The Project Risk Register: A Field Checklist You Can Use This Week
A risk register is a documented list of identified project risks, their likelihood and impact, their causes and early warning indicators, planned response strategies, and the owners responsible for monitoring and responding to them. A well-maintained risk register is one of the most valuable tools in project management. A poorly maintained risk register -- long, superficial, and rarely consulted -- is one of the most common examples of process compliance without process value.
Checklist Part 1: Risk Identification
Hold a structured risk identification workshop. Risk registers populated by the project manager alone miss risks that are visible only to subject matter experts, delivery team members, or stakeholders. Hold a structured workshop at project initiation and at each major phase transition. Use risk breakdown structures (RBS), prompt lists, and lessons learned from previous similar projects to stimulate identification.
Identify causes, not symptoms. A risk entry that reads 'cost overrun' is a symptom, not a risk. A risk entry that reads 'Subcontractor XYZ has limited capacity and may not be able to staff up sufficiently for the peak installation phase, causing schedule delays and acceleration costs' is a risk. Specific, cause-based risk entries are more manageable and more actionable than symptom-level entries.
Include opportunity risks, not just threat risks. Risk management is not only about threats. Opportunities -- positive risks that, if realised, would benefit the project -- should also be registered and managed. Examples: an opportunity to procure a key material earlier than scheduled if a bulk discount is available; an opportunity to accelerate a milestone if a regulatory decision comes sooner than expected.
Checklist Part 2: Risk Assessment
Score likelihood and impact separately. Use a consistent scale (1-3, 1-5, or Low/Medium/High) to score each risk's likelihood of occurring and its impact if it does occur. Score impact across multiple dimensions: cost, schedule, scope, quality, safety, and reputation. A risk that has low cost impact but high reputational impact should be assessed and managed accordingly.
Document the basis for the scores. Risk scores that are not documented cannot be challenged or revised. Record the assumptions and evidence behind each score. If the likelihood score is based on historical data from a previous project, record that.
Set a risk threshold. Determine the minimum risk score that triggers active response planning. Risks below this threshold go on the watch list. Risks above it get response strategies.
Checklist Part 3: Risk Response and Monitoring
Assign every risk an owner. An unowned risk is an unmanaged risk. The risk owner is responsible for monitoring the risk, implementing the response strategy, and escalating if the risk materialises.
Define early warning indicators for high-priority risks. An early warning indicator is a measurable signal that a risk is moving toward materialisation. For a subcontractor capacity risk, the early warning indicator might be the subcontractor's staffing level at the end of the mobilisation period.
Review the risk register at regular intervals -- at minimum monthly, and at every significant milestone review. Remove risks that are no longer relevant, add risks that have been newly identified, and update scores as more information becomes available.
Review the risk register at project close to capture lessons learned. Which risks materialised? Were they identified in advance? Were the response strategies effective?
XNM provides project risk management advisory to public-sector and capital-project clients.