A risk register is an important risk analysis tool used in enterprise risk management, financial risk management, IT risk management, and project management. The International Organization for Standardization (ISO) publication 73:2009, Risk management—Vocabulary defines “risk register” as “a record of information about identified risks.”

 Often used for regulatory compliance, risk registers also help project managers stay abreast of project risks. To develop a risk register, risk managers collect and list every bit of information they can find about every identified risk including its level of urgency, priority for a response should the risk become a threat, and what those responses should be. Risk team members usually work together to create the risk register.

 Risk register examples abound, and they all have certain things in common. 

A risk register usually takes the form of a risk log. A risk log could be a spreadsheet, a form, or a dashboard listing:


  • All identified risks associated with a project, enterprise, or business unit
  • The risk category. These may include:
    • Operational risk: Risks of loss because of improper processes, operational failures, or outside events.  
    • Schedule risk: Risks to a project’s proceeding according to its established schedule.
    • Budget risk: Risks that could cause the project to exceed its budget.
    • Business risk: Risks to the business’s or project’s functioning or continuity.
    • Technical environment risk: Risks to the environment in which technical work gets done, such as changes to the development environment.
    • Information security risk: Risks to the security of data or information.
    • Programmatic risk: External risks that are out of managers’ control.
    • Infrastructure risk: Risks to connectivity due to inadequate infrastructure.
    • Quality and process risk: Risks due to improper quality and process management. 
    • Resource risk: Risks to the project’s schedule, staff, budget and facilities.
    • Third-party risk: Risks caused by the use of third parties including vendors and suppliers.
    • Technology risk: Risks caused by changes in technology.
    • Technical and architectural risk: Risks caused by hardware and software.
    • Project management risk: Risks to the management of the project.
  • The likelihood of each risk becoming a threat, event, or incident–also known as a risk rating (High, medium, low).
  • The impacts or consequences, including financial impacts, of each risk becoming reality.
  • The costs to mitigate each risk.
  • Response plans: The specific steps required for mitigation of each risk.
  • The name or title of the risk owner, or person responsible for managing each risk.

    What is a risk register used for?

    A risk register is used to identify potential risks in a project or an organization, sometimes to fulfill regulatory compliance but mostly to stay on top of potential issues that can derail intended outcomes. 

    Risk managers and project managers alike need to use a risk register. Project management can’t succeed without having at least one of these important lists. 

    That’s because to create risk registers in project management requires a thorough understanding of all the obstacles to the success of a project. Risk register creation and updating is, therefore, a critical aspect of project management. For every project an enterprise undertakes, there should be an accompanying project risk register. It’s as simple as that.

    Once a project is underway, regular monitoring of risks and responses is key. A project risk register can simplify this task by showing in a glance what risks exist, which risks are most worrisome, and how the enterprise should deal with them. Should risk be accepted? Mitigated? How?

    Risks come and go, which is why every risk register for project management should be updated regularly. Project team meetings should include periodic reviews of the risk register — monthly, quarterly, or annually–as well as at the end of every phase in the project.

    How to create a risk register

    Those inexperienced with risk registers in project management may not know how to create a risk register. It’s a big job, especially for big projects–which is why businesses often use a risk register template. Excel spreadsheets are commonly used, as well.

    For enterprises, business units, or projects with many risks, however, juggling spreadsheets can be confusing and time-consuming. Keeping track of when to update risk registers and precisely what needs to be updated–risk register project management–can be a hassle, too.

    Software can make risk register project management so much easier than using spreadsheets. ZenGRC, a software-as-a-service, can guide you through the tasks of risk identification, risk prioritization, impact assessment, risk response, and risk updating using in-a-glance dashboards instead of spreadsheets and automation instead of tiresome manual labor.