A risk register is a central project management document used to identify, analyze, and track risks that could potentially affect project objectives. In this article, you’ll learn the key components of a risk register as well as best practices for creating and maintaining one, along with real-world examples across industries including construction, IT, and healthcare.
Included in this article, you’ll find the following:
Real-world risk registers often include detailed narrative fields — not just simple risk scores. Context fields are important for explaining the circumstances surrounding risks and as their root causes.
Even after enacting mitigation efforts, risk rarely hits zero. Some risk registers evaluate both initial risk and residual risk after mitigation.
Risk registers can be structured differently depending on the audience using them. For example, detailed risk registers can be made available to teams while leadership sees short, severity-ranked summaries.
Risk Register Examples by Industry
Real-world risk registers often include detailed narrative fields — not just simple risk scores. Context fields are important for explaining the circumstances surrounding risks and as their root causes.
Even after enacting mitigation efforts, risk rarely hits zero. Some risk registers evaluate both initial risk and residual risk after mitigation.
Risk registers can be structured differently depending on the audience using them. For example, detailed risk registers can be made available to teams while leadership sees short, severity-ranked summaries.
Project Management Risk Register Example
Project managers use risk registers to identify and assess potential risks, as well as to document mitigation strategies. This California Department of Transportation project risk register shows how a real-world team would do this for a public infrastructure project — in this case, a broken-down bridge.
Courtesy California Department of Transportation
Here are some example category labels and entries from this risk register:
Risk: Property owners may deny access for environmental or engineering studies, which could delay project approvals and increase costs.
Current Status/Assumptions: The next phase of the project requires access to private properties. Permits to enter (PTEs) will need to be requested.
Rationale: Landowners within the study area may restrict access, preventing teams from completing required preliminary environmental work.
Mitigation: Coordinate with environmental, right-of-way, and legal teams to secure property access. Maintain ongoing communication with landowners to support study completion.
Key Takeaway: Notice how this register uses detailed narrative fields, such as Rationale and Current Status/Assumptions, to explain the context surrounding each risk. Providing this level of detail helps project teams understand root causes and plan more targeted mitigation efforts.
Construction project risk registers help teams identify and manage risks related to safety, environmental conditions, and construction logistics. In this example from the Queensland Government, you can see the Townsville Ocean Terminal construction risk register, which includes sub-categories of risk related to waste, water resources, nature conservation, and more.
Courtesy Queensland Government
Here are example column headers and entries from this register for a risk related to climate:
Risk: Strong winds from tropical cyclones or low-pressure systems could impact the construction site.
Potential Consequences: Severe weather may cause injury or death and damage buildings or infrastructure.
Proposed Risk Treatment: Design structures to withstand extreme weather conditions, including cyclone-rated infrastructure and breakwaters. Implement a construction-phase disaster action plan with early warnings and evacuation procedures.
Key Takeaway: Even when mitigation measures are in place, risks don’t disappear. This register evaluates both the original risk, as well as the residual risk after mitigation.
Organizations use IT risk registers to identify threats to digital systems, evaluate their potential impact, and track mitigation strategies. This example risk register from the Western Australia government focuses specifically on cybersecurity risks, such as the potential loss of confidential information.
Courtesy Western Australia Government
Here are some sample category labels and entries from this IT risk register:
Risk Description: Confidential information from digital systems could be lost.
Consequence Type(s): Information loss impacts service delivery and organizational reputation.
Causes: Systems may be vulnerable to external intrusion due to outdated operating systems and web applications.
Controls/Risk Treatment: Implement identity and access management (IAM) systems and multi-factor authentication.
Review and Reporting Requirements: Report cyber intrusions and related events to leadership on a monthly basis.
Key Takeaway: This register evaluates risk from multiple perspectives, including worst-case impact, current exposure, and residual risk after mitigation. By doing so, the register helps teams determine whether they’ve reduced risk to an acceptable level.
Engineering projects carry considerable risk, from cost and schedule overruns to regulatory changes. The Oregon Department of Transportation’s engineering project risk register sample shows possible design risks from unexpected ground conditions.
Courtesy Oregon Department of Transportation
Here are sample category labels and example entries from this engineering risk register:
Risk Title: Design exception approval may not be granted.
Detailed Description of Risk Event: The project depends on approval for substandard design elements, such as super-elevation and spiral length. If approval is denied, the ramp would need to be redesigned to meet standard requirements, increasing project scope. Redesign would result in additional engineering costs and delays to the project schedule.
Response Action(s) To Be Taken: Coordinate early with approving authorities to secure buy-in.
Key Takeaway: Including columns for cost impact and critical path status helps teams prioritize mitigation for risks that could affect schedule or cost. Also note how in this register, potential impact is incorporated into the detailed risk description field. This allows teams to understand both the risk and its consequences in one place.
