The 4 Steps

The Four Steps of completing a Risk Register
1. Identification – each risk is described along with the impact should the event occur. The wording should take the format ‘there is a risk that ...... which will impact ...’
2. Evaluation – probability and impact are each rated from the range high / medium / low, and trend is rated from the range ‘decreasing / no change / increasing’. Probability should be assessed from past experience; for example, how many times has this occurred over the last 12 months? Impact is measured as the amount of disruption caused to the achievement of the management team's objectives.
3. Mitigation – there are 5 ways to mitigate a risk:
a) Avoid – eliminate the cause of the risk by doing something else
b) Contain – take action by adding tasks to the plan to reduce the probability or impact
c) Active acceptance – accept the consequences of the risk but set aside some contingency or insurance, usually to be owned by a higher level of
d) Passive acceptance – accept the consequences and do nothing
e) Transfer – pass the risk to someone else using a commercial agreement
4. Monitoring – through regular reviews or in management meetings, ensure that all actions are chased, probability and impact are re-assessed and new risks are added. Communicate risk information to all stakeholders in a concise and appropriate fashion. Management teams should agree the traffic light (RAG) status of each risk on a regular basis:
a) RED – existing controls are not working or are not adequate. The risk should be escalated for the attention of more senior management
b) AMBER – existing controls are in danger of failing, but the management team is in control and no escalation is required
c) GREEN – controls are working