What is a risk register?
A risk register (also called a risk log or risk inventory) is a documented record of all identified risks facing an organization or project, along with their assessments, owners, controls, and status. It is the central artifact of any risk management program.
Done well, a risk register is a living management tool that drives decisions. Done poorly, it is a static spreadsheet that nobody reads and everybody updates once a year before an audit.
What to include in a risk register
Every risk register entry should capture at minimum:
- Risk ID — a unique identifier for tracking
- Risk title — a concise, plain-language name
- Risk description — what could happen, why, and what the consequence would be
- Risk category — strategic, operational, financial, compliance, reputational, etc.
- Inherent likelihood — probability before controls (typically scored 1–5)
- Inherent impact — severity before controls (typically scored 1–5)
- Inherent risk score — likelihood × impact
- Controls — existing controls that mitigate this risk
- Residual likelihood — probability after controls
- Residual impact — severity after controls
- Residual risk score — residual likelihood × residual impact (it should never exceed the inherent score)
- Risk owner — the person accountable for managing this risk
- Risk appetite / tolerance — is the residual risk within acceptable limits?
- Actions — remediation steps if residual risk exceeds appetite
- Last reviewed date
Step 1: Define your risk categories
Before identifying individual risks, establish the taxonomy of risk types relevant to your organization. Common categories include:
- Strategic — competitive position, market changes, M&A
- Operational — processes, people, systems, suppliers
- Financial — credit, liquidity, reporting accuracy
- Compliance — regulatory, legal, contractual
- Technology / Cyber — data breaches, outages, IT failures
- Reputational — brand, stakeholder trust
- ESG / Sustainability — climate, social, governance
Step 2: Build your scoring matrix
Agree on a consistent scoring scale before you start assessing risks. A 5×5 matrix is the most common:
- Likelihood: 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Almost certain
- Impact: 1 = Negligible, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Catastrophic
Define what each score means in concrete terms for your organization. "Major impact" should specify a financial loss threshold (e.g. €1M–€10M), a regulatory consequence (e.g. formal enforcement action), and an operational consequence (e.g. >24h service disruption). Concrete definitions prevent scoring drift across teams. Note also that a plain likelihood × impact product scores a rare catastrophic event (1 × 5) the same as a near-certain negligible one (5 × 1); if those should not be treated alike, define the matrix cell by cell or weight the impact axis rather than relying on the product alone.
Step 3: Identify risks
Risk identification should not be a solo activity. Use multiple inputs:
- Management workshops — structured sessions with department heads to surface risks in their area
- Bottom-up surveys — ask operational staff what keeps them up at night
- Historical incidents — what has gone wrong before?
- Industry benchmarks — what risks are common in your sector?
- Regulatory guidance — what does your regulator flag as key risks?
- External environment scan — what macro trends (AI, regulation, geopolitics) are emerging?
For a first register, aim for 30–60 risks. More than 100 is usually a sign of insufficient filtering.
Step 4: Assess each risk
For each identified risk, score inherent likelihood and impact (before any controls), identify existing controls, then score residual likelihood and impact (after controls). The gap between inherent and residual tells you how much value your controls are adding. A residual score higher than the inherent score is a data error, not a finding: either the inherent score or a control has been mis-scored. A residual score that drops with no control listed is equally suspect.
Be honest. A culture where people inflate inherent scores to make their controls look effective, or deflate residual scores to avoid scrutiny, produces a register that gives false comfort.
Step 5: Assign owners
Every risk must have a named owner. The owner is accountable for:
- Monitoring the risk and its controls
- Escalating when the risk level changes
- Completing assigned actions
- Providing updates at review cycles
Risk owners are typically first-line operational managers, not the risk function itself.
Step 6: Define actions for out-of-appetite risks
For risks where the residual score exceeds your risk appetite, define specific remediation actions with owners and deadlines. Actions should be SMART: Specific, Measurable, Achievable, Relevant, Time-bound.
Step 7: Review regularly
A risk register reviewed once a year is a compliance document. A risk register reviewed quarterly is a management tool. Define your review cadence and stick to it:
- Full register review: annually or semi-annually
- Top risks review: quarterly with senior management
- Triggered reviews: after incidents, major business changes, or external events
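The scoring and the checks from Steps 2 to 7, as an added Python example that is not part of the original article and not any product's code. The entry schema, the appetite threshold of 9 (a residual score above a 3 × 3 cell), the 92-day review window, the reference date and the four sample entries are all assumptions chosen for illustration; the sample entries are constructed so that each validation rule fires at least once.

```python
"""Risk register model: 5x5 scoring, appetite check, ownership and review-age checks.
Added example; schema, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Step 2 scales. Inherent and residual scores therefore range from 1 to 25.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

RISK_APPETITE = 9                 # assumed: residual above 9 is out of appetite
MAX_REVIEW_AGE = timedelta(days=92)  # assumed: quarterly cadence for the top risks
REFERENCE_DATE = date(2025, 6, 30)   # assumed "today" so the sample data is reproducible


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int
    owner: Optional[str]          # a named person; None models "no real ownership"
    last_reviewed: date
    controls: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject anything off the agreed scale so scoring drift is caught at entry time.
        for name in ("inherent_likelihood", "residual_likelihood"):
            if getattr(self, name) not in LIKELIHOOD:
                raise ValueError(f"{self.risk_id}: {name} must be 1-5")
        for name in ("inherent_impact", "residual_impact"):
            if getattr(self, name) not in IMPACT:
                raise ValueError(f"{self.risk_id}: {name} must be 1-5")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def control_effect(self) -> int:
        """Points of risk the listed controls are credited with removing (Step 4)."""
        return self.inherent_score - self.residual_score


def validate(risk: Risk, today: date) -> List[str]:
    """Data-quality findings for one entry; an empty list means the entry is clean."""
    findings = []
    if risk.residual_score > risk.inherent_score:
        findings.append("residual exceeds inherent: a control or the inherent score is mis-scored")
    if not risk.controls and risk.control_effect() > 0:
        findings.append("residual is lower than inherent but no controls are listed")
    if risk.controls and risk.control_effect() == 0:
        findings.append("controls listed but credited with no reduction")
    if risk.owner is None or not risk.owner.strip():
        findings.append("no named owner")
    if risk.residual_score > RISK_APPETITE and not risk.actions:
        findings.append("out of appetite with no remediation actions")
    if today - risk.last_reviewed > MAX_REVIEW_AGE:
        findings.append(f"not reviewed for {(today - risk.last_reviewed).days} days")
    return findings


def out_of_appetite(register: List[Risk]) -> List[str]:
    """IDs of risks whose residual score exceeds appetite, worst first (Step 6)."""
    over = [r for r in register if r.residual_score > RISK_APPETITE]
    return [r.risk_id for r in sorted(over, key=lambda r: r.residual_score, reverse=True)]


def build_sample_register(today: date) -> List[Risk]:
    """Constructed sample entries (not real data), chosen to exercise each check."""
    return [
        Risk("R-001", "Unauthorised access to customer data leads to regulatory penalty",
             "Technology / Cyber", 4, 5, 2, 5, "Head of Platform Engineering",
             today - timedelta(days=20),
             controls=["MFA on all admin access", "Quarterly access review"],
             actions=["Deploy DLP on export paths by end of Q3"]),
        Risk("R-002", "Key supplier outage halts order processing", "Operational",
             3, 4, 3, 4, "Head of Supply Chain", today - timedelta(days=200),
             controls=["Contractual SLA"]),           # stale; control credited with nothing
        Risk("R-003", "Misstated revenue in quarterly reporting", "Financial",
             2, 4, 1, 2, None, today - timedelta(days=10)),  # no owner; drop with no control
        Risk("R-004", "Loss of data centre due to flooding", "Operational",
             1, 5, 2, 5, "Facilities Manager", today - timedelta(days=5),
             controls=["Off-site backups"]),          # residual above inherent: mis-scored
    ]


def register_report(today: date = REFERENCE_DATE) -> dict:
    register = build_sample_register(today)
    return {"findings": {r.risk_id: validate(r, today) for r in register},
            "out_of_appetite": out_of_appetite(register)}


if __name__ == "__main__":
    report = register_report()
    for rid, problems in report["findings"].items():
        print(rid, problems or "clean")
    print("out of appetite:", report["out_of_appetite"])
```

Only R-001 comes back clean: it is out of appetite, but it has a named owner, credited controls, a remediation action and a recent review, which is exactly the state Step 6 asks for. The other three entries each trip a check that a spreadsheet would silently accept, which is the argument for validating entries at the point they are recorded rather than once a year before the audit.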
Common mistakes to avoid
- Writing risks as events rather than risk statements ("cyberattack" vs. "risk that unauthorized access to customer data leads to regulatory penalty and reputational damage")
- No real ownership — risks owned by a function rather than a named individual
- Scores that never change between reviews
- Actions that are always "in progress" with no closure
- A register that exists in a spreadsheet only the risk manager can access
From spreadsheet to platform
Many organizations start their risk register in Excel. That is workable while the register is small and has one or two editors. As the register grows (more risks, more owners, more controls, more audit trail requirements) spreadsheets become unmanageable: version control breaks down, ownership is unclear, and reporting requires hours of manual formatting.
Platforms like Reesk give you a structured risk register with built-in ownership, scoring matrices, control linkage, and reporting — without the spreadsheet overhead.
