impact and highest probability.
• Risk response: Each risk needs a risk response to mitigate its effect on your project. Those risk responses are also documented in a risk response plan.
• Risk ownership: Each risk needs to be assigned to a team member who becomes a risk owner. The risk owner is responsible for deploying the appropriate response and supervising it.

How to Create a Risk Register

Let’s go through the steps to create a risk register so we can get the most out of this risk management tool.

1. Risk Identification

Get the project team together to brainstorm potential risks. Every team member is responsible for different areas of the project, so use their expertise to identify potential project-derailing risks. You’ll also want to speak with stakeholders to ensure you’ve brought their concerns to mind and are tracking their risks, too. Be sure to exhaust all risk categories of potential impact, from market forces to resources to the weather.

2. Describe Project Risks

The next thing you want to do is describe the project risk. Try to be as thorough as you can while keeping the description to the essentials. Having too vague a risk makes it a challenge to truly understand whether a risk has become a real issue. For example, don’t write, “the weather” for a risk contingent on the weather. Rather, go for something specifically related to your project, such as, “Monsoon season in India could cause shipping delays for copper which will impact the project schedule .”

As you identify and describe risk, ProjectManager will help you assign ownership to a team member, set the priority and attach any relevant files. Teams can collaborate, share the risk, add comments and tag people. Managers get visibility into the work and everyone is working on the same updated and life data.

3. Estimate Risk Impact

Include everything that the risk can influence, so you can develop a strong strategy to deal with it. For example, if layoffs have been rumored in your business sector regionally, identify the actual impact that might have on your project schedule if it came to pass. For example, “Projected layoffs in Southeast manufacturing could risk production schedules in June. This could delay the entire project execution by three months unless alternative production options are considered.” This tells the risk owner to investigate potential options for manufacturing facilities outside of that region, so a real risk management plan is in place.

4. Create a Risk Response Plan

This is the heavy lifting in the project risk register, so give it the time and effort necessary to complete it properly. You want to be thorough, but not excessive. Keep the risk response plan short and to the point. Do your research, so if the risk shows up in the project you can go right into action. Document all response plans and implementation strategies. If this requires a long document, add a link or add an attachment to the risk response plan document to point directly toward the planned response.

5. Prioritize Project Risks

Not all project risks are created equally. Some of them have a greater impact than others, so you have to decide which are going to move to the front of the line and which are okay to ignore if you don’t have the time and resources. Here you’ll determine the level of risk: high, medium or low. This way you can filter your register and prioritize accordingly.

6. Define Risk Owners

Finally, assign an owner to each risk. If you don’t have a risk owner for each and every potential risk, then you might not know about it until the impact of that risk is irreversible.

There’s one last column in your risk register, and that’s a place to collect any notes that don’t fit under the categories already discussed. It’s important to have a place to put these ideas so they don’t get lost in the endless churn of a project.

Using ProjectManager’s Risk Log Features to Track Risks

ProjectManager is an award-winning project management software with integrated risk-tracking features that allow you to list, manage and collaborate with ease. Once you’ve selected a certain risk, there’s a simple and fast way to edit every aspect of the risk, including its name, description, owner and its level of priority. Even better, you have the ability to add notes, files, images and other attachments to that specific project risk.

Another powerful risk management features is our real-time dashboard. Our project dashboard gives you a snapshot of your project status and is ideal for catching risks before they become issues. This unique feature is valued by project managers all over the world, in major companies like Volvo, NASA and Bank of America.

ProjectManager is online project management software that offers a collaborative risk-tracking tool that gives you all the features you need to identify, track and resolve risks as they become issues in your project. Try it yourself and see how it can make managing risk and the whole project that much easier. Take our free 30-day trial today!

Deliver your projects on time and on budget

Start planning your projects.

Risk Register in Project Management

Risk is such a given in any project that, as we like to say, the biggest risk is ignoring project risk management . One strategy to help you anticipate and plan for potential project risks is creating a risk register and risk report. Project Management Professionals (PMP) use a risk register and risk report on risk-driven projects or risk-aware projects.

This risk register overview by your experts at Project Management Academy is your complete resource on the “who, what, when, where, and why” of risk registers in project management.

On this page:

Risk Register PMP definition & purpose

When is a risk register created, who creates a project risk register, what is included in a risk register, risk register pmp how-to guide.

Get Your Comprehensive Guide to Risk Management

Learn how to manage risk in every project.

A risk register is a document used to track and report on project risks and opportunities throughout the project’s life cycle. The contents of this tool can help you identify and organize information about potential issues that can impact project elements and outcomes. Here are some other uses of a risk register:

• Identifying potential risks
• Predicting the probability of a risk event occurring
• Putting controls in place to mitigate risks
• Establishing a response plan in the event a risk occurs
• Creating a risk report to summarize overall project risk, communicate to project stakeholders, and support overall risk management
• And much more!

For some projects, risk registers are required to meet compliance regulations. However, a risk register is an essential PMP exam tool for any project, no matter the size, complexity, or industry. Although it is impossible to anticipate every possible risk that could affect your project, a risk register will help you establish an effective risk management plan to prevent risks from derailing your project.

What is the difference between an issue vs. a risk?

While risk is an event that has not happened yet, an issue is an event that has already happened. Both issues and risks describe problematic events or conditions that can impact your project elements or outcomes.

As a project manager, you should know how to store, track, and organize information about both risks and issues. The document you use to store content about risks is called a risk register , while the document you use to store content about issues is called an issue log .

A risk register is created when a project carries many moving parts or much risk. The more complex a project is, the more critical it is to create a risk register. However, having a risk register is helpful for any project. Even including a simple spreadsheet in your project plan can help you track and mitigate risks.

Similarly, while a risk register is typically created during the project’s execution phase, it is never too early to begin thinking about risk management. Risk management should start as soon as project planning does. The sooner you create your project risk register, the sooner you will have a thorough document on hand to help you manage and report on risk.

Project managers are typically responsible for creating a project risk register. However, if your project team includes a dedicated risk management professional, such as a PMI Risk Management Professional (PMI-RMP)® credential holder, creating and maintaining the content in the risk register would be their job.

Despite this, every project team member should contribute content to the risk register if possible. One person might be aware of a risk that no one else knows about, and in addition, anyone could potentially be impacted by any risks to the project. As a result, it can help to collaborate in identifying risks and appropriate risk response plans.

There are many ways to go about creating a risk register, and there is no single correct method. You might need to include much detail in your risk register, or you might need a simple tool to help you stay organized. The contents of your risk register should at least capture the following:

• Qualitative and quantitative data about potential risks
• Estimates regarding the potential impact of the risk
• An outline of your established response plan
• Who on the project team will take ownership of the risk

This list is also a helpful general guide to the order in which you should acquire risk information. If you want to get more detailed, the following components can help you break down and organize project risk content on a more granular level:

• Risk Identification: a name or ID number to identify the risk. This element can be as simple as a reference number or letter.
• Risk Description: a brief explanation of the risk event or conditions that may trigger the risk event.
• Risk Probability: the likelihood of a risk event occurring
• Risk Impact/Categories: a description of which categories can impact or be impacted by the risk event, such as schedule, budget, scope, quality, or more.
• Risk Priority: the risk score, which can be determined quantitatively (by multiplying the risk impact and probability) or qualitatively (by putting risks in the order of the highest impact and highest probability)
• Risk Response Plan: a description of the actions you will take to mitigate the effects of a risk event if it occurs
• Risk Ownership: a description of who will become the risk owner and take on the responsibility for deploying and supervising the risk response plan

Now you know what goes into a risk register, let’s go over some recommendations for creating your PMP risk register.

