How to Create a Project Risk Register

By Andy Marker | May 23, 2023

In order to properly identify, track, and manage potential risks to your project, you’ll need to create a strong project risk register. We’ve gathered expert tips and provided a step-by-step how-to on creating a risk register.

On this page, you’ll find details on what to include in a risk register and how to create one, as well as a project risk starter kit.

What Is a Project Risk Register?

A project risk register, also called a risk log, is a document that project team members use to identify and monitor potential risks to a project.

What Is the Purpose of a Project Risk Register?

A risk register helps the project team track potential risks to a project, which allows the team to lessen the impact of each risk, if not to prevent them altogether.

Many experts consider a risk register one of the most important project management documents. 

A risk register helps the project team do the following:

  • Identify Risks: In addition to identifying potential risks, you’ll gain details on their potential impact. This allows you to plan ahead for how your team will deal with them. 

    “Otherwise, you're going to lose track of your risks,” Alan Zucker, Founding Principal of Project Management Essentials, says of the importance of creating and maintaining a risk register. “That’s the most basic reason. If you try to keep track of your risks in your head, you're going to forget things and you're not going to proactively manage and plan for that.”
  • Track Risks: The risk register also helps you track risks throughout the duration of the project.
  • Prevent Surprises: The risk register should include all possible risks the project team can contemplate and help determine the appropriate reaction to them. That should lower the chance of a risk popping up as a surprise to project and organization leaders.  

“Nobody likes surprises,” says Luis Contreras, President of and Principal Consultant at AzTech International, a California consultancy that helps organizations manage large, complex projects. “Stakeholders don’t like surprises. Shareholders don't like surprises. And the CEO doesn’t like surprises.”

Learn more about the broader goals and mission of project risk management in our in-depth article, along with expert tips and recommendations.

More Benefits of a Project Risk Register

A project risk register also offers benefits beyond helping you identify and deal with risks that could impact your project. In addition, it helps organizations clearly understand the opportunities and risks faced by their project and provides critical regulatory documentation.

These benefits are explained in more detail below:

  • Understand Opportunities and Risks: Using a risk register allows organizations to maintain a clear list and record of all potential opportunities and risks from the get-go. In turn, organization leaders and stakeholders can decide which risks are worth taking and which risks to avoid entirely.
  • Gain Regulatory Documentation: A risk register provides organizations with documentation on regulatory compliance that they will need in certain industries and on certain projects. For example, regulations that govern security around the data that organizations keep on customers require assessment of risk and defined mitigation measures. A risk register provides that information.

When to Use a Project Risk Register

Experts recommend that you use a risk register for almost every project. Some projects, such as very short endeavors that aren’t very resource-intensive, might not need one, but most do.

Create the risk register at the very beginning of the project, and enable the team to continually update the risk register as the project continues. The requirement of a risk register will likely be outlined in your team’s project risk management plan.

Who Creates the Project Risk Register?

The project manager is ultimately responsible for creating and updating the project risk register. But the manager might delegate the responsibility for the register to another person on the project team.

Everyone on the project team will have some responsibilities related to the risk register. For instance, they might participate in meetings where the register is updated, or each member might be able to add items to the register themselves. Various team members will be assigned as owners who are then responsible for understanding and monitoring various risks.

What Is Included in a Risk Register?

A risk register includes columns that represent different aspects of a risk the team is tracking. Even in simple risk registers, those columns will include the risk description, its potential impact, and details on the prevention plan.

Here are some common columns included on a risk register:

  • ID Number: Assign each risk an ID number in the far left column.
  • Date Raised: Here, detail when the specific risk was added to the register. This helps project teams take note of more recently recognized risks.
  • Project Category/Area: Include information on the broad project area. These categories will change with the type of project and the industry within which the project operates. For example, in construction, some broad categories might be materials, contracts, permits and regulations, and the construction site.
  • Risk Description: Give a summary description of the risk.
  • Impact Description: Summarize the potential impact of the risk.
  • Likelihood of Risk: Provide an educated guess on the likelihood of the risk. You might express it as a decimal (0.25 for a 25 percent chance of the risk happening) or as a number (for instance, 1 for the lowest chance of the risk happening and 5 for the highest chance of the risk happening).
  • Impact of Risk: Provide a number that represents the potential impact of a risk. Project teams can choose the number range they want to use. A low number represents little impact; a high number represents significant impact. 
  • Risk Severity: Include a risk severity score, which you calculate by multiplying together the likelihood number and the risk impact number.
  • Likely Timing of Risk: Some risk registers might include details on when during the project the risk is most likely to happen. This helps team members better prepare for the risk and to monitor the risk. 
  • Prevention/Mitigation Plan: Most risk registers include a short description of what measures the project team will take to try to prevent the risk from happening or to effectively deal with the risk if it happens.
  • Status of Risk: Many risk registers include a status of the risk — for example, “open” or “closed.” The chance of some risks happening becomes zero, based on progress in the project or for other reasons. Your team will need to close out those risks so you can focus your attention only on ongoing risks.
  • Status of Mitigation: In this column, detail the status of the prevention or mitigation plan, such as progress on the plan, whether the prevention or mitigation is helping, or whether it needs to be adjusted.
  • Owner: List the owner responsible for tracking the risk.
  • Other Notes: Some risk registers might include a column for other notes that could be important to document.

