Risk Register
Also known as: Risk Log, Risk Tracker, Risk Repository
A centralized document or database that records identified risks, their assessment, owners, mitigation plans, and status — serving as the primary operational tool for ongoing risk management.
Quick Reference
Memory Aid
ID it → Rate it (Likelihood × Impact) → Own it → Plan for it → Track it → Review it.
TL;DR
A Risk Register is the operational backbone of risk management: document each risk, assess likelihood and impact, assign an owner, plan the response, and review regularly. Keep it simple, keep it current, and focus on the risks that matter most.
What Is a Risk Register?
A master list of all identified risks with key information: what the risk is, how likely and impactful it is, who owns it, what's being done about it, and what the current status is.
On Making Risks Visible
Risk management is not about preventing all risks. It is about knowing which risks you are taking, ensuring they are the right ones, and managing them well.
— David Hillson, 'The Risk Doctor,' author of Managing Risk in Projects
A Risk Register is the operational backbone of any risk management program. It captures each identified risk with standardized information including description, category, likelihood rating, impact rating, overall risk score, risk owner, mitigation strategy, current status, and review dates. It transforms ad-hoc risk awareness into systematic risk management by creating visibility, accountability, and a basis for prioritized action. While conceptually simple, an effective risk register requires discipline in maintenance and regular review.
Risk Heat Map
A likelihood-impact matrix used to visualize and prioritize risks in the register.
Watch: High likelihood, Low impact — monitor and manage
Critical: High likelihood, High impact — immediate action required
Accept: Low likelihood, Low impact — accept and review periodically
Mitigate: Low likelihood, High impact — have contingency plans ready
Axis: Impact (Low → High)
Origin & Context
Evolved from project management practice as the standard tool for documenting and tracking risks. Now a fundamental element of all risk management frameworks.
Core Components
Risk Identification
Clear description of each risk including its cause and potential impact.
Example
Risk #17: 'Key supplier dependency — sole supplier for critical component could fail to deliver, causing production stoppage.'
Risk Assessment
Standardized ratings for likelihood and impact, producing an overall risk score.
Example
Likelihood: 3/5 (Possible), Impact: 5/5 (Critical), Risk Score: 15/25 (High).
Risk Response
The chosen strategy and specific actions to address each risk.
Example
Response: Reduce — qualify a second supplier within 6 months. Accept residual risk of 30-day supply disruption.
Risk Monitoring
Ongoing tracking of risk status, triggers, and effectiveness of responses.
Example
Status: In progress. Second supplier qualification 60% complete. Next review: April 15. Trigger: any delivery delay >5 days.
Did You Know?
A study by PwC found that organizations maintaining active, regularly reviewed risk registers experienced 28% fewer project cost overruns and 33% fewer schedule delays compared to those without formal risk tracking. The single most important factor was not the register's sophistication, but the frequency of review — weekly reviews correlated with significantly better outcomes than monthly or quarterly reviews.
When to Use Risk Register
Project risk management
Problem it solves: Project risks are discussed informally but not tracked systematically.
Real-World Application
A project manager maintains a risk register reviewed at weekly team meetings, tracking 25 active risks with clear owners and actions.
Enterprise risk management
Problem it solves: The organization lacks a comprehensive view of its risk landscape.
Real-World Application
A CRO maintains an enterprise risk register aggregating the top risks from all business units, reported to the board quarterly.
Audit and compliance
Problem it solves: Auditors and regulators require evidence of systematic risk management.
Real-World Application
During an audit, the company presents its risk register showing identified risks, assessments, mitigations, and review history.
Quality Over Quantity
A risk register with 200 risks that's never reviewed is worthless. A register with 20 well-managed risks is invaluable. Focus on material risks and keep the register manageable.
How to Apply Risk Register: Step by Step
Before You Start
- Defined risk categories and assessment criteria
- Identified risk owners
- A shared tool or platform for the register
Design the register structure
Define the fields, rating scales, and categorization for your risk register.
Tips
- ✓Keep it simple — too many fields reduce adoption
- ✓Use a 5×5 likelihood × impact matrix
Common Mistakes
- ✗Over-engineering the template with too many fields
Populate initial risks
Conduct risk identification workshops to populate the register with current known risks.
Tips
- ✓Include both current and emerging risks
- ✓Cover all risk categories relevant to your scope
Common Mistakes
- ✗Only including obvious operational risks; missing strategic and emerging risks
Assign owners and responses
For each risk, assign a named owner and define the risk response strategy.
Tips
- ✓Owners must be individuals with authority to act
- ✓Define specific actions, not just strategies
Common Mistakes
- ✗Assigning ownership to teams rather than individuals
Review and update regularly
Establish a regular review cadence to update risk assessments, add new risks, and close resolved risks.
Tips
- ✓Monthly review for active project registers
- ✓Quarterly for enterprise registers
Common Mistakes
- ✗Not closing risks that have been effectively mitigated — keep the register current
Value & Outcomes
Primary Benefit
Provides a single source of truth for all identified risks, enabling systematic tracking and management.
Additional Benefits
- ✓Creates accountability through risk ownership
- ✓Enables risk-based prioritization of resources
- ✓Provides evidence of risk management for auditors and regulators
What You'll Learn
- How to document and assess risks consistently
- How to prioritize risks based on likelihood and impact
- How to track risk mitigation progress
Best Practices
📋 Preparation
- Define consistent rating scales before populating the register
- Agree on risk categories that match your organization
🚀 Execution
- Review the register at every project/team meeting
- Focus discussion on the highest-rated risks and action progress
- Add new risks immediately as they're identified
🔄 Follow-Up
- Archive closed risks for historical reference
- Analyze risk trends over time
- Celebrate successful risk mitigations to reinforce the practice
💎 Pro Tips
- Create a risk heat map from the register for executive communication
- Flag 'trending' risks — those with increasing likelihood or impact over recent reviews
The #1 risk register failure is creating it once and never updating it. A risk register must be a living document, reviewed regularly (at least monthly) to remain useful.
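The register mechanics described on this page (5×5 scoring, heat-map quadrants, 'trending' flags, review dates) can be sketched as follows. This is an added example, not part of the original page. Assumptions: ratings of 4 or 5 count as "high", a risk is trending when neither rating fell and at least one rose over the last three reviews, and the year 2025, risks #4 and #9 and all rating histories are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

HIGH = 4  # assumption: 4-5 on the 1-5 scale is "high"; the page sets no cut-off

@dataclass
class Risk:
    risk_id: int
    description: str
    owner: str          # a named individual, not a team
    next_review: date
    history: list       # (likelihood, impact) per review, oldest first

    def __post_init__(self):
        if not self.owner.strip() or not self.history:
            raise ValueError(f"risk {self.risk_id}: needs a named owner and a rating")
        for pair in self.history:
            if any(not 1 <= rating <= 5 for rating in pair):
                raise ValueError(f"risk {self.risk_id}: rating outside 1-5")

    @property
    def score(self):
        likelihood, impact = self.history[-1]
        return likelihood * impact

    def quadrant(self):
        likelihood, impact = self.history[-1]
        if impact >= HIGH:
            return "Critical" if likelihood >= HIGH else "Mitigate"
        return "Watch" if likelihood >= HIGH else "Accept"

    def trending(self, reviews=3):
        # Assumed rule: no rating fell and at least one rose in recent reviews.
        recent = self.history[-reviews:]
        steps = list(zip(recent, recent[1:]))
        never_down = all(b[0] >= a[0] and b[1] >= a[1] for a, b in steps)
        return bool(steps) and never_down and recent[-1] != recent[0]

def review_agenda(register, today):
    """Highest score first, flagging trending risks and missed review dates."""
    rows = []
    for r in sorted(register, key=lambda r: r.score, reverse=True):
        checks = (("TRENDING", r.trending()), ("OVERDUE", r.next_review < today))
        rows.append((r.risk_id, r.score, r.quadrant(), [n for n, hit in checks if hit]))
    return rows

REGISTER = [  # constructed sample data; #17 follows the page's supplier example
    Risk(17, "Sole supplier fails to deliver", "A. Owner", date(2025, 4, 15), [(2, 5), (3, 5)]),
    Risk(4, "Backup restore never tested", "B. Owner", date(2025, 4, 1), [(4, 4), (4, 4)]),
    Risk(9, "Minor tooling outage", "C. Owner", date(2025, 5, 1), [(5, 2), (4, 2)]),
]
if __name__ == "__main__":
    for row in review_agenda(REGISTER, date(2025, 4, 10)):
        print(row)
```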
London 2012 Olympics: Risk Register Excellence
The London 2012 Olympic Delivery Authority maintained one of the most comprehensive risk registers ever created for a major project, tracking over 500 risks across venues, transport, security, and legacy programs. The register was reviewed weekly by risk owners and monthly by the executive team. When construction of the Olympic Stadium uncovered unexpected contaminated soil, the pre-registered mitigation plan (alternative foundation methods and pre-qualified remediation contractors) was activated immediately, keeping the project on course for its landmark delivery: on time and under the £9.3B budget.
Limitations & Pitfalls
Only captures known risks — unknown risks (black swans) won't appear
Mitigation: Supplement with scenario analysis, emerging risk scanning, and diverse perspectives
Risk scores are subjective and can vary between assessors
Mitigation: Use calibration sessions and clear rating scale definitions