The risk register is the single most-used and most-misused artefact in project risk management. Used well, it drives sanction, contingency, and contract decisions. Used badly — as most are — it's a compliance log nobody reads.
This guide is the practitioner's reference: what fields a defensible risk register actually needs, how it differs from a risk log or database, the seven rules that separate decision-grade registers from compliance theatre, and how it plugs into QSRA, QCRA, and JCL models.
A risk register is a structured, live record of every threat and opportunity facing the project, with enough quantification to feed your Monte Carlo model and enough discipline to drive decisions.
Risk register vs risk log vs risk database
| Artefact | Purpose | Use it when… |
|---|---|---|
| Risk log | Lightweight running list of identified risks. | Early FEED, brainstorming, before quantification. |
| Risk register | Quantified, owned, structured working tool. | FEED gate onwards; feeds QSRA / QCRA / JCL. |
| Risk database | Cross-project historical archive (lessons learned). | Calibrating new registers via RDE™. |
Most teams confuse the three. A risk log can become a register; a register can feed a database; but they are not interchangeable.
The 12 fields of a defensible risk register
| Field | Why it matters |
|---|---|
| 1. Risk ID | Permanent reference across documents and Monte Carlo iterations. |
| 2. WHY / WHAT / HOW statement | WHY/WHAT/HOW. |
| 3. Category | Design, procurement, ground, weather, permits, IR, commercial, HSE. |
| 4. Owner (named) | Job titles don't chase risks; people do. |
| 5. Probability (numeric %) | 35% not “Medium”. Banded labels can't drive Monte Carlo. |
| 6. Cost impact: min / ML / max (£) | 3-point range for QCRA. |
| 7. Schedule impact: min / ML / max (days) | 3-point range mapped to specific WBS activities for QSRA. |
| 8. Affected activity / cost item | The model needs to know where the impact lands. |
| 9. Response strategy | Avoid / Transfer / Mitigate / Accept — with action plan and deadline. |
| 10. Residual probability & impact | What you carry into the Monte Carlo model after treatment. |
| 11. Status | Open / Closed / Realised / Retired. |
| 12. Last reviewed (date) | Anything older than 30 days is stale. |
Seven rules for a register that drives decisions
1. Every risk uses WHY / WHAT / HOW
If you can't start the statement with “Because of…”, it's not a risk — it's a worry. See the WHY/WHAT/HOW framework.
2. Owners are named, not titled
“Sarah K. (PM, Civils Package)” chases risks. “Project Manager” does not.
3. Probability and impact are numeric
Banded scales (Low/Med/High) are useless to QCRA. Force numeric ranges from day one.
4. Impact ranges are calibrated, not invented
Subjective 3-point estimates routinely understate uncertainty by 50–70% — see three-point estimates & RDE™. Calibrate against historical data where available.
5. The register is reviewed at a defined cadence
Monthly minimum. Critical-path risks weekly. Major change events trigger immediate re-review.
6. Residual risk is the figure that drives contingency
Carrying gross impact double-counts mitigation. Only the residual goes into the Monte Carlo model and the contingency calculation.
7. The register and the schedule/cost model are reconciled
Every register risk maps to an activity ID or cost line. Every QSRA/QCRA Monte Carlo iteration draws from the register. Drift between the two is the most common audit finding.
How to set up the register
The first version takes a focused 2-day workshop:
- Day 1 morning: Risk identification using WBS, stakeholder interviews, and lessons learned from analogous projects.
- Day 1 afternoon: Statement writing in WHY / WHAT / HOW form. Assign category, owner, and affected activity/cost item.
- Day 2 morning: Quantification — numeric probability, 3-point cost and schedule impact, distribution shape.
- Day 2 afternoon: Response strategies, residual quantification, and reconciliation with the schedule / estimate.
Where the RDE™ advantage compounds
A perfectly structured register still fails if the impact ranges are subjective. IQRM's Risk Data Engine™ (RDE™) calibrates 3-point ranges against your historical project data — turning the register from a workshop opinion log into a data-driven decision instrument.
Frequently asked questions
How many risks should a register have?
30–80 well-written risks typically outperform 200+ vague ones. The QSRA/QCRA tail is driven by 10–15 critical risks anyway.
Should we include opportunities?
Yes — in the same register, with the same fields. The “HOW” becomes a positive impact.
Excel or dedicated software?
Excel works for projects <£50M. For larger programmes, use a dedicated tool (Safran, Predict!, ARM) integrated with your QSRA/QCRA model.
How does the register link to NEC4 or FIDIC contracts?
Contract-linked risks need an additional field: “contractual mechanism” (e.g. NEC4 compensation event clause, FIDIC variation type). This drives commercial response strategy.
Build registers that drive decisions, not paperwork
The QRM Professional Programme covers register design, WHY/WHAT/HOW workshops, residual quantification, and Monte Carlo integration end-to-end.
Explore the Programme →Related: Construction Risk Register · Quantitative Risk Register · WHY / WHAT / HOW · Three-Point Estimates & RDE™
