research project risk register

• Product overview
• All features
• Latest feature release
• App integrations
• project icon Project management
• Project views
• Custom fields
• Status updates
• goal icon Goals and reporting
• Reporting dashboards
• asana-intelligence icon Asana AI
• workflow icon Workflows and automation
• portfolio icon Resource management
• Capacity planning
• Time tracking
• my-task icon Admin and security
• Admin console
• Permissions
• list icon Personal
• premium icon Starter
• briefcase icon Advanced
• Goal management
• Organizational planning
• Project intake
• Resource planning
• Product launches
• View all uses arrow-right icon

• Work management resources Discover best practices, watch webinars, get insights
• Customer stories See how the world's best organizations drive work innovation with Asana
• Help Center Get lots of tips, tricks, and advice to get the most from Asana
• Asana Academy Sign up for interactive courses and webinars to learn Asana
• Developers Learn more about building apps on the Asana platform
• Community programs Connect with and learn from Asana customers around the world
• Events Find out about upcoming events near you
• Partners Learn more about our partner programs
• Asana for nonprofits Get more information on our nonprofit discount program, and apply.
• Project plans
• Team goals & objectives
• Team continuity
• Meeting agenda
• View all templates arrow-right icon
• Project management |
• What is a risk register: a project mana ...

What is a risk register: a project manager’s guide (and example)

Looking for tools to set your team up for success? A risk register can do just that.

A risk register is shared with project stakeholders to ensure information is stored in one accessible place. Since it’s usually up to project managers (we’re talking about you!), it’s a good idea to learn how and when to use a risk register so you’re prepared for your next project. 

3 ways to transform your enterprise project management

Watch a live demo and Q&A session to help you streamline goal-setting, accelerate annual planning, and automate how teams intake strategic work.

What is a risk register?

A risk register is a document that is used as a risk management tool to identify potential setbacks within a project. This process aims to collectively identify, analyze, and solve risks before they become problems. While usually centered around projects, other circumstances where risk management is helpful include product launches and manufacturing. 

A risk register document, otherwise known as a risk register log, tracks potential risks specifically within a project. It also includes information about the priority of the risk and the likelihood of it happening. 

A project risk register should not only identify and analyze risks, but also provide tangible mitigation measures. This way, if the risk becomes a larger threat, your team is prepared with solutions and empowered to solve the issues. 

When should you use a risk register?

There are many instances when a risk register comes in handy. Ideally, it should be used—or available for use when needed—for every project. It can be used for both small and large projects, though your risk log may look different depending on the scope and complexity of your initiative. 

While a small project may only include basic information about the risk such as likelihood, priority, and solutions, a more complicated project may require around 10 different document fields. 

While some companies employ risk management professionals to manage a risk log, it often falls on the project manager or team lead to oversee it. If your team doesn’t already use a risk management or incident management process, it may be helpful to know common risk scenarios to decide whether a risk register is right for you and your team. 

Some risk scenarios ranked by priority could include:

Low priority: Risks such as lack of communication and scheduling errors can leave projects open to scope creep and missed deliverables. 

Medium priority: Risks such as unplanned or additional work can cause teams to struggle with productivity and create unclear objectives. 

High priority: Risks such as data security and theft can leave your company open to revenue loss and should be prioritized. 

Once you know when to use a risk register, you can properly define high priority risks when you come across them. 

Common risk scenarios

Multiple risks could arise during a new project. Anything from data security to unplanned work can risk projects going over budget and scope. Nobody wants to imagine the consequences of missed due dates, which is why it’s important to identify potential risks before they happen.

It’s a good idea to include common risk categories in your risk register log so you’re prepared when they occur. Learn a little more about these risks and determine which ones could apply to your team. 

Data security 

If you’re working on projects that could affect data security, it’s extremely important to track and mitigate potential risks. Unmanaged risks could result in:

Information being stolen: Without proper mitigation, your business could become vulnerable to private information being stolen. This is especially harmful if it’s customer information being stolen.

Credit card fraud: This is dangerous for a number of reasons, but could result in a loss of revenue and potentially require legal action. 

Data security is a top risk and should be prioritized accordingly in order to prevent long-term security issues.  

Communication issues

Communication issues can arise no matter the size of your project and team. While a risk register can help identify where communication areas live, it can be helpful to also implement work management software to streamline communication at work .

Here are some risks that could arise from lack of communication:

Project inconsistencies: Without proper communication, inconsistencies in deliverables can cause confusion. 

Missed deadlines: No one wants to miss a deadline but without clear communication, your team may not be aware of due dates for deliverables. 

Creating a proper communication plan can also help prevent risks from surfacing in the first place. 

Scheduling delays

If scheduling errors and delays go unnoticed, they can become a big problem when deadlines are missed. Tools such as timelines and team calendar software can help prevent scheduling errors in the first place. 

Project scheduling delays could result in:

Rushed deliverables: There’s nothing worse than a project that hasn’t been properly executed, which can cause goals to be missed and work to appear sloppy.

Confusion: Teams can become overwhelmed and confused without a proper schedule in place. 

Implementing a schedule can help keep deliverables on track for both daily tasks and one-off projects. 

Unplanned work

We’ve all been in a situation where a project goes over scope. It’s a common risk that can be fairly easy to mitigate if tracked properly. Catching unplanned work early on allows you to properly delegate it to the project lead. 

Without a proper risk register, you could experience:

Missed deliverables: If work slips through the cracks, you may be at risk of missing a deadline altogether. 

Employee burnout: Overscheduling your team members with unplanned work can create tension and even cause overwork and burnout. That’s why it’s important to scope projects correctly. 

If you do run into issues with unplanned work, implementing a change control process can help communicate additional work to your team members.  

Theft of materials

While hopefully uncommon, businesses that have a large inventory of products could run the risk of theft or reporting errors. By tracking inventory consistently and frequently, you can catch risks early on to determine the cause.  

Theft can leave your business open to:

Loss of revenue: Whether products are being stolen or there are errors in reporting, theft will have a negative impact on revenue. 

Uncertainty: When theft happens, employee and business uncertainty can cause internal stress. 

Misuse of time: Along with theft of tangible goods, there’s a risk of time theft. In a remote working environment, it can be more difficult to track where your team is spending their time. 

Similar to data security, theft is a high-priority risk that should be handled as quickly as possible. 

What’s included in a risk register?

A risk register is made of a list of risks and tracking fields. Your team’s risk log will most likely look different than others as you’ll have unique risks associated with your projects. 

No matter the differences, most risk registers are made up of a few essential parts, including risk identification, risk likelihood, and risk mitigation. These parts work to create a fluid log of information on potential risks. These logs are also helpful to look back on when working on new projects that could face similar risks. 

Additional fields that are good to include are details like risk identification, description, and priority. The more specific you get, the more likely you’ll be prepared to mitigate whatever risks come your way. 

A great rule of thumb to keep in mind is the more complicated the project is, the more intricate your risk register is likely to be. That means it’s a good idea to be as specific as possible within your log for large projects that span multiple months and have a number of different stakeholders. 

Here are some of the most important fields to include in your project risk management plan. 

1. Risk identification  

One of the first entries included in a risk register is the identification of the risk. This is usually in the form of a risk name or identification number. A risk identification field should include:

The risk name

The identification date

A subtitle if needed

You don’t need to get super creative when naming your risks, a simple summary will do. On the other hand, if you want to get creative, you can craft personas for each type of risk. For example, using the persona “Daniela” as your data security risk name to help team members understand how to quickly identify risks. 

Along with a name, you may also choose to include a short subtitle and the date of the risk identification. This will help track how long mitigation methods are taking and allow you to identify which risks are taking the longest to resolve. 

2. Risk description

After the identification is complete, a short description should be added to your log. A risk description should include:

A short, high-level overview of the risk

Why the risk is a potential issue

How long you choose to make your descriptions is up to how detailed you want your log to be, but the average length is typically 80 to 100 characters.

More importantly than the length, a description should include the key points of the risk and why it’s a potential issue. The main takeaway is that a description should accurately describe the risk without getting in the weeds so it can be easily identified. 

3. Risk category

There are a number of risk categories that help quickly identify the potential risk. Quickly identifying the risk makes it easier to assign to the correct team—especially when working on a complicated project with multiple risks. A risk category could be any of the following:

Operations 

Information 

Project plan

To determine the category type, you’ll first need to evaluate where the risk is coming from and who can help solve it. You may need to work with department heads if the solution isn’t obvious. 

4. Risk likelihood

If risks are caught early enough, it’s possible the team will be able to sort them out before any real action is needed. So it’s possible that risks that are flagged on your risk register won’t actually become problems. 

The likelihood of a risk can be documented with a simple selection of: 

Not likely 

Very likely 

Categorizing your risks by likelihood can help identify which risks to tackle first and which you should wait on. 

5. Risk analysis

A risk analysis gauges the potential impact the risk could have on your project. This helps to quickly identify the most important risks to tackle. This is not to be confused with priority, which takes into account both likelihood and analysis. 

While teams document risk levels differently, you can start with this simple five-point scale:

If you’re struggling to identify the risk level, you may want to get a second opinion by working with a department head. This way you can accurately gauge how high the impact might be. 

6. Risk mitigation

A mitigation plan, also called a risk response plan, is one of the most important parts of a risk register. After all, the point of a risk management plan is to identify and mitigate possible risks. Basically, it’s an action plan. A risk mitigation plan should include:

A step-by-step solution on how to lessen the risk

A brief description of the intended outcome

How the plan will affect the impact 

While small risk assessments may be easy to mitigate, some risks are much more complex and don’t have obvious solutions. In this case, the mitigation plan will need a bit of teamwork to solve. This usually happens beyond the actual risk register document, such as during a meeting or team huddle. 

However you choose to conduct your mitigation plan, you should document a high-level description within the log for reference and clear communication. This will not only ensure everyone on the project team understands the response plans, but it will also help you visualize the solution. 

7. Risk priority 

While the impact of a risk will help determine priority, it’s good to also include this entry on your log. Priority should take into account both the likelihood of the risk and the risk analysis. Both of these aspects will make it clear which risks are likely to have harmful consequences on the project. 

Priority can be documented by a simple number scale:

If you’re looking to make your risk register more visually appealing, you may want to document priority by using a color-coded scale instead. This can be used in place of or alongside the three options. Love organizing by color? Then color-coding your log is the perfect option for you! 

8. Risk ownership

Once the risk has been identified, reviewed, and prioritized, it’s time to assign the mitigation deliverables to be implemented. Risk ownership should include:

The person assigned to oversee the implementation of deliverables

Any additional team members, if applicable

The risk ownership field can help quickly determine which department the risk should be handled by. It can also help visualize which team members have ownership of specific risks. 

9. Risk status

The last field to include in your risk register is the status of the risk. This helps communicate whether a risk has been successfully mitigated or not. A risk status field should be filled out with one of the following:

In progress

If you want to get more granular with your status options, you may choose a more specific list such as active, not started, hold, ongoing, and complete. 

Additional risk register fields

While there are a handful of main entries that every risk register should include, there are additional optional items you can include as well. It’s always better to over-prepare than be caught off guard when the time comes, so take a look at these additional fields to decide if you need them. 

Risk trigger: Adding a risk trigger entry can help you evaluate why the risk happened in order to prevent future risks. 