Studying for the PMP Exam?

Over time, you will be able to determine what content you need in your risk register to meet the needs of your specific industry and project types. When you first begin, try using a sample PMP exam risk register such as the Project Management Academy template .

Using a risk register template as a reference will help you familiarize yourself with the process of gathering, calculating, and documenting all the necessary information. As you become more familiar with risk registers, you can adapt these practices to your needs.

Follow these steps to add content to your risk register using the Project Management Academy PMP risk register template as your guide.

1. Identify all potential risks

Your first step in creating a risk register is identifying risks. This step is essential in effective risk management. It can be challenging to identify every single possible risk, but here are some tips to help you add content to your risk register:

• Review historical data. If your organization has run a similar project in the past, there may be common risks to add to your register.
• Check-in with stakeholders. Your project team members, clients, and other stakeholders may be aware of potential risks that you don’t know about, so ensure you ask for their input.
• Do some market research. Market research will help you discover potential external risks, such as supply and demand, common project management issues, or past project information shared by other organizations and project managers.

Once you have identified all potential risks, you can organize your content in a risk breakdown structure.

2. Layout your risk breakdown structure

A risk breakdown structure is a tool to help you organize your risk register. You can use your risk breakdown structure to categorize risks, track data, and compare information about various risks. Examples of risk breakdown structures include charts or spreadsheets structured to classify and compartmentalize project risk content logically.

Keeping an organized risk breakdown structure is critical to risk reporting. Your risk register is the primary tool you will use to track and report project risks to stakeholders.

3. Gather qualitative data about each risk in your risk register

Qualitative project risk data can include your risk identification, risk description, and some or all elements of your risk analysis. For example, a risk description or risk statement can be phrased in the following ways:

• EVENT may occur, causing IMPACT
• If CONDITION exists, EVENT may occur, leading to EFFECT

In this sample content, the capitalized words represent variables on the specific risk you describe.

Risk analysis can be done either qualitatively or quantitatively. Here are some examples of qualitative risk analysis:

• Risk probability : is the chance of a risk event happening low, medium, or high?
• Risk impact/categories : will a category impact or be impacted by a risk event, and is the impact likely to be low, medium, or high?
• Risk priority : how would you describe each risk’s combined probability and impact score? For example, if a risk’s probability is low and its potential impact is medium, its priority is medium-low.

There may be other qualitative components to each risk, but these content elements provide a great starting point to help you break each risk down in more detail.

4. Calculate quantitative data about each risk in your risk register

If you are performing quantitative risk analysis, here are some examples of how you would adjust your approach:

• Risk probability : calculate the likelihood of the risk event or condition occurring and express it as a ratio or percentage.
• Risk impact/categories : score the potential impact of the risk on each of your project’s objectives or categories using a standardized number system.
• Risk priority : multiply the probability by the impact score to calculate a risk priority level.

Risk quantification can help you evaluate your identified risks and develop data to support your decision-making processes.

5. Determine the order of priority for your risk register

Once you have established the risk priority level for each risk event or condition in your risk register, you should order them within your risk breakdown structure by priority level. Arranging your risk register content by order of priority will give you a better picture of your highest-priority risk, any related risk events, and more.

6. Outline your risk response plan

Understanding each risk event’s priority level will also help you determine the urgency for your relevant risk response plans. You should come to a consensus with your project stakeholders about a favorable risk response for each item in your risk register, including identifying the risk owner who will oversee the execution of the risk response plan if the risk becomes an issue.

Ideally, your risk response plan will lower the likelihood of the risk occurring, reduce the impact of each risk on your project categories, or eliminate the risk. Ensure you think about how your risk response plan may impact your project’s budget, timeline, and other categories as well.

Having a risk register to record and track all identified project risks is essential to the success of your project. This crucial tool in the risk management process can help you avoid problems or mitigate their effects on your project outcomes.

Do you want to learn more about risk management for the PMP exam and project management? Read our resources on risk audits in project management or how to apply risk management in your projects .

Risk management is critical in project management. That’s why the Project Management Professional certification and the PMI Risk Management Professional (PMI-RMP)® certification both emphasize practical risk management skills. Get in touch with your Project Management Academy experts to learn how to hone your risk management skills.

Upcoming PMP Certification Training – Live & Online Classes

Erin Aldridge, PMP, PMI-ACP, & CSPO

• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link Mastering Scope Management Plan in PMP: A Comprehensive Guide
• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link Crafting Effective Project Scope Statements for Project Management Success
• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link What Is Control Scope Process: A Complete Explanation
• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link Master the PMP Application Process: Step-by-Step Guide

Popular Courses

PMP Exam Preparation

PMI-ACP Exam Preparation

Lean Six Sigma Green Belt Training

CBAP Exam Preparation

Corporate Training

Project Management Training

Agile Training

Read Our Blog

Press Release

Charitable Contributions

Connect With Us

PMI, PMBOK, PMP, CAPM, PMI-ACP, PMI-RMP, PMI-SP, PMI-PBA, The PMI TALENT TRIANGLE and the PMI Talent Triangle logo, and the PMI Authorized Training Partner logo are registered marks of the Project Management Institute, Inc. | PMI ATP Provider ID #3348 | ITIL ® is a registered trademark of AXELOS Limited. The Swirl logo™ is a trademark of AXELOS Limited | IIBA ® , BABOK ® Guide and Business Analysis Body of Knowledge ® are registered trademarks owned by International Institute of Business Analysis. CBAP ® , CCBA ® , IIBA ® -AAC, IIBA ® -CBDA, and ECBA™ are registered certification marks owned by International Institute of Business Analysis. | BRMP ® is a registered trademark of Business Relationship Management Institute.

• Creative & Design
• See all teams

For industries

• Manufacturing
• Professional Services
• Consumer Goods
• Financial Services
• See all industries
• Resource Management
• Project Management
• Workflow Management
• Task Management
• See all use cases

Explore Wrike

• Book a Demo
• Take a Product Tour
• ROI Calculator
• Customer Stories
• Start with Templates
• Gantt Charts
• Custom Item Types
• Project Resource Planning
• Project Views
• Kanban Boards
• Dynamic Request Forms
• Cross-Tagging
• See all features
• Integrations
• Mobile & Desktop Apps
• Resource Hub
• Educational Guides

Upskill and Connect

• Training & Certifications
• Help Center
• Wrike's Community
• Premium Support Packages
• Wrike Professional Services

Explore Wrike for Enterprise

• Enterprise Overview
• Enterprise Customers
• Enterprise Features

What is a risk register in project management?

August 26, 2024 - 10 min read

Project managers have a number of tools in their arsenal that can help them address potential challenges and obstacles. One such tool is the project risk register. But what is a risk register, how do you use one, and how can it keep your next project from being derailed?

We’ve created this guide to answer the above questions and help project managers handle risks better. This is part of our larger effort to give project managers the knowledge and tools they need to manage their projects successfully. In this guide, we’ll walk you through exactly what to include in your project risk register and provide details on when and how to build and maintain one for your next project. 

What is a risk register? 

A project risk register is a tool project managers use to track and monitor any risks that might impact their projects. Risk management is a vital component of project management because it’s how you proactively combat potential problems or setbacks. 

Using a project risk register, also called a risk log, is an essential part of this risk management process. 

What is the purpose of a risk register?

The purpose of a project management risk register is to identify, log, and track potential project risks. A risk in project management is anything unexpected that could happen that would positively or negatively affect your project. 

Any time someone identifies something that could impact your project, it should be assessed by the team and recorded in your risk register. 

