A risk register (sometimes called a risk log) is the central artifact of an organization's risk management process. It records each identified risk along with attributes that make the risk actionable: a unique ID, description, category, probability rating, impact rating, a calculated risk score, the assigned owner, planned mitigation or contingency measures, current status, and review dates. Registers are typically maintained as spreadsheets, in dedicated GRC platforms (such as Archer or ServiceNow IRM), or as modules inside project management tools.
In professional practice, risk registers are required or recommended by several widely used frameworks. The ISO 31000 standard on risk management treats the register as a tool for documenting the risk assessment process. The PMBOK Guide published by the Project Management Institute lists the risk register as a key output of the "Identify Risks" process and an input to subsequent planning processes. Public-sector bodies such as the UK government's HM Treasury Orange Book explicitly call for departmental risk registers.
Typical fields include:
- Risk ID and title – for traceable referencing.
- Description and cause – what could happen and why.
- Likelihood × Impact – often on a 1–5 scale, producing a heat-map score.
- Inherent vs. residual risk – before and after controls.
- Response strategy – avoid, transfer, mitigate, or accept.
- Owner and due date – accountability and timing.
- Status – open, monitoring, closed.
For think-tank researchers and MUN delegates studying institutional behaviour, risk registers offer a window into how governments, NGOs, and corporations formally rank threats — from cyber intrusion and supply-chain disruption to reputational damage and regulatory change. Reviewing a published register (for example, the UK Cabinet Office's National Risk Register, updated periodically since 2008) can reveal an organization's stated priorities and risk appetite. Limitations include subjective scoring, stale entries, and a tendency to under-weight low-probability/high-impact "black swan" events.
Example
The UK Cabinet Office's National Risk Register, republished in 2023, listed pandemic influenza, hostile cyber activity, and CNI failure among the highest-impact risks facing the United Kingdom.
Frequently asked questions
Overall custody usually sits with a risk manager, PMO, or chief risk officer, but each individual risk is assigned to a named owner responsible for monitoring and mitigation.
Keep learning