Response type: While many risks will be on the negative end of the spectrum, there is a possibility for a positive outcome. In this case, you can add a field for a positive or negative response. 

Timeline: You can also include the schedule or timeline of the mitigation plan within the log in order to keep information in one place. Timeline software is a great tool to help with this. 

How to create a risk register (with example)

A risk register contains a lot of information and can be challenging to create for the first time. While you may know what information you need to include, getting started can be difficult. That’s why we put together an example to help you get started on your own risk management plan. 

Here’s what your risk register log might look like:

The key objective of a risk register is to log the information of potential risks, so don’t get too caught up in the details. You should choose the fields necessary to communicate potential risks to your team members. 

Some teams may only need a simple risk register with few fields, while others may need something more complex. It may be helpful to start simple and work your way up to a more complex log if needed.

Here’s an example of a risk register entry to get you started on your own risk log. 

Risk name: Design delay

Risk description: Design team is overbooked with work, which could result in a timeline delay. 

Risk category: Schedule

Risk likelihood: Likely

Risk analysis: Medium

Risk mitigation: Hire a freelancer to create project graphics. Move meetings from Kabir’s calendar during the week of 7/12 to free up time to edit graphics and send to Kat for final approval. 

Risk priority: 2

Risk ownership: Kat Mooney

Risk status: In progress

Once you get the hang of filling out your risk register, you can work to continuously improve and perfect your data log for future projects.   

Don’t risk your risk management plan

Identifying risks is a large part of any successful risk management strategy. While identifying and mitigating new risks isn’t always easy, it’s essential in order to keep your business on track for success. Once you nail down your risk register, project risks won’t seem as hard to manage. Plus, your team will have more time to spend on important things, like delivering impact. 

If you’re looking for additional resources on risk management, check out how to create a contingency plan to prevent business risks. 

Related resources

How to use benchmarking to set your standards for success

How to scale retail management operations with Asana

How Asana’s digital team used work management to refresh our brand

Your guide to RACI charts, with examples

• Contact sales

Start free trial

What Is a Risk Register & How to Create One

You’ll never be able to anticipate every risk event that could occur in a project, but by using a risk register, you’re prepared to respond quickly before project risks become real problems that sidetrack the whole project.

What Is a Risk Register?

A risk register, or risk log is a risk management tool that’s used to identify potential risks that could affect the execution of a project plan . While the risk register is mostly used during the execution of the project, it should be created during the project planning phase. It’s never too early to start thinking about risk analysis in your project and having a project risk register on hand and ready is essential in managing risk.

Get your free

Risk Register Template

Use this free Risk Tracking Template for Excel to manage your projects better.

A risk register is the first step in project risk management , and it’s an important part of any risk management framework. It helps project managers list risks, their priority level, mitigation strategies and the risk owner so everybody on the project team knows how to respond to project risk.

What Is the Purpose of a Risk Register?

If you know what risk management is, then you’ll know that the next step to managing risk is strategically working to control the potential issues that are most likely to occur when you’re managing a project. Therefore, you should have a risk analysis mechanism in place to collect potential risks and map out a path to mitigate risks and get the project back on track, should those risks become realities.

Having a risk log to track project risks , whether by a simple spreadsheet or as part of a more robust project management software solution, is a good idea to tackle in any project plan. There’s risk inherent in everything, and that’s especially true when managing a project with many moving parts.

Project management software can help you track risk better than a static spreadsheet. With ProjectManager you can make an online risk register where you can identify risks, calculate their impact and manage them with your team. With our Risk view, you can make a risk list and stay on top of all the risks within your project. Write a description, add tags, identify a resolution, mark impact and likelihood, even see a risk matrix—all in one place. Get started today with a free trial.

Risk Register vs. Risk Matrix

A risk register and a risk matrix are similar tools. Both assess the level of risk and are key to any contingency plan or risk management plan. But there are differences. For one, the risk matrix is a visual tool. It charts each risk and maps it on a grid.

The risk matrix measures the likelihood of the risk occurring, from rare to almost certain, and its severity, from insignificant to severe. It’s also color-coded to show the priority of each of the risks charted on the matrix.

A risk register also deals with the impact of risk on a project. However, it’s a spreadsheet, not a graphical representation of those risks. Therefore, it provides more detailed information, such as a description of the risk, the response and who’s responsible for identifying and mitigating that risk .

Risk Register Example

Let’s get a better understanding of what a risk register does by making up a risk register example. Let’s say you’re Acme Manufacturing and you’re planning for a large run of widgets that need to be delivered to distributors by a certain date to reach your retailers and customers as expected. Here’s what a risk log example looks like. We used our free risk traking template for Excel to make this example. You can download one for free for your project.

The first step is identifying the risk. You’d give it an ID to make it easier to track. Let’s call this number one, which is equipment malfunction. The next item is describing its impact. If equipment goes down on the assembly line work stops. That impacts the schedule and even the viability of the entire project.

To avoid this issue is to do periodic preventive maintenance, which reduces the likelihood of a breakdown. However, a malfunction is always a risk that might occur, even if the machinery is well-maintained. To mitigate this, you might have backup equipment to keep the assembly line running while the other equipment is being repaired. The risk level depends on the impact this risk might have on your project. The risks listed in this risk register example are high because they affect the project budget and schedule.

Next, is the owner of the risk. That could be John Smith, the mechanic, or Fred Jones, the employee who runs the machine. It could also be both, as Fred could identify the risk when it’s an issue and John is then called to repair the equipment.

If there’s anything that you’d like to add to the risk register, there’s a column for notes in our risk register template. This could be used to track the repair if the risk in fact occurs, or it could capture some other pertinent information not already covered in the risk register.

How to Use a Risk Register In Project Management

The first step in the risk management process is risk identification. Projects are all different, of course, but for organizations that run similar projects year after year, there might be historical data to review to help identify common risk categories for those types of projects.

Additionally, you can anticipate some project risks based on market forces (supply and demand risks, for example), based on common project management issues or even based on weather.

Collect the Project Risks

Collecting the possible risks that can show up when managing a project requires a systematic approach to make sure you’re as thorough as possible. The project risk register is a system, which can then track that risk if it in fact appears and then evaluate the actions you’ve set in place to resolve it.

When registering these risks on a risk log spreadsheet or within your project management software , you have a place to put this data and follow the specific risk event throughout the project, thereby seeing if the risk response actions you’ve put in place to remedy the risk are working. A risk tracking document keeps project risks on a tight leash to mitigate their impact so they don’t ruin your project.

Document the Project Risks

Documenting project risks using a risk register is vital to the success of any project. It gives you one place to identify the risk, note its history—from where it first occurred to where you finally resolve it—and even tag the risk to the person who identified it and manages it. On the risk log, you can note the risk score and how likely the risk will impact the project and so much more.

Monitor the Project Risks

As mentioned, you can assign risks to your team members in your project risk register. That person then is responsible for monitoring the risk and leading any risk response actions required to mitigate the impact of that risk event or address it once it becomes an issue. By documenting this process in a project risk register, you’re less likely to lose track of project risks over the course of a busy project, which means the risks aren’t turning into real issues that can negatively impact the project budget or schedule and compromise the success of the project.

Resolve the Risks

Finally, when the project risk is resolved, you can close it. Nothing is better than checking off that risk in your risk log as no longer a problem in the project. If the risk event has been remedied, you don’t want to continue using resources on a problem that doesn’t exist. It simply gives you more control over your risk management plan and fosters better communication with your project team and stakeholders.

What Is Included in a Risk Register?

Risk registers vary depending on the organization and the project. However, most risk register templates share these commonly used elements:

• Risk identification ID: A name or ID number to identify the risk.
• Risk description: A brief explanation of the risk.
• Risk breakdown structure: A risk breakdown structure is a chart that allows you to identify all your project risks and categorize them.
• Risk categories: There are many risk categories that can impact a project such as a schedule, budget and technical and external risks.
• Risk analysis: The purpose of risk analysis is to determine the probability and impact of a risk. You can either do a qualitative risk analysis or a quantitative risk analysis.
• Risk probability: You’ll need to estimate the likelihood of each risk and assign a qualitative or quantitative value.
• Risk priority: The risk priority is determined by assigning a risk score to each risk, which is obtained by multiplying the risk impact and probability values. If you’re using qualitative measurements, prioritize risks with the highest impact and highest probability.
• Risk response: Each risk needs a risk response to mitigate its effect on your project. Those risk responses are also documented in a risk response plan.
• Risk ownership: Each risk needs to be assigned to a team member who becomes a risk owner. The risk owner is responsible for deploying the appropriate response and supervising it.

How to Create a Risk Register

Let’s go through the steps to create a risk register so we can get the most out of this risk management tool.

1. Risk Identification

Get the project team together to brainstorm potential risks. Every team member is responsible for different areas of the project, so use their expertise to identify potential project-derailing risks. You’ll also want to speak with stakeholders to ensure you’ve brought their concerns to mind and are tracking their risks, too. Be sure to exhaust all risk categories of potential impact, from market forces to resources to the weather.

2. Describe Project Risks

The next thing you want to do is describe the project risk. Try to be as thorough as you can while keeping the description to the essentials. Having too vague a risk makes it a challenge to truly understand whether a risk has become a real issue. For example, don’t write, “the weather” for a risk contingent on the weather. Rather, go for something specifically related to your project, such as, “Monsoon season in India could cause shipping delays for copper which will impact the project schedule .”

As you identify and describe risk, ProjectManager will help you assign ownership to a team member, set the priority and attach any relevant files. Teams can collaborate, share the risk, add comments and tag people. Managers get visibility into the work and everyone is working on the same updated and life data.

3. Estimate Risk Impact

Include everything that the risk can influence, so you can develop a strong strategy to deal with it. For example, if layoffs have been rumored in your business sector regionally, identify the actual impact that might have on your project schedule if it came to pass. For example, “Projected layoffs in Southeast manufacturing could risk production schedules in June. This could delay the entire project execution by three months unless alternative production options are considered.” This tells the risk owner to investigate potential options for manufacturing facilities outside of that region, so a real risk management plan is in place.

4. Create a Risk Response Plan

This is the heavy lifting in the project risk register, so give it the time and effort necessary to complete it properly. You want to be thorough, but not excessive. Keep the risk response plan short and to the point. Do your research, so if the risk shows up in the project you can go right into action. Document all response plans and implementation strategies. If this requires a long document, add a link or add an attachment to the risk response plan document to point directly toward the planned response.

5. Prioritize Project Risks

Not all project risks are created equally. Some of them have a greater impact than others, so you have to decide which are going to move to the front of the line and which are okay to ignore if you don’t have the time and resources. Here you’ll determine the level of risk: high, medium or low. This way you can filter your register and prioritize accordingly.

6. Define Risk Owners

Finally, assign an owner to each risk. If you don’t have a risk owner for each and every potential risk, then you might not know about it until the impact of that risk is irreversible.

There’s one last column in your risk register, and that’s a place to collect any notes that don’t fit under the categories already discussed. It’s important to have a place to put these ideas so they don’t get lost in the endless churn of a project.