As Adriana Girdler, project management coach and founder of CornerStone Dynamics, reminds us :

A risk register is something that you should already have created from the beginning of the project so you can keep it in the back of your mind and ensure that you know how to handle those risks if and when they occur. Adriana Girdler, Founder, CornerStone Dynamics

Why do you need a risk register? 

You need a risk register because, as projects get larger, longer, and more complex, it becomes increasingly difficult to stay on top of everything. If risks aren’t tracked in a central location and reviewed regularly, something may be missed or forgotten. 

A four-year field study examining risk management practices across 35 large projects in 17 high-technology companies found that about half of the risks went undetected until they had already impacted the projects.

Some risks may seem small or unlikely at first but have the potential to impact your project nonetheless. Examples of project risks can include:

• Data/security risk (materials being hacked or stolen)
• Legal risk (litigation or changes in the law that impact the project) 
• Catastrophic events (fire, flooding, storm damage) 
• Supply chain disruption 

Risk management is about identifying potential problems early so you can decide how to handle them. It also empowers you to track risks over time to see if and how they’re changing. 

When a risk is first identified, you might consider it so unlikely that you don’t bother doing anything about it. But what if, as the project progresses, the risk becomes a lot more likely to occur? By tracking your risks, you can notice changes like this early enough to take action. 

Who creates a project risk register?

If you’re working on a very large, complex, or critical project, you may have a risk coordinator or risk manager on your team. In this scenario, it would be their job to create and maintain the risk register. 

However, for most projects, responsibility for creating the risk register falls on the project manager. 

This doesn’t mean the risk manager or project manager is responsible for identifying or taking action against all the risks. Everyone on the project team and anyone potentially impacted by the project’s success should help identify and assess risks. 

For instance, the client or sponsor may be aware of a potential problem that no one on the project team knew about.  

What is included in a risk register?

A risk register is essentially a table of project risks that allows you to track each identified risk and any vital information about it. 

Standard columns included in a project risk register are:

• Identification number (to quickly refer to or identify each risk)
• Name or brief description of the risk
• Risk categories (internal or external, related to materials or labor, etc.) 
• Probability (how likely the risk is to occur)
• Impact (if the risk takes place, how seriously will it impact your project)
• Rating (where does this risk fall on your priority list)
• Approach (will you monitor the risk, try to mitigate it, avoid it, etc.)
• Action (if you plan to mitigate or avoid the risk, what are the steps involved, and when will they occur)
• Person responsible for overseeing or mitigating the risk

How to create a risk register

According to the latest edition of the PMBOK® Guide , risk register can be created using several criteria:

• Probability
• Manageability
• Controllability 
• Detectability
• Connectivity
• Strategic impact
• Propinquity (i.e., proximity)

These factors help assess the nature and severity of risks to effectively prioritize management efforts. To create a risk register, all you need to do is build a table with the columns covered above and start populating it with project risks. 

Let’s go through a couple of the columns in more detail to help you determine how to fill them in:

Risk categories: The purpose of the categories is to help you sort risks to make it easier to monitor them and understand what they impact. You should customize these categories to your business and project. You may even choose to have columns for separate categories. For instance, you may want a column identifying what sprint might be impacted and another identifying what type of work (development, testing, etc.) will be impacted.

Probability and impact: There are two ways to assess risk: qualitative and quantitative. Qualitative is the simplest and most common form. With this approach, you generally assess probability and impact on a five-point scale such as very high, high, medium, low, and very low. Quantitative risk requires assigning numerical values. Instead of saying there could be a “high” impact, you need to define it in quantifiable terms, such as a four-week schedule delay or a 5% increase in cost. 

Rating: If you’re using a qualitative risk assessment method, your rating is typically probability multiplied by impact. If the probability is high (4) and impact is medium (3), then your rating would be 12 (4 x 3). This method gives you a simple way to sort and prioritize risks quickly.  Quantitative risk analysis isn’t quite as simple. It’s difficult to compare and rank a 60% chance of a two-week schedule delay with a 40% chance of a 10% increase in costs. To make this work, you’ll need to rate the schedule and budget impacts so they can be compared. For instance, you might consider a six-week delay and a 10% budget increase to both be a “very high impact” and assign them a “5.” 

However you choose to track and assess risks, make sure the process is standardized across your project. If team members assess risks differently or fill out columns inconsistently, it makes it harder to view, track, and prioritize your project risks. 

With Wrike, you can create blueprints and custom workflows for your team to ensure everyone follows the same path.

Common pitfalls in risk register management

But wait! Before you start drawing up your risk register, you should be aware of the potential obstacles. Here are just a few:

Neglecting regular updates

Risk registers are dynamic tools that should evolve as the project progresses. Failing to update them regularly can result in the oversight of emerging risks and outdated responses to existing ones. 

Imagine you have a long-term construction project. If the risk register isn’t updated to reflect changes such as new environmental regulations or changes in supplier reliability, the project could face delays or increased costs that weren’t anticipated, leading to overruns. 

To avoid this, you should have a structured schedule for updating the risk register, ideally aligning with project milestones or weekly team meetings.  

Overlooking smaller risks

Managers often focus on more dramatic or immediate risks, potentially missing out on the cumulative effect of smaller, more frequent issues. 

For instance, in software development projects, small risks like minor bugs in code seem manageable individually but can collectively lead to major functionality issues or user dissatisfaction if they are not tracked and addressed. 

How do you fix this? Encourage team members to report all potential risks, not just the major ones. 

Failing to prioritize risks

Without prioritizing risks based on their potential impact and likelihood, resources may be misallocated, focusing too much attention on less critical issues. 

For example, a technology firm may face various risks, from data breaches to supplier delays. Without clear prioritization, the firm might spend excessive resources safeguarding against unlikely data breaches while neglecting more probable risks like delays, which could directly impact client deliverables. 

To counteract this, use a quantifiable method to assess and prioritize risks. A risk matrix , for example, will help you evaluate each risk’s impact and probability.  

Creating vague risk descriptions

A risk register with poorly defined risk descriptions is a no-no. 

If a project risk is listed as “potential project delay,” this does not provide enough information for effective action. However, specifying “potential delay due to critical component shortage from supplier X” gives clear direction for mitigation efforts.

Train team members on how to write clear, actionable risk descriptions. Include examples and templates in risk management training sessions to standardize the quality of entries in the risk register.

Ignoring risk interdependencies

Risks in a project do not exist in isolation; they often influence one another. 

For example, in an infrastructure project, a delay due to bad weather might also affect the availability of the workforce, which in turn could delay subsequent phases of the project, like installations or inspections.

Use risk mapping tools to visualize and understand how different risks relate. Regularly review these connections and adjust the risk register and mitigation plans to reflect the interdependent nature of project risks.

Challenges in maintaining a risk register

So, now you’re aware of the best practices. However, maintaining a risk register can still be a complex process. Here’s how to navigate the most common challenges:

• Solution: Regularly communicate the importance of their contributions and update them on how their input has influenced the project. (See more tips on stakeholder communication below!)
• Solution: Assign each risk to a suitable team member and clarify their responsibilities in managing it.
• Solution: Use clear, concise language and avoid jargon; supplement with detailed appendices or links if necessary.