What Are the Categories of Risk in a Project Risk Register?

Many risk registers include a column that provides information on the broad project area where the risk occurs. This helps the project team better organize the risks and coordinate the team’s response.

The register might have general categories such as the following:

  • Budget
  • Operations
  • Schedule
  • Security

The Project Management Institute recommends including the following four broad categories:

  • External
  • Organizational
  • Project management
  • Technical

Many project registers include categories that vary depending on the type of project or the industry the project team is working in. For example, a construction project might have categories such as materials, contracts, and permits and regulations, while an IT project includes categories for hardware and software failures, system architecture issues, and operational failure issues.

How to Create a Risk Register

To create a project risk register, follow six basic steps: gather relevant past documents, gather input, enter potential risks into the risk register, prioritize risks based on risk score, assign an owner to each risk, and continually update the register.

Creating a risk register is an important early part of project risk analysis. The six steps are defined in more detail below:

  1. Gather Relevant Past Documents: Have the project team gather risk registers for completed projects that were similar in scope to the current project. You should also gather lessons learned and similar documents from relevant past projects. 

    “Say you had a risk register template for software development; you would preload that template with things that have happened to other software projects,” says Wendy Romeu, PMP, President and CEO of Alluvionic, a project management and cyber security firm. “Do that with your core project team, and it gets their juices flowing” to think about all possible risks.
  2. Gather Input: After reviewing relevant documents for past projects, gather thoughts and opinions about risk from stakeholders, team members, and anyone else who will be involved in the project or who understand its goals and challenges.

    This often means gathering a group of people in one meeting to talk about potential project risks. You can also gather input asynchronously, such as through digital surveys or over email.

    This process is all part of project risk identification.

    “Typically, we will have a risk and opportunity review,” says Contreras, from AzTech International. “You want to do those early on in the project and really get the team in the room. And it's really a brainstorm. You're trying to ask people to think of all the bad things that can happen and all the good things (or positive risks) that could happen.”
  3. Enter Potential Risks into the Risk Register: As your team gathers input, have the team enter potential risks into the register. Also add other important details about the potential risks, including your team’s opinions on the likelihood of the risk, along with the potential impact. You’ll want to include measures your team plans to take to prevent or mitigate the risks as well.
  4. Prioritize Risks Based on Risk Score: After you have documented all the potential risks, assess the likelihood of each risk, along with its potential impact.

    Multiply likelihood by impact to get the risk score or risk severity score. Then prioritize the risks, giving the most attention to those risks with the highest risk severity scores.
  5. Assign an “Owner” for Each Risk: Designate a person who will be responsible for monitoring the risk and updating the team on whether it’s close to happening or has happened. The owner also might have some responsibility for creating and implementing a prevention or mitigation plan. 

    “You want to make sure that, if that risk presents itself, who do you go to?” says Jean Ballard, a Senior Manager for Actualize Consulting, a professional services firm. “You don't want to find out when the risk manifests itself … you don’t want to wonder: ‘Who do I talk to? Is it this area or that area?’ You want to know who's on point for that risk.”
  6. Continually Update and Adjust the Risk Register: It’s vital that your team revisits the risk register throughout the project, as circumstances will change and, with them, so will risks. For instance, some new risks may crop up, or the likelihood and impact of other risks will change. Assess all of that regularly, and make changes to its prevention and mitigation plans where needed.

    “Things [on the risk register] change; things become stale,” says Contreras. “Also, people will refine the risk. When they discuss it more, they'll say: ‘Well, turns out this could really be the impact instead.’ As time goes on, some risks become less likely to happen after all, and then some may become even more likely to happen. You want to adjust that probability or likelihood column.” 