Using ProjectManager’s Risk Log Features to Track Risks

ProjectManager is an award-winning project management software with integrated risk-tracking features that allow you to list, manage and collaborate with ease. Once you’ve selected a certain risk, there’s a simple and fast way to edit every aspect of the risk, including its name, description, owner and its level of priority. Even better, you have the ability to add notes, files, images and other attachments to that specific project risk.

Another powerful risk management features is our real-time dashboard. Our project dashboard gives you a snapshot of your project status and is ideal for catching risks before they become issues. This unique feature is valued by project managers all over the world, in major companies like Volvo, NASA and Bank of America.

ProjectManager is online project management software that offers a collaborative risk-tracking tool that gives you all the features you need to identify, track and resolve risks as they become issues in your project. Try it yourself and see how it can make managing risk and the whole project that much easier. Take our free 30-day trial today!

Deliver your projects on time and on budget

Start planning your projects.

Project Management, Project Planning, Templates and Advice

• Concise, focused guide that cuts through the clutter
• Step-by-step instructions for creating a project plan in under a day
• Master essential skills like work breakdowns and task sequencing
• Real-world troubleshooting for 20 common scheduling challenges
• Rapidly get up to speed if you're new to Microsoft Project
• Includes glossary, support resources, and sample plans
• Start planning like a pro
• Get your copy today!

20 Common Project Risks - Example Risk Register

Want to a kick start to your Risk Management ? Want to make sure you have identified key project risks ? Not sure what actions you can take to reduce the likelihood of key project risks? Look no further!

• The 20 common project risks
• View the register
• Download the risk register in Excel

Video - How to edit the risk register

• Bonus mindmap of the common risks

20 Common Project Risks

• Project purpose and need is not well-defined.
• Project design and deliverable definition is incomplete.
• Project schedule is not clearly defined or understood.
• No control over staff priorities.
• Consultant or contractor delays.
• Estimating and/or scheduling errors.
• Unplanned work that must be accommodated.
• Lack of communication, causing lack of clarity and confusion.
• Pressure to arbitrarily reduce task durations and or run tasks in parallel which would increase risk of errors.
• Scope Creep.
• project conflicts not resolved in a timely manner.
• Business Case becomes obsolete or is undermined by external or internal changes.
• Delay in earlier project phases jeopardizes ability to meet fixed date. For example delivery of just in time materials, for conference or launch date.
• Added workload or time requirements because of new direction, policy, or statute.
• Inadequate customer testing leads to large post go live defect list.
• Legal action delays or pauses project .
• Customer refuses to approve deliverables / milestones or delays approval, putting pressure on project manager to 'work at risk'.
• Theft of materials, intellectual property or equipment.
• Acts of God for example, extreme weather, leads to loss of resources , materials, premises etc.
• Stakeholder action delays the project . For more on the damage stakeholders can do see our case studies of real world projects that faced costs running into millions, because of stakeholder actions.

Completed risk register with 20 project risks you need to manage

Download a Complete Risk Register of Common Project Risks

Excel 1997 - 2003 download (.xls) - free risk register of common risks, excel download (.xlsx) - free risk register of common risks, mindmap download - free mindmap of common project risks, more on risk management, the top 50 business risks and how to manage them, checklist of 30 construction risks, download a risk register template, overall project risk assessment template, simple risk register template, resources used in this article, share this image.

Risk Register in Project Management

Risk is such a given in any project that, as we like to say, the biggest risk is ignoring project risk management . One strategy to help you anticipate and plan for potential project risks is creating a risk register and risk report. Project Management Professionals (PMP) use a risk register and risk report on risk-driven projects or risk-aware projects.

This risk register overview by your experts at Project Management Academy is your complete resource on the “who, what, when, where, and why” of risk registers in project management.

On this page:

Risk Register PMP definition & purpose

When is a risk register created, who creates a project risk register, what is included in a risk register, risk register pmp how-to guide.

Get Your Comprehensive Guide to Risk Management

Learn how to manage risk in every project.

A risk register is a document used to track and report on project risks and opportunities throughout the project’s life cycle. The contents of this tool can help you identify and organize information about potential issues that can impact project elements and outcomes. Here are some other uses of a risk register:

• Identifying potential risks
• Predicting the probability of a risk event occurring
• Putting controls in place to mitigate risks
• Establishing a response plan in the event a risk occurs
• Creating a risk report to summarize overall project risk, communicate to project stakeholders, and support overall risk management
• And much more!

For some projects, risk registers are required to meet compliance regulations. However, a risk register is an essential PMP exam tool for any project, no matter the size, complexity, or industry. Although it is impossible to anticipate every possible risk that could affect your project, a risk register will help you establish an effective risk management plan to prevent risks from derailing your project.

What is the difference between an issue vs. a risk?

While risk is an event that has not happened yet, an issue is an event that has already happened. Both issues and risks describe problematic events or conditions that can impact your project elements or outcomes.

As a project manager, you should know how to store, track, and organize information about both risks and issues. The document you use to store content about risks is called a risk register , while the document you use to store content about issues is called an issue log .

A risk register is created when a project carries many moving parts or much risk. The more complex a project is, the more critical it is to create a risk register. However, having a risk register is helpful for any project. Even including a simple spreadsheet in your project plan can help you track and mitigate risks.

Similarly, while a risk register is typically created during the project’s execution phase, it is never too early to begin thinking about risk management. Risk management should start as soon as project planning does. The sooner you create your project risk register, the sooner you will have a thorough document on hand to help you manage and report on risk.

Project managers are typically responsible for creating a project risk register. However, if your project team includes a dedicated risk management professional, such as a PMI Risk Management Professional (PMI-RMP)® credential holder, creating and maintaining the content in the risk register would be their job.

Despite this, every project team member should contribute content to the risk register if possible. One person might be aware of a risk that no one else knows about, and in addition, anyone could potentially be impacted by any risks to the project. As a result, it can help to collaborate in identifying risks and appropriate risk response plans.

There are many ways to go about creating a risk register, and there is no single correct method. You might need to include much detail in your risk register, or you might need a simple tool to help you stay organized. The contents of your risk register should at least capture the following:

• Qualitative and quantitative data about potential risks
• Estimates regarding the potential impact of the risk
• An outline of your established response plan
• Who on the project team will take ownership of the risk

This list is also a helpful general guide to the order in which you should acquire risk information. If you want to get more detailed, the following components can help you break down and organize project risk content on a more granular level:

• Risk Identification: a name or ID number to identify the risk. This element can be as simple as a reference number or letter.
• Risk Description: a brief explanation of the risk event or conditions that may trigger the risk event.
• Risk Probability: the likelihood of a risk event occurring
• Risk Impact/Categories: a description of which categories can impact or be impacted by the risk event, such as schedule, budget, scope, quality, or more.
• Risk Priority: the risk score, which can be determined quantitatively (by multiplying the risk impact and probability) or qualitatively (by putting risks in the order of the highest impact and highest probability)
• Risk Response Plan: a description of the actions you will take to mitigate the effects of a risk event if it occurs
• Risk Ownership: a description of who will become the risk owner and take on the responsibility for deploying and supervising the risk response plan

Now you know what goes into a risk register, let’s go over some recommendations for creating your PMP risk register.

Studying for the PMP Exam?

Over time, you will be able to determine what content you need in your risk register to meet the needs of your specific industry and project types. When you first begin, try using a sample PMP exam risk register such as the Project Management Academy template .

Using a risk register template as a reference will help you familiarize yourself with the process of gathering, calculating, and documenting all the necessary information. As you become more familiar with risk registers, you can adapt these practices to your needs.

Follow these steps to add content to your risk register using the Project Management Academy PMP risk register template as your guide.

1. Identify all potential risks

Your first step in creating a risk register is identifying risks. This step is essential in effective risk management. It can be challenging to identify every single possible risk, but here are some tips to help you add content to your risk register:

• Review historical data. If your organization has run a similar project in the past, there may be common risks to add to your register.
• Check-in with stakeholders. Your project team members, clients, and other stakeholders may be aware of potential risks that you don’t know about, so ensure you ask for their input.
• Do some market research. Market research will help you discover potential external risks, such as supply and demand, common project management issues, or past project information shared by other organizations and project managers.

Once you have identified all potential risks, you can organize your content in a risk breakdown structure.

2. Layout your risk breakdown structure

A risk breakdown structure is a tool to help you organize your risk register. You can use your risk breakdown structure to categorize risks, track data, and compare information about various risks. Examples of risk breakdown structures include charts or spreadsheets structured to classify and compartmentalize project risk content logically.

Keeping an organized risk breakdown structure is critical to risk reporting. Your risk register is the primary tool you will use to track and report project risks to stakeholders.

3. Gather qualitative data about each risk in your risk register

Qualitative project risk data can include your risk identification, risk description, and some or all elements of your risk analysis. For example, a risk description or risk statement can be phrased in the following ways:

• EVENT may occur, causing IMPACT
• If CONDITION exists, EVENT may occur, leading to EFFECT

In this sample content, the capitalized words represent variables on the specific risk you describe.

Risk analysis can be done either qualitatively or quantitatively. Here are some examples of qualitative risk analysis:

• Risk probability : is the chance of a risk event happening low, medium, or high?
• Risk impact/categories : will a category impact or be impacted by a risk event, and is the impact likely to be low, medium, or high?
• Risk priority : how would you describe each risk’s combined probability and impact score? For example, if a risk’s probability is low and its potential impact is medium, its priority is medium-low.

There may be other qualitative components to each risk, but these content elements provide a great starting point to help you break each risk down in more detail.

4. Calculate quantitative data about each risk in your risk register

If you are performing quantitative risk analysis, here are some examples of how you would adjust your approach:

• Risk probability : calculate the likelihood of the risk event or condition occurring and express it as a ratio or percentage.
• Risk impact/categories : score the potential impact of the risk on each of your project’s objectives or categories using a standardized number system.
• Risk priority : multiply the probability by the impact score to calculate a risk priority level.

Risk quantification can help you evaluate your identified risks and develop data to support your decision-making processes.

5. Determine the order of priority for your risk register

Once you have established the risk priority level for each risk event or condition in your risk register, you should order them within your risk breakdown structure by priority level. Arranging your risk register content by order of priority will give you a better picture of your highest-priority risk, any related risk events, and more.

6. Outline your risk response plan

Understanding each risk event’s priority level will also help you determine the urgency for your relevant risk response plans. You should come to a consensus with your project stakeholders about a favorable risk response for each item in your risk register, including identifying the risk owner who will oversee the execution of the risk response plan if the risk becomes an issue.

Ideally, your risk response plan will lower the likelihood of the risk occurring, reduce the impact of each risk on your project categories, or eliminate the risk. Ensure you think about how your risk response plan may impact your project’s budget, timeline, and other categories as well.

Having a risk register to record and track all identified project risks is essential to the success of your project. This crucial tool in the risk management process can help you avoid problems or mitigate their effects on your project outcomes.

Do you want to learn more about risk management for the PMP exam and project management? Read our resources on risk audits in project management or how to apply risk management in your projects .

Risk management is critical in project management. That’s why the Project Management Professional certification and the PMI Risk Management Professional (PMI-RMP)® certification both emphasize practical risk management skills. Get in touch with your Project Management Academy experts to learn how to hone your risk management skills.

