Creating a risk register

Upon completion of a risk management plan, you must create a master document known as a risk register. Get a review of what a risk register is and why it’s important along with an easy-to-use Excel risk register template.

Why Do You Need a Risk Register?

Risk management is critical to the success of any project and must be developed during the planning stages of the project management process. A seven-step method for creating a risk management plan is outlined in A Practical Approach to Creating a Risk Management Plan. The next step is creating a risk register.

The Importance of a Risk Register

· The risk register starts, of course, with a risk management plan. The project manager must seek input from team members as well as stakeholders and possibly even end users. The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages.

· Managers should view the risk register as a management tool through a review and updating process that identifies, assesses, and manages risks down to acceptable levels. The register provides a framework in which problems that threaten the delivery of the anticipated benefits are captured. Actions are then instigated to reduce the probability and the potential impact of specific risks.

· Make your risk register visible to project stakeholders so they can see that risks are being addressed. They may flag risks you haven’t identified and give other options for risk mitigation.

Components of a Risk Register

There is no standard list of components that should be included in the risk register. The Project Management Institute Body of Knowledge (PMBOK), PRINCE2, and the Business Analysis Body of Knowledge (BABOK), among other organizations, make recommendations for risk register contents, but they are not set in stone. Some of the most widely used components are as follows:

Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.

Description of the Risk: A phrase that describes the risk.

Risk Type (business, project, stage): Classification of the risk. Business risks relate to delivery of achieved benefit; project risks relate to the management of the project, such as time frames and resources; and stage risks are risks associated with a specific stage of the plan.

Likelihood of Occurrence: Provides an assessment of how likely it is that this risk will occur. Examples are: L-Low, M-Medium (31-70%), H-High (>70%).

Severity of Effect: Provides an assessment of the impact that the occurrence of this risk would have on the project.

Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk. This may include production of contingency plans.

Owner: The individual responsible for ensuring that risks are appropriately engaged, with countermeasures undertaken.

Status: Indicates whether this is a current risk or whether the risk can no longer arise and impact the project. Example classifications are: C-current or E-ended.

Other columns such as quantitative value can also be added if appropriate.

Provided to the right are two sample risk registers. Sample 1 is a simple risk register with standard components. Sample 2 is more complex. It separates columns into Basic Information, Assessment, and Response. Download it here. You can flesh it out with additional columns if you like—for example, how the risk affects project costs or scheduling.

Tips for Using the Risk Register Template

Just one of many project management forms, the risk register template can help you manage your project risks. Here are some tips for using the template:

· Create your first risk register when the project plan is approved, using the risk section of the Project Plan as initial content.

· Change the title of this document by choosing View in the Tools Menu. Next, select Header and Footer and then Custom Header.

· Active risks in a period should be recorded in the Project Status Report for that period according to the thresholds for reporting risks in the risk management plan.

· Identifying new risks and updating this log should be part of an ongoing risk management process with clear roles and responsibilities. See the Risk Management Plan Template for suggestions on such parameters.

· Each risk should be assigned a number as a unique identifier that does not change over the life of the project and that is also used on the Project Status Report, Risk Identification Form, and Risk Impact Form.

· There should be specific definitions for the terms high, medium, low, near-term, medium-term, and far-term.

· If something is already occurring, it is an issue, not a risk. All risks that have become issues should go through an issue management process, but do not delete them from this record.


We recommend that you review your risk log regularly, especially before progressing to the next phase of the project. Ensure that your project sponsor is aware of the risks associated with the project.

Risks exist in all projects. Don’t skip the risk management process; failure to identify and document risks could end up killing the project. Creating, maintaining, and utilizing a risk register is a vital component of successful project management.