    “Depending on where you are in the project lifecycle, that risk probability, or that risk impact, can absolutely change,” says Kris Reynolds, Founder and CEO of Arrowhead Consulting in Tulsa, Oklahoma. “You may have had a risk score of 4.9 two weeks ago. But now that you're in the middle of a supply chain issue, the impact and the probability of that risk have potentially grown.”

    Romeu says your team will want to assess risks during your scheduled status meetings, which might be once per week or once every other week. Contreras says your team should review the risk register “at least monthly. For any project that’s a year or longer, you'd want to do it at least monthly. Obviously, if it’s a shorter project, you might even do it more frequently.”

Other Expert Tips for Risk Registers

Beyond the basic steps, experts offer some important tips to create and maintain a risk register. The tips will help ensure that the risk register prepares your team to handle all risks in the best possible way.

  • Don’t Ignore Anything: Even if a possible risk event seems unlikely or unlikely to affect the project, get the team together to think about it. Likely, you will include it on the risk register.

    “I have a specific memory of a project that my team took over,” Zucker says. “They were building a new [mobile] application. Before the app needed to go into production, they needed to buy a new server. We’ve got like a month before we’re ready to go into production. And the project manager says, ‘We're going to have to delay the implementation, the deployment of the project.’ I asked: ‘How come?’ He said they needed to buy a new server, and there was an issue with getting the server. My immediate question was, ‘Was that identified in the risk register?’ He said, ‘No. We kept talking about it, but we never actually did anything in terms of tracking it.’ There would have been plenty of opportunities to do something different, but because they weren't really formally tracking it, it fell through the cracks.”
  • Use If-Then Statements in Thinking About Risks: Your team will want to fully explore what would happen if a risk occurs. That means directly using if-then statements, says Zucker.

    “‘If this risk occurs, then this is the impact,’” he says, referring to what project teams should be exploring. “The reason I like doing that is it forces us to think about all of the possible impacts of a risk event. If there's a hurricane, I can lose power. I can lose internet. I can have a tree limb fall in my house. I could have a tree limb fall on my car. I could have my roof blown off. If I just said: ‘There's gonna be a hurricane,’ I haven't thought of those different risk events, so each one of those different risk events may have a different likelihood and may have a different response strategy associated with it.”
  • Think About Positive Risks, Too: Your team must also think about positive risks — things that could happen that would positively impact the project. For example, if recently inflated materials costs decrease, then a government grant might become available.

    “Too many projects don't start with the good things,” says Contreras. “But look for the opportunities. First, it changes the flavor of the (risk exploration) meeting. You can discuss the opportunities and people might like that more — rather than the risks (only) being pretty negative or pessimistic.”
  • Think Deeply About Appropriate Risk Mitigation Measures: As your team builds the risk register, think and talk deeply about the possible prevention and mitigation measures for each risk. Will they really work? Does your organization have the capacity to ensure the measures happen? Ballard, from Actualize Consulting, gives an example of risks that can happen in a software development project:

    “Let’s say there was a risk of the [computer] system going down. That always can happen whenever you introduce new code,” she says. “Who would you talk to about that [if that happened]? What are the options? You'd want to know the options in advance. Are you going to have to back out all the code together? Can you just back out parts of it? Who makes that call? You've got to know all that upfront.”

Project Risk Register Examples


Project risk register examples can help you understand how risk registers work and understand the best issues to cover and content to include in the register.

Use the advanced project risk register template to identify and track project risks, as well as provide details on how your team will deal with risks. The template includes columns for the risk category and description, along with the risk severity score, risk triggers, and the response and mitigation plan.

Use this basic project risk register template to quickly identify and track project risks, as well as provide details on how your team will deal with risks. The template includes basic columns for the risk description, along with the risk severity score and the response and mitigation plan.

You can also look over and download a large assortment of other example risk registers.

Project Risk Register Starter Kit


This starter kit includes a checklist on assessing possible project risks, a risk register template, an example qualitative risk impact matrix, and a template for a quantitative risk impact matrix. The kit will help your team better understand how to identify and assess risks and use a project risk register.

In this kit, you’ll find:

Get the Most Out of Your Risk Register with Smartsheet for Project Management

From simple task management and project planning to complex resource and portfolio management, Smartsheet helps you improve collaboration and increase work velocity -- empowering you to get more done. 

The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.

When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
