Risk Register Templates

This article provides instructions and templates for two primary approaches to building Risk Registers. The examples provided are based on enterprise risk but apply to other risk disciplines, including project risk, operational risk, technology risk, health & safety, and more.

Approach 1 - Classic Risk Registers

Classic risk registers are organized by risk and include many of the elements shown in the example below. This image was taken from the Essential ERM software system, but a downloadable spreadsheet template is included below. 

Some key considerations from the example above:

1. Link Risks to Objectives.  Starting with your goals and linking them to risks helps you to focus on the risks that truly matter. What events, if they were to occur, would impact your ability to hit your goals?  Is the pursuit of new objectives leading you to face new risks? This is a key best practice that will help you to deliver business value with your risk register and stop your register from ballooning unnecessarily. 

2. Inherent Versus Residual Risk.  Inherent risk is the level of risk that you would face if you took no steps to control the risk. Residual risk is the level of risk that remains after taking your controls into account. Risk levels are usually calculated by multiplying the likelihood of the risk occurring with its potential impact. There are good reasons to evaluate inherent risk, but note that it can cause confusion for some individuals who have trouble envisioning a situation without your existing controls. If in doubt, start with residual risk and add inherent later when needed. 

3. Risk Appetite.  A risk’s residual score is only part of the story when assessing risks. Organizations can have a different willingness to accept certain levels of risk (“risk appetite”) in different situations, and depending on how strongly the risks could impact key objectives. For example, a well-capitalized business may be prepared to accept higher levels of financial risk, while simultaneously having a low tolerance for safety risks.  Common values in the Risk Appetite column include within, above and below. 

Other columns not shown in the image above that you may wish to consider include:

• Root causes
• Pre-event mitigations
• Post-event mitigations
• Consequences
• Control effectiveness
• Target likelihood
• Target impact 
• Target risk score
• Action plans & status
• Date created
• Date assessed
• Tags for filtering & reporting

Approach 2 - Objective-Centric Risk Registers

The second example shown below takes the concept of objective-centric risk management to the next level.  In this approach, your objective categories or priority areas become the primary headings with specific goals and related risks shown underneath them. This approach is more difficult to maintain in spreadsheets and presentation documents, but is more engaging and focused for senior leadership and business managers.  In effect, you are starting your strategic/departmental plan (or project charter) and weaving your register into that structure. 

Systems Versus Spreadsheets

Getting started on a spreadsheet is fast and easy and we are happy to share the template example below. Before you get started, however, you may want to consider a few important points.  First, spreadsheets will force you into a row structure, with one line per risk.  This makes it very difficult to represent the true many-to-many relationships that exist between risks and other factors. For example, one risk may impact several objectives.  One control may apply to multiple risks. Individual risks often have multiple action plans. Spreadsheets are also difficult and time consuming to maintain and usually restrict risk management activities to a single risk manager.

See Article “Why Spreadsheets Are a Risk to Your Risk Program” 

In contrast, modern risk register tools handle many-to-many relationships easily, while providing automated reporting, risk libraries, multi-user access, change logs, history/trend tracking, and more. Modern tools will allow you to build a register in minutes and will make keeping it current and collaborating with others a breeze.

The right ERM system will be much faster and easier to set up and maintain than a spreadsheet, as this short video explains.

‍
Try Essential ERM and build a risk register - Free 14 Day Trial

Download Risk Register Template