Upcoming PMP Certification Training – Live & Online Classes

Erin Aldridge, PMP, PMI-ACP, & CSPO

• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link Understanding Project Management: Basics and Beyond
• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link Understanding and Managing Scope Creep for Project Management Professionals
• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link Mastering the PMP Test: Key Strategies and Tips for Success
• Erin Aldridge, PMP, PMI-ACP, & CSPO #molongui-disabled-link Understanding the Duration of the PMP Exam: A Complete Guide

Popular Courses

PMP Exam Preparation

PMI-ACP Exam Preparation

Lean Six Sigma Green Belt Training

CBAP Exam Preparation

Corporate Training

Project Management Training

Agile Training

Read Our Blog

Press Release

Charitable Contributions

Connect With Us

PMI, PMBOK, PMP, CAPM, PMI-ACP, PMI-RMP, PMI-SP, PMI-PBA, The PMI TALENT TRIANGLE and the PMI Talent Triangle logo, and the PMI Authorized Training Partner logo are registered marks of the Project Management Institute, Inc. | PMI ATP Provider ID #3348 | ITIL ® is a registered trademark of AXELOS Limited. The Swirl logo™ is a trademark of AXELOS Limited | IIBA ® , BABOK ® Guide and Business Analysis Body of Knowledge ® are registered trademarks owned by International Institute of Business Analysis. CBAP ® , CCBA ® , IIBA ® -AAC, IIBA ® -CBDA, and ECBA™ are registered certification marks owned by International Institute of Business Analysis. | BRMP ® is a registered trademark of Business Relationship Management Institute.

Transform teamwork with Confluence. See why Confluence is the content collaboration hub for all teams.  Get it free

• The Workstream
• Project management
• Risk register

What is a risk register and how to create one

Browse topics.

In today’s competitive environment, businesses must deliver products faster and more frequently to maintain an advantage. Executing multiple projects at once can increase risk factors, and identifying, monitoring, and mitigating these risks is critical to meeting your project goals and maintaining customer satisfaction. 

Managing risks, from identifying their potential impact to planning your response, can help keep projects moving forward rather than derailing progress. Successful businesses often rely on a risk register to identify, document, and address risks throughout the project lifecycle. This guide discusses what a risk register is, its basic components, and how to create one.

Get started with a free Confluence risk assessment matrix template .

What is a risk register for project management?

A risk register is a project management tool for evaluating, prioritizing, and addressing risks to projects across your business. It serves as a central repository for identifying risks so project managers and teams can effectively track and mitigate them. Understanding risks and their implications and priorities can help streamline workflows and ensure you keep your projects on track.

Tools that provide a connected workspace are the foundation for implementing an effective risk register. Confluence allows teams to create, edit, and share information in a central repository for an updated, single source of truth. With a risk register template, teams can get started quickly, develop mitigation plans, and track risks throughout the project lifecycle.

Key components of a risk register

Risks come in many forms, including data security, legal compliance, and supply chain issues. A risk register should consider all the potential risks your project may face, no matter what category they fall under.

There are four key components of a risk register:

• Risk identification : Assigning an ID number and name helps track the risk throughout the project timeline . Adding a brief description of the risk keeps everyone on the same page when referencing or working on it.
• Risk assessment : This includes analyzing the risk and assigning it to a category based on schedule, budget, or scope. Identify the likelihood of the risk and its outcome using qualitative impacts, such as customer satisfaction, or quantitative impacts, such as cost. These factors will help you prioritize the risk.
• Risk response : Determine your response to the risk and document it in a risk response plan. Using a central repository such as Confluence for the response plan allows everyone to access and respond according to the plan.

Risk ownership : Assign a knowledgeable owner responsible for the overall risk, including the response plan.

When to use a risk register

It’s never too early to begin using a risk register. Teams often identify risks in the project planning and product discovery phases, which is an excellent time to start tracking, assessing, and strategizing how to address risks. Continue using the risk register throughout the project lifecycle.

Project changes are common, and reassessing risks and looking for new ones should be part of managing change. You should also include the risk register in standard project reviews with stakeholders to keep them informed.

Benefits of using risk registers

Understanding risks early, analyzing their impact, and creating a plan for addressing them can help keep your project on schedule and within budget. The following are some of the benefits of using a risk register.

Proactive risk management

Identifying every risk early might not be possible, but you can identify a large percentage through project collaboration . Teams that include risk identification in each phase of the product and project management lifecycles identify solutions early that they can build into the project plan.

Improved communication

A proactive risk management approach allows teams to coordinate early, understand the goal, and work together to mitigate risks. That way, when new risks arise, teams have a standard process for capturing, analyzing, assigning, and planning the response. Using collaborative tools such as Confluence provides a current source of truth about any risk at any time.

Enhanced decision making

The risk register provides project managers and stakeholders with clear information about each risk and its impact. It reduces or eliminates the guesswork. 

For example, a risk may seem like a high priority when you first identify it, but analysis may reveal that you can mitigate it quickly or easily. On the other hand, a risk that seems fairly low priority when you first identify it may become priority number one after the analysis. The risk register helps focus attention on the most important risks first.

Documentation

Tools such as Confluence help teams collect and maintain all information related to the risk, such as severity, impacts, response plan, and the person responsible, in a single repository. This single source of truth ensures that teams work from the same understanding of the risk, no matter where they’re located or what team they’re on.

Accountability

Assigning an owner to each risk in the register improves productivity by ensuring that the right people are working on the response plan. Scheduling, reviewing, and updating the risk register during project review meetings and throughout the project life cycle maintains a real-time snapshot of progress. It allows you to change priorities or adjust schedules as you resolve risks or new risks arise.

Task management software such as Jira can help track the progress of the work from identification to resolution.

Limitations of risk registers

A clear and easy-to-follow process can help overcome many of a risk register's limitations. However, identifying some risks, such as equipment malfunction, may be difficult, leading to gaps in the risk register.

Risks can evolve, and keeping the register current is important to ensure it reflects the latest information. Training team members on risk assessment, scoring or prioritizing, and providing complete and accurate data helps ensure the effectiveness of the risk register.

How to create a risk register

To create an effective risk register, use a standard process and provide training to the entire team. The following are steps to create and maintain the risk register.

Identify risks

Begin with a brainstorming session that involves the entire team. Different people bring varying perspectives and knowledge to areas others may not have insight into. 

For example, a developer may recognize compatibility issues that require additional software purchases, and finance may see budgetary risks associated with unexpected purchases. External partners may also have first-hand experience and can detail the risks they’ve encountered. During this step, collect as many different perspectives as possible.

Assess risks

Assess the risks using a standard scoring process. Apply the same standard to each risk, whether financial, technical, security, quality or another kind.

• First, determine the probability of the risk occurring using a number scale for high, medium, and low.
• Then, assess the potential impact on the project using the same number scale for high, medium, and low.
• Finally, calculate the risk score by multiplying the probability by the impact.

You can quickly identify high probability/high impact risks by their score and prioritize them first.

Plan risk responses

Develop strategies to reduce the likelihood and impact of each risk. A collaborative team environment can help, as team members bring unique experiences and insights. Plan the specific actions to take if the risk materializes. 

Having an action plan in place allows the team to respond and resolve issues immediately if they materialize, allowing the project to continue. It also provides information for other team members, such as finance, early in the project.

Include high probability/high impact risks in your roadmap software tool to ensure all stakeholders are aware.

Assign risk ownership

Assign an owner who understands the risk's nature and impact in detail. This may be a developer with experience in cybersecurity or a partner relationship manager possessing experience working with suppliers. The owner is responsible for researching additional information or solutions, updating the risk register with new or changing information, and requesting additional resources if necessary.

Monitor and review risks

Keep the risk register updated regularly to ensure it correctly reflects changes to existing risks and progress on the planned actions and captures new risks. The project review meeting should include reviewing the risk register, but having a separate and regular risk register meeting is good practice. 

New risks arise and identified risks change throughout the project. Making the risk register meeting a standard part of the project management lifecycle , including updating Gantt charts and timelines, can reduce surprises and keep the project on track.

Using risk register templates

Using a risk register template allows teams to get started quickly identifying and tracking risks. Confluence risk register template helps teams collect the necessary information, determine the severity and impact, and document the mitigation plan in case the risk becomes a reality. The template you choose should allow you to collaborate in a connected environment and provide the basic building blocks for tracking risks throughout the project lifecycle. With shared information, when risks require action, everyone on the team is aware of the plan and can immediately get to work.

Assess your risk with Confluence for a smoother project journey

What you don’t know, can hurt you. Understanding your project risks and preparing mitigation plans before they arise can make the difference in keeping your project on schedule, ensuring product quality, and maintaining your budget. 

Confluence organizes knowledge across teams, projects, and goals, bringing order to chaos. It allows you to find what you want, and discover what you need. With company-wide and project-related knowledge in a centralized place, surfacing important information has never been easier. Collaboration through real-time editing and inline comments allows the entire team to maintain velocity and move the business forward, as well as easily share information with the broader organization. 

The Confluence risk assessment matrix template helps fast-track the process. It walks you through identifying and assessing risks, developing a planned approach, documenting ownership, and tracking changes. Get started for free.

You may also like

Project poster template.

A collaborative one-pager that keeps your project team and stakeholders aligned.

Project Plan Template

Define, scope, and plan milestones for your next project.

Enable faster content collaboration for every team with Confluence

Copyright © 2024 Atlassian

The Essentials of Effective Project Risk Assessments

By Kate Eby | September 19, 2022

• Share on Facebook
• Share on LinkedIn

Link copied

Performing risk assessments is vital to a project’s success. We’ve gathered tips from experts on doing effective risk assessments and compiled a free, downloadable risk assessment starter kit. 

Included on this page, you’ll find details on the five primary elements of risk , a comprehensive step-by-step process for assessing risk , tips on creating a risk assessment report , and editable templates and checklists to help you perform your own risk assessments.

What Is a Project Risk Assessment?

A project risk assessment is a formal effort to identify and analyze risks that a project faces. First, teams identify all possible project risks. Next, they determine the likelihood and potential impact of each risk.

During a project risk assessment, teams analyze both positive and negative risks. Negative risks are events that can derail a project or significantly hurt its chances of success. Negative risks become more dangerous when teams haven’t identified them or created a plan to deal with them.

A project risk assessment also looks at positive risks. Also called opportunities, positive risks are events that stand to benefit the project or organization. Your project team should assess those risks so they can seize on opportunities when they arise.

Your team will want to perform a project risk assessment before the project begins. They should also continually monitor for risks and update the assessment throughout the life of the project.

Some experts use the term project risk analysis to describe a project risk assessment. However, a risk analysis typically refers to the more detailed analysis of a single risk within your broader risk assessment. For expert tips and information, see this comprehensive guide to performing a project risk analysis. 

Project risk assessments are an important part of project risk management. Learn more from experts about best practices in this article on project risk management . For even more tips and resources, see this guide to creating a project risk management plan .

How Do You Assess Risk in a Project?

Teams begin project risk assessments by brainstorming possible project risks. Avoid missing important risks by reviewing events from similar past projects. Finally, analyze each risk to understand its time frame, probability, factors, and impact.  

Your team should also gather input from stakeholders and others who might have thoughts on possible risks. 

