Risk Repository

Definition

Risk Repository (a.k.a., Risk Log, Risk Register): a risk management work product that stores the significant risks to the success of an endeavor

As illustrated in the preceding figure, Risk Repository is part of the following inheritance hierarchy:

The typical responsibilities of a Risk Repository are to:

A Risk Repository typically has the following contents:

Risks with associated Risk Metadata
For each risk:
- Name and description
- Date identified
- Asset or business process at risk
- Threats to these assets and business processes.
- Vulnerabilities to these threats (e.g., high/medium/low).
- Estimated risk impact (a.k.a.,loss magnatude) (e.g., high/medium/low).
- Estimated risk (i.e., loss, probability of occurrance) probability (e.g., high/medium/low).
- Risk Level (e.g., High/Medium/Low)
- Status (e.g., Accepted, Avoided, Mitigated, Transferred)
- Risk Control (e.g., risk acceptance, avoidance, mitigation, and transfer) and Risk Monitoring Techniques Used
- Risk control and risk monitoring actions taken including date actions taken
- Owner
- Resources utilized

A Risk Repository typically has the following stakeholders:

A Risk Repository is typically produced and maintained during the following phases:

A Risk Repository can typically be started if the following preconditions hold:

A Risk Repository typically has the following inputs:

This is a living repository that must be maintained and updated as risks change.
Minimize redundancy between the risk repository and risk monitoring report.
Use the procedure in the associated work flow to produce this work product.
If you tailor this work product, then tailor its associated standard, template, and inspection checklist.

Risk Repository is typically constrained by the following conventions: