A risk register that has never been independently challenged is a risk register the board cannot trust. Auditing the register before sanction is the most cost-effective insurance an investment committee can buy — usually 3–5 days of work that prevents 5–15% cost overrun on a sanctioned project.

This guide is the independent reviewer's checklist for challenging a risk register before it feeds the QSRA, QCRA, or JCL that informs sanction.

The audit question:
Can this register defend its contingency number to a CFO who has never read it? If three challenges in 30 minutes can poke holes in the top-5 risks, the register isn't ready.

Why register audits matter

Four reasons independent register review is non-negotiable on capital projects >£50M:

  • Workshop optimism bias compounds across 30–80 risks. Independent eyes catch the systemic pattern.
  • Auditors and lenders increasingly require it. UK MPA Gateway, lender independent technical reviews, and IPA assurance all check register quality explicitly.
  • The model is downstream of the register. A clean QCRA on a dirty register is a false-confidence machine.
  • Late-stage rework is expensive. An audit at FEL3 costs 3–5 days. The same fixes after sanction cost months.

The 15-point register audit checklist

Tier 1 — Structure (5 checks)

  1. WHY/WHAT/HOW compliance. Sample 10 risks at random. How many start with “Because of…”? Below 80% = redo workshop.
  2. Named owners. Job titles fail. Each risk should have a real person (first name + surname + role).
  3. Numeric probability. If you see “Low / Medium / High” instead of % — the register can't feed QCRA.
  4. 3-point cost & schedule impact. Min / most likely / max in £ and days for every quantifiable risk.
  5. Last-reviewed date. Anything older than 30 days is stale. Anything older than 90 days has been forgotten.
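The five Tier 1 checks are mechanical enough to automate against a register export. The script below is an added example, not IQRM's tooling or code from this page: it runs the five structural tests over a small constructed register and returns a traffic-light scorecard using the thresholds stated above (80% WHY/WHAT/HOW, 30-day and 90-day review ages, more than 30% unquantified as a sanction blocker). The register rows, the audit date and the owner-format pattern are all assumptions.

```python
import re
from datetime import date

AS_OF = date(2024, 6, 1)  # audit date (constructed)
# Constructed sample register; not data from any real project.
REGISTER = [
    {"id": "R1", "desc": "Because of late vendor data, pipe-rack design may be reworked, adding cost.",
     "owner": "Jane Smith (Lead Engineer)", "prob": 0.35,
     "cost_gbp": (200e3, 450e3, 1.2e6), "sched_days": (10, 25, 60), "reviewed": date(2024, 5, 20)},
    {"id": "R2", "desc": "Because of limited jack-up availability, marine works may miss the weather window.",
     "owner": "Omar Haddad (Marine Lead)", "prob": 0.25,
     "cost_gbp": (0, 300e3, 900e3), "sched_days": (0, 30, 90), "reviewed": date(2024, 5, 28)},
    {"id": "R3", "desc": "Steel price escalation.", "owner": "Procurement Manager", "prob": "High",
     "cost_gbp": None, "sched_days": None, "reviewed": date(2024, 2, 1)},
    {"id": "R4", "desc": "Because of an undefined utility interface, commissioning may be delayed.",
     "owner": "Jane Smith (Lead Engineer)", "prob": 0.4,
     "cost_gbp": (50e3, 120e3, 400e3), "sched_days": (5, 20, 45), "reviewed": date(2024, 4, 10)},
]
OWNER_RE = re.compile(r"^[A-Z][a-z]+ [A-Z][a-z]+ \(.+\)$")  # "First Surname (Role)", assumed format

def three_point(t):
    """A usable 3-point range: present, three values, min <= most likely <= max."""
    return t is not None and len(t) == 3 and t[0] <= t[1] <= t[2]

def rag(share, green, amber):
    return "GREEN" if share >= green else "AMBER" if share >= amber else "RED"

def tier1_scorecard(register, as_of):
    """Return ({check: (metric, status)}, [sanction blockers]) for the five Tier 1 checks."""
    n = len(register)
    why = sum(r["desc"].lower().startswith("because of") for r in register) / n
    owners = sum(bool(OWNER_RE.match(r["owner"])) for r in register) / n
    numeric = sum(isinstance(r["prob"], float) and 0 < r["prob"] < 1 for r in register) / n
    quant = sum(three_point(r["cost_gbp"]) and three_point(r["sched_days"]) for r in register) / n
    ages = [(as_of - r["reviewed"]).days for r in register]
    review = "RED" if max(ages) > 90 else "AMBER" if max(ages) > 30 else "GREEN"
    card = {
        "why_what_how": (why, rag(why, 0.8, 0.8)),             # below 80% = redo workshop
        "named_owners": (owners, rag(owners, 1.0, 0.8)),
        "numeric_probability": (numeric, rag(numeric, 1.0, 1.0)),  # any band breaks the QCRA feed
        "three_point_impacts": (quant, rag(quant, 1.0, 0.7)),  # >30% unquantified is a red flag
        "last_reviewed": (max(ages), review),                  # oldest review age in days
    }
    blockers = [k for k in ("numeric_probability", "three_point_impacts") if card[k][1] == "RED"]
    return card, blockers

if __name__ == "__main__":
    card, blockers = tier1_scorecard(REGISTER, AS_OF)
    for check, (metric, status) in card.items():
        print(f"{check:22s} {metric!s:>6} {status}")
    print("sanction blockers:", blockers or "none")
```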

Tier 2 — Content (5 checks)

  1. Coverage against WBS. Walk the WBS. Are there activities with no associated risks? Common gaps: commissioning, interfaces, decommissioning.
  2. Coverage against estimate. Are there large cost lines with no associated cost risk? Long-lead equipment, design rework, escalation.
  3. Range plausibility. Spot-check 5 risks against analogous historical projects. Are the “max” values defensible?
  4. Correlation flags. Steel and concrete prices, labour-pool risks, weather windows — are these flagged for the QCRA correlation matrix?
  5. Residual vs gross. If only gross impacts are recorded, the model will double-count mitigation. Insist on residual.

Tier 3 — Outputs (5 checks)

  1. Tornado intuition test. Run a Spearman tornado from the register. Do the top 5 drivers match practitioner intuition? If a trivial risk dominates, the inputs are mis-scaled.
  2. Top-10 cumulative impact. Top 10 risks should typically account for 50–70% of total variance. If 50 risks split equally, your ranges are flat.
  3. Baseline placement on the S-curve. If the baseline sits below P10 the plan is implausibly aggressive. Above P70 = hidden float. Both are red flags.
  4. Back-test against analogous projects. If your last three projects came in at P95+, a model placing the new one at P30 needs explaining.
  5. Workshop participants and provenance. Who was in the room? Are key disciplines represented (design, procurement, construction, commercial, HSE)?

If the auditor can't reproduce a probability or impact range from documented evidence within 5 minutes, the register fails. “The workshop agreed” is not evidence.
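Tier 3 checks 1 and 2 can be screened before any Monte Carlo run by computing each risk's variance contribution analytically. The example below is added here and is not IQRM code: it treats each risk as a Bernoulli(p) occurrence multiplied by a triangular (min / most likely / max) cost impact, assumes the risks are independent (no correlation matrix), and reports the share of total variance carried by the top 10. The two registers it compares are constructed: one with a realistic spread of ranges and one with 50 identical ranges, which is the "flat" failure the check is meant to catch.

```python
def risk_variance(p, a, m, b):
    """Variance of one risk's cost contribution X = B * I, B ~ Bernoulli(p), I ~ Triangular(a, m, b)."""
    mean_i = (a + m + b) / 3.0
    var_i = (a*a + m*m + b*b - a*m - a*b - m*b) / 18.0   # closed-form triangular variance
    return p * (var_i + mean_i ** 2) - (p * mean_i) ** 2  # E[X^2] - E[X]^2

def top_n_variance_share(register, n=10):
    """Fraction of total variance carried by the n largest risks; independence assumed."""
    ranked = sorted(((risk_variance(p, a, m, b), rid) for rid, p, a, m, b in register), reverse=True)
    total = sum(v for v, _ in ranked)
    return sum(v for v, _ in ranked[:n]) / total, [rid for _, rid in ranked[:n]]

def top10_status(share):
    """Rule of thumb from the checklist: top 10 risks should carry roughly 50-70% of variance."""
    if share < 0.5:
        return "FLAT RANGES"     # variance spread evenly; ranges were probably not differentiated
    if share > 0.7:
        return "CHECK SCALING"   # a handful of risks dominate; verify their inputs are not mis-scaled
    return "OK"

# Constructed registers: (id, probability, min, most likely, max) in GBP.
# SKEWED: 20 risks whose ranges shrink by 4% per risk. FLAT: 50 risks with identical ranges.
SKEWED = [(f"R{i:02d}", 0.3, 0.0, 100e3 * 1.04 ** (19 - i), 250e3 * 1.04 ** (19 - i)) for i in range(20)]
FLAT = [(f"R{i:02d}", 0.3, 50e3, 100e3, 200e3) for i in range(50)]

if __name__ == "__main__":
    for name, reg in (("skewed", SKEWED), ("flat", FLAT)):
        share, top = top_n_variance_share(reg)
        print(f"{name}: top-10 share = {share:.0%} -> {top10_status(share)}; largest driver {top[0]}")
```

A Spearman tornado from a full QCRA run will rank correlated risks differently; this analytic share is the quick screen to run before spending the model time.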

The five red flags that should stop sanction

  1. More than 30% of risks lack quantified impact ranges.
  2. Probability bands instead of numeric % (kills the QCRA feed).
  3. No correlation matrix or commodity-link flags (under-prices the tail).
  4. Baseline below P10 on the S-curve (the model says the plan is implausible).
  5. Top-10 risks all owned by the same person (single point of accountability failure).

How RDE™ supports register audit

The hardest part of an audit is the “range plausibility” check — it depends on empirical reference data the reviewer rarely has. IQRM's Risk Data Engine™ (RDE™) provides historical reference distributions by activity class and project profile — turning subjective auditor judgment into a calibrated comparison.

Audit deliverables & format

A defensible register audit produces:

  • 15-point scorecard with traffic-light status per check.
  • Top-10 register issues with severity and recommended fix.
  • Re-run QSRA / QCRA / JCL with audited inputs and delta vs original.
  • Sanction-readiness recommendation (Ready / Conditional / Reject).

Frequently asked questions

Who should perform the audit?

An independent reviewer — not the analyst who built the register. Many UK and GCC organisations now require independent register review at FEL3 / sanction gates.

How long does an audit take?

For a £50M project: 1–2 days. For a £500M+ programme with JCL: 1–2 weeks including back-testing and re-run.

What's the single most important check?

Back-testing against analogous projects. If your portfolio shows a consistent pattern, the new model should reflect it.

Should the audit be documented?

Yes — as an appendix to the QSRA/QCRA report. Auditors and lenders increasingly ask for it explicitly.

Make your register sanction-defensible

The QRM Professional Programme covers register design, RDE™ calibration, and independent audit methodology end-to-end.