In general terms, consider these five important elements when analyzing risks:

• Risk Event: Identify circumstances or events that might have an impact on your project. 
• Risk Time Frame: Determine when these events are most likely to happen. This might mean when they happen in the lifecycle of a project or during a sales season or calendar year. 
• Probability: Estimate the likelihood of an event happening. 
• Impact: Determine the impact on the project and your organization if the event happens. 
• Factors: Determine the events that might happen before a risk event or that might trigger the event.

Project Risk Assessment Tools

Project leaders can use various tools and methodologies to help measure risks. One option is a failure mode and effects analysis. Other options include a finite element analysis or a factor analysis and information risk.

These are some common risk assessment tools:

• Process Steps: Identify all steps in a process.
• Potential Problems: Identify what could go wrong with each step.
• Problem Sources: Identify the causes of the problem.
• Potential Consequences: Identify the consequences of the problem or failure.
• Solutions: Identify ways to prevent the problem from happening.
• Finite Element Analysis (FEA): This is a computerized method for simulating and analyzing the forces on a structure and the ways that a structure could break. The method can account for many, sometimes thousands, of elements. Computer analysis then determines how each of those elements works and how often the elements won’t work. The analysis for each element is then added together to determine all possible failures and the rate of failure for the entire product.
• Factor Analysis of Information Risk (FAIR): This framework helps teams analyze risks to information data or cybersecurity risk.

How to Conduct a Project Risk Assessment

The project manager and team members will want to continually perform risk assessments for a project. Doing good risk assessments involves a number of steps. These steps include identifying all possible risks and assessing the probability of each.

Most importantly, team members must fully explore and assess all possible risks, including risks that at first might not be obvious.

“The best thing that a risk assessment process can do for any project, over time, is to be a way of bringing unrecognized assumptions to light,” says Mike Wills , a certified mentor and coach and an assistant professor at Embry-Riddle Aeronautical University’s College of Business. “We carry so many assumptions without realizing how they constrain our thinking.”

Steps in a Project Risk Assessment

Experts recommend several important steps in an effective project risk assessment. These steps include identifying potential risks, assessing their possible impact, and formulating a plan to prevent or respond to those risks.

Here are 10 important steps in a project risk assessment:

Step 1: Identify Potential Risks

Bring your team together to identify all potential risks to your project. Here are some common ways to help identify risks, with tips from experts:

• Review Documents: Review all documents associated with the project.
• Consider Industry-Specific Risks: Use risk prompt lists for your industry. Risk prompt lists are broad categories of risks, such as environmental or legal, that can occur in a project.
• Revisit Previous Projects: Use checklists from similar projects your organization has done in the past. 

• “What I like to do for specific types of projects is put together a checklist, a taxonomy of old risks that you've identified in other projects from lessons learned,” says Wendy Romeu, President and CEO of Alluvionic . “Say you have a software development program. You would pull up your template that includes all the risks that you realized in other projects and go through that list of questions. Then you would ask: ‘Do these risks apply to our project?’ That's kind of a starting point.” “You do that with your core project team,” Romeu says, “and it gets their juices flowing.” Learn more about properly assessing lessons learned at the end of a project in this comprehensive guide to project management lessons learned .
• Consult Experts: Conduct interviews with experts within and, in some cases, outside your organization.
• Brainstorm: Brainstorm ideas with your team. “The best scenario, which doesn't usually happen, is the whole team comes together and identifies the risks,” says Romeu.
• Stick to Major Risks: Don’t try to identify an unrealistic or unwieldy number of risks. “You want to identify possible risks, but you want to keep the numbers manageable,” says Wills. “The more risks you identify, the longer you spend analyzing them. And the longer you’re in analysis, the fewer decisions you make.”
• Look for Positive Risks: Identify both positive risks and negative ones. It’s easy to forget that risks aren’t all negative. There can be unexpected positive events as well. Some people call these opportunities , but in a risk assessment, experts call them positive risks. 

• “A risk is a future event that has a likelihood of occurrence and an impact,” says Alan Zucker, founding principal of Project Management Essentials , who has more than two decades of experience managing projects in Fortune 100 companies. “Risks can both be opportunities — good things — and threats. Most people, when they think about risk assessment, they always think about the negatives. I really try to stress on people to think about the opportunities as well.” Opportunities, or positive risks, might include your team doing great work on a project and a client wanting the team to do more work. Positive risks might include a project moving forward more quickly than planned or costing less money than planned. You’ll want to know how to respond in those situations, Zucker says. Learn more about project risk identification and find more tips from experts in this guide to project risk identification .

Step 2: Determine the Probability of Each Risk

After your team has identified possible risks, you will want to determine the probability of each risk happening. Your team can make educated guesses using some of the same methods it used to identify those risks.

Determine the probability of each identified risk with these tactics:

• Brainstorm with your team.
• Interview experts.
• Review similar past projects.
• Review other projects in the same industry.

Step 3: Determine the Impact of Each Risk

Your team will then determine the impact of each risk should it occur. Would the risk stop the project entirely or stop the development of a product? Or would the risk occurring have a relatively minor impact?

Assessing impact is important because if it’s a positive risk, Romeu says, “You want to make sure you’re doing the things to make it happen. Whereas if it's a high risk and a negative situation, you want to do the things to make sure it doesn't happen.”

There are two ways to measure impact: qualitative and quantitative. “Are we going to do just a qualitative risk assessment, where we're talking about the likelihood and the probability or the urgency of that risk?” asks Zucker. “Or are we going to do a quantitative risk assessment, where we're putting a dollar figure or a time figure to those risks?”

Most often, a team will analyze and measure risk based on qualitative impact. The team will analyze risk based on a qualitative description of what could happen, such as a project being delayed or failing. The team may judge that impact as significant but won’t put a dollar figure on it.

A quantitative risk assessment, on the other hand, estimates the impact in numbers, often measured in dollars or profits lost, should a risk happen. “Typically, for most projects, we don’t do a quantitative risk assessment,” Zucker says. “It’s usually when we’re doing engineering projects  or big, federal projects. That’s where we're doing the quantitative.”

Step 4: Determine the Risk Score of Each Event

Once your team assesses possible risks, along with the risk probability and impact, it’s time to determine a risk score for each potential event. This score allows your organization to understand the risks that need the most attention.

Often, teams will use a simple risk matrix to determine that risk score. Your team will assign a score based on the probability of each risk event. It will then assign a second score based on the impact that event would have on the organization. Those two figures multiplied will give you each event or risk a risk score.

Zucker says he prefers to assign the numbers 1, 5, and 10 — for low, medium, and high — to both the likelihood of an event happening and its impact. In that scenario, an event with a low likelihood of happening (level of 1) and low impact (level of 1) would have a total risk score of 1 (1 multiplied by 1). An event with a high likelihood of happening (level of 10) and a large impact (level of 10) would have a total risk score of 100.

Zucker says he prefers using those numbers because a scale as small as one to three doesn't convey the importance of high-probability and high-impact risks. “A nine doesn't feel that bad,” he says. “But if it's 100, it's like, ‘Whoa, I really need to worry about that thing.’”

While these risk matrices use numbers, they are not really quantitative. Your teams are making qualitative judgments on events and assigning a rough score. In some cases, however, teams can determine a quantitative risk score.

Your team might determine, based on past projects or other information, that an event has a 10 percent chance of happening. For example, if that event will diminish your manufacturing plant’s production capacity by 50 percent for one month, your team might determine that it will cost your company $400,000. In that case, the risk would have a risk score of $40,000.

At the same time, another event might have a 40 percent chance of happening. Your team might determine the cost to the business would be $10,000. In that case, the risk score is $4,000.

“Just simple counts start to give you a quantifiable way of looking at risk,” says Wills. “A risk that is going to delay 10 percent of your production capacity is a different kind of risk than one that will delay 50 percent of it. Because you have a number, you can gather real operational data for a week or two and see how things support the argument. You can start to compare apples to apples, not apples to fish.”

Wills adds, “Humans, being very optimistic and terrible at predicting the future, will say, ‘Oh, I don't think it'll happen very often.’ Quantitative techniques help to get you away from this gambler fallacy kind of approach. They can make or break your argument to a stakeholder that says, ‘I've looked at this, and I can explain mechanically, count by the numbers like an accountant, what's going on and what might go wrong.’”

Step 5: Understand Your Risk Tolerance

As your team considers risks, it must understand the organization’s risk tolerance. Your team should know what kinds of risks that organizational leaders and stakeholders are willing to take to see a project through.

Understanding that tolerance will also help your team decide how and where to invest time and resources in order to prevent certain negative events.

Step 6: Decide How to Prioritize Risks

Once your team has determined the risk score for each risk, it will see which potential risks need the most attention. These are risks that are high impact and that your organization will want to work hard to prevent.

“You want to attack the ones that are high impact and high likelihood first,” says Romeu. 

“Some projects are just so vital to what you do and how you do it that you cannot tolerate the risk of derailment or major failure,” says Wills. “So you're willing to spend money, time, and effort to contain that risk. On other projects, you're taking a flier. You're willing to lose a little money, lose a little effort.”

“You have to decide, based on your project, based on your organization, the markets you're in, is that an ‘oh my gosh, it's gonna keep me up every night’ kind of strategic risk? Or is it one you can deal with?” he says.

Step 7: Develop Risk Response Strategies

Once your team has assessed all possible risks and ranked them by importance, you will want to dive deeper into risk response strategies. That plan should include ways to respond to both positive and negative risks.

These are the main strategies for responding to threats or negative risks:

• Mitigate: These are actions you will take to reduce the likelihood of a risk event happening or that will reduce the impact if it does happen. “For example, if you’re building a datacenter, we might have backup power generators to mitigate the likelihood or the impact of a power loss,” says Zucker. You can learn more, including more tips from experts, about project risk mitigation .
• Avoid: If a certain action, new product, or new service carries an unacceptably high risk, you might want to avoid it entirely. 
• Transfer: The most common way that organizations transfer risk is by buying insurance. A common example is fire insurance for a building. Another is cybersecurity insurance that would cover your company in the event of a data breach. An additional option is to transfer certain risks to other companies that can do the work and assume its risks for your company. “It could be if you didn't want to have the risk of running a datacenter anymore, you transfer that risk to Jeff Bezos (Amazon Web Services) or to Google or whoever,” Zucker says.

These are the main strategies for responding to opportunities or positive risks:

• Share: Your company might partner with another company to work together on achieving an opportunity, and then share in the benefits.
• Exploit: Your company and team work hard to make sure an event happens because it will benefit your company.
• Enhance: Your company works to improve the likelihood of something happening, with the understanding that it might not happen.

These are the main strategies for responding to both threats and opportunities, or negative and positive risks:

• Accept: Your company simply accepts that a risk might happen but continues on because the benefits of the action are significant. “You're not ignoring the risks, but you're saying, ‘I can't do anything practical about them,’” says Wills. “So they're there. But I'm not going to spend gray matter driving myself crazy thinking about them.”
• Escalate: This is when a project manager sees a risk as exceptionally high, impactful, and beyond their purview. The project manager should then escalate information about the risk to company leaders. They can then help decide what needs to happen. “Some project managers seem almost fearful about communicating risks to organization leaders,” Romeu says. “It drives me nuts. It's about communicating at the right level to the right people. At the executive level, it’s about communicating what risks are happening and what the impact of those risks are. If they happen, everybody knows what the plan is. And people aren't taken by surprise.”

