Skip to content

Risk Register

The Risk Register surfaces project risks in a dedicated Risks tab within the project workspace. Each risk is scored by probability × impact, tracked through a lifecycle, and can be linked to the tasks it affects.

Severity is probability × impact, computed from two 1–5 integer fields. A 5×5 grid gives scores 1–25 across five bands:

ScoreBandColor
20–25CRITICALRed
12–19HIGHAmber
6–11MEDIUMAmber (lighter)
2–5LOWNeutral
1MINIMALNeutral (muted)

The severity is read-only in the UI — it is always derived from the two inputs, never stored as a separate value.

StatusMeaning
OPENIdentified and being monitored
MITIGATINGActive mitigation in progress
RESOLVEDMitigation succeeded — threat no longer applies
ACCEPTEDRisk acknowledged; no further action
CLOSEDArchived

The risk matrix on the register view treats OPEN and MITIGATING as active risks. RESOLVED, ACCEPTED, and CLOSED risks are hidden by default; use the Show closed toggle to include them.

Above the risk table, a segment filter narrows the list to the slice that needs attention:

FilterShows
AllEvery risk (default)
HighSeverity ≥ 12 (HIGH and CRITICAL)
UnmitigatedRisks still OPEN or MITIGATING — the live threats
MineRisks you own

The segment filter composes with the exposure-matrix cell filter (clicking a P×I cell): both apply together, and each is shown as a removable token with a Clear all reset. The exposure matrix and the critical/high count chips always reflect the full risk set, not the filtered view.

The Severity column header sorts the table — click to cycle descending → ascending → back to the default order (most impactful first). Unmitigated risks also carry an always-on left-edge highlight so live threats stand out regardless of the active filter.

A Hide low severity toggle in the toolbar will also collapse LOW-severity risks (score 1–5) out of the table — a client-side declutter that composes with the segment and matrix-cell filters. Your choice is remembered in the browser, so the register opens the same way next time.

Each risk can be assigned one response strategy:

StrategyMeaning
AvoidChange the plan to eliminate the threat
MitigateReduce probability or impact
TransferShift the consequence to a third party (insurance, contract)
AcceptConsciously accept the potential impact

Risks can be tagged with a standard source category:

  • Technical — technology, quality, complexity
  • External — market, regulatory, vendor
  • Organizational — resources, funding, prioritization
  • Project Management — estimation, planning, communication

A risk can be linked to one or more tasks to indicate which tasks are exposed to it. The link is advisory — it does not affect CPM scheduling — but it does surface in two places:

  • Task detail drawer → Risks section shows linked risks with severity chips
  • Board cards — the linkedRisksCount and linkedRisksMaxSeverity fields power the risk badge on board cards so teams can see at a glance which tasks are exposed

Every risk receives a project-scoped short ID (e.g. R-00000003) that shares the same counter as tasks. Short IDs appear in the risk drawer header, comments, and audit logs.

Export the full register to CSV from the Export CSV toolbar action. The file carries every column shown in the table: ID, title, status, category, response, probability, impact, severity, owner, mitigation due date, trigger, contingency, and description.

The symmetric Import CSV action (Member and above) seeds or tops up a register from a spreadsheet — it sits next to Export CSV on the toolbar and on an empty register, so a new project can be populated from a file. Upload a CSV with a Title column; every other column is optional and matches the export header, so a file exported from one project imports cleanly into another. The ID and severity columns are ignored on import (severity is always derived, and IDs are assigned per project).

Import is partial by design — one valid row never blocks another:

  • Valid rows are created; invalid rows are skipped and reported with the offending row number, field, and reason.
  • Probability and impact must be whole numbers 1–5; a blank value defaults to 1.
  • An unrecognized status, category, or response is coerced to the default and flagged as a warning rather than failing the row.
  • The Owner column is matched against project members by email or username. A value matching no member leaves the risk unassigned and adds a warning — risks are never assigned to people outside the project.

A single import is capped at 2 MB and 500 rows. The result summary shows how many risks were imported and how many were skipped, with the full error and warning lists, so you can correct the source file and re-import.

ActionMinimum role
View risksViewer
Create / edit / delete risksMember
Import risks from CSVMember
Add risk commentsMember

Creating, updating, or deleting a risk broadcasts a risk_created / risk_updated / risk_deleted WebSocket event to all connected project members. Board cards and task drawers update without a page refresh. A CSV import emits a single batched risks_imported event after the rows commit, so collaborators see the whole import in one refresh rather than one event per row.