Identifying risks is a critical early step in planning a public event. As part of event planning, teams will create a risk register that outlines possible negative events. In this sample East Cambridgeshire District Council risk register, organizers assess potential hazards for a small outdoor music festival, such as crowd safety, weather conditions, and more.
Courtesy East Cambridgeshire District Council
Here are some sample entries from this register:
What Are the Hazards?: Weather-related risks can affect the event.
Who Might Be Harmed and How?: Staff and attendees could be injured by extreme weather conditions, such as wind-blown debris.
What Are You Doing Already? (Control Measures): Inform staff and volunteers to wear appropriate outdoor clothing, cancel activities during extreme weather, and ensure access to water to prevent dehydration.
What Further Action is Necessary?: Provide a pre-event briefing to participants on working in extreme weather conditions, including staying hydrated and protecting against sunburn.
Key Takeaway: This register uses simple, question-based categories such as What are the hazards? and Who might be harmed? Using plain language makes risk registers easier for event staff and volunteers to understand and apply.
Healthcare Project Risk Register Example
Healthcare organizations use risk registers to track risks that could affect patient safety, regulatory compliance, and the delivery of medical services. In this example from the University Hospitals Dorset NHS Foundation Trust, the register documents strategic and operational risks that could impact hospital performance and patient care.
Courtesy University Hospitals Dorset NHS Foundation Trust
Here are some example entries from this register:
Risk Title: Demand for acute inpatient beds may exceed available capacity, creating risks to patient safety, compliance, and organizational reputation.
Details: If demand exceeds capacity, patient care and safety may be negatively impacted.
Update From Last Review: Hospitals are experiencing high occupancy levels and have declared critical incidents due to poor operational flow, particularly affecting emergency department handovers. Improvement teams are working to address these issues across key areas.
Key Takeaway: This risk register separates high-level overviews from detailed information. It starts with abbreviated entries organized by severity level so leadership can easily identify critical issues. Then, they can use each risk’s unique reference number to find a more detailed record for deeper analysis when needed.
Public Sector Program Risk Register Example
Public sector programs often use risk registers to track factors that might impact the delivery of large government-funded projects. In this example from the U.S. Federal Transit Administration (FTA), the risk register framework is used to evaluate risks for major transit infrastructure projects.
Courtesy U.S. Federal Transit Administration (FTA)
Here are some examples of entries found in this register:
Risk Category: Risk can be requirements-related (as opposed to design-related, construction-related, and market-related).
Risk Description: Delays in reconfiguring a railroad connection could impact the project timeline.
Outcome: If the railroad connection is not completed on time, the entire project may face significant or indefinite delays.
Key Takeaway: This register includes a risk rating key that quantifies how probability, cost, and schedule impacts translate into risk levels. Providing this visual reference helps teams evaluate and prioritize risks consistently across a large project.
Maritime Engineering Risk Register Example
Maritime engineering projects involve many of the same risks as other construction projects, along with environmental concerns. This example from the Darwin Ship Lift project risk register includes a project risk assessment and a visual risk assessment that displays extensive risk mitigations.
Courtesy Darwin Ship Lift and AECOM
Here are sample categories and entries from this maritime engineering risk register example, including an environmental impact statement (EIS) mitigation plan:
Factor: Marine environmental quality can affect a project.
Phase: The register identifies the “construction and operations” phase of the project.
Aspect: There is a risk of reportable spills (such as hydrocarbons, chemicals, or paints) into the marine environment
EIS Mitigation: Coordinate with the Port of Darwin’s Environmental Protection Plan, implement a marine spill response plan aligned with contingency standards, comply with fuel storage and handling regulations, and ensure spill kits and trained personnel are available on site.
You’ll also find that the register includes a detailed description of the consequences for each risk area:
Courtesy Darwin Ship Lift and AECOM
Key Takeaway: Categorizing risks by project phase ensures teams focus on relevant threats at the right time.
To create a risk register, identify potential project risks and record them in a document or spreadsheet. Assign each risk an ID, description, likelihood, impact, and mitigation plan. Then designate a risk owner and regularly review and update the register to track changes and manage emerging risks throughout the project.
Best practices for using a project risk register include keeping the register accessible, simple, and consistent. Team leaders should also encourage open discussions, focus on high-impact risks while remembering low-impact risks, and document mitigation plans. It is also vital to review the register regularly to ensure the risk register remains up to date.
Here are expert-tested best practices to help you make the most of your project risk registers:
Keep the Register Accessible
Store the risk register in a location that is easy for all stakeholders and project team members to access. Making the register visible and available encourages participation in risk identification and ensures that team members can quickly reference potential risks and mitigation plans when needed.
A 2025 article on project risk management in construction from the Journal of Building Engineering proposed that knowledge sharing and organizational learning play a key role in effective risk management. “Project teams can leverage their shared understanding of past experiences, emerging trends, and cutting-edge technology by adopting a culture of knowledge management,” the authors write. “This allows them to shed light on the route that lies ahead in the construction by good understanding of the project risks.”
