Zepth Core · Risk Management

Risk Register & Risk Management

A register built for the kickoff deck and reviewed at closeout is a talisman, not a tool.

Last updated

Zepth Core module

Risk Register & Risk Management

AI agent built into the module
Living registerHonest sizingResponses as tracked tasksMovement dashboards

P50/P80

the confidence levels contingency should be set against — not a percentage somebody felt comfortable with

AACE International — cost-contingency framing

P50 is the number you have a coin-flip chance of staying inside. P80 is the number you would defend to a board. Most projects carry a contingency at neither, because nobody asked which one it was.

New / Escalated / Retired

the three movements that make a risk review a review — rather than a reading of last month’s list

Risk-management practice

A heatmap is communication, not analysis. What an executive actually needs is the movement between reviews: what is new, what got worse, what is genuinely gone.

Overview

Project risk management is the register plus the behaviour around it: identify what could hurt the project, size it honestly, give it an owner who can actually act, and review it on a cadence that beats the risk’s own clock.

The register is the easy half. Almost every project has one. Very few projects have the second half, which is why almost every project is surprised.

The stale-register pathology

It is built for the kickoff deck. It is populated in a workshop, colour-coded, and screenshotted into a slide. And then it is never touched again — until closeout, when somebody opens it to write the lessons-learned and discovers that most of the risks either happened or became irrelevant, and nobody recorded which.

That register is not a control. It is a talisman: an object whose function is to have been produced. And its existence is worse than its absence, because it allows everyone to believe the risk was managed.

The fix is not a better template. It is a cadence — risk as a standing agenda item, with movement tracked at every review. What is new. What escalated. What was retired, and on what evidence. A register where nothing has moved in three months is not a stable project. It is an unattended one.

And the base rate is not encouraging. Flyvbjerg’s research across more than sixteen thousand capital projects found that only a small minority — around 8.5% — come in on both cost and schedule. That figure is discussed on our capital-planning page, and it is worth reading as a statement about risk management rather than about execution: most of the damage was done before anyone started building.

What a working register actually requires

  • Size it honestly — with ranges, not a universal “3×3, medium”. Probability times impact is fine as a sorting device and useless as a number. The top risks need quantifying with ranges, because that is what connects the register to money: contingency should be set against a confidence level, P50 or P80, rather than against a percentage that felt about right. And the drawdown should be tied to risk REALISATION — a materialised, documented risk — which is the control-account doctrine the budget process already runs on.

  • Ownership means the person who can act. “The commercial team” owns nothing. A department cannot be chased, cannot be escalated to, and cannot explain why the mitigation is forty days late. A named person with a dated response action can. Risk responses are tasks, and they should be tracked exactly like tasks — which most registers conspicuously do not do, because a task has an awkward habit of being visibly incomplete.

  • Choose a response, and say which one it is. Avoid, mitigate, transfer, accept. Four options, and “accept” is a legitimate one that almost never gets written down — because writing it down means somebody has to agree, in advance, to the thing going wrong. That is precisely why it is worth writing down. An accepted risk that materialises is a plan. An unacknowledged one that materialises is a crisis.

  • A realised risk becomes a record — with a clock attached. This is the linkage most registers do not have, and it is the expensive one. When a risk lands it becomes an event: a variation, a claim, a notice obligation. Under FIDIC 2017 the notice window is short and it is a genuine time bar, not a formality — and a register sitting in a spreadsheet beside the contract machinery, rather than connected to it, is a register that will watch a risk materialise and serve nothing. The most expensive risk on any project is the one you correctly predicted and then failed to notify.

  • The register that only holds threats systematically underprices the upside. Opportunities are risks with a positive sign, and they have owners, actions and dates in exactly the same way — an early-procurement window, a value-engineering candidate, a sequence that could be compressed. A register with no opportunities in it is not being conservative. It is being half-used, and it is quietly telling you that this project has no upside, which is never true.

How registers fail

Built once, never revisited — so the review is a reading, and the risks that mattered were the ones nobody thought of in the workshop.

Everything scored “medium”, so nothing is prioritised and contingency is a round number defended by confidence. Ownership assigned to functions rather than people, so no one is late because no one is responsible.

And the realised risk that nobody notified. The register said it might happen. It happened. And the entitlement that would have followed died in a drawer, because the register was a document rather than a mechanism.

How Zepth runs risk

A living register with owners, responses, review cadences and a full audit trail — where a risk that has not been touched through its own review window flags itself, rather than waiting for someone to notice the silence.

Heatmaps for the conversation, and movement dashboards for the signal: what is new, what escalated, what was retired. Realised risks route into the event, notice and claim machinery rather than sitting beside it. And contingency reconciles against the risks it was actually held for.

The value

Why it matters

The register moves — new, escalated, retired — so the review produces decisions rather than a reading.

Contingency is set against a confidence level and drawn against realised risk, rather than being a round number defended by conviction.

Risks have owners who can be asked why the mitigation is late, because they are people rather than departments.

A realised risk reaches the notice machinery inside its time bar — which is where the register either pays for itself or was pointless.

Capabilities

What you can do

01

Living register

Owners, responses, review cadences and a full audit trail — with risks that have gone quiet through their own review window flagging themselves.

02

Honest sizing

Ranges rather than a universal 3×3, with the top risks quantified well enough to connect to contingency at P50 or P80.

03

Responses as tracked tasks

Avoid, mitigate, transfer or accept — each with a named owner and a date, chased like any other task.

04

Movement dashboards

New, escalated, retired. The heatmap is for the conversation; the movement is the signal.

05

Risk-to-record linkage

A realised risk becomes an event, a notice, a claim — inside the machinery rather than beside it.

