What Should Be Included in the Risk Register

If you don’t know what should be included in the risk register, there’s a good reason why. Like all project documents, it should be tailored to fit the needs of the project and the performing organization. So, it may look a little different each time you see it.

On some projects, the risk register is a simple, one-page document with several columns. On other projects, it works in conjunction with additional risk management documents like the risk statement and the risk response document.

This post will share information about the register, and some practice experience. If you are in a hurry, skip ahead to the section titled, “What Should be Included in a Risk Register.”  Then, grab this risk register template which includes everything in that list.

If you read through this post, we hope it provides you with a broader understanding of the risk register and its purpose. Our aim is for you to be able to competently select and tailor the risk management documents you need. 

What is a Project Risk Register?

Let’s begin by defining the register. 

PMBOK Guide, Seventh Edition defines the project risk register as, “A repository in which outputs of risk management processes are recorded.”(Project Management Institute, 2021, p.248)  

We like this broad definition because it leaves room to develop a document that fits the varying needs of every project. 

What is the Purpose of a Risk Register?

The purpose of a project risk register is to provide a standardized location to log and track risks associated with initiating, performing, and closing a project.

Some sources relate the purpose of the register is to identify potential project risks. Although identified risks are logged on the risk register, it’s not the purpose of risk register to identify risks. The register is incapable of doing this. We identify risks while planning, reviewing lessons learned, interviewing stakeholders, crunching data, and so forth. After risks are identified, they are simply recorded on the register. 

Why is a Risk Register Important and Why Do We Need One?

The register provides an “at-a-glance” view, making it easier for the project manager to monitor and report the status of numerous risks. For this reason alone, having one supports project success. 

We need a risk register for the very reason it is important. Having one supports project success.

What Should be Included in the Risk Register?

Typically, the risk register should include:

  • project identifying information,
  • risk identification number,
  • risk name,
  • risk description,
  • probability of the risk occurring, 
  • impact to the project should the risk occur, 
  • risk score,
  • risk priority,
  • the person responsible for managing the risk (risk owner) and,
  • other information such as a high-level status of the risk.

Recall, the register should include the outputs of risk management processes. In practice, its content varies depending upon project needs. On projects with few identified risks, the register may include all outputs of risk management. 

On larger or more complex projects, the outputs of risk management are recorded on several risk management documents, in detail. High-level information is then transferred to the risk register. This leaves the register available to serve its purpose, without becoming unnecessarily voluminous.

How Do You Create a Register?

Create a risk register by considering its definition and reviewing: your experiences, lessons learned, the needs of your project, and the input of project stakeholders. Then, you use your professional judgement to select the appropriate risk management processes. Thereafter, you construct the register, ensuring it fits project needs and meets relevant requirements.

Alternatively, you can begin with a risk register template as your starting point and go through the same process. Regardless of how you prepare a register, to must fit the needs of your organization and meet relevant requirements.

Where Do I find a Template?

You can find risk register templates by performing an internet search. I prefer this project risk register template as my starting point.

Besides containing each of the sections identified above, it’s designed to work with a collection of templates that expedite development of project management plans. That’s why it is included in the e-book, The Practitioner’s Book of Project Management Templates.

The e-book contains the following project risk management templates:

  • Risk Management Plan
  • Risk Probability and Impact Assessment
  • Risk Breakdown Structure
  • Risk Identification Questionnaire
  • Risk Register
  • Risk Report
  • Risk Report
  • Risk Statement
  • SWOT Analysis

Who is Responsible for the Risk Register?

The risk register is a project management document which is a part of the risk management plan. The risk management plan is a subsidiary plan of the project management plan. The project manager owns the project management plan. Hence, the project manager is responsible for the register.

Specifically, the project manager is responsible for:

  • creating the register, 
  • ensuring it becomes an approved project document, 
  • updating the register with newly identified project risks,
  • performing or leading risk analysis,
  • tracking risk analysis,
  • prioritizing risks,
  • assigning risk owners,
  • monitoring the status of project risks,
  • initiating change requests that are associated with project risk,
  • updating and obtaining approval of changed plans when needed, and
  • logging lessons learned associated with the register.

How to Use a Risk Register

The register may or may not be used in concert with other risk management documents, so the contents will vary, depending on project needs. For this reason, the way it is used may vary, depending upon how it is constructed.

Typically, the risk register is used throughout the project lifecycle. It is used as a repository for: 

  • identified risks;
  • identifying information such as a risk ID, risk name, and risk description;
  • the assigned risk owner(s);
  • information from the risk analysis process;
  • prioritized risks;
  • the status of each risk; and
  • information for risk reporting.

    Because the register provides “at-a-glance” information, it is often used for sharing information with project stakeholders.

    When to Use a Register

    Project risk registers are used throughout the project life cycle. They are used:

    • when reviewing lessons learned,
    • during project planning,
    • during stakeholder interviews and engagement activities,
    • when requests for change are initiated, and
    • when change requests are analyzed.

    When Should the Register Be Updated?

    The register should be updated when:

    • new risks are identified,
    • when risk identifying information is added or changed,
    • when the risk owner is assigned or changes,
    • after probability and impact assessment,
    • each time risks are prioritized or reprioritized,
    • when the status of a risk changes, and
    • after an approved change to the risk register template.

    Ready to Draft a Risk Register?

    You know what a risk register is and what it should include. Download your template and get started.


    Project Management Institute. (2021). A guide to the Project Management Body of Knowledge (PMBOK guide) (7th ed.). Newtown Square, PA: Project Management Institute.

    About the Author

    Kimberlin R. Wildman, JD, PMP is a former attorney, a PMP certified project manager, a federal proposal manager, and the founder of MyPM. She has two decades of experience interviewing subject matter experts, spotting opportunities, and leading projects to successful closures. Author Bio