Your Risk Register Is Probably a Graveyard. Here's How to Bring It Back to Life
Most project teams keep a risk register. Far fewer keep one that anyone uses. In early 2022, with material costs climbing, trades hard to book, and supply dates slipping by the week, the gap between a live register and a dead one became impossible to hide. A register is not a compliance artifact you produce for a gate review. It is a working tool whose only job is to change a decision before a problem lands. If it is not doing that, it is a graveyard with neat headstones.
What a dead register looks like
You can spot a stale register from across the room. The signs are consistent across organizations, and they almost always trace back to the same root cause: nobody owns the consequences.
Risks are phrased as vague worries — "supply chain issues" or "resourcing concerns" — with no event, no cause, and no effect you could actually measure.
Every risk shows the same probability and impact, usually "medium," because no one wanted to argue the numbers.
The owner column lists the project manager for all forty rows, which means nothing is truly owned.
Mitigation actions have no due date and no budget, so they never compete for anyone's calendar.
The register was last touched at the kickoff, and the version in the status deck is a screenshot of that first draft.
A register like this gives false comfort. It lets a steering committee believe risk is being managed when, in reality, the team is simply hoping the worst items stay quiet.
What a register that drives action looks like
A good register reads like a set of bets the project is actively managing. Each line is specific, owned, costed, and revisited. The discipline is less about the template and more about the habits around it.
Write each risk as cause, event, effect. "Because steel lead times have doubled (cause), the structural package may arrive after the slab pour window (event), delaying the project six to eight weeks and adding carrying costs (effect)." Now you can argue probability and act on the cause.
Give every risk a single accountable owner. Not the PM by default — the person who can actually move the mitigation, often a procurement lead or a superintendent. One name, one throat to choke.
Score impact in units that matter. Translate impact into dollars, weeks, or scope wherever you can. "High" is an opinion; "$420k and seven weeks" starts a real conversation about how much mitigation is worth.
Fund and schedule mitigations like work. Each response gets an action, an owner, a date, and a cost. If a mitigation has no place on someone's plan and no budget, it will not happen, and you should stop pretending it will.
Review the top risks on a fixed cadence. Walk the top five to ten at every status meeting. Retire what has passed, escalate what has grown, and add what the last two weeks taught you. A register reviewed monthly in name only is a dead one.
The test is simple. Open your register and ask: in the last month, did any line on this page change a decision — a sequence reorder, an early purchase order, a contingency draw, a scope trade? If the honest answer is no, the register is decoration. If the answer is yes, even once, it is doing its job. The 2022 squeeze on labour and materials punished teams that managed risk on paper and rewarded the ones who acted on the cause before the event arrived — pre-ordering long-lead items, locking prices, and sequencing around the constraints they could see coming.
If your register has gone quiet and you want it driving real decisions again, XNM's program & project delivery advisory can help you rebuild it into a tool your team actually uses.