06

Opportunity tracking

Because a register holding only threats is half-used, and is quietly asserting that the project has no upside.

The workflow

How it actually runs

  1. 1

    Identify — in workshops, and then continuously

    The kickoff workshop is the start of the register, not the whole of it. Most of the risks that hurt a project were not in the room that day.

  2. 2

    Assess with ranges, and name an owner

    Quantify the top risks properly enough to connect them to contingency. And give each one a person — not a department, which cannot be asked anything.

  3. 3

    Plan the response, with a date

    Avoid, mitigate, transfer or accept — and write down which. Responses are tasks. Track them like tasks.

  4. 4

    Review on a cadence, and track the movement

    New, escalated, retired. A register where nothing has moved is not a calm project; it is an unattended one.

  5. 5

    Route the realised risk into the machinery

    It becomes an event, a notice, a claim. The notice clock starts whether or not anyone is watching the register — and it is a time bar, not a formality.

  6. 6

    Reconcile contingency against realisation

    Drawn against risks that actually materialised, and documented. Which is the only way to know afterwards whether the contingency was right or merely sufficient.

AI that does the work

How AI changes Risk Register & Risk Management management.

Stale-risk detection.

Risks with no update through their own review window, surfaced automatically. The register cannot tell you what is being ignored — but the silence around an entry can, and silence is measurable.

Unregistered risks, inferred from live signals.

RFI clusters in one zone. Procurement slipping on a long-lead package. An NCR trend against one trade. These are risks the project is already running and nobody has written down — and they are visible in the record before they are visible to anyone.

Unserved-notice warnings.

A realised risk with no notice against it, flagged while the clock is still running. This is the single highest-value thing an agent can do on this page, because the entitlement dies quietly and on schedule.

Risk-review packs, drafted.

The movement since last time — new, escalated, retired — written up from the register itself, so the meeting starts from the changes rather than from the list.

The engineer’s judgment stays in charge; the AI removes the latency and the blind spots.

Best practices

  • Make the risk review a standing agenda item, and report movement rather than status. A register where nothing has changed in three months is not a stable project — it is an unattended one.
  • Write down when you ACCEPT a risk. It is a legitimate response and it is almost never recorded, because recording it means agreeing in advance to the thing going wrong. Which is exactly the conversation worth having.
  • Assign risks to people, never to functions. A department cannot be asked why the mitigation is forty days late.
  • Connect the register to the notice machinery. The most expensive risk on any project is the one you correctly predicted and then failed to notify inside the time bar.

Dashboards & reporting

The register by owner, response and review status, with the movement since the last review — new, escalated, retired — which is the part an executive actually needs. Heatmaps for the conversation. Stale risks, untouched through their own window. Contingency drawn against realised risk, reconciled to what was actually held for. And realised risks with their notice status, which is the report that tells you whether the register is a mechanism or a document.

Live dashboards
Drill-down & filters
Export to Excel / PDF
FAQ

Common questions

What belongs in a project risk register?

Each risk with a cause and a consequence stated separately, a range-based assessment rather than a universal “medium”, a named owner who can actually act, a chosen response — avoid, mitigate, transfer or accept — with dated actions, and its current review status. And opportunities, because a register holding only threats systematically underprices the upside.

Read the full answer
How often should risks be reviewed?

On a cadence that beats the risk’s own clock, and as a standing agenda item rather than a periodic special event. What matters is not the frequency but the movement: report what is new, what escalated and what was retired. A register where nothing has changed in three months is not describing a stable project — it is describing an unattended one.

How do you quantify risk for contingency — what are P50 and P80?

They are confidence levels. A P50 contingency is the number you have roughly a coin-flip chance of staying within; P80 is the number you would defend to a board. Most projects carry a contingency at neither, because nobody asked which one it was. Size the top risks with ranges, set the contingency against a stated confidence level, and draw it down only against risks that have actually materialised.

Read the full answer
Who should own a risk?

A named person who can act on it. “The commercial team” owns nothing — a department cannot be chased, cannot be escalated to, and cannot explain why the mitigation is late. Risk responses are tasks, and they should be tracked like tasks, which most registers avoid doing precisely because a task has an awkward habit of being visibly incomplete.

What happens when a risk materialises — and what is the notice trap?

It stops being a risk and becomes an event: a variation, a delay, a claim. And it starts a clock. Under FIDIC 2017 the notice window is short and it is a genuine time bar, not a formality. The trap is that the register sits in a spreadsheet beside the contract machinery rather than connected to it — so the project correctly predicted the risk, watched it happen, and served nothing. That is the most expensive kind of risk there is.

Read the full answer
Should the register include opportunities?

Yes, and most do not. An opportunity is a risk with a positive sign: an early-procurement window, a value-engineering candidate, a sequence that could be compressed. It gets an owner, an action and a date exactly like a threat. A register with no opportunities in it is not being prudent — it is quietly asserting that this project has no upside, which has never been true of any project.

Sources

  • AACE International — cost-contingency practice, and the P50/P80 confidence-level framing
  • FIDIC 2017 — the claim-notice window as a genuine time bar. Anchored on /modules/site-instructions/; referenced here rather than re-stated.
  • Flyvbjerg — capital-project delivery research across 16,000+ projects. The 8.5% on-cost-and-schedule figure is anchored on /modules/capex-management/ and referenced here once. We deliberately do not publish its complement as a separate statistic: it is the same finding, and printing both would present one study as two.

Terms defined here

Zepth is the construction project delivery platform — it runs construction, procurement and asset management on one record, and does the work: reading the drawings, reviewing the submittals, matching the invoices and flagging the risks, with a human sign-off on anything consequential.

See it on your project.

A short, tailored walkthrough on your real workflow — no generic demo.