Step 8: Monitor Your Risk Plans

Your team will want to understand how viable your organization’s risk plans are. That means you might want to monitor how they might work or how to test them.

A common example might be all-hands desktop exercises on a disaster plan. For example, how will a hospital respond to a power failure or earthquake? It’s like a fire drill, Zucker says. “Did we have a plan? Do people know what to do when the risk event occurs?”

Step 9: Perform Risk Assessments Continually

Your team will want to continually assess risks to the project. This step should happen throughout your project, from project planning to execution to closeout. 

Zucker explains that the biggest mistake teams tend to make with project risk assessment: “People think it's a one-and-done event. They say, ‘I’ve put together my risk register, we’ve filed it into the documents that we needed to file, and I'm not worrying about it.’ I think that is probably the most common issue: that people don't keep it up. They don't think about it.”

Not thinking about how risks change and evolve throughout a project means project leaders won’t be ready for something when it happens. That’s why doing continual risk assessment as a primary part of risk management is vital, says Wills.

“Risk management is a process that should start before you start doing that activity. As you have that second dream about doing that project, start thinking about risk management,” he says. “And when you have completely retired that thing — you've shut down the business, you've pensioned everybody off, you’re clipping your coupons and working on your backstroke — that's when you're done with risk management. It's just a living, breathing, ongoing thing.”

Experts say project managers must learn to develop a sense for always assessing and monitoring risk. “As a PM, you should, in every single meeting you have, listen for risks,” Romeu says. “A technical person might say, ‘Well, this is going to be difficult because of X or Y or Z.’ That's a risk. They don't understand that's a risk, but as a PM, you should be aware of that.”

Step 10: Identify Lessons Learned

After your project is finished, your team should come together to identify the lessons learned during the project. Create a lessons learned document for future use. Include information about project risks in the discussion and the final document.

By keeping track of risks in a lessons learned document, you allow future leaders of similar projects to learn from your successes and failures. As a result, they can better understand the risks that could affect their project.

“Those lessons learned should feed back into the system — back into that original risk checklist,” Romeu says. “So the next software development project knows to look at these risks that you found.”

How to Write a Project Risk Assessment Report

Teams will often track risks in an online document that is accessible to all team members and organization leaders. Sometimes, a project manager will also create a separate project risk assessment report for top leaders or stakeholders.

Here are some tips for creating that report:

• Find an Appropriate Template for Your Organization, Industry, and Project: You can find a number of templates that will help guide you in creating a risk assessment report. Find a project risk assessment report template in our project risk assessment starter kit.
• Consider Your Audience: As you create the report, remember your audience. For example, a report for a technical team will be more detailed than a report for the CEO of your company. Some more detailed reports for project team members might include a full list of risks, which would be 100 or more. “But don't show executives that list; they will lose their mind,” says Romeu.

Project Risk Assessment Starter Kit

Download Project Risk Assessment Starter Kit

This starter kit includes a checklist on assessing possible project risks, a risk register template, a template for a risk impact matrix, a quantitative risk impact matrix, a project risk assessment report template, and a project risk response table. The kit will help your team better understand how to assess and continually monitor risks to a project.

In this kit, you’ll find: 

• A risk assessment checklist PDF document and Microsoft Word to help you identify potential risks for your project. The checklist included in the starter kit is based on a document from Alluvionic Project Management Services.
• A project risk register template for Microsoft Excel to help you identify, analyze, and track project risks.
• A project risk impact assessment matrix for Microsoft Excel to assess the probability and impact of various risks.
• A quantitative project risk impact matrix for Microsoft Excel to quantify the probability and impact of various risks. 
• A project risk assessment report template for Microsoft Excel to help you communicate your risk assessment findings and risk mitigation plans to company leadership.
• A project risk response diagram PDF document and Microsoft Word to better understand how to respond to various positive and negative risks.

Expertly Assess and Manage Project Risks with Real-Time Work Management in Smartsheet 

Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. 

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time.  Try Smartsheet for free, today.

Discover why over 90% of Fortune 100 companies trust Smartsheet to get work done.

• Skip to primary navigation
• Skip to main content
• Skip to primary sidebar
• Skip to footer

Ten Six Consulting

Project and Earned Value Management, Primavera P6 & Deltek Cobra & Acumen Services

How to Design A Risk Register

August 12, 2020 By Ten Six

Project risk management is a hot topic here: it seems like every week there’s a world event or shift in the markets that could disrupt (or benefit) projects across a range of industries.

The core of all risk management across your organization is to have a robust risk register. But how do you create one?

Spoiler alert: The easiest way to create a project risk register is to use enterprise project management tools with built-in risk management features. That will save you the job of creating your own risk registers that are not integrated with your main project management tools.

What is a risk register?

A risk register is simply a log of all risks facing a project. At program and portfolio level, it is a log of all risks facing the program and portfolio. You can have risk registers at any level, in fact, including enterprise-wide registers.

The risk register is a dynamic document. It is created at project initiation, drawing on the main risks highlighted in the business case or project proposal. It’s kept up to date throughout the project as new risks are identified, risk management actions are completed and risks expire or are closed.

A risk management workshop will help the project team identify risks at the current point in the project. Workshops are helpful because they ensure a wide range of stakeholders has the opportunity to contribute to the risk data. Information from the workshop is then recorded in the risk register.

The design principles for your risk register should include:

• It has to be easy to use
• It has to be accessible by the right people
• It has to provide data in a format that helps decision making.

What’s the purpose of a risk register?

The risk register is an agreed record of the project risks at any given moment, along with the tasks being undertaken to manage those risks.

The risk register facilitates ownership of all risks. It ensures someone is taking responsibility for the management of associated actions. Whether the action is ‘do nothing’ and simply have a watching brief over the task, or to undertake detailed steps to mitigate the risk, someone has to be in overall control for that risk. They should be reporting progress on their actions back to the project manager, so that at a project level there can be confidence that risks are being adequately managed.

Tip: As a project manager, avoid taking responsibility for all the risk management actions. Ideally, these should be managed by subject matter experts who can report back.

Remember, risks can have a positive or negative affect on the project, so risk management actions could either be to enhance the risk should it happen, or to minimize the impact.

What goes into a risk register?

When designing your risk register, you should include the following elements:

• A unique identifier for the risk, typically a number or other short reference
• A title for the risk
• A description of the risk
• The results of the risk assessment and any Monte Carlo analysis
• The areas of the business or operations affected
• A categorization or classification for the risk ( learn the 5 ways to classify risk )
• The action plan proposed and approved to manage the risk, along with updates tracking those actions have been undertaken as expected
• The dates the risk was opened and closed.

Most software for risk management will have these fields already created and ready for you to populate. You may also be able to create new fields to use to capture any information particularly relevant to your situation and not covered by the existing template.

What format to use?

Risk registers can take any format, as long as they cover the core data elements required and are accessible to the team who needs to use them. The two most common formats for risk register are spreadsheets and risk management software.

A spreadsheet is simple to set up and relatively easy to maintain. However, risk management software has the advantage that you lock down permissions. Access controls make it possible for only the appropriate people to go in and make changes. You could allow the project manager access to all records, and risk owners access to change their own records – but no one else can go into the risk data and amend it.

Risk management software also benefits from being easier to use for analysis. The data is typically stored in database tables behind the scenes so you can display the risk information in a number of ways. It can be easier to manipulate data and show, for example, number of risks per category. If you have many projects using the software, you could also aggregate risks across a number of projects to see the risk portfolio at a higher level.

The benefits of using the risk management features in enterprise project management software become quickly apparent if you want to aggregate risks from all projects, programs and portfolios to assess the risk profile of the enterprise.

You can still do that type of data analysis using the data from your risk spreadsheet, but it’s time consuming and requires data management skills that perhaps your project team do not have.

A risk management checkup can clarify if you could be using your software more efficiently and give you tips on how to improve the quality of your risk register.

The risk management process on projects, programs, at portfolio level and across your whole enterprise should be seen as a value-add service. The better prepared you are for what might happen, the easier it is to shift and pivot when challenges arise. A robust approach to risk management across the organization will help improve decision making and support successful project delivery.

Upcoming Classes

• Join Our Mailing List
• Name This field is for validation purposes and should be left unchanged.
• Primavera P6 Training
• Deltek Training
• Earned Value Management Training
• Project Management Training
• Open Training Class Dates
• Scheduling Services
• RFP Support
• Your EVM System
• Certification
• Data Analysis and Reporting
• Post Contract Support
• Staff Augmentation
• WBS Guidelines for Government Acquisition Programs (MIL-STD 881D)
• Knowledge Transfer, Mentoring and Coaching
• BI Publisher Services
• Primavera Unifier
• Knowledge Transfer, Coaching and Mentoring
• Microsoft Project to Primavera P6 Conversion Services
• Building an Integrated Master Schedule (IMS)
• Integrating Microsoft Project with Deltek Cobra
• Migrating From Microsoft Project To Oracle Primavera P6
• Deltek Acumen
• Deltek Cobra
• Earned Value Mgmt
• Microsoft Project
• Primavera P6
• Project Management
• Risk Management

How to Create a Risk Management Plan for Your Project

Industry Advice Management

A project manager has many responsibilities within their organization, all of which revolve around initiating, planning, executing, monitoring, and controlling projects that deliver on various strategic goals. 

While each of these discrete steps in the project life cycle is critical in its own right, the planning phase is perhaps the most impactful in how it can determine the success—or failure—of all of the phases that come after it. It’s for this reason that project managers are responsible for creating various plans for the projects they helm.

While the project plan is often considered the most important of these plans, it is not the only one. A number of subsidiary plans are also recommended and, in many cases, required. 

The risk management plan is one of the most crucial of these subsidiary plans, as it forces the project manager to plan for potential disruptions and opportunities the project may encounter. Below, we define what “risk” means in terms of project management, take a look at what the risk management plan actually is, and walk through steps you can follow to create a risk management plan for your next project. 

Download Our Free Guide to Advancing Your Project Management Career

Learn what you need to know, from in-demand skills to the industry’s growing job opportunities.

DOWNLOAD NOW

What is project risk?

When it comes to project management, the term “ risk ” specifically refers to factors or events which might influence the final outcome of the project. 

Some of the most common project risks are those which impact a project’s constraints . This includes the triple constraint of a project’s cost or budget, its timeline or schedule, and its scope—all of which can affect the final quality or performance of the project. Yet there are many other kinds of risk that project managers should be aware of, as well, and the risk management plan is used to identify each of these potential disruptors. 

While risk is often assumed to be a negative, it is important to note that project risk can also occasionally be positive, depending on how the event impacts the project. 

For Example: Consider a project that is heavily dependent upon the price of oil. In creating their project’s budget, the project manager would likely look to oil’s historical prices, and use those figures to forecast the project’s budget. If the cost of oil were to suddenly and unexpectedly drop, however (as it did during the depths of the Coronavirus lockdowns ), then the project would likely come in under budget. This is technically a positive risk, because it is an event which led to a positive outcome for the project.

Project manager’s should aim to understand not only the negative risks which might impact their project, but the positive risks as well, says Connie Emerson , assistant teaching professor for Northeastern’s Master of Science in Project Management program. 

She explains that by understanding those potential positive events, project managers can take steps to increase the probability of them occurring so that the project can take advantage of that and realize the benefits.