How to communicate risks to stakeholders using a risk register

Tricky stakeholders? It wouldn’t be the first time! Stakeholder management is a skill that’s definitely worth your while honing. Here’s how you can use a risk register to communicate project updates effectively to stakeholders:

• Share updated risk registers at consistent intervals to ensure stakeholders have the latest risk information.
• Write the risk descriptions in straightforward language to make them accessible to everyone, regardless of their technical background.
• Draw attention to the most critical risks by placing them prominently or using distinctive colors.
• Clearly show who is responsible for each risk to demonstrate accountability and ongoing monitoring.
• Explain what could happen if a risk becomes a reality, helping stakeholders understand potential consequences.
• Use charts or graphs to make the risks’ probability and impact visually clear and immediately apparent.
• Open a channel for stakeholders to give feedback on the risk register, allowing for additional insights and engagement.
• Organize briefings or workshops to help stakeholders understand the importance of risk management and how the risk register aids in this effort.

Risk register example

Example 1: Machinery breakdown leading to production stop

• Risk description: A crucial machine in the production line unexpectedly fails.
• Impact: This causes an immediate halt to all production activities.
• Probability: Given the machine’s reliability history, the likelihood is low.
• Mitigation steps: Implementing a regular maintenance schedule and establishing rapid-response agreements with repair services are important steps.
• Owner: Christine is responsible for monitoring the machine’s performance and coordinating swift repairs when necessary.

Example 2: Machinery breakdown causing production delays

• Risk description: In this example, the same essential machine experiences minor issues that reduce operational efficiency.
• Impact: Production continues but at a slower pace, leading to potential delays in meeting order deadlines.
• Probability: This risk is more likely to occur than a complete shutdown.
• Mitigation steps: Regular inspections, maintaining a stock of essential spare parts, and training staff for quick, onsite repairs can mitigate this risk.
• Owner: John ensures that preventative measures are in place and operational staff are prepared to address minor issues without external help.

These examples are visually represented in the risk register table below. This simple risk register example will help you create a risk log for your next project.

Risk registers in real life

Case study: u.s. border patrol.

The U.S. Border Patrol facilities and tactical infrastructure project is a true example of how comprehensive a risk register needs to be to effectively manage large-scale infrastructure projects.  

The risk register for this project categorized risks into several key areas, including construction, contractor performance, design, environmental issues, external entity compliance, latent conditions, real estate, and project scope. 

Each risk was defined specifically to ensure measurable and actionable mitigation strategies. For example, the risk of flood conditions during construction was mitigated by requiring the contractor to ensure levee or wall protection within 48 hours of the government’s notification. 

Case study: Bedford Borough Council

Kempston Town Centre was a project designed by Bedford Borough Council to boost the local economy by upgrading infrastructure and public areas. At its inception, the project team outlined a clear risk management strategy, including establishing a risk register. The project manager, responsible for overseeing the risk management process, ensured that the risk register was regularly updated to reflect the evolving nature of the project. 

The team held meetings to talk about risks at important times during the project:

• When the project designs were being drawn up and halfway through this phase
• When they were choosing companies to buy supplies from
• After choosing these companies and during the building phase

These meetings were important for everyone to stay on the same page and keep the risk register relevant. Early on, the team noted risks like design errors or delays. With the risk register, they could adjust their plans in time to avoid slowdowns. 

The register also helped the team foresee issues like delays from suppliers. They planned for these by having backup suppliers ready.

Use Wrike to create an effective project risk register 

Did you know that you can build, update, maintain, and share your risk register right in your project management software ? Thanks to Wrike’s custom fields, it’s easy to create and modify your register to reflect exactly what columns and categories you need to track. 

Plus, you can easily share it with your team and other stakeholders to get their input. You can also incorporate it into your reports and dashboards , so risks are always top of mind and nothing important gets overlooked.  

Key takeaways

Information overload? We’ve got you — just remember these key points from the article:

• A risk register is used to identify, log, and track potential project risks. 
• The responsibility for the risk register usually falls on the project manager.
• Risk registers include standard columns such as identification numbers, risk categories, probability of risk, impact of risk, ratings, and more.
• It’s best to use a systematic approach to prioritize risks based on their impact and likelihood. PMI outlines 11 key factors to assess the nature and severity of risks.
• The risk register should be regularly updated and adjusted to reflect new insights and changes in the project environment.

Next steps to implement what you’ve learned

• Create a risk register at the start of your project, including all necessary columns and definitions.
• Establish a regular schedule for reviewing and updating the risk register.
• Conduct a risk identification workshop with your project team to gather diverse insights.
• Assign a team member to each risk for monitoring and management.
• Provide training to ensure all team members understand how to use and update the risk register.
• Be flexible and ready to adapt your risk management strategies based on real-time project developments and stakeholder feedback.
• Use project management software like Wrike to track risk management activities and progress.

Ready to build your first risk register? Start your free trial of Wrike today.

Occasionally we write blog posts where multiple people contribute. Since our idea of having a gladiator arena where contributors would fight to the death to win total authorship wasn’t approved by HR, this was the compromise.

Related articles

What is risk identification in project management?

Project risk identification is not just for enterprises but a practice that should sit at the core of any business’s modus operandi.

How to build a robust risk management framework

When things veer off track, does your organization have a backup plan? If not, you need to check out Wrike’s guide to creating a risk management framework.

How Gantt charts help with risk management

Here’s how to use Gantt charts to manage risks for smoother project execution.

Get weekly updates in your inbox!

You are now subscribed to wrike news and updates.

Let us know what marketing emails you are interested in by updating your email preferences here .

Sorry, this content is unavailable due to your privacy settings. To view this content, click the “Cookie Preferences” button and accept Advertising Cookies there.

How to Create a Risk Management Plan for Your Project

Industry Advice Management

A project manager has many responsibilities within their organization, all of which revolve around initiating, planning, executing, monitoring, and controlling projects that deliver on various strategic goals. 

While each of these discrete steps in the project life cycle is critical in its own right, the planning phase is perhaps the most impactful in how it can determine the success—or failure—of all of the phases that come after it. It’s for this reason that project managers are responsible for creating various plans for the projects they helm.

While the project plan is often considered the most important of these plans, it is not the only one. A number of subsidiary plans are also recommended and, in many cases, required. 

The risk management plan is one of the most crucial of these subsidiary plans, as it forces the project manager to plan for potential disruptions and opportunities the project may encounter. Below, we define what “risk” means in terms of project management, take a look at what the risk management plan actually is, and walk through steps you can follow to create a risk management plan for your next project. 

Download Our Free Guide to Advancing Your Project Management Career

Learn what you need to know, from in-demand skills to the industry’s growing job opportunities.

DOWNLOAD NOW

What is project risk?

When it comes to project management, the term “ risk ” specifically refers to factors or events which might influence the final outcome of the project. 

Some of the most common project risks are those which impact a project’s constraints . This includes the triple constraint of a project’s cost or budget, its timeline or schedule, and its scope—all of which can affect the final quality or performance of the project. Yet there are many other kinds of risk that project managers should be aware of, as well, and the risk management plan is used to identify each of these potential disruptors. 

While risk is often assumed to be a negative, it is important to note that project risk can also occasionally be positive, depending on how the event impacts the project. 

For Example: Consider a project that is heavily dependent upon the price of oil. In creating their project’s budget, the project manager would likely look to oil’s historical prices, and use those figures to forecast the project’s budget. If the cost of oil were to suddenly and unexpectedly drop, however (as it did during the depths of the Coronavirus lockdowns ), then the project would likely come in under budget. This is technically a positive risk, because it is an event which led to a positive outcome for the project.

Project manager’s should aim to understand not only the negative risks which might impact their project, but the positive risks as well, says Connie Emerson , assistant teaching professor for Northeastern’s Master of Science in Project Management program. 

She explains that by understanding those potential positive events, project managers can take steps to increase the probability of them occurring so that the project can take advantage of that and realize the benefits.

What is a risk management plan?

