Every construction project carries risk. Cost overruns, programme delays, design failures, contractor insolvencies, ground conditions, planning refusals — the list of things that can go wrong on a construction project is long, and experienced project teams know this. What separates the projects that manage risk effectively from those that are derailed by it is not the absence of problems — it is the presence of a structured, maintained risk register that keeps those problems visible, owned and actively managed.

This article explains how to build and maintain a construction risk register that is genuinely useful — not a compliance document that sits in a folder and is reviewed once a quarter.

What Is a Risk Register?

A risk register is a structured log of the risks that could affect a project — its cost, programme, quality or safety — together with an assessment of their likelihood and impact, the actions being taken to mitigate them, and the person responsible for each risk. It is the primary tool for risk management on a construction project and the basis for reporting risk to the client and wider stakeholders.

A good risk register does three things: it makes risks visible so they cannot be ignored; it assigns ownership so someone is accountable for managing each risk; and it tracks mitigation actions so that the team can see whether risks are being reduced over time or getting worse.

Structure of an Effective Risk Register

Risk ID and Description

Each risk should have a unique reference number and a clear, specific description of what the risk is. “Programme delay” is not a risk description — it is a consequence. “Planning authority requests additional ecology survey, delaying planning submission by six to eight weeks” is a risk description. Specificity matters because vague risks cannot be managed or owned effectively.

Category

Grouping risks by category — design, commercial, programme, statutory, ground conditions, contractor, client — makes the register easier to navigate and helps identify which areas of the project are carrying the most risk at any given point.

Likelihood and Impact Scoring

The standard approach is to score each risk on a scale of one to five for both likelihood and impact. Multiplying the two scores gives a risk rating — a number between one and twenty-five — that allows risks to be ranked and prioritised. The scoring should be honest. A risk that everyone knows is highly likely but which is scored as “unlikely” because the rating looks bad in a report is not being managed — it is being obscured.

Risk Owner

Every risk must have a named owner — the individual who is responsible for monitoring the risk, implementing the mitigation actions and reporting on status. Without named ownership, risks become collective responsibilities, which in practice means nobody’s responsibility.

Mitigation Actions

For each risk, the register should record what is being done to reduce the likelihood of it materialising or to reduce the impact if it does. Mitigation actions should be specific and time-bound. “Monitor” is not a mitigation action. “Commission ground investigation report by end of RIBA Stage 2 to confirm assumed bearing capacity” is a mitigation action.

Residual Risk

After mitigation actions are applied, what is the remaining risk? Recording the residual risk score — separate from the initial pre-mitigation score — allows the team to see whether the management actions are actually reducing the risk or simply giving the appearance of activity.

Cost Allowance

For significant risks, the register should record the potential cost impact and the contingency allowance that has been set aside to cover it. This feeds directly into the project’s cost plan and helps the client understand how much of the contingency is spoken for at any given point.

How to Run a Risk Review

A risk register that is not reviewed regularly is not a risk management tool — it is a historical document. Risk reviews should be built into the project meeting cycle, typically monthly, with a structured agenda that covers: risks that have closed since the last review; risks whose scores have changed; new risks that have emerged; and the status of mitigation actions that were due to be completed.

The risk review meeting should be attended by the key project stakeholders — client, Project Manager, Design Manager and key consultants as appropriate. It is not a meeting where risks are hidden or softened for the client’s benefit. It is a working session where problems are surfaced, owned and addressed.

Common Mistakes to Avoid

The most common failure is treating the risk register as a one-time exercise. Risk management is a continuous process, not an event. New risks emerge as the project develops; existing risks change in likelihood and impact; risks that were theoretical at RIBA Stage 1 become urgent at RIBA Stage 4. The register must be maintained to reflect this changing picture.

The second most common failure is having too many risks on the register. A register with two hundred items is unmanageable. Focus on the risks that are material — those that could genuinely affect the project outcome if they materialise — and manage them properly rather than cataloguing every theoretical possibility.

How JC Virtual PMs Can Help

Our Project Managers build and maintain risk registers as a standard part of every project we manage. We facilitate risk workshops, score and prioritise risks with the project team, assign ownership and track mitigation actions through to completion. Risk reporting is included in our standard monthly progress reports, giving clients a clear and honest picture of where the project stands. Get in touch to discuss how we can support your project.