Many teams struggle with scattered risk information, inconsistent assessments, and surprises that should have been anticipated. A well-structured risk register solves these problems by creating a single source of truth for organizational risks.
What You'll Achieve
By the end of this tutorial, you will have a working risk register with clearly identified risks, consistent scoring criteria, assigned ownership, and a monitoring framework—ready for real use in your organization.
What is a Risk Register?
A risk register (also called a risk log) is a document that records identified risks, their severity, and the actions needed to manage them. Think of it as a living database that captures everything your organization knows about the threats and uncertainties it faces.
A well-structured risk register typically includes:
- Risk ID: A unique identifier for tracking
- Risk Description: A clear statement of what could happen
- Category: The type of risk (operational, financial, strategic, compliance, etc.)
- Likelihood: How probable the risk is to occur
- Impact: The potential consequences if it does occur
- Risk Score: A combined measure of likelihood and impact
- Current Controls: Existing measures that mitigate the risk
- Risk Owner: The person responsible for managing the risk
- Treatment Plan: Actions to further reduce the risk
- Status: Current state of the risk and treatment actions
Why Your Organization Needs One
Organizations without a formal risk register often experience:
- Repeated surprises from risks that should have been anticipated
- Inconsistent risk responses across departments
- Difficulty demonstrating due diligence to stakeholders and regulators
- Wasted resources on low-priority risks while critical ones go unaddressed
- Loss of institutional knowledge when key employees leave
A properly maintained risk register addresses all of these issues by creating a single source of truth for risk information.
Step 1: Define Your Scope
Before identifying any risks, you need to establish clear boundaries for your risk register. Ask yourself:
- What is covered? The entire organization, a specific business unit, a project, or a process?
- What timeframe? Are you looking at risks for the next quarter, year, or five years?
- What risk categories? Operational, financial, strategic, compliance, reputational, or all of the above?
- Who are the stakeholders? Who will use this register and what decisions will it inform?
Pro Tip
Start with a manageable scope. It's better to have a thorough register for one business unit than a superficial one for the entire organization. You can always expand later.
Step 2: Identify Risks
Risk identification is often the most time-consuming step, but it's also the most important. Use multiple methods to ensure comprehensive coverage:
Brainstorming Sessions
Gather cross-functional teams to identify risks. Include people from different levels and departments to get diverse perspectives. Use prompts like "What could prevent us from achieving our objectives?" or "What has gone wrong in the past?"
Historical Analysis
Review past incidents, near-misses, audit findings, and lessons learned. Your organization's history is one of the best predictors of future risks.
Industry Research
Look at industry reports, competitor incidents, and regulatory guidance. Risks that affect others in your industry will likely affect you too.
Writing Effective Risk Descriptions
A good risk description follows this format: "[Event] caused by [Cause] resulting in [Consequence]"
Risk Descriptions
Poor: "Cybersecurity risk"
Better: "Data breach caused by phishing attack resulting in customer data exposure and regulatory fines"
Poor: "Supply chain issues"
Better: "Production delays caused by single-source supplier failure resulting in inability to meet customer commitments"
Step 3: Assess Each Risk
Once you've identified risks, you need to evaluate their severity using likelihood and impact scoring. The most common approach is to assess two dimensions:
Likelihood (Probability)
How likely is this risk to occur? Use a consistent scale:
| Rating | Descriptor | Definition |
|---|---|---|
| 1 | Rare | May occur only in exceptional circumstances (less than 5% chance) |
| 2 | Unlikely | Could occur but not expected (5-25% chance) |
| 3 | Possible | Might occur at some point (25-50% chance) |
| 4 | Likely | Will probably occur in most circumstances (50-75% chance) |
| 5 | Almost Certain | Expected to occur in most circumstances (greater than 75% chance) |
Impact (Consequence)
If this risk occurs, how severe would the consequences be?
| Rating | Descriptor | Financial Impact |
|---|---|---|
| 1 | Insignificant | Less than $10,000 |
| 2 | Minor | $10,000 - $100,000 |
| 3 | Moderate | $100,000 - $1,000,000 |
| 4 | Major | $1,000,000 - $10,000,000 |
| 5 | Catastrophic | Greater than $10,000,000 |
Important
Customize these scales to your organization's context. A $100,000 loss might be catastrophic for a small business but insignificant for a large corporation. The key is consistency in how you apply the scales.
Step 4: Prioritize Risks
Calculate each risk's score by multiplying its likelihood rating by its impact rating (Risk Score = Likelihood × Impact, giving a range of 1 to 25). The score gives you a basis for prioritization:
Risk Score Formula
- Critical (20-25): Requires immediate executive attention and action
- High (12-19): Needs active management and monitoring
- Medium (6-11): Should be monitored with periodic review
- Low (1-5): Accept and monitor periodically
Focus your resources on critical and high risks first. Low risks might not need active treatment, but should still be documented and reviewed periodically.
Step 5: Define Controls and Mitigation
For each significant risk, identify the controls that reduce it. The distinction between inherent and residual risk matters here: inherent risk is the level of risk before any controls, and residual risk is what remains after the controls are applied.
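As an added example (not part of the tutorial), the scoring from Step 4 and the inherent/residual distinction from Step 5 in Python: rating validation, the 1-25 score, the priority bands, a check that residual risk never exceeds inherent risk, and a report ordered for review using the Step 7 cycles. The Risk class, its field names and the sample ratings are assumptions; the two descriptions are the tutorial's own "Better" examples.

```python
from dataclasses import dataclass, field

# Priority bands from Step 4 (lower bound, name) and the review cycles from Step 7.
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]
REVIEW_CYCLE = {"Critical": "weekly", "High": "monthly", "Medium": "quarterly", "Low": "annual"}

def risk_score(likelihood: int, impact: int) -> int:
    # Risk Score = Likelihood x Impact; reject ratings outside the 1-5 scales (guards against inconsistent scoring)
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return likelihood * impact

def priority(score: int) -> str:
    # Map a 1-25 score onto the tutorial's bands; scores below 1 cannot come out of risk_score()
    return next(band for floor, band in BANDS if score >= floor)

@dataclass
class Risk:  # assumed structure, following the register fields listed in the tutorial
    risk_id: str
    description: str
    owner: str
    inherent: tuple  # (likelihood, impact) before any controls
    residual: tuple  # (likelihood, impact) with current controls in place
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return risk_score(*self.inherent)

    def residual_score(self) -> int:
        score = risk_score(*self.residual)
        if score > self.inherent_score():  # controls can only reduce risk; flags an inconsistent assessment
            raise ValueError(f"{self.risk_id}: residual {score} exceeds inherent {self.inherent_score()}")
        return score

def register_report(risks: list) -> list:
    # One row per risk: (id, inherent, residual, priority, review cycle), highest residual score first
    rows = []
    for r in risks:
        band = priority(r.residual_score())  # prioritize on what remains after controls
        rows.append((r.risk_id, r.inherent_score(), r.residual_score(), band, REVIEW_CYCLE[band]))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample entries reusing the tutorial's two "Better" descriptions; ratings are illustrative.
SAMPLE = [
    Risk("R-001", "Data breach caused by phishing attack resulting in customer data exposure and regulatory "
         "fines", "Head of IT", (4, 5), (3, 4), ["phishing awareness training", "MFA on email"]),
    Risk("R-002", "Production delays caused by single-source supplier failure resulting in inability to meet "
         "customer commitments", "Supply chain manager", (3, 4), (2, 3), ["safety stock", "second supplier"]),
]
```

Running `register_report(SAMPLE)` puts the phishing risk first (inherent 20, residual 12, High, monthly review) and the supplier risk second (inherent 12, residual 6, Medium, quarterly review).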
Existing Controls
What measures are already in place that reduce this risk? Consider:
- Policies and procedures
- Technical controls (systems, automation)
- Physical controls (security, safety equipment)
- Training and awareness programs
- Insurance coverage
- Contractual protections
Treatment Options
For risks that remain unacceptable after existing controls, choose a treatment strategy:
- Avoid: Eliminate the activity that creates the risk
- Reduce: Implement additional controls to lower likelihood or impact
- Transfer: Shift the risk to another party (insurance, outsourcing)
- Accept: Acknowledge the risk and monitor without further action
Step 6: Assign Ownership
Every risk needs a single, accountable owner. The risk owner is responsible for:
- Monitoring the risk status
- Ensuring controls are functioning
- Implementing treatment actions
- Reporting on the risk to stakeholders
- Escalating when the risk exceeds tolerance
Pro Tip
The risk owner should be as close to the risk as possible. A VP doesn't need to own routine operational risks; empower managers and team leads to own risks in their areas.
Step 7: Implement Monitoring
A risk register is only valuable if it's kept current. Establish a monitoring framework:
Review Cycles
- Critical risks: Weekly or bi-weekly review
- High risks: Monthly review
- Medium risks: Quarterly review
- Low risks: Annual review
Key Risk Indicators (KRIs)
Define measurable indicators that signal changes in risk levels. For example:
- Number of security incidents (cybersecurity risk)
- Employee turnover rate (key person risk)
- Supplier delivery delays (supply chain risk)
- Customer complaints (quality risk)
Common Mistakes to Avoid
1. Creating a "Check-the-Box" Register
A risk register that's only updated for audits provides no real value. It should be a living document that informs daily decisions.
2. Inconsistent Scoring
If different assessors use different interpretations of your scales, scores become meaningless. Train everyone on consistent application.
3. Too Many Risks
A register with 500 risks is unmanageable. Focus on material risks that could significantly impact your objectives. Consolidate similar risks.
4. Vague Descriptions
"Market risk" tells you nothing. Be specific about the cause, event, and consequence.
5. No Action Follow-Through
Identifying risks is pointless if treatment actions never get implemented. Track action items and hold owners accountable.
Summary
- Start with a clear, manageable scope before identifying risks
- Use multiple methods to identify risks comprehensively
- Apply consistent likelihood and impact scales for scoring
- Focus resources on critical and high risks first
- Assign clear ownership and establish regular review cycles
- Keep the register as a living document, not a compliance checkbox
Frequently Asked Questions
Is a risk register mandatory?
It depends on your industry and jurisdiction. Many regulatory frameworks require risk registers, including ISO 31000, SOX compliance, and financial services regulations. Even when not legally required, a risk register is considered a fundamental component of enterprise risk management best practices.
How often should a risk register be updated?
Critical and high risks should be reviewed monthly or more frequently, medium risks quarterly, and low risks annually. Additionally, update the register whenever significant organizational changes occur, new projects launch, or external conditions shift materially.
What's the difference between inherent and residual risk?
Inherent risk is the level of risk before any controls are applied. Residual risk is what remains after controls are implemented. Your risk register should track both to understand the effectiveness of your controls and identify gaps.
How many risks should a risk register contain?
There's no magic number, but a manageable register typically contains 20-50 material risks for a mid-size organization. Having too many risks (200+) makes the register unwieldy. Focus on risks that could materially impact your objectives and consolidate similar risks.
Can I use a spreadsheet for my risk register?
Spreadsheets work for small organizations or when starting out. However, as your risk program matures, dedicated risk management software provides better collaboration, audit trails, automated scoring, and reporting capabilities.
Who should own the risk register?
The Chief Risk Officer or equivalent typically owns the overall risk register. However, individual risks should be owned by the executives or managers responsible for the business areas where those risks reside. The CRO facilitates and consolidates, but risk ownership should be distributed.