A risk management plan is a subsidiary plan which is usually created in tandem with a project plan. This plan outlines the approach for how the project team is going to conduct risk work , or those tasks related to project risk.

“By creating a risk management plan, you are seeking to understand how you are rating risks, how much risk your stakeholders will tolerate, how you will pay for risks in the event they become a reality, and more,” Emerson says. “So it’s critical to have conversations about your general approach, as a team, to risk work and also making sure that your key stakeholders agree.”

Risk Management Plan vs. Risk Register

Emerson notes that it’s important for project managers to understand that, while some individuals will use the terms interchangeably, the risk management plan and the risk register are in fact separate documents, though they are related and each is important to the success of the project.

While the risk management plan outlines your team’s risk management process and approach to handling risk work, Emerson says that “the risk register is your list of risks, your analysis of those risks, and what you are planning to do about them.”

Emerson goes on to note that while you might apply your risk management plan to several different projects, the risk register should be tailored to the specifics of a given project. 

How to Create a Risk Management Plan & Risk Register

1. define your approach through the risk management plan..

The first step in creating a risk management plan is to outline the methods that you and your team will use to identify, analyze, and prioritize risk. You should aim to answer the following questions:

• How are we going to identify risks to the project?
• What techniques are we going to use to analyze those risks?
• How will we decide what to do in the event a risk becomes a reality?
• What is the communication plan for a risk event?
• Which stakeholders should be kept apprised of project risks?

You should also determine how you will communicate with key stakeholders about risk, as well as how you will respond to risk if and when it materializes. 

Emerson notes that this is also the point in the process where you should identify the key stakeholders for your project and work to measure their levels of risk tolerance. Just as an investment advisor should tailor their investment strategy to the risk tolerance of their clients, a project manager should tailor their risk management strategy to the risk tolerance of their project’s stakeholders. 

2. Use your risk management plan to create your risk register.

Once you have answered all of the questions above, crafted a risk strategy, and codified it in your risk management plan, you will then use that methodology to create a risk register for the project you are currently working on. 

While it’s important to be thorough in creating your risk register, Emerson notes that perfection can sometimes be the enemy of progress. Instead of viewing risk work as an item which must be crossed off of a checklist before a project can begin, Emerson recommends that project managers view it as an ongoing, iterative process.

“You don’t just create your risk register and then be done with it,” Emerson says. “It’s something you actively manage and modify throughout your project. This keeps you agile, while also allowing the project to actually begin. If you approach your risk register like something that must be exhaustive before the project can kick off, you’ll be doing risk work forever, and the project will never get done.”

3. Identify risk events and the potential impact of those risks. 

The next step is to actually go about identifying risk events for your project, which will form the basis for your project’s risk register.  

“Ask yourself: What are the risks?” Emerson says. “Some people might say, ‘Well, we might miss a date, and that’s a risk.’ But that’s not really a risk. That’s an impact of a risk. So why might we miss the date? What’s the root cause for that impact? If you can understand the root cause that drives a risk event, it’s possible to preempt it before it becomes an issue.”

Emerson notes that it is important not just to think about potential risks, but also the impact that risk might have on the project.

“When I’m writing my risk statements, I’m usually thinking: Because of X [event], Y [risk] might occur, causing a Z [impact],” she says.

It’s important at this stage to also review your list of potential risks with other members of your team, key stakeholders, key vendors and suppliers, and even subject matter experts who aren’t a part of your team. Each of these individuals will bring their own point of view to the challenge of identifying risk, which can ensure that you haven’t missed anything with the potential to affect your project.

4. Analyze, prioritize, and assign risk. 

Once you have built out a thorough list of all of the risks associated with your project, the next step would be to analyze those risks. 

“There are lots of ways to analyze risk, both qualitatively and quantitatively,” Emerson says. “For many companies, qualitative analysis is enough because you’re just trying to decide if you need to actively do something about a risk, or if you can just keep an eye on it.”

Exactly how you analyze your project risks will be dependent on the situation you find yourself in. Emerson notes that many organizations will grade risks based on probability and impact, and use those two scores to determine which risks warrant the most effort to control. Those risks which score high on both probability and impact are logically often prioritized in risk management plans, while those that score low on both probability and impact are deprioritized.

Using this understanding, you might then assign each member of your team one or several risks which they are responsible for monitoring and assessing throughout the course of your project.

5. Plan your risk response. 

Armed with your prioritized list of risks, it is now possible to plan the responsive action that you will take in the event that a risk becomes a reality.

“It’s a matter of using that analysis to guide what you do about the risk and trying to match your response to the risk,” Emerson says. “If it’s a little risk, you don’t want to spend millions of dollars dealing with it. At the same time, you don’t want to under-prepare either.”

Emerson notes that while risk work may seem reactive, a skilled project manager will be proactive in recognizing and minimizing risks before they become an active issue capable of derailing a project. 

6. Monitor and adjust accordingly.

Once you’ve identified your risks, prioritized them, and planned your response, the final step is to monitor your risk throughout the course of the project, says Emerson. Keep your risk register up to date, adding or removing risk events as necessary as the project unfolds. 

Additionally, after a project is completed, revisit your risk management plan and ask yourself: What worked? What didn’t? Is there anything that you can learn from the project that will allow you to adjust your risk management strategy to avoid similar issues in the future?

Emerson goes on to explain that if a risk event occurs, pay attention to it. Identify what happened, how you responded to it, how it impacted the project, etc. All of these insights can make you more effective at risk management in future projects.

Learning to Manage Risk

All projects will contain at least some level of risk. While a project manager cannot possibly prevent all risk events from occurring, it is the project manager’s duty to identify and plan for risk when possible. As such, risk management is a crucial skill for any current or aspiring project manager to develop.  

It’s for this reason that the Master of Science in Project Management at Northeastern emphasizes risk management as a central piece of the core curriculum required to complete the degree. Paired with courses on project scope management, project quality management, and project scheduling and cost planning, the program aims to train students who will graduate ready to immediately put their education into action managing projects.

To learn how a master’s degree in project management can help advance your career, download our free guide to breaking into the industry below.

Subscribe below to receive future content from the Graduate Programs Blog.

About scott w. o'connor, related articles.

Master’s in Project Management or MBA: What’s the Difference?

6 Project Management Trends Emerging in 2023

Master’s Degree Comparison: Sports Leadership vs. Sports Management

Did you know.

Employers will need to fill 2.2 million new project-oriented roles each year through 2027. (PMI, 2017)

Master of Science in Project Management

Behind every successful project is a leader who forged its path.

Most Popular:

Tips for taking online classes: 8 strategies for success, public health careers: what can you do with an mph, 7 international business careers that are in high demand, edd vs. phd in education: what’s the difference, 7 must-have skills for data analysts, in-demand biotechnology careers shaping our future, the benefits of online learning: 8 advantages of online degrees, how to write a statement of purpose for graduate school, the best of our graduate blog—right to your inbox.

Stay up to date on our latest posts and university events. Plus receive relevant career tips and grad school advice.

By providing us with your email, you agree to the terms of our Privacy Policy and Terms of Service.

Keep Reading:

Top Higher Education Conferences To Attend in 2024

Grad School or Work? How To Balance Both

Is a Master’s in Computer Science Worth the Investment?

Should I Go to Grad School: 4 Questions To Consider

Project risk management guidance

Guidance on risk management for Science and Technology Facilities Council (STFC) research projects.

Project risk management guidance (PDF)

PDF , 299 KB

If you cannot open or read this document, you can ask for a different format.

Email [email protected] , telling us:

• the name of the document
• what format you need
• any assistive technology you use (such as type of screen reader).

