Risk registers are commonly used in project management. In essence, risk registers are a tabulation of risks which have been identified on the project along with their potential cost and schedule impacts. A well-constructed risk register includes the probability of risks materializing along with their impacts. The forecasted cost (and/or schedule) impacts are the product of the risk magnitudes and probabilities of occurrence. Keep in mind that risks can be negative or positive, so risk registers also provide potential (positive) opportunities and their associated impacts and probabilities. Assuming a negative risk has been identified, for example, gaps in software testing requirements, a corresponding mitigation plan must be identified. The intent of mitigation is to lessen the probability of occurrence and lower the potential magnitude of the risk.
The risk register indicates a total weighted average impact of all risks and the calculated cost impact is carried in the project’s forecasted cost (or Estimate-at-Completion).
Risk registers have limitations which the project manager must understand. Suppose there is a potential catastrophic risk with an extremely low probability of occurrence; 1% for example. It is not enough to carry the 1% risk in the weighted average calculation because it can distort the true risk of the project. If the risk represents an unacceptable threat to the organization, a clear footnote and management summary must supplement the risk register in order to provide visibility of the risk severity to executive management.
Risk registers are only effective if they are maintained diligently and are used as a proactive project management tool, rather than a reporting sheet.