Risk Register in PMBOK 8 — Complete Guide

This guide covers everything you need to know about the risk register in PMBOK 8. The risk register is the central repository for all identified project risks — it documents each risk’s description, likelihood, potential impact, assigned owner, and planned response, providing the project team and stakeholders with a complete, current view of the project’s risk landscape.

What Is the Risk Register?

The risk register is a project document that records information about identified risks, including their description, category, probability, impact, risk score, triggers, response strategies, and current status. It is created during risk identification and updated continuously throughout the project as new risks are identified, existing risks materialize or are closed, and response plans are implemented.

The risk register is both a planning tool and an execution tool. During planning, it captures the results of risk identification and analysis sessions. During execution, it is the active tracking document that risk owners monitor and update as conditions change. A risk register that is only updated at formal risk reviews has already failed — it needs to be a live document.

PMBOK 8 emphasizes that both threats (negative risks) and opportunities (positive risks) belong in the risk register. Opportunities are risks that, if they materialize, produce better-than-planned outcomes. They are managed with exploit, enhance, and share strategies rather than avoid, mitigate, and transfer.

Risk Register in PMBOK 8 — Domain and Process

In the PMBOK Guide 8th Edition, the risk register belongs to the Risk Performance Domain and is first produced during the Identify Risks process. It is then progressively elaborated through qualitative and quantitative risk analysis, risk response planning, and continuous risk monitoring throughout the project.

The risk register feeds into the risk report (summarizing risk status for stakeholders), the contingency reserve calculation (funding risk responses), work performance reports, and the lessons learned register (documenting how risks were managed).

Key Elements of the Risk Register

A well-structured risk register typically includes:

• Risk ID and Description — unique identifier and clear description of the risk event and its potential cause
• Risk Category — classification using the risk breakdown structure
• Probability and Impact Ratings — assessed likelihood and consequence using the risk management plan’s scales
• Risk Score — probability x impact for prioritization
• Risk Owner — the team member responsible for monitoring and implementing the response
• Response Strategy and Plan — the chosen response (avoid, mitigate, transfer, accept) and specific actions
• Triggers and Warning Signs — early indicators that the risk is about to materialize
• Status — open, watch, active, closed, or transferred to operations

Risk Register Example — Project Phoenix

The Project Phoenix risk register identified 14 risks across three categories. The highest-rated risk (Risk #3) was “Key developer unavailability during development sprint” — Probability: High (based on John Tran’s concurrent project commitments), Impact: High (critical path impact). Response: Mitigate — Alex secured pre-approval from Priya Kapoor to authorize Sam Lee overtime up to 30 additional hours at $65/hour ($1,950 contingency pre-allocated) if development capacity fell below 80%.

Risk #7 was an opportunity: “BrightFrame completes design two weeks early, enabling early development start.” Response: Exploit — Alex built a schedule buffer that could be converted to an early start option if design was completed ahead of schedule. This risk did materialize partially (design completed five days early), contributing to the project finishing three weeks ahead of its original baseline. By project close, 11 of 14 risks were closed, 2 had materialized and been managed (including Risk #3), and 1 was transferred to operations as a residual risk.

You can download the complete filled-in example below — it shows exactly how the risk register was built and maintained throughout a real project.

Download Free Risk Register Template and Example

We have prepared two free resources to help you build and maintain a risk register on your own projects:

• Download the Risk Register Template — PMBOK 8 (blank, ready to fill in)
• Download the Risk Register Example — Project Phoenix (filled in for a real $72K website launch)

Both are free downloads — no registration required.

Risk Register — Best Practices and Common Mistakes

Assign every risk to a named owner — not “the team.” Ownership without a name means no one is monitoring the risk. Include both threats and opportunities in the register — teams that only track negative risks miss chances to exploit favorable conditions. Review the risk register at every status meeting; a risk that has not been reviewed in two weeks may have already materialized.

The risk register is most effective when it is treated as a live operational tool, actively managed by risk owners and reviewed regularly by the project manager. Teams that skip or rush risk registration often discover mid-project that they are managing surprises that were entirely predictable.

Want to master project management with PMBOK 8? The PMBOK Guide 8th Edition is the definitive reference. Get your copy and use it alongside these free resources.