Keep the Register Simple
The layout and contents of a risk register may vary between projects, industries, and organizations. Using one of these free risk register templates can streamline the process and ensure that important information is captured without creating unnecessary complexity.
“I use an Excel spreadsheet for a project risk register and teach my clients to do the same. It’s easy, accessible, and sustainable.”
A structured approach to risk identification, like brainstorming potential issues during project planning, helps encourage an open dialogue. “People tend to shy away from risk discussions because they don’t know how to approach the question, the answers, or the potential scenarios,” explains Imbarrato. “If we can provide tips on making this a simple discussion with easy-to-understand questions and a follow-up task of capturing the risks in a spreadsheet, it just makes the process seem less daunting.”
Include Mitigation and Response Planning
Identifying risks is only the first step. Teams should also consider what actions they will take if a risk occurs. Documenting mitigation strategies, contingency plans, or response actions alongside each risk helps teams prepare for potential issues before they escalate.
“That’s where your team mix has a really important influence. On a good team, you should have someone who’s the book or fact nerd. It’s great to have someone say, ‘Does this relate to this?’”
— Michele Barry, Principal Consultant at Frontis Consulting & Mediation
Assign Unique Identifiers to Each Risk
Each entry in a project risk register requires an ID number. Clear identifiers make it easier to reference specific risks during discussions.
Business Continuity Consultant Alex Fullick of Stone Road LLC recommends using at least three digits for ID numbers to make sorting long lists easier.
Review and Update the Register Regularly
It’s not enough to create a risk register. New risks can arise at any point in the project, so you still need to review and update your register once the project is underway.
“In the vast majority of cases, issues should never suddenly appear. In that case, it means that a team or organization is now playing catch-up because they’ve ignored a potential risk and risk trigger events that are now impacting them.”
— Alex Fullick, Business Continuity Consultant at Stone Road LLC
Prioritize High-Impact Risks While Monitoring Lower-Impact Ones
Project risk registers do not need to be overly long to be useful. Focus on risks that could meaningfully affect the project’s objectives. Including too many low-value or redundant entries can distract from the most important or urgent risks and make the register harder to manage.
At the same time, however, teams should continue tracking lower-impact risks in case their likelihood or impact increases over time. “A risk with a low impact ignored for too long can escalate to a major risk if no action is taken against it,” says Fullick.
Reinforce Risk Management Through Leadership
The effectiveness of a risk register depends on how consistently the team uses it, and strong leadership can create a culture of consistency. “The culture of the project and the sponsor and collegiality of the team enable a risk register to be functional,” says Barry. “Yes, the automated items can remind you what needs to happen. And, yes, you must remember to use your checklists. But people can ignore those things. Using the risk register is only as strong as your leadership or your project sponsorship.”
When teams follow these risk register best practices, they are better equipped to prevent small issues from becoming major disruptions. In a 2024 study called “The Impact of Risk Management on Project Success: A Field Study at Humanitarian Organizations in Yemen,” published in the University of Science and Technology Journal for Management and Human Sciences, researchers found that risk management practices were significantly associated with project success, with the four risk management dimensions together explaining about 42 percent of the variance in project outcomes.
A project risk register contains a list of potential project risks along with key details used to track and manage them. Typical fields in a project risk register include a risk ID, risk name, description, likelihood, mitigation plan, and the risk owner. Many registers also include the date identified, risk category, and current status.
Additional columns may be added depending on the project type, organization, or risk management methodology. Find out everything you need to create your own project risk register in this guide.
Risk Register and Management Terminology
Formal risk management processes use consistent terminology to describe how risks are identified, monitored, and resolved. Using clear, standardized language helps ensure everyone on the project team interprets risk information the same way. This is especially important where team members change over time.
Use the following terms to describe risk status:
Identified: This is when a potential event that could affect the project has been recognized and identified . Each risk should be assigned a unique ID number so it can be easily tracked and referenced throughout the project.
Expired: A risk can expire when the timeframe during which it could affect the project has passed without the event occurring.
Realized: When a risk occurs and begins to affect the project, it becomes an issue. At this point, the risk is marked as realized in the risk register. The team may track the resulting problem in an issue log or issue tracker.
Retired: A risk may be removed from the register if it is no longer relevant to the project.
Closed or Resolved: Once a realized risk, or issue, has been addressed and resolved, it can be formally closed.
Using shared terminology helps teams interpret risk register updates consistently. This glossary helps teams standardize communication around project risks.
Easily Create, Share, and Update a Project Risk Register with Smartsheet
From simple task management and project planning to complex resource and portfolio management, Smartsheet helps you improve collaboration and increase work velocity -- empowering you to get more done.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
Discover a better way to streamline workflows and eliminate silos for good.
