A construction risk register isn't a spreadsheet — it's a decision-making instrument. Done well, it drives contingency, contracts, and sanction. Done badly (as most are), it sits in a folder nobody reads while the project quietly drifts toward overrun.
This guide shows you how to build a construction risk register that survives investment committee scrutiny — tuned for UK and GCC EPC and infrastructure work.
Can your construction risk register defend its contingency number to a CFO who has never read it? If not, it's a compliance artefact, not a decision tool.
What a construction risk register actually is
A construction risk register is a structured, live record of every threat and opportunity facing a construction project, with enough quantification to feed QSRA and QCRA models.
It is not:
- A heatmap (a heatmap is a view of the register, not the register).
- A SWOT analysis (too coarse).
- A list of mitigations (mitigations live on risks, not as risks).
- A static document signed at FEED gate and forgotten.
Why most construction risk registers fail
Four failure modes recur on UK and GCC projects:
1. Vague risk statements
“Weather may delay works” isn't quantifiable. Use IQRM's WHY / WHAT / HOW framework instead: “Because piling runs through GCC summer, there is a risk that heat-stress shutdowns reduce productivity 20–40%, resulting in 2–6 weeks slip and £0.3M–£0.9M cost impact.”
2. Owners assigned by job title, not by name
“Project Manager” isn't an owner. “Sarah K. (PM, Civils Package)” is. Risks without named owners go stale within one month.
3. Probability and impact set by gut feel
Workshop participants routinely understate uncertainty by 50–70%. The Monte Carlo model faithfully reproduces this bias — see three-point estimates & RDE™.
4. No quantification
A register without numeric impact ranges cannot drive contingency. Probability bands like “Low / Medium / High” are useless to QCRA.
Anatomy of a defensible construction risk register
Minimum field set for every risk:
| Field | Why it matters |
|---|---|
| Risk ID | Permanent reference across documents and Monte Carlo iterations. |
| WHY / WHAT / HOW statement | Quantifiable cause, event, and impact. |
| Category | Design, procurement, ground, weather, permits, IR, commercial, HSE. |
| Owner (named) | Who chases it. Job titles don't work. |
| Probability (%) | Numeric, not banded. 35% not “Medium”. |
| Cost impact: min / most likely / max (£) | 3-point range for QCRA. Calibrated to RDE™ data where possible. |
| Schedule impact: min / most likely / max (days) | 3-point range for QSRA. Mapped to specific WBS activities. |
| Response strategy | Avoid / Transfer / Mitigate / Accept — with action plan and deadline. |
| Residual (post-treatment) probability & impact | What you actually carry into the Monte Carlo model. |
| Status & date last reviewed | Anything older than 30 days is stale. |
Common construction risk categories (UK + GCC)
- Design maturity: late-stage design changes, clash detection misses, FEED-to-EPC scope creep.
- Ground conditions: unforeseen geology, contamination, dewatering. Especially relevant for HS2, NEOM, Lower Thames Crossing.
- Procurement & long lead: single-source LSTK reactors, switchgear, HV cabling, GIS modules.
- Weather & climate: GCC summer heat-stress, UK winter rainfall, cyclone windows.
- Permits & consents: environmental, planning, third-party land access. Often the silent killer.
- Industrial relations: labour availability, strikes, visa quotas (GCC).
- Commercial: NEC4 compensation events, FIDIC variations, FX exposure.
- HSE / regulatory: CDM2015 compliance, near-miss escalation, regulatory inspection.
Connecting the register to QSRA / QCRA / JCL
This is where most construction risk registers stop short. To drive defensible contingency, the register must map directly to Monte Carlo inputs:
- Schedule risks → activity IDs in the P6/MSP plan, with 3-point impact ranges feeding QSRA.
- Cost risks → line items in the estimate, with 3-point cost ranges feeding QCRA.
- Dual-impact risks (permits, ground, weather) → same risk event drives both dimensions in JCL.
- Correlated risks → commodity, labour-pool, and weather correlations captured in Spearman matrix.
The RDE™ advantage
Even a perfectly structured register fails if the impact ranges are subjective guesses. IQRM's Risk Data Engine™ (RDE™) calibrates impact ranges against your historical project data — so the register feeding your QCRA reflects how your projects actually behave, not workshop optimism.
Frequently asked questions
How many risks should a construction register have?
30–80 well-written risks typically outperform 200+ vague ones. The QSRA/QCRA tail is driven by 10–15 critical risks anyway.
Should opportunities be in the same register?
Yes — with the same fields. The “HOW” becomes a positive impact. Modern QCRA models treat upside symmetrically.
How often should we review?
Minimum monthly for active construction. Critical-path risks weekly. Major change events trigger immediate review.
What software should we use?
Excel works for small projects. For projects >£100M, use a dedicated tool (Safran, Predict!, Risk Register Pro) integrated with your QSRA/QCRA model.
Build a register that drives decisions
The QRM Professional Programme covers register design, WHY/WHAT/HOW workshops, and integration with Monte Carlo end-to-end.
Explore the Programme →Related: WHY / WHAT / HOW Framework · Three-Point Estimates & RDE™ · Cost Contingency Method · Quantitative Risk Register
