Information to keep in a risk register In the PMI process, they include a document called a Risk Register. It contains a list of all the risks -- realized and unrealized -- including some fields like probability and impact. For software projects, what kind of fields should we include in a risk register? Mine tend to have: \- Risk name \- Risk severity (low/moderate/high/terminal) \- Risk probability (low/medium/high) \- Risk state (eg. accepted, monitor, minimized) \- Risk trigger (how do we know this risk occurred?) What else can you put in there that has value, without creating a huge, bloated documented? This question is somewhat intended as a community wiki question.

In addition to all the numerical data (impact, severity, likelihood, etc.), I always include:

* **Minimisation measures** : They describe what we do in order to decrease the likelihood of the risk. Knowing that there is a risk and not doing anything to decrease its likelihood is silly.
* **Mitigation measures** : They describe what we will do if the risk eventuates. It is good to think about this beforehand, so we can act quickly and from some well thought out base whenever bad things happen.



According to my experience, thinking about and writing down these two pieces of information for each risk is extremely valuable. It helps the project manager (as well as the rest of the team) stay alert and minimise/mitigate the risks as necessary.