Find out about our approach to the accessibility of our website .

An outline of principles and steps used in the STFC risk management process, and guidance to using a risk index.

This is the website for UKRI: our seven research councils, Research England and Innovate UK. Let us know if you have feedback or would like to help improve our online products and services .

Why You Need a Project Risk Register

Download This Template »

What You Will Learn

• 1 It helps you plan
• 2 It helps you get your priorities right
• 3 It helps you prepare your budget
• 4 It helps you get ownership for action plans

It helps you plan

One key item on a risk register is the action plan that you’ll take to manage the risk. For example, you might have some tasks to do to mitigate against the risk happening, or you might have some contractual negotiations to do if you plan to transfer the risk to another party.

These items need planning, just like any other project task. So your risk register serves as a place to ‘find’ additional actions that need to go on your main project schedule. All project tasks take work, and you may have to reorganize your team members’ priorities in order to get these risk management actions done in a timely manner. You’ll get a complete picture of their workload if you include the risk management tasks in your resource plans and project schedule.

It helps you get your priorities right

Which risks are likely to have the biggest impact on your project? If you don’t know this already, your risk register can help. With all the risks captured in one place, you can easily go through them and establish which has the largest impact. This will help you schedule your risk management actions, as you can put the most resources on managing the biggest risks. 

It also helps with your reporting – project sponsors aren’t going to want to read about 120 different risks every month, but they will want to know the latest status of the top 5.

It helps you prepare your budget

Have you factored the cost of managing project risk into your project budget? Many project managers don’t, and then when they come to implement their risk management action plans, find that they don’t have the money to carry out the required tasks. The project team will have to work additional hours on these tasks, and some of your risk management items may incur additional costs, like the legal fees for negotiating insurance contracts for risk transference. Many mitigating actions will also cost money as you put your ‘Plan B’ in place, just in case.

These costs should all be added to your project budget. It’s likely that you won’t know what you want to do about all the risks (and you probably won’t know about all the risks, either) when the project starts, so make sure that you have some budget allocation for risk management activities.

If you don’t have the funds to manage all the risks in the way you planned, you’ll have to prioritize, so go back to your risk register log to work out how to spread the budget between the highest priority risks. There’s no point spending lots of money on a risk that isn’t really a great worry!

It helps you get ownership for action plans

The risk register also includes the name of the person who owns the risk. This is a separate field, and the risk owner is normally someone from the project team who is taking responsibility for seeing through the action plan related to that risk. They will most likely work with others to complete the risk management activities, but for the purposes of ownership and reporting, they are your main contact. 

Having this documented in the risk register is a good way to ensure that people know they are responsible and are prepared to step up and see that the work is carried out. Try to spread the responsibility around so that subject matter experts become responsible for risks in their field of expertise, otherwise you’ll end up managing them all and that will become very difficult.

Convinced about the value of a risk register? I hope so! If you don’t already have a risk register on your project, now is the time to set one up. If you do have a risk register, when was the last time you dusted it off and updated it? Check that every risk has a priority and an owner, and check that the actions are costed, included in your budget and noted on your project schedule. Then you’ll be prepared for whatever comes you way!

Are you using a Risk Register in your projects?

Ask a question

Start a discussion.

• Atlassian logo Jira Product Discovery
• Jira Service Desk Jira Service Management
• Confluence Confluence
• Trello Trello
• Atlassian logo Atlassian Guard

Community resources

• Announcements
• Documentation and support

Atlassian Community Events

• Atlassian University
• groups-icon Welcome Center
• groups-icon Featured Groups
• groups-icon Product Groups
• groups-icon Regional Groups
• groups-icon Industry Groups
• groups-icon Community Groups
• Learning Paths
• Certifications
• Courses by Product
• Live learning
• Local meet ups
• Community led conferences

Get product advice from experts

Join a community group

Advance your career with learning paths

Earn badges and rewards

Connect and share ideas at events

• Featured Groups
• App Central

Implementing ISO 31000 with Risk Register by ProjectBalm

Was this helpful.

Craig Schwarze _ProjectBalm_

About this author

Founder at ProjectBalm

ProjectBalm

8 accepted answers

127 total posts

• +22 more...
• project-management
• risk-management
• Community Guidelines
• Privacy policy
• Notice at Collection
• Terms of use
• © 2024 Atlassian

Download Free Risk Register Templates

By Kate Eby | September 20, 2018

• Share on Facebook
• Share on LinkedIn

Link copied

This article provides free, customizable risk register templates and forms in Excel, Word, and PDF formats. Learn what to include and how to identify and track risk to ensure successful project completion.

Simple Safety Risk Register Template

Download Simple Safety Risk Register Template - Excel

Use this basic risk register template to evaluate safety risks, calculate the priority based on probability and potential impact, make notes on mitigation strategies, and assign the risk to a team member.

See how Smartsheet can help you be more effective

Watch the demo to see how you can more effectively manage your team, projects, and processes with real-time work management in Smartsheet.

Watch a free demo

Simple Business Risk Register Template

Download Simple Business Risk Register Template

Excel | Smartsheet

Use this basic risk register template to evaluate risks to your business, calculate the priority based on probability and potential impact, make notes on mitigation strategies, and assign it to a team member to manage.

Risk Register Template

Download Risk Register Template

Excel | Word | PDF | Smartsheet

Use this preformatted, customizable risk register template to create a targeted action plan to identify and mitigate risks as they arise. With space to document risk descriptions, risk owners, triggers, probability, and response plan, you can easily create a strategic plan before a project’s timelines, budgets, or resources are derailed.

Project Risk Register Template

Download Project Risk Register Template

Use this project risk register template as a master document to outline all potential project risks.The template includes spaces for risk category, identification date, potential project impacts, and possible mitigation strategies. Similar to the risk register template, you can leverage this comprehensive template to detail the risks involved with every phase of your project and update it regularly to maintain visibility with team members and key stakeholders. Easily identify and mitigate risks associated with your projects before they seriously impact your deadlines — and your bottom line — with this customizable template.

Data Risk Register Template

Download Data Risk Register Template - Excel

Keeping data accessible and relevant is a priority for nearly every company today. Use this template to follow risks to your data, including data compliance, data corruption, and loss of data due to failures.

For data security-related risk tracking, check out the Data Protection Risk Register template below.

Agile Risk Register Template for Information Technology

Download Agile Risk Register Template - Excel

The Agile methodology presents a unique set of challenges, due to its short cycles and  self-organizing, cross-functional nature. Agile has its roots in software development and information technology — use this template to track risks during the Agile process.

Internal Audit Risk Register Template

Download Internal Audit Risk Register Template - Excel

An auditor can use this template to evaluate a department by categorizing and tracking the risks, creating a list of root causes, and determining the likely time frame of the onset of the risk.

Corporate Risk Register Template

Download Corporate Risk Register Template - Excel

For company-level risk assessment, use this free template to keep track of pre and post-mitigation impacts, the processes and documents connected to each risk, and track the risks until they are closed.

Tax Risk Register Template

Download Tax Risk Register Template - Excel

Use this tax risk register to manage risks related to taxation, including information on the type of risk, the time frame for onset, how the risk will be monitored, and any documents or processes related to the risk.

Strategic Risk Register for Schools Template

Download Strategic Risk Register fo Schools Template - Excel

In an educational environment, risk tracking needs to keep on top of the affected processes, as well as the steps within those processes. Use this template in a school situation, and manage the opening and closing dates for each risk.

