Risk Register

Risk Register:
A Practical Guide to Identifying, Managing and Reviewing Risk

A risk register is a practical management tool used to record, assess, manage and monitor risks that could affect an organisation, project, service, programme or decision.

At its simplest, a risk register answers five important questions:

  1. What could go wrong or happen unexpectedly?
  2. How serious would it be?
  3. How likely is it?
  4. What are we doing about it?
  5. Who owns the risk and the response?

A risk register is not just a list of problems. It is a live document that helps decision-makers understand uncertainty, prioritise action and keep risk management visible. The Association for Project Management describes a risk register as a tool used to document risks, analysis and responses, and to assign clear ownership of actions.

Used properly, a risk register helps organisations make better decisions before issues become crises.

What is a risk register?

A risk register is a structured record of risks and the actions being taken to manage them.

A typical risk register includes:

  1. Risk description
  2. Risk category
  3. Cause of the risk
  4. Potential impact
  5. Likelihood
  6. Impact score
  7. Overall risk rating
  8. Existing controls
  9. Further actions required
  10. Risk owner
  11. Action owner
  12. Deadline
  13. Status
  14. Review date
  15. Residual risk after controls

The purpose is to bring risk into management discussion. It allows boards, trustees, project teams and managers to see which risks matter most, who is responsible for them, and whether the organisation is taking appropriate action.

A good risk register does not eliminate risk. That is not realistic. Its purpose is to help the organisation understand, prioritise and manage risk intelligently.

What is risk?

Risk is usually understood as uncertainty that could affect the achievement of objectives.

In project management, the Northern Ireland Department of Finance defines risk as an uncertain event or set of events which, if it occurs, will affect the achievement of objectives.

This point is important. A risk only really matters in relation to an objective. Something may be uncertain, but if it does not affect delivery, performance, compliance, safety, reputation, finance or strategy, it may not be material.

A useful risk statement therefore links the uncertainty to the consequence.

For example:

Poor risk description:

“Staff sickness.”

Better risk description:

“High levels of staff sickness could reduce service capacity, delay response times and increase pressure on remaining staff.”

The second version explains why the risk matters.

History and development of risk registers

Risk management is not new. Organisations have always had to deal with uncertainty, including financial risk, operational risk, legal risk, safety risk, reputational risk and strategic risk.

However, modern risk registers developed as part of more structured approaches to governance, project management, audit, health and safety, corporate risk management and public sector accountability.

In project management, risk registers became a standard tool because projects involve uncertainty around scope, cost, time, quality, suppliers, stakeholders and delivery. The UK Government Project Delivery guidance states that the purpose of risk management is to make the objectives of a portfolio, programme or project more likely to be achieved, while considering uncertainty, unexpected events, threats and opportunities.

In corporate governance and public administration, risk registers became more prominent as boards and senior leaders were expected to demonstrate that they understood and managed the risks facing their organisations. HM Treasury’s Orange Book sets out principles and concepts for managing risk in UK government, and emphasises that risk management should be integral to informed decision-making from policy or project inception through to everyday delivery of public services.

International standards also shaped modern risk practice. ISO 31000 provides guidelines for managing risk faced by organisations, and states that the guidance can be customised to any organisation and its context.

The modern risk register therefore sits within a wider development: risk management moving from informal judgement to structured, documented and reviewable decision-making.

Why risk registers matter

Risk registers matter because organisations often fail to act on risks until they have already become issues.

A risk register helps management move from reactive firefighting to proactive control.

It supports:

  1. Better governance
  2. Clearer accountability
  3. Stronger project control
  4. Improved decision-making
  5. Better allocation of resources
  6. Earlier identification of problems
  7. More informed board and trustee oversight
  8. Better audit and compliance evidence
  9. More disciplined management conversations
  10. Improved organisational resilience

The UK Government’s Orange Book makes an important point for public bodies that applies more widely: organisations cannot simply be risk averse and successful, because risk is inherent in delivering objectives.

That is the right way to think about risk registers. They are not about avoiding all risk. They are about taking the right risks, with proper awareness, controls and accountability.

Risk register terminology

Inherent risk

Inherent risk is the level of risk before controls are applied.

For example, a building project may have a high inherent risk of cost overrun because of inflation, contractor availability and unknown site conditions.

Controls

Controls are the measures already in place to reduce likelihood or impact.

Examples include policies, procedures, insurance, contracts, training, segregation of duties, system controls, supervision, inspections, approvals and contingency plans.

Residual risk

Residual risk is the risk remaining after controls have been applied.

This is important because controls rarely remove risk entirely. They reduce it.

Risk appetite

Risk appetite is the amount and type of risk an organisation is willing to accept in pursuit of its objectives.

A start-up may accept higher commercial risk. A care provider should have very low appetite for safeguarding risk. A charity may accept some funding uncertainty but very little compliance or reputational risk.

Risk owner

The risk owner is the person responsible for monitoring and managing the risk.

This should usually be someone with enough authority and knowledge to influence the outcome.

Action owner

The action owner is responsible for completing a specific mitigation action.

The risk owner and action owner may be the same person, but they do not have to be.

Risk score

A risk score is usually calculated by combining likelihood and impact.

For example:

Likelihood x Impact = Risk Score

The scoring system is not perfect, but it helps prioritise attention.

When to use a risk register

A risk register is useful whenever uncertainty could affect objectives.

Common uses include:

  1. Business planning
  2. Project management
  3. Charity governance
  4. Board reporting
  5. Audit preparation
  6. Health and safety management
  7. Financial control
  8. Property management
  9. IT and cyber security
  10. Compliance and legal risk
  11. Strategic planning
  12. Change management
  13. Public sector service delivery
  14. Event planning
  15. Supplier and contract management

A risk register is particularly useful when the organisation needs to demonstrate that risks are being identified, assessed, owned and reviewed.

Risk registers in different industries

SMEs and owner-managed businesses

For SMEs, a risk register does not need to be over-complicated. It should help the owner and management team focus on the risks that could seriously affect cash, customers, compliance, people and operations.

Typical SME risks include:

  1. Cash flow pressure
  2. Customer concentration
  3. Key person dependency
  4. Supplier failure
  5. Cyber attack
  6. Late payment
  7. Staff shortages
  8. Regulatory non-compliance
  9. Poor management information
  10. Loss of a major contract

For SMEs, the risk register should be practical and action-focused. It should not become a long document that nobody uses.

Manufacturing

Manufacturing businesses face risks around production, quality, safety, supply chain, energy, labour and equipment.

Typical risks include:

  1. Machinery breakdown
  2. Supplier failure
  3. Input cost inflation
  4. Quality defects
  5. Health and safety incidents
  6. Energy price volatility
  7. Stock shortages
  8. Labour shortages
  9. Export disruption
  10. Environmental compliance

A manufacturing risk register should be linked to maintenance plans, quality systems, health and safety reporting, stock control, supplier review and business continuity planning.

Retail and ecommerce

Retailers face risks around stock, margins, customer behaviour, systems, suppliers and reputation.

Typical risks include:

  1. Weak consumer demand
  2. Stock obsolescence
  3. Website failure
  4. Payment processing issues
  5. High return rates
  6. Supplier delays
  7. Negative reviews
  8. Data breaches
  9. Rent increases
  10. Margin erosion

For ecommerce businesses, cyber security, platform dependency, customer acquisition cost and fulfilment performance should be key parts of the register.

Professional services

Professional services firms need to manage client, quality, regulatory, people and reputation risk.

Typical risks include:

  1. Missed deadlines
  2. Professional negligence
  3. Client concentration
  4. Staff turnover
  5. Poor file review
  6. Weak engagement terms
  7. Cyber security
  8. Regulatory breaches
  9. Conflicts of interest
  10. Loss of key partners or senior staff

For accountants, solicitors, consultants, architects and advisers, the risk register should connect to professional standards, insurance, quality control and client acceptance procedures.

Charities and voluntary organisations

For charities, risk management is central to trustee oversight.

Typical risks include:

  1. Funding dependency
  2. Loss of key grants
  3. Safeguarding failures
  4. Volunteer shortages
  5. Staff burnout
  6. Weak reserves
  7. Reputational damage
  8. Poor impact reporting
  9. Regulatory non-compliance
  10. Increased demand for services

A charity risk register should be reviewed by trustees and linked to reserves policy, safeguarding, funding strategy, governance and service delivery.

Public sector and local government

Public sector bodies use risk registers to support accountability, service delivery and governance.

Typical risks include:

  1. Budget overspend
  2. Failure to meet statutory duties
  3. Service demand exceeding capacity
  4. Legal challenge
  5. Poor procurement
  6. Cyber incident
  7. Workforce shortages
  8. Public dissatisfaction
  9. Project delays
  10. Weak data quality

HM Treasury’s Orange Book emphasises that risk management should be an essential part of governance and leadership, and should support informed decision-making.

Property and construction

Property and construction risks can be significant because projects often involve planning, funding, legal, contractor, cost and market uncertainty.

Typical risks include:

  1. Planning refusal
  2. Build cost inflation
  3. Contractor failure
  4. Utilities delays
  5. Site contamination
  6. Legal title issues
  7. Interest rate increases
  8. Market demand weakness
  9. Tenant default
  10. Health and safety incidents

For property and construction, the risk register should connect to cost plans, contracts, planning strategy, funding agreements, programme management and professional advice.

Technology and software

Technology businesses face fast-moving risks around product, data, security, competition and dependency.

Typical risks include:

  1. Cyber attack
  2. System outage
  3. Data loss
  4. Technical debt
  5. Platform dependency
  6. Poor product-market fit
  7. Customer churn
  8. Regulatory change
  9. Skills shortages
  10. AI or competitor disruption

Technology risk registers should be reviewed regularly because risks can change quickly.

Healthcare and social care

Healthcare and care organisations must manage risks around safety, quality, staffing, regulation and continuity.

Typical risks include:

  1. Safeguarding failures
  2. Medication errors
  3. Staff shortages
  4. Poor care quality
  5. Inspection failure
  6. Data protection breaches
  7. Infection control issues
  8. Funding pressure
  9. Agency cost escalation
  10. Service continuity failures

In care settings, a risk register should support professional judgement, not replace it. It should connect to safeguarding, quality assurance, incident reporting and regulatory compliance.

Education and training

Education providers face risks around safeguarding, quality, funding, curriculum, staffing and learner outcomes.

Typical risks include:

  1. Safeguarding concerns
  2. Poor learner outcomes
  3. Funding changes
  4. Staff recruitment difficulties
  5. Low enrolment
  6. Inspection findings
  7. Cyber incidents
  8. Poor attendance
  9. Curriculum relevance
  10. Estate and health and safety issues

For education, the risk register should link to governance, safeguarding, quality assurance and student outcomes.

How to create a risk register properly

1. Define the objective

Start by identifying what the risk register is for.

Is it for a whole organisation, a project, a department, a property portfolio, a charity, a programme or a specific event?

Risk only makes sense in relation to objectives. Before listing risks, be clear about the objective being protected.

For example:

  1. Deliver a project on time and within budget.
  2. Maintain financial sustainability.
  3. Protect service users from harm.
  4. Comply with legal and regulatory duties.
  5. Maintain business continuity.
  6. Deliver a strategic plan.
  7. Protect reputation and public trust.

2. Identify risks

Risks can be identified through workshops, management meetings, audits, incidents, complaints, financial reviews, project reviews, staff feedback, external analysis and professional advice.

Useful prompts include:

  1. What could stop us achieving the objective?
  2. What has gone wrong before?
  3. What nearly went wrong?
  4. What assumptions are we relying on?
  5. What are we dependent on?
  6. What external changes could affect us?
  7. What would damage finances, reputation, compliance or safety?
  8. What risks are people reluctant to discuss?

The risk identification stage should be open and honest.

3. Write clear risk statements

A good risk statement should include the cause, event and consequence.

A useful structure is:

Because of [cause], there is a risk that [event], leading to [impact].

For example:

“Because the organisation relies heavily on one major funder, there is a risk that a funding reduction would create a significant deficit, leading to service cuts and use of reserves.”

This is much stronger than simply writing “funding risk”.

4. Categorise the risks

Categories help organise the register.

Common categories include:

  1. Strategic
  2. Financial
  3. Operational
  4. Legal and compliance
  5. Health and safety
  6. People
  7. IT and cyber
  8. Reputational
  9. Environmental
  10. Project
  11. Governance
  12. Safeguarding
  13. Supplier
  14. Property

Categories also help identify whether certain areas are being overlooked.

5. Assess likelihood and impact

Each risk should be assessed for likelihood and impact.

A simple five-point scale is often enough:

Likelihood:

  1. Rare
  2. Unlikely
  3. Possible
  4. Likely
  5. Almost certain

Impact:

  1. Minor
  2. Moderate
  3. Significant
  4. Major
  5. Severe

The overall score is often calculated by multiplying likelihood by impact.

For example:

Likelihood 4 x Impact 5 = Risk Score 20

The point is not mathematical precision. The point is prioritisation.

6. Identify existing controls

Controls are the measures already in place.

For example:

  1. Insurance
  2. Written policies
  3. Approval procedures
  4. Staff training
  5. Contracts
  6. System backups
  7. Health and safety checks
  8. Fire alarms
  9. Budget monitoring
  10. Safeguarding procedures
  11. Professional review
  12. Supplier due diligence

Be realistic. A control only counts if it actually exists and works.

7. Assess residual risk

After recording existing controls, reassess the risk.

This gives the residual risk.

For example, cyber risk may have a high inherent score. If strong controls exist, such as multi-factor authentication, backups, staff training, endpoint protection and incident response planning, the residual risk may reduce.

However, if controls are weak or untested, the residual risk may remain high.

8. Decide the response

Risk responses usually fall into several broad categories:

  1. Avoid: stop the activity creating the risk.
  2. Reduce: take action to reduce likelihood or impact.
  3. Transfer: use insurance, contracts or outsourcing to transfer some risk.
  4. Accept: tolerate the risk because it is within appetite.
  5. Share: manage the risk through partnership or collaboration.
  6. Exploit: where the risk includes opportunity, take action to benefit from it.

Not every risk needs more action. Some risks should be accepted and monitored. Others require urgent intervention.

9. Assign owners and deadlines

Every significant risk should have a risk owner.

Every action should have an action owner and deadline.

This is where many risk registers fail. They identify risks but do not assign accountability.

A risk without an owner is unlikely to be managed properly.

10. Review regularly

A risk register is a live document.

It should be reviewed regularly, especially when:

  1. A project changes
  2. A new risk emerges
  3. A risk becomes an issue
  4. Controls fail
  5. External circumstances change
  6. New legislation applies
  7. A major incident occurs
  8. Budgets change
  9. Key staff leave
  10. The board or trustees review strategy

The APM notes that project risk management is dynamic, capturing emerging risks and reflecting new knowledge in existing risk analysis.

Common mistakes in risk registers

Mistake 1: Listing issues rather than risks

A risk is something that may happen. An issue is something that has already happened.

For example:

Risk: “There is a risk that the contractor may miss the completion date.”

Issue: “The contractor has missed the completion date.”

Both matter, but they should be managed differently.

Mistake 2: Writing vague risks

Terms such as “financial risk”, “staff risk”, “IT risk” or “compliance risk” are too vague.

A useful risk statement should explain what could happen and why it matters.

Mistake 3: Creating too many risks

A register with hundreds of risks becomes unusable.

The aim is not to record every minor uncertainty. The aim is to focus management attention on the risks that matter.

Mistake 4: Scoring everything as high risk

If every risk is scored as high, the register does not help prioritise.

Scoring should be honest and consistent.

Mistake 5: Ignoring controls

Some registers list risks but do not record existing controls. This makes it difficult to understand whether the risk is already being managed.

Mistake 6: Ignoring residual risk

The key question is not only “how bad could this be?” It is also “how bad is it after the controls we have in place?”

Residual risk is what management usually needs to focus on.

Mistake 7: No ownership

A risk register without named owners is weak.

Ownership creates accountability.

Mistake 8: No deadlines

Actions without deadlines often drift.

A good risk register should show what action is due, who is responsible and when it will be completed.

Mistake 9: Not reviewing the register

A risk register that is prepared once and left untouched is almost useless.

Risks change. Controls change. Circumstances change. The register must be updated.

Mistake 10: Treating the register as compliance paperwork

The biggest mistake is treating the risk register as a document to satisfy auditors, trustees or funders.

A good risk register is a management tool. It should support real decisions.

Limitations and weaknesses of risk registers

Risk registers are useful, but they have limits.

They can create false confidence

A completed register can make an organisation feel that risk is under control.

That may not be true. Risks may be poorly described, controls may be weak, scores may be optimistic, and actions may not be completed.

They can become bureaucratic

If the register becomes too detailed, too long or too formal, it may stop being useful.

The register should serve management, not the other way around.

They depend on judgement

Risk scoring is not pure science. People may disagree about likelihood and impact.

That is not a reason to avoid scoring, but it is a reason to discuss assumptions openly.

They can miss emerging risks

A risk register is only as good as the thinking behind it.

New technology, market changes, regulation, cyber threats and social issues can create risks that were not previously considered.

They may focus too much on threats

Risk management should also consider opportunity. The UK Government Project Delivery guidance explicitly refers to threats and opportunities when discussing risk management.

A mature approach considers both what could go wrong and what could be gained if uncertainty is managed well.

They may not show interdependencies

Risks are often connected.

For example, staff shortages may increase service quality risk, which may increase reputational risk, which may affect funding or customer retention.

A simple register may not show these connections clearly.

They do not replace leadership judgement

A risk register supports decision-making. It does not make decisions by itself.

Senior leaders still need judgement, experience, challenge and accountability.

Risk register compared with other tools

Risk register and SWOT

SWOT identifies strengths, weaknesses, opportunities and threats.

A risk register takes specific threats, and sometimes opportunities, and turns them into managed actions with owners and review dates.

Use SWOT for strategic diagnosis. Use the risk register for ongoing risk management.

Risk register and PESTLE

PESTLE identifies external political, economic, social, technological, legal and environmental factors.

Those external factors may create risks that should be transferred into the risk register.

For example, a legal change identified in PESTLE may become a compliance risk in the register.

Risk register and Porter’s Five Forces

Porter’s Five Forces examines competitive pressure.

The risks identified may include supplier power, buyer concentration, new entrants, substitutes or intense rivalry.

Use Five Forces to understand market risk. Use the risk register to manage the response.

Risk register and TOWS

TOWS turns SWOT into strategy.

WT and ST strategies often identify risks that need active management. These should feed into the risk register.

Risk register and Business Model Canvas

The Business Model Canvas shows how an organisation creates, delivers and captures value.

The risk register can then identify what might break that model.

For example, customer concentration, supplier dependency, weak channels or high fixed costs may all become register risks.

Risk register and Balanced Scorecard

The Balanced Scorecard tracks strategy delivery through objectives, measures, targets and actions.

A risk register tracks uncertainty that could affect those objectives.

Used together, they provide a strong view of both performance and risk.

Alternatives and complementary frameworks

Risk matrix

A risk matrix plots likelihood against impact. It is useful for visual prioritisation.

It should support the risk register, not replace it.

Issue log

An issue log records problems that have already happened.

Use it alongside a risk register in project management.

Assumptions log

An assumptions log records important assumptions that need testing.

This is useful where risks depend heavily on uncertain assumptions.

Bow-tie analysis

Bow-tie analysis maps causes, controls and consequences.

It is useful for complex operational, safety or compliance risks.

Scenario planning

Scenario planning explores different possible futures.

Use it where uncertainty is high, such as economic conditions, regulation, technology or funding.

Business continuity plan

A business continuity plan explains how the organisation will continue operating after disruption.

A risk register may identify disruption risks, but a continuity plan sets out the response.

Internal audit

Internal audit tests whether controls are designed and operating effectively.

A risk register can help inform the audit plan.

Risk appetite statement

A risk appetite statement explains the level of risk the organisation is willing to accept.

It helps decide which risks must be reduced and which can be tolerated.

A practical risk register template

A useful risk register should include the following columns:

  1. Risk reference
  2. Risk category
  3. Risk description
  4. Cause
  5. Potential impact
  6. Inherent likelihood
  7. Inherent impact
  8. Inherent score
  9. Existing controls
  10. Control effectiveness
  11. Residual likelihood
  12. Residual impact
  13. Residual score
  14. Risk response
  15. Further actions
  16. Risk owner
  17. Action owner
  18. Deadline
  19. Status
  20. Review date
  21. Commentary

Example:

Risk reference: R001
Category: Financial
Risk description: Because the organisation relies on one major customer for 45% of income, there is a risk that the loss of that customer would significantly reduce cash flow and profitability.
Inherent score: High
Existing controls: Regular account management, contract review, service quality monitoring.
Residual score: Medium to high
Further actions: Develop new customer pipeline and reduce dependency to below 30% within 12 months.
Risk owner: Managing Director
Action owner: Sales Director
Review date: Monthly
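The scoring described under "Risk score" and step 5 (likelihood multiplied by impact on a five-point scale), the residual-risk idea in step 7, and the template above can be captured in a small register model. The following is an added example, not code from the article: each row carries the template's inherent and residual columns, the register is ordered by residual score, and a review pass flags the ownership and deadline mistakes the article lists. The rating bands (High at 15 or above, Medium at 8 to 14, Low below 8), the numeric scores for R001, and rows R002 and R003 are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumed rating bands for a 5x5 likelihood x impact matrix (the article gives none).
BANDS = ((15, "High"), (8, "Medium"), (1, "Low"))


def rate(score: int) -> str:
    """Map a 1..25 score to a band label."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score out of range: {score}")


@dataclass
class Risk:
    """One row of the register; column names follow the article's template."""
    reference: str
    category: str
    description: str
    inherent_likelihood: int                     # 1 Rare .. 5 Almost certain
    inherent_impact: int                         # 1 Minor .. 5 Severe
    existing_controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None    # None = no reduction claimed
    residual_impact: Optional[int] = None
    response: str = "Reduce"
    further_actions: List[str] = field(default_factory=list)
    risk_owner: Optional[str] = None
    action_owner: Optional[str] = None
    deadline: Optional[date] = None
    review_date: Optional[date] = None

    def __post_init__(self) -> None:
        # Residual defaults to inherent: with nothing recorded, nothing has reduced the risk.
        if self.residual_likelihood is None:
            self.residual_likelihood = self.inherent_likelihood
        if self.residual_impact is None:
            self.residual_impact = self.inherent_impact
        for v in (self.inherent_likelihood, self.inherent_impact,
                  self.residual_likelihood, self.residual_impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.reference}: scale values must be 1..5, got {v}")

    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order by residual score, highest first; ties broken by reference for a stable report."""
    return sorted(risks, key=lambda r: (-r.residual_score(), r.reference))


def review_findings(risks: List[Risk], today: date) -> List[str]:
    """Flag the common register mistakes: no owner, no deadline, stale review,
    and residual scores inconsistent with the controls actually recorded."""
    findings = []
    for r in risks:
        if r.risk_owner is None:
            findings.append(f"{r.reference}: no risk owner")
        if r.further_actions and r.action_owner is None:
            findings.append(f"{r.reference}: actions listed but no action owner")
        if r.further_actions and r.deadline is None:
            findings.append(f"{r.reference}: actions listed but no deadline")
        if r.deadline is not None and r.deadline < today:
            findings.append(f"{r.reference}: action deadline passed")
        if r.review_date is not None and r.review_date < today:
            findings.append(f"{r.reference}: review overdue")
        if r.residual_score() > r.inherent_score():
            findings.append(f"{r.reference}: residual score exceeds inherent score")
        if not r.existing_controls and r.residual_score() < r.inherent_score():
            findings.append(f"{r.reference}: residual reduced but no controls recorded")
    return findings


# Constructed sample rows. R001 follows the article's worked example; its numbers,
# and rows R002 and R003, are assumptions for illustration.
SAMPLE_REGISTER = [
    Risk("R001", "Financial",
         "Because the organisation relies on one major customer for 45% of income, there is "
         "a risk that losing that customer would significantly reduce cash flow and profit.",
         inherent_likelihood=4, inherent_impact=5,
         existing_controls=["Regular account management", "Contract review",
                            "Service quality monitoring"],
         residual_likelihood=3, residual_impact=4,
         further_actions=["Develop new customer pipeline; dependency below 30% in 12 months"],
         risk_owner="Managing Director", action_owner="Sales Director",
         deadline=date(2026, 6, 30), review_date=date(2026, 1, 31)),
    Risk("R002", "IT and cyber",
         "Because staff handle customer data on shared systems, there is a risk that an "
         "account compromise exposes personal data, leading to regulatory action.",
         inherent_likelihood=4, inherent_impact=5,
         existing_controls=["Multi-factor authentication", "Tested backups", "Staff training",
                            "Endpoint protection", "Incident response plan"],
         residual_likelihood=2, residual_impact=4,
         risk_owner="IT Manager", review_date=date(2026, 1, 31)),
    Risk("R003", "People",
         "Because two engineers hold all knowledge of the billing system, there is a risk "
         "that their departure halts invoicing, leading to cash flow disruption.",
         inherent_likelihood=3, inherent_impact=4,
         further_actions=["Document the billing system and cross-train a third engineer"]),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.reference} inherent {r.inherent_score():>2} ({rate(r.inherent_score())}) "
              f"residual {r.residual_score():>2} ({rate(r.residual_score())})")
    for finding in review_findings(SAMPLE_REGISTER, today=date(2026, 1, 15)):
        print("finding:", finding)
```

Two design choices carry the article's points. Residual defaults to inherent rather than to a blank, so a risk with no recorded controls cannot quietly appear "managed" (mistake 5). And prioritisation sorts on residual score, so in the sample the unowned R003 outranks the well-controlled cyber risk R002 even though R002 started higher, which is exactly the ordering the review conversation should surface.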

Questions to ask when reviewing a risk register

Risk identification

  1. What could stop us achieving our objectives?
  2. What are we relying on?
  3. What has changed recently?
  4. What has gone wrong before?
  5. What nearly went wrong?
  6. What are staff worried about?
  7. What are customers or service users telling us?
  8. What external factors could affect us?
  9. What risks are not being discussed?
  10. What would surprise us if it happened?

Risk assessment

  1. How likely is the risk?
  2. What would the impact be?
  3. Is the score realistic?
  4. Are we being too optimistic?
  5. Are we being too cautious?
  6. Is this risk increasing or decreasing?
  7. What is the timescale?
  8. Could this risk trigger other risks?
  9. What evidence supports the rating?
  10. Who has challenged the assessment?

Controls

  1. What controls are already in place?
  2. Are they documented?
  3. Are they working?
  4. When were they last tested?
  5. Who is responsible for them?
  6. Are there control gaps?
  7. Are controls proportionate?
  8. Are controls too expensive or too weak?
  9. What would happen if a control failed?
  10. Is there evidence that the control is effective?

Actions

  1. What further action is needed?
  2. Who owns the action?
  3. Is the deadline clear?
  4. Is the action realistic?
  5. Is funding required?
  6. Is senior approval needed?
  7. What will success look like?
  8. Has progress been made since the last review?
  9. Should the action be escalated?
  10. Should the risk be accepted instead?

Governance

  1. Who reviews the register?
  2. How often is it reviewed?
  3. Which risks go to the board or trustees?
  4. Is there a clear escalation process?
  5. Does the register inform decisions?
  6. Does it link to strategy?
  7. Does it link to audit?
  8. Does it link to performance reporting?
  9. Is risk appetite clear?
  10. Is the register actually being used?

The best way to think about a risk register

A risk register is not a prediction document. It is a management discipline.

A good risk register should be:

  1. Clear
  2. Specific
  3. Honest
  4. Prioritised
  5. Owned
  6. Reviewed
  7. Linked to action
  8. Connected to objectives
  9. Supported by evidence
  10. Used in decision-making

A weak risk register is vague, static and ignored.

The key question is not simply:

What risks do we have?

The better question is:

Which risks could affect our objectives, what are we doing about them, and who is responsible?

Conclusion: a risk register turns uncertainty into managed action

A risk register is one of the most practical tools in management.

It does not remove uncertainty. It does not prevent every problem. It does not replace judgement. But it does help organisations identify what could affect their objectives, assess how serious those risks are, assign ownership and track action.

Used badly, a risk register becomes a compliance document that is updated before a board meeting and forgotten afterwards.

Used properly, it becomes a live management tool. It helps leaders, managers, trustees and project teams focus on the risks that matter most.

The real value is not in the spreadsheet. It is in the conversation, challenge and action that the register creates.

A good risk register helps an organisation make better decisions, prepare for uncertainty and improve its chances of achieving its objectives.
