2.2.3 Develop a Risk Register

How-To

Develop a Risk Register


Risks may have important implications for an agency’s resource allocation decisions. A risk register is a way to identify, analyze, and monitor risks that transportation agencies face. Developing a risk register helps accomplish a number of the steps in the risk management process and keeps the risk management process organized. This How-To Guide provides nine steps for developing a risk register.

Risk Likelihood - Impact


  1. Review Existing Resources

    Review what programs or initiatives the organization has already established for risk management. This may include agency-wide enterprise risk management efforts, as well as programs to mitigate specific risks such as risks to bridges, or procedures for minimizing risks of project cost and schedule overruns.


  2. Determine Register Scope

    Next determine the scope of the risk register. What types of risks will be included? What assets are being considered? Are there specific risks that should be excluded because they are already being addressed through a separate program?


  3. Identify Risks

    Prepare master list of risks. It is often helpful to identify risks in a workshop setting. Classify the risks according the type/scopes identified in Step 2. For each risk prepare a risk statement describing the risk and the consequence to the agency if the risk is realized as an “if-then” statement.


  4. Analyze Risks

    For each risk that is identified, calculate or estimate the likelihood the risk will occur, and the consequence or impact of the risk if it does occur. Often this step is performed qualitatively using a risk matrix. An example matrix is shown on the previous page. In this example risk likelihood is depicted on the vertical axis, and impact or consequence is shown on the horizontal axis.


  5. Perform Initial Prioritization

    Determine an initial priority for each risk to help determine where to focus further effort identifying treatment strategies. In the matrix above, an initial priority is defined for each combination of likelihood and consequence.


  6. Evaluate Potential Risk Management Strategies

    For high priority risks (or all risks if time allows), determine potential strategies for mitigating the negative effects of a risk, and/or leveraging the positive effects. Strategies might include treating the risk in some manner, transferring the risk to another party, avoiding the risk altogether, or accepting the risk with treatment. Evaluate the potential for reducing the negative impacts of each risk.


  7. Prioritize Risk Management Strategies

    Prioritize the risk management strategies developed in the previous step. The prioritization should consider the severity of the risk, the potential for treating the risk, and the cost of the strategy. For example, a treatment may have low priority if it does little to reduce the likelihood or impact of a risk, even if the risk itself has high priority. In some cases the strategy may entail collecting additional data, and/or performing a more detailed analysis to better characterize a risk and determine the investments needed to best address it.


  8. Develop Mitigation Plan

    Given the prioritized set of risk management strategies, prepare a mitigation plan that describes the actions needed to implement the highest priority strategies. This may include a mix of process improvements, data collection efforts, and/or projects to treat or avoid risks.


  9. Establish Monitoring Approach

    Determine how the organization will monitor the risks moving forward. The plan should
    describe the approach for implementing the mitigation plan, as well as for reviewing and
    updating the risk register.