Project management goes hand in hand with uncertainty and risk. The present-day disruptions caused by the lingering effects of the pandemic, military conflicts, and geopolitical tensions can only increase the number of risks that projects will be exposed to.

For this reason, identifying and managing project risks is even more important these days: it significantly increases the chances of a project staying afloat.

One of the important components of project risk management is creating a risk register. What kind of document is it, and how do you compile one? Read on to find out.

Risk Register: Definition and Purpose 

A risk register (or a risk log) is a document that presents detailed information about potential project risks, their priority, impact, responses to them, and risk owners [1]. It allows project managers to identify possible risks, track them, and take timely measures to mitigate their negative influence. This document is compiled during the project planning phase and is one of the components of a risk management plan. At the same time, it’s not something that can be done once and left aside: it should be updated every time a risk-bearing event appears on the horizon. A risk log should be shared with all project stakeholders and team members and reviewed at every team meeting so that no important updates are missed.

Let’s explore how a risk register should be created.

How to Create a Risk Register?

Before filling in a risk register, you should think of all possible risks. There are three ways to gather the required information: 

  • analyzing historical data,
  • consulting stakeholders and team members,
  • modeling and simulations.

Some risk-bearing events will be added to the risk register later – don’t forget that it should be regularly reviewed as a project progresses.  

There are no standardized templates for a risk register; it’s usually presented in the form of a spreadsheet. However, its typical elements are as follows. 

Risk identification/number 

It’s a name, a special number, or a code that helps a project manager quickly identify the risk among others.

Risk description  

Try to make this description short but informative. It’s also important to be aware of the events that result in a risk; they can also be mentioned here. For example, implementing a new technology solution may result in a project delay.

Risk breakdown structure 

A risk breakdown structure can optionally be included in the risk register. Similar to a work breakdown structure, it’s a hierarchical representation of risk sources, where each descending level provides an increasingly detailed definition of project risk sources. It gives a much better understanding of project risks and makes the whole risk management process more effective.

Here is an example of a risk breakdown structure [2].


Risk category

Knowing the risk category makes it easier to engage the corresponding department in handling it. There are several classifications for risk categories in project management. Here is one of them:

  • technical risk (technology, requirements, interfaces, etc.); 
  • external risk (customer, supplier, market, etc.); 
  • organizational risk (resources, budget, logistics, etc.); 
  • and project management risk (planning, scheduling, etc.). 

Probability of risk occurrence

You can express the likelihood of a risk-bearing event in different ways: 

  • on a numerical scale from 1 to 5, 10 or 100; 
  • using the degree of probability: high (80-100%), medium-high (60-80%), medium-low (30-60%), and low probability (0-30%). 

Risk impact 

Some risks require taking active measures, while others require just keeping an eye on them. Therefore, it’s important to mention the potential impact of a risk-bearing situation in the risk log. The severity of this impact can be expressed at three levels: 

  • high, meaning a catastrophic impact,
  • medium, meaning a critical impact,
  • low, meaning a marginal impact.

For example, an overall project delay of more than 2 weeks has a high impact on a project’s outcomes, a 1-2-week delay has a medium impact, while a delay of less than a week is considered to have a low impact.

Risk priority

Having determined the level of a risk’s impact on a project, the risk-bearing event can be given a high, medium, or low priority. It can be marked with colors (e.g., red, yellow/orange, green) for visual reference. Also, you can order the list of risks according to their priority, so you’ll always know the ones that require maximum attention.  

Risk response

This is one of the most important parts of a risk register; it should be considered for each risk and agreed with stakeholders. Risk responses can be aimed at eliminating the risk, lowering the probability of its occurrence, or lowering the impact of the risk on a project.

Risk owner 

It’s usually a person responsible for monitoring the risk triggers and/or the one who is expected to deploy a risk response plan. [3]

Finally, here is an example of a risk register [3].


In general, the risk management process is rather complex and time-consuming. Furthermore, if you have more than one project underway, it becomes much more difficult to identify, analyze, and manage risks properly. What tools can a project manager use for more efficient risk management? Let’s figure it out in the next section.

Risk Management: How a Project/Resource Management Solution Helps

Project and resource management tools have a variety of functions that make work on projects more efficient and streamlined as well as provide solutions for effective risk management. 

Let’s consider how they help through the example of Epicflow, a multi-project resource management software. It has three important areas of focus: 

  • seamless orchestration of multiple projects, 
  • maximally efficient resource utilization, 
  • spotting bottlenecks before they become risks and lead to real problems. 

Let’s dwell upon the latter point and see how some of Epicflow’s features help manage project risks effectively.  

Checking the state of all projects in the portfolio

Proper risk management is impossible without regular monitoring of a project’s “health”. Pipeline is one of the features that presents a comprehensive overview of all projects and milestones in a multi-project environment. Projects are ordered according to their priority: those that are at risk of being delayed are placed at the top and marked with corresponding colors. Milestones are also marked with colors depending on their feasibility.

Bubble Graph is another tool to monitor the state of projects. It’s an improved version of a Fever Chart and shows the remaining time and budget, so you can always check if there are any risks of missing due dates or going over the budget.   


Preventing risks caused by improper workload

Improper workload can be a serious risk factor: both overloaded and idle employees work inefficiently and can create bottlenecks in the future, which will bring project success into question. To protect team members from an inadequate workload, you can use the Future Load Graph, which analyzes active projects in the Pipeline to show which resources are going to be over- or underloaded later.


Running simulations to spot future bottlenecks

As we’ve mentioned earlier, one of the ways to identify possible risks is modeling and simulations. In Epicflow’s What-if Analysis, you can analyze different variants of project outcomes and see how current changes (reassigning resources, moving milestones, etc.) will affect the project flow in the future. Therefore, you can come up with the best possible decision and plan risk responses so that potential risks won’t derail your project.    

Protecting your project timeline with a buffer

To cope with increasing uncertainty and be prepared for possible risks, Epicflow’s approach suggests adding a buffer to the end date of your project. There is a clear system of buffer monitoring: in the Pipeline, you can track how much of the buffer has already been consumed. This is expressed in numbers before a project’s name: e.g., 80 means that you have a 20% buffer and won’t miss the delivery date, while 100 shows that you’ll deliver the project on time, but there’s no more buffer left.  

These were just several examples of how Epicflow can contribute to effective risk management. If you’re interested in more detailed information, don’t hesitate to contact us.  


  1. Hillson, D. (2014). Managing overall project risk. Paper presented at PMI® Global Congress 2014—EMEA, Dubai, United Arab Emirates. Newtown Square, PA: Project Management Institute.
  2. Hillson, D. (2002). Use a risk breakdown structure (RBS) to understand your risks. Paper presented at Project Management Institute Annual Seminars & Symposium, San Antonio, TX. Newtown Square, PA: Project Management Institute.
  3. Lavanya, N. & Malarvizhi, T. (2008). Risk analysis and management: a vital key to effective project management. Paper presented at PMI® Global Congress 2008—Asia Pacific, Sydney, New South Wales, Australia. Newtown Square, PA: Project Management Institute.