What is a risk management plan?

A risk management plan is a subsidiary plan which is usually created in tandem with a project plan. This plan outlines the approach for how the project team is going to conduct risk work , or those tasks related to project risk.

“By creating a risk management plan, you are seeking to understand how you are rating risks, how much risk your stakeholders will tolerate, how you will pay for risks in the event they become a reality, and more,” Emerson says. “So it’s critical to have conversations about your general approach, as a team, to risk work and also making sure that your key stakeholders agree.”

Risk Management Plan vs. Risk Register

Emerson notes that it’s important for project managers to understand that, while some individuals will use the terms interchangeably, the risk management plan and the risk register are in fact separate documents, though they are related and each is important to the success of the project.

While the risk management plan outlines your team’s risk management process and approach to handling risk work, Emerson says that “the risk register is your list of risks, your analysis of those risks, and what you are planning to do about them.”

Emerson goes on to note that while you might apply your risk management plan to several different projects, the risk register should be tailored to the specifics of a given project. 

How to Create a Risk Management Plan & Risk Register

1. define your approach through the risk management plan..

The first step in creating a risk management plan is to outline the methods that you and your team will use to identify, analyze, and prioritize risk. You should aim to answer the following questions:

• How are we going to identify risks to the project?
• What techniques are we going to use to analyze those risks?
• How will we decide what to do in the event a risk becomes a reality?
• What is the communication plan for a risk event?
• Which stakeholders should be kept apprised of project risks?

You should also determine how you will communicate with key stakeholders about risk, as well as how you will respond to risk if and when it materializes. 

Emerson notes that this is also the point in the process where you should identify the key stakeholders for your project and work to measure their levels of risk tolerance. Just as an investment advisor should tailor their investment strategy to the risk tolerance of their clients, a project manager should tailor their risk management strategy to the risk tolerance of their project’s stakeholders. 

2. Use your risk management plan to create your risk register.

Once you have answered all of the questions above, crafted a risk strategy, and codified it in your risk management plan, you will then use that methodology to create a risk register for the project you are currently working on. 

While it’s important to be thorough in creating your risk register, Emerson notes that perfection can sometimes be the enemy of progress. Instead of viewing risk work as an item which must be crossed off of a checklist before a project can begin, Emerson recommends that project managers view it as an ongoing, iterative process.

“You don’t just create your risk register and then be done with it,” Emerson says. “It’s something you actively manage and modify throughout your project. This keeps you agile, while also allowing the project to actually begin. If you approach your risk register like something that must be exhaustive before the project can kick off, you’ll be doing risk work forever, and the project will never get done.”

3. Identify risk events and the potential impact of those risks. 

The next step is to actually go about identifying risk events for your project, which will form the basis for your project’s risk register.  

“Ask yourself: What are the risks?” Emerson says. “Some people might say, ‘Well, we might miss a date, and that’s a risk.’ But that’s not really a risk. That’s an impact of a risk. So why might we miss the date? What’s the root cause for that impact? If you can understand the root cause that drives a risk event, it’s possible to preempt it before it becomes an issue.”

Emerson notes that it is important not just to think about potential risks, but also the impact that risk might have on the project.

“When I’m writing my risk statements, I’m usually thinking: Because of X [event], Y [risk] might occur, causing a Z [impact],” she says.

It’s important at this stage to also review your list of potential risks with other members of your team, key stakeholders, key vendors and suppliers, and even subject matter experts who aren’t a part of your team. Each of these individuals will bring their own point of view to the challenge of identifying risk, which can ensure that you haven’t missed anything with the potential to affect your project.

4. Analyze, prioritize, and assign risk. 

Once you have built out a thorough list of all of the risks associated with your project, the next step would be to analyze those risks. 

“There are lots of ways to analyze risk, both qualitatively and quantitatively,” Emerson says. “For many companies, qualitative analysis is enough because you’re just trying to decide if you need to actively do something about a risk, or if you can just keep an eye on it.”

Exactly how you analyze your project risks will be dependent on the situation you find yourself in. Emerson notes that many organizations will grade risks based on probability and impact, and use those two scores to determine which risks warrant the most effort to control. Those risks which score high on both probability and impact are logically often prioritized in risk management plans, while those that score low on both probability and impact are deprioritized.

Using this understanding, you might then assign each member of your team one or several risks which they are responsible for monitoring and assessing throughout the course of your project.

5. Plan your risk response. 

Armed with your prioritized list of risks, it is now possible to plan the responsive action that you will take in the event that a risk becomes a reality.

“It’s a matter of using that analysis to guide what you do about the risk and trying to match your response to the risk,” Emerson says. “If it’s a little risk, you don’t want to spend millions of dollars dealing with it. At the same time, you don’t want to under-prepare either.”

Emerson notes that while risk work may seem reactive, a skilled project manager will be proactive in recognizing and minimizing risks before they become an active issue capable of derailing a project. 

6. Monitor and adjust accordingly.

Once you’ve identified your risks, prioritized them, and planned your response, the final step is to monitor your risk throughout the course of the project, says Emerson. Keep your risk register up to date, adding or removing risk events as necessary as the project unfolds. 

Additionally, after a project is completed, revisit your risk management plan and ask yourself: What worked? What didn’t? Is there anything that you can learn from the project that will allow you to adjust your risk management strategy to avoid similar issues in the future?

Emerson goes on to explain that if a risk event occurs, pay attention to it. Identify what happened, how you responded to it, how it impacted the project, etc. All of these insights can make you more effective at risk management in future projects.

Learning to Manage Risk

All projects will contain at least some level of risk. While a project manager cannot possibly prevent all risk events from occurring, it is the project manager’s duty to identify and plan for risk when possible. As such, risk management is a crucial skill for any current or aspiring project manager to develop.  

It’s for this reason that the Master of Science in Project Management at Northeastern emphasizes risk management as a central piece of the core curriculum required to complete the degree. Paired with courses on project scope management, project quality management, and project scheduling and cost planning, the program aims to train students who will graduate ready to immediately put their education into action managing projects.

To learn how a master’s degree in project management can help advance your career, download our free guide to breaking into the industry below.

Subscribe below to receive future content from the Graduate Programs Blog.

About scott w. o'connor, related articles.

Master’s in Project Management or MBA: What’s the Difference?

6 Project Management Trends Emerging in 2023

Master’s Degree Comparison: Sports Leadership vs. Sports Management

Did you know.

Employers will need to fill 2.2 million new project-oriented roles each year through 2027. (PMI, 2017)

Master of Science in Project Management

Behind every successful project is a leader who forged its path.

Most Popular:

Tips for taking online classes: 8 strategies for success, public health careers: what can you do with an mph, 7 international business careers that are in high demand, edd vs. phd in education: what’s the difference, 7 must-have skills for data analysts, in-demand biotechnology careers shaping our future, the benefits of online learning: 8 advantages of online degrees, how to write a statement of purpose for graduate school, the best of our graduate blog—right to your inbox.

Stay up to date on our latest posts and university events. Plus receive relevant career tips and grad school advice.

By providing us with your email, you agree to the terms of our Privacy Policy and Terms of Service.

Keep Reading:

Top Higher Education Conferences To Attend in 2024

Grad School or Work? How To Balance Both

Is a Master’s in Computer Science Worth the Investment?

Should I Go to Grad School: 4 Questions To Consider

Project risk assessment: an example with a risk matrix template

“Begin with the end in mind” (Stephen Covey) is to say, “Think first what could go wrong.”

A project is a collection of interconnected tasks that are bound to specific timelines, resources, and deliverables. Any task could carry a certain uncertainty (risk) that, if it happens, could affect the project’s success. In this regard, project risk comprises two factors: the probability of happening and the consequences if it does.

While you cannot avoid risks entirely, with the help of risk management methods, such as the project risk assessment matrix, you can evaluate the potential damages caused by those risks. And consequently—increase the likelihood of successful project completion.

Today, you are going to learn about:

What is a project risk assessment?

What is a project risk matrix.

• How to create a risk matrix template for your project.
• How to visualize project risks on a risk matrix.
• Types of risks in project management.

A project risk assessment is a process that aims to gain a deeper understanding of which project tasks, deliverables, or events could influence its success. Through the assessment process, you identify potential threats to your project and analyze consequences in case they occur.

Risk assessment takes on many forms. It could be a simple matrix or a database using sophisticated algorithms. In this article, we will focus on a risk assessment matrix.

A project risk matrix, also known as a Probability and Severity risk matrix, is a graphical risk analysis tool in the form of a table (matrix). It is typically square, but some risk matrices are rectangular or circular. A risk matrix gives you a quick view of project risks and their consequences’ severity (impact). You use it to allocate ratings for each risk based on two intersecting factors:

• The  likelihood  (or probability) of a risk to occur (x-axis).
• The  impact  (or severity) if a risk occurs (y-axis).

The higher a risk ranks for these two factors, the bigger threat it poses to your project.

The bottom-left corner of the matrix is where the likelihood and impact of a risk occurring are very low. On the opposite side, in the top-right corner, the likelihood and the impact are the highest. In short, when the likelihood increases, the risk moves to the right; if the impact increases, then the risk moves up.

To denote the threat level, many risk maps feature a red-yellow-green color-coding that indicates whether risks are significant-, moderate- or low-level concerns respectively. (Hence why risk matrices are often called risk heatmaps.) You may also come across risk heatmaps that use different shades of one color instead of red-yellow-green.

Once you assess the likelihood and impact of each risk, you will be able to prioritize and prepare for them accordingly.

Risk matrix template: create a risk matrix for your project 

A risk matrix is a useful tool for project planning that you can create in just a few steps. In this article, we will create a risk assessment form and a respective 5×5 risk matrix template for a construction project.

Step 1. Identify project risks

Start by brainstorming and analyzing potential risks and opportunities related to your project scope. Leave no risk behind. Depending on your organization and project, your list of risks might include several types of risks, such as cost, environmental, and legal risks.

(You will find a comprehensive list of risk types at the end of this article).

Hint : If you are not a huge fan of lists and prefer visual methods, you can follow a  work breakdown structure  style to identify and categorize your risks. Or, in other words, you could create a sort of “risk breakdown structure” for your project. Take a look at the example below.

Step 2: Determine the risk likelihood

In this step, you need to identify the likelihood of a given risk happening. ​​On a 5×5 matrix, you express the  likelihood scale  on 5 levels:

• 1  – (Very unlikely): A very slim chance for this risk to occur.
• 2  –  (Not likely): Low chances for this risk to occur.
• 3  – (Possible): Fifty-fifty chances for this risk to occur.
• 4  – (Probable): Good chances for this risk to occur.
• 5  – (Very likely): You can bet this risk will occur at some point.

Step 3. Define the impact scale

Next, you rank your risks based on the impact they would cause on your project if they occur. The  impact scale  also has 5 levels:

• 1  – (Negligible): This risk will hardly impact your project.
• 2  –  (Low): You can easily handle the consequences of this risk.
• 3  – (Moderate): It will take some time and effort to mitigate the consequences of this risk.
• 4  – (Significant): This risk could cause long-term consequences that will be hard to recover from.
• 5  – (Catastrophic): The impact of this risk might wreck your project.