Construction Risk Register Template

Download Construction Risk Register Template

Excel | Word | PDF

This template focuses on risks associated with construction projects, and can help you to identify risks before they arise, describe possible consequences, and propose risk treatment plans in an effort to eliminate project delays. Use this premade template to describe possible risks and organize them into appropriate categories, like climate, traffic and transport, and nature conservation. Pinpoint risk ratings based on the likelihood and consequences of each risk, and assign specific team members risk action plans to create.

Risk Register Template for Banks

Download Risk Register Template for Banks

This risk register template for banks works to assess and mitigate risks in the banking industry. Use this downloadable template to create a proactive plan to identify and assuage risks and their negative impacts on banking projects, like inspection or audit issues. Prepare and update this template with potential risk activities, contingency plans, risk impact timelines, and more to keep your banking projects and day-to-day activities on track and on time.

Operational Risk Register Template

Download Operational Risk Register Template - Excel

In an operational environment, both new and ongoing risks need to be addressed. Use this template to track both kinds of risks for your operations, and record how the impact of ongoing issues changes after you implement mitigation strategies or controls.

Data Protection Risk Register Template

Download Data Protection Register Template - Excel

Risks to data can come from external or internal sources — they may be one-time events or ongoing problems. Use this data protection risk register template to keep track of the issues that can arise while working to comply with changing data protection mandates and regulations.

Human Resources Risk Register Template

Download Human Resources Risk Register Template - Excel

Because the human resources department has so many areas of responsibility, risks in HR can be separated into several different categories. Download this HR risk register template to manage risks and divide them into overarching categories in order to better manage them.

Occupational Health and Safety Hazard Risk Register Template

Download OHS Risk Register Template

This occupational health and safety (OHS) risk register template targets the understanding, possible causes, and mitigation strategies involved with any foreseeable health risks and hazards associated with a project. Completing an OHS risk register is a legal requirement for all projects that have the potential to impact any person’s health or wellbeing,  — use this template to assess any hazards in a workplace, the seriousness of the hazard, and any control factors or features that should be put in place to prevent this hazard from harming anyone involved. Prepare this preformatted template to keep hazards in your workplace at bay and prevent legal or safety issues in the future.

ISO Risk Register Template

Download ISO Register Template - Excel

The International Standards Organization (ISO) is a consortium of standards organizations from around the world that create quality standards. Risk assessment is part of the process to qualify for and maintain ISO certification. Use this template when assessing risks  processes as part of your ISO certification.

Clinical Risk Register Template

Download Clinical Register Template - Excel

The healthcare industry is covered by numerous regulatory bodies, so risk assessment needs to track any laws or regulations that cover changes made in response to identified risks. Mark risks in this template as ongoing or one-time, and each risk can include required resources and actions to stay in compliance with regulations.

What Is Included in a Risk Register?

A risk register is a brief yet informational document that includes many key components that help businesses and individuals identify, assess, and mitigate any risks associated with projects at each phase, from start to finish. These components include the following:

• Heading and date
• Project title or ID number
• Project manager
• Project category
• Project impact or risk
• Risk description
• Date of risk or impact
• Risk likelihood
• Risk impact
• Risk trigger
• Risk category
• Risk probability
• Risk response or action plan
• Positive and negative response options
• Alternate response options
• Cost of action plan
• Schedule of action plan
• Risk severity, ranking, and score
• Mitigation or contingency plan
• Status of risk (active, not started, ongoing, complete, dormant, retired)

You can include additional components in your risk register as well, such as residual risk, action progress, response effectiveness rating, and threat responses. Often, the risk register is included in a project’s work breakdown structure , a tool that visually breaks down a project into separate deliverables and individual components needed to complete the work. Doing so helps teams gain the most comprehensive sense of what the project entails and how to complete it.

Why Is a Risk Register Necessary?

Using a risk register adds structure and consistency to the project risk management process by having a readily-available document that targets each individual risk before it occurs. Both the Project Management Body of Knowledge (PMBOK) and Prince2 state that a risk register template is a key component of any successful project. Additionally, you can review risks at the end of each phase of a project lifecycle and assess how well each risk was handled or how proposed remedies aided in the control of the specific risk.

You should incorporate a risk register at the beginning stages of the project planning process. When updated regularly and shared with team members, a risk register serves as a useful tool to manage and reduce the risks associated with any given project.

Additionally, using a risk register during business planning can help you to do the following:

• Provide a documentation of risk strategies
• Grade all potential risks
• Ensure communication with key stakeholders and senior management, should risks come into effect
• Identify mitigation actions required to solve a risk or its impact
• Forecast and preparing a strategy for inevitable risks
• Flag unidentified risks through open communication and input from team members
• Instigate actions to reduce probability and potential impact

Although risk register templates are extremely useful for project owners as they work to identify risks and combat them, there are some downfalls in preplanning for risks so meticulously. Sometimes, doing so can lead to ritualistic decision making and give a false illusion of control over situations. However, not all risks can be foreseen, which can lead to a fallacy of concreteness in project plans. Keep an open mind to ensure these downfalls don’t plague your projects, even as you begin to identify and solve risks before they arise.

Tips For Creating a Risk Register Template

As you create your risk register template for your project, keep these tips in mind to create the most effective, comprehensive documentation of risks.

• Create the plan when the project is approved as part of the project proposal or brief. Doing so ensures that all potential risks are analyzed and covered within the risk register, which can minimize potential impacts on projects if the risks come to fruition.
• Include active risks in project status reports to maintain visibility. This keeps all team members and stakeholders on the same page, which ensures transparency.
• Identify new risks or update risks as the project progresses. Risks can pop up at any time, and keeping your risk register updated throughout the project guarantees that visibility and mitigation strategies will never falter.
• Assign each risk a separate identification number to ensure continuity and clarity. Performing this step will eliminate any confusion when it comes to each risk and its subsequent mitigation plan, especially for large projects with many potential risks.
• Define risk impacts and probabilities in a manner that is easy to understand (i.e. low, medium, and high). Streamline risk and impact terminology so all team members and stakeholders understand how a risk could impact a potential project.
• Review the risk register regularly, especially before progressing to the next phase of the project. This step will ensure that all potential risks are up to date as the goals or targets of the project shift.
• Do not skip the process of creating a risk register. Risks can occur at any time, and it is important to stay ahead of them and have an action plan in mind.

Improve Risk Mitigation with Real-Time Work Management in Smartsheet

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time.  Try Smartsheet for free, today.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation and analyze site usage.

Search the site

The ide newsletter.

Get the latest from MIT IDE delivered weekly to your inbox.

MIT Initiative on the Digital Economy

MIT Sloan School of Management

245 First St, Room E94-1521

Cambridge, MA 02142-1347

617-452-3216

• share on facebook
• share on twitter
• share on linkedin
• share by email

MIT Researchers Create an AI Risk Repository

August 21, 2024

A new database catalogs more than 700 risks cited in AI literature to date. The goal is to raise awareness and head off problems before they arise.

Many risks associated with AI use — from biased opinions to machine language ‘hallucinations’ that produce incorrect information — are widely known in tech communities. There are also economic risks to human jobs, concerns over privacy and security, and misuse that worry the public. But many other threats are specific to certain programs or to niche applications. Software developers have different concerns than policymakers, environmentalists, or business leaders, for instance.

A new MIT  FutureTech  project reviewed 43 AI frameworks produced by research, industry and government organizations; they identified 777 risks in total. These risks are outlined in the recently published  AI Risk Repository .

The repository includes a risk database linking each risk to the source information (paper title, authors) and supporting evidence, such as quotes and page numbers.

It also includes two taxonomies that can help users search the identified risks. The domain taxonomy classifies specific risks into seven categories, such as misinformation, and 23 subdomains. Together, the resources can support those working toward AI regulations, risk assessment, research, and organizational risk policy.

