That is a very good question, and one that our Quality Manager just asked me yesterday. He wanted to kow what was the evidence of the review of the risk register.
In our company, we use the risk register right up front, in requests for quotes, reviewing an order and entering an order. Then bringing all together again to go through all the details of a job. Sales can see what has happened in the past, what can happen, and how we have mitigated it to reduce the risk. We went as far as to document a question on our contract review form and supplemental contract review form asking if the risk register has been reviewed. This requires the sales person to do a quick check, in his areas listed on the register, and sign. This form and the supplemental contract review form both have the question, and once filled out during the reviews, it is put into the sales file, or scanned in for the electronic file.
Evidence of the review of the risk register is the person's name on the checklists, which also gets dated.
One of the new questions when doing internal audits, is at what point in your job is the risk register reviewed? Followed with- and how are you indicating the review? A simple print out of that departments review of risks associated with their area of responsibilities, can be printed, signed, dated and forwarded to sales for inclusion into the file.
Our engineering department does FEMA and FEMDA's on their end, so that is associated to the design file.
It is a new process for us also. We really did not know how to approach it either. As an auditor, I have a finding history that I have kept for 10+ years. I always review back to that file when something is noted in an audit that I know is a blast from the past. A lot of times something will occur again when we beef up our staff with new people or when we are swamped! So people tend to try to hurry, skip a step, fail to question, or whatever we as people tend to do. That history, to me, meant is was possible to do it because we at some point did it, but, we had a corrective actioin for it, and that was where I started. These things did happen and could happen again. Luckily we had a way to midigate the risk, and that was by looking at the documentation that was provided when it was and opportunity for improvement or a finding.