Step 4. Calculate the risk rating

Assign each risk a corresponding risk rating based on the likelihood and impact you have already identified. For example, a project risk that is very likely to happen and will cause major safety hazards will receive a higher risk rating than a risk that is unlikely to occur and will cause very minor harm.

The formula for the risk rating is as follows:

Likelihood x impact = Risk rating

e.g., Likelihood (4) x Impact (5) = Risk rating (20)

(A risk with such a high rating could threaten your project, therefore you should monitor it closely.)

Since we work on a 5×5 matrix, the risk rating values will range from 1 to 25.

• 1 – 6  (Low): Low-rating risks most likely will not happen. If they do, they will not be a threat to your project.
• 7 – 12  (Medium): Some medium-rating risks might happen at some point. You do not need to prioritize them but you should not ignore them either.
• 13 – 25  (High): High-rating risks are serious and very likely to happen threats. They can cause your project to go off the rails, so you should keep them in mind when planning your project.

Step 5. Draw your risk matrix

To draw a risk matrix, extract the data from the risk assessment form and plug it into the matrix accordingly. In our example, we identified risks for which 5 levels of likelihood and 5 levels of impact were sufficient. Therefore, we get the 5×5 matrix that looks like this:

The risk ratings in the lower-left quadrants are the lowest, therefore they have a green color; the ratings in the upper-right quadrants are the highest—hence the red color.

Important notes on creating a risk matrix template

The 5×5 template we have created in the previous steps is only an example of how you approach creating your matrices. You can create a separate matrix for an entire organization, a specific program, or a project. In each case, it could be different. Therefore, there are a few important things about risk assessment matrices to note:

• When defining your matrix, think about the number of intervals for the likelihood and impact. How many rows and columns will it have? For example, a 3×3 or 3×4 matrix could suit your project better. When you decide on your matrix size, place labels and values on its scales accordingly.
• Likelihood and Impact scale intervals are numerical values (e.g., 1 – 5 or 0% – 100%). You place those values on your matrix but you can also use them to describe the likelihood and impact of certain risks. Depending on your project, it could be, e.g., safety, quality, cost, schedule risks, etc. (You will find several risk types at the end of this article.)

Let’s take a look at some examples.

As you can see from the above, the numerical value for the impact is the same. However, the description for each risk type is different. Therefore, you may need to define interval names for individual objectives and their respective impacts and probabilities.

• Your scale will not always be linear. You may observe it with risks that carry high impact—those will often have larger intervals than low-impact risks. Take a look at the table above, and compare the interval for the “Low” impact (0-3%) and the “Catastrophic” impact (50-100%). The discrepancy is quite significant—the impact of a fatal injury will be much greater than that of a scratched finger.
• Instead of risk rating values in your matrix, you can plug in the number of risks you identified in your project for each quadrant. For example:

(In fact, that is pretty much how the BigPicture Risk matrix report looks like. Read on to learn more about visualizing risks in the BigPicture app).

• The labels in brackets on matrix scales are arbitrary. You can name your values however you want. For example, Impact (1) could have a label: “Insignificant.”
• Your risk form and matrix are not the type of task that you complete and forget. You should manage your risks throughout the life of your project. A common mistake in project management is creating a fairly standard risk register during the project planning and not returning to it until something happens. Project managers should carry out regular risk assessments to be able to react to changes in the project environment on an ongoing basis.

Visualize project risks on a risk matrix

What might have struck you is that the matrix does not offer much room for putting risks directly on it. It could work for a few, but if you have dozens of them, it will become cluttered and a pain to use. Not to mention that over the course of your project, you might need to identify new risks and revise the existing ones for their likelihood and impact. This means you will need reliable software to visualize and work with project risks efficiently.

The risk software we would like to introduce is  BigPicture which seamlessly integrates with Jira. It offers many key features that will help you assess and monitor your project risks.

Not a BigPicture user yet? Start your free 30-day trial today. Or visit our demo page  to play with the app straight in your browser — no registration or installation needed.

View your risks on the risk matrix

The BigPicture  Risk module  enables you to generate a risk assessment matrix with a default size of 5×5. The matrix features two scales: the risk consequence and risk probability.

The risk consequence scale has the following values: Trivial, Low, Medium, High, and Severe. Whereas with the risk probability scale, you can assign the following values to a risk: Almost none, Low, Medium, High, and Very high. If you enable the heatmap mode, the app will color the risk cards based on their risk rate with four default colors: green, yellow, orange, and red.

Visualizing risks from the risk assessment example

Let’s return to our construction risk assessment form and see what the risks will look like on the BigPicture risk heatmap.

The electrical leakage has the highest probability (likelihood) and consequence (impact). That is why you will find it in the top right corner (the app colored a risk card of such a high-priority risk with red color). The app  automatically calculates the risk rating,  so you do not have to worry about manually updating the heat map.

If you want to  move any risk to a different quadrant  (because its impact or likelihood has changed) you can edit the risk or use a drag-and-drop feature. Of course, you can place several risk cards in a given quadrant. Our simple project has only 5 risks but yours might carry many more and BigPicture will visualize all of them for you. If you notice your risk map getting really busy, you can display risks in a  compact mode .

Populate your risk matrix with risks and issues

You can add  any issue type  to the risk heat map as long as you select the Consequence and Probability fields and assign them respective values. (You will need your Jira admin to preconfigure the fields you will be able to add to your tasks.)

So when you create a new task or edit the existing one, just add those two fields to make it pop up on your risk matrix.

In our risk assessment form, we did not add any issues, epics, or milestones—only risks. So how come those risks are on the heatmap? By clicking on any quadrant, you can  add new and existing tasks  and  tasks as risks  directly on the risk matrix.

Click “Create new Jira issue” and provide details for your risk (remember about the Probability and Consequence fields).

Since you can add project tasks as risks, and risks directly to the matrix, you can use the BigPicture’s Risk board in  two ways .

Risks as tasks approach

The first approach is about directly adding the  tasks as risks  to the risk matrix. Those tasks will not result from the project plan (unlike typical project tasks that must be completed) and will serve as risks alone.

Let’s come back to the “Water leakage” risk as an example. Previously, we added it directly to the matrix as a typical risk that carries some probability and impact. Such a model will not readily show you which task(s) a given risk relates to. However, you could connect this risk to the actual tasks it has an impact on using Jira Issue Links. Also, by adding a task as a risk to the matrix, you can immediately read what this risk is about (e.g., the risk of “Water leakage”).

Project tasks at risk approach

(This approach is more popular among BigPicture users.) You can also add individual  project   tasks  to the risk matrix. Unlike in the previous model, you will not see details about the risk just by looking at the matrix. Because, in fact, you would be looking at the task, not a risk as such. But you will know the probability and the impact of the risk that this task is related to.

For example, let’s say you want to add a “Road building task” to the risk matrix. You situate this task on the matrix according to the risk’s probability and impact. You do not know that this task is at risk due to the potential “Water leakage” but you know the likelihood and impact of it. If you want to have a more detailed overview of a given task at risk, you can add the info about the risk to the issue (e.g., as a comment or a relevant attachment).

Customize your risk matrix

If the default look of the BigPicture risk matrix is not optimal for your project, you can  customize it .

• Transpose the whole matrix and/or invert individual scales (one or both simultaneously).
• Change the scale names (e.g., from “Consequence” to “Impact”).
• Add and delete Probability and Consequence individual values. For example, let’s say you want to see only the risks with the highest ratings on your map. In such a case, you delete low and medium values.

• Configure the risk matrix to have  SAFe® ROAM-based quadrants .
• Use the  card view creator  to see more details on your risk cards.

Risk matrix report

The  Risk matrix report  gives you a quick overview of your existing risks in each matrix quadrant. You can use this report for risks present in your program, project, or iterations on a lower hierarchy level (on the ART level, the report will also display risks from the PI iterations and the PI sprints).

When you hover over a given quadrant, you will see a list of risks with their corresponding statuses.

You can rename the report, invert the risk scales, or transpose the whole risk report matrix.

9 Types of risks in project management

Arguably, the biggest indicator of the risk likely occurring is whenever your project has something “new” in it. For example, a “new supplier” for safety goggles; “new processes” according to which employees will carry out their work; “new technologies” that the higher-ups want to introduce; a “new software developer” the company wants to hire for the current project.

Of course, there are many types of risks to consider when assessing your project. These could be:

Schedule risks

Performance risks, operational risks, market risks, governance risks, strategic risks, legal risks, environmental risks.

They indicate there is a possibility that the project’s cost will exceed the budget. Cost risk might occur due to poor budget planning, inaccurate cost estimating, and scope creep. This type of project risk can cause other risks to emerge, such as schedule risk and performance risk.

Example : “The cost of steel might increase over the next quarter.”

This risk occurs when activities take longer than expected, typically due to poor planning. Schedule risk can impact cost risk because any delay in a schedule could increase the costs of a project.

Example : “Hiring a new foreman might take longer than anticipated.”

Performance risk is the risk of a project failing to produce the expected results. It is a complex risk that can result from the activities of several parties, so it can be hard to pinpoint the exact reason behind it.

Example : “The level of noise might increase after the office redesign.”

This type of risk results from poor implementation and process problems such as distribution, procurement, and production. And since any of these could cause the project to produce results differing from project specifications, operational risk is a type of performance risk.

Example : “Insufficient funds to pay for the next batch of goods.”y

Market risk could be, among others, competition, commodity markets, and foreign exchange. Because these types of risks are highly unpredictable, planning for them is difficult without sound expertise.

Example : “Foreign exchange fluctuations due to…”

This risk concerns the company’s top management and other important stakeholders with regard to their ethics and company reputation. This risk can be fairly easy to mitigate because it largely depends on the stakeholder’s behavior.

Those risks are another type of performance risk. Strategic risks stem from erroneous strategic decisions concerning the selection of people for the job, the tools, as well as the technology that does not help with the work as expected.

Example : “The application might not be compatible with systems already in use.”

Legal risk is the consequence of legal obligations, such as law of the land, local laws, and statutory requirements. This type of project risk is also about the contractual obligations, as well as avoiding and handling any lawsuits against the company.

Example : “Export license might not be granted.”

Those risks pertain to external hazards that one cannot fully avoid or even foresee. For example, storms, floods, earthquakes, force majeure, pandemics, terrorism, labor strikes, etc.

Example : “Severe weather conditions might delay the maintenance works.”

Related posts

Getting things done: managing complex projects in jira.

Today, we would like to share a few tips for managing complex projects. You will learn about common factors …

Jira Issue Links and dependencies management

Dependencies indicate the relationship of one task to another in a logical sequence. They help to visualize the order …

Jira cross-project dependencies: best practices and management

Dependencies in project management do not need to be your bane. Yes, they require proper product planning to reduce the …

What’s hiding behind the idea of Agile boards?

An agile board shows a board that is divided into columns, to show the progress of each task by …

What kind of demo would you like to get?

Watch the demo.

" * " indicates required fields

Enterprise demo

Finding the right management system for a large-scale organization is quite a challenge.

We are here to help! As BigPicture is one of the most flexible PPM tools on the market, we would be thrilled to demo the system with your unique business case and requirements in mind. Let us better understand your needs by filling out the form:

Register for a live demo webinar

Congratulations, get started.

Enterprise Program & Portfolio Management right in monday.com

Try it out now

Request offer

Questionnaire, contact us, contact customer success, contact partner relations.