“Many organizations are still pretty early in the process of adopting AI,” and they need guidance on the possible perils, says Neil Thompson, a research scientist at MIT and research lead at the MIT Initiative on the Digital Economy  (IDE), who is involved with the project.

Peter Slattery, project lead and a researcher at MIT’s FutureTech group, says the database highlights the fact that some AI risks get more attention than others. More than 70% of frameworks mention privacy and security issues, for example, but only around 40% refer to misinformation. AI system safety, failures and limitations were covered in 76% of documents, while some risk subdomains are relatively underexplored, such as AI welfare and rights (<1% of risks).

Slattery offered more details about the project in an interview with Paula Klein, Editorial Content Manager at the IDE.

IDE: In addition to education about AI risk, what is the ultimate goal that you hope to achieve with this project?

Slattery : We created the AI Risk Repository for three reasons. First, to provide an overview for people who are new to the field. Second, to make it easier for people already working on AI risks in policy and practice to see the overlap and disconnects among all of the work taking place. Third, we want to use it for our own research to understand how organizations are responding to AI risks.

When we reached out to people working in related areas, for instance on AI risk evaluations and policy, we realized they faced similar challenges because of the lack of a comprehensive compilation of research.

IDE: Can the risks you cite actually be reduced or avoided once they are specified in this way? Can you give an example?

Slattery : By identifying and categorizing risks, we hope that those developing or deploying AI will think ahead and make choices that address or reduce potential exposure before they are deployed. For example, consider the risk subdomain of “AI system security vulnerabilities and attacks.”

If organizations are aware of these issues, they can proactively address these potential problems, for instance, by implementing security protocols or using penetration testing.

IDE: What were your key findings and who is the repository aimed at?

Slattery : We used approaches that we developed from two existing frameworks to categorize each risk by cause (e.g., when or why it occurs), risk domain (e.g., “Misinformation”), and risk subdomain (e.g., “False or misleading information”).

As shown in Table C,

most of the risks (51%) were caused by AI systems rather than humans (34%), and were found  after  the AI model was trained and deployed (65%) rather than before (10%).

As shown in Table D, we found significant differences in how frequently our risk domains and subdomains were discussed in the frameworks we included. Some risks were very widely discussed, while others were only mentioned in a handful of documents.

The key finding from our analysis is that there are significant gaps in existing risk frameworks, with the average framework covering only 34% of the identified risk subdomains and even the most significant frameworks covering only 70%.

The fragmentation of the risk literature should give us pause. We are potentially in a situation where many may believe they’ve grasped the full picture after consulting one or two sources, when in reality they’re navigating AI with significant blind spots.

This underscores the need to actively identify and reduce gaps in our knowledge, to ensure we don’t overlook crucial threats.

Our project is aimed at a broad, global audience including policymakers, researchers, industry professionals, and AI safety experts. We want them to understand that the current landscape of risks is relatively fractured, and have a better way forward. We expect that what we have produced will need some modification before it is useful for most audiences, but we hope that it provides a solid foundation.

IDE: What was most surprising? Was the scope or number of risks unexpected?

Slattery : I didn’t expect to see so much diversity across the frameworks. I was also surprised that certain risks, such as “AI welfare and rights” (2%), “pollution of information ecosystem and loss of consensus reality” (12%), and “competitive dynamics” (12%), were so infrequently mentioned.

I was less surprised that we found more than 700 risks because I knew that there was a lot of attention being paid to this area. However, these risks didn’t overlap as much as I had expected.

IDE: What has been the response so far?

Slattery : Very positive. We have received supportive engagement and useful feedback from many different stakeholders in academia, industry, and policy circles. In less than a week, over 35,000 people have used the website and over 6,000 have viewed our  explainer video on YouTube . There clearly seems to be widespread interest in understanding and reducing the risks from AI, and a lot of people therefore value the repository. However, we know there are many more resources to be added and improvements to make.

What are the risks from Artificial Intelligence?

A comprehensive living database of over 700 ai risks categorized by their cause and risk domain., what is the ai risk repository.

The AI Risk Repository has three parts:

• The AI Risk Database captures 700+ risks extracted from 43 existing frameworks, with quotes and page numbers.
• The Causal Taxonomy of AI Risks classifies how, when, and why these risks occur.
• The Domain Taxonomy of AI Risks classifies these risks into seven domains (e.g., “Misinformation”) and 23 subdomains (e.g., “False or misleading information”).

How can I use the Repository?

The AI Risk Repository provides:

• An accessible overview of the AI risk landscape.
• A regularly updated source of information about new risks and research.
• A common frame of reference for researchers, developers, businesses, evaluators, auditors, policymakers, and regulators.
• A resource to help develop research, curricula, audits, and policy.
• An easy way to find relevant risks and research.

AI Risk Database

The AI Risk Database links each risk to the source information (paper title, authors), supporting evidence (quotes, page numbers), and to our Causal and Domain Taxonomies. You can copy it on Google Sheets , or OneDrive . Watch our explainer video below.

Search below if you want to explore the risks extracted into our database. This search looks for exact text matches in one field: "Description". It returns information for four fields: "QuickRef", "Risk category", "Risk subcategory", and "Description". For example, try searching for "privacy" to see all risk descriptions which mention this term.

Causal Taxonomy of AI Risks

The Causal Taxonomy of AI risks classifies how, when, and why an AI risk occurs. You can explore the taxonomy (to three levels of depth) in the interactive figure below. Read our preprint for more detail.

Search below if you want to explore how we group risks by cause in our database. This search looks for exact text matches in three fields: "Entity", "Intention" and "Timing". It returns information for seven fields: "QuickRef", "Risk category", "Risk subcategory", "Description", "Entity", "Intent", and "Timing". For instance, try searching for "Pre-deployment" to see all risks of this category.

Domain Taxonomy of AI Risks

The Domain Taxonomy of AI Risks classifies risks from AI into seven domains and 23 subdomains. You can explore the taxonomy (to four levels of depth) in the interactive figure below. Read our preprint for more detail.

Search below if you want to explore how we group risks by domain. This search looks for exact text matches in two fields: "Domain" and "Subdomain". It returns information for six fields: "QuickRef", "Risk category", "Risk subcategory", "Description", "Domain" and "Subdomain". For instance, try searching for "Misinformation" to see all risks categorized in this domain.

How to use the AI Risk Repository

• Our Database is free to copy and use.
• The Causal and Domain Taxonomies can be used separately to filter this database to identify specific risks, for instance, risks occurring pre-deployment or post-deployment or related to Misinformation .
• The Causal and Domain Taxonomies can be used together to understand how each causal factor (i.e., entity , intention and timing ) relate to each risk domain. For example, to identify the intentional and unintentional variations of Discrimination & toxicity .
• ‍ Offer feedback or suggest missing resources risks here , or email pslat[at]mit.edu.

We provide examples of use cases for some key audiences below.

Frequently Asked Questions

Acknowledgments

Feedback and useful input: Anka Reuel, Michael Aird, Greg Sadler, Matthjis Maas, Shahar Avin, Taniel Yusef, Elizabeth Cooper, Dane Sherburn, Noemi Dreksler, Uma Kalkar, CSER, GovAI, Nathan Sherburn, Andrew Lucas, Jacinto Estima, Kevin Klyman, Bernd W. Wirtz, Andrew Critch, Lambert Hogenhout, Zhexin Zhang, Ian Eisenberg, Stuart Russel, and Samuel Salzer .

How to engage

Read our preprint, and copy and use our database, follow mit futuretech on social media for updates.