What is a risk register: a project manager’s guide (and example)

Looking for tools to set your team up for success? A risk register can do just that.

A risk register is shared with project stakeholders to ensure information is stored in one accessible place. Since maintaining it usually falls to project managers (we’re talking about you!), it’s a good idea to learn how and when to use a risk register so you’re prepared for your next project.

What is a risk register?

A risk register is a document that is used as a risk management tool to identify potential setbacks within a project. This process aims to collectively identify, analyze, and solve risks before they become problems. While usually centered around projects, other circumstances where risk management is helpful include product launches and manufacturing. 

A risk register document, otherwise known as a risk register log, tracks potential risks specifically within a project. It also includes information about the priority of the risk and the likelihood of it happening. 

A project risk register should not only identify and analyze risks, but also provide tangible mitigation measures. This way, if the risk becomes a larger threat, your team is prepared with solutions and empowered to solve the issues. 

When should you use a risk register?

There are many instances when a risk register comes in handy. Ideally, it should be used—or available for use when needed—for every project. It can be used for both small and large projects, though your risk log may look different depending on the scope and complexity of your initiative. 

While a small project may only include basic information about the risk such as likelihood, priority, and solutions, a more complicated project may require around 10 different document fields. 

While some companies employ risk management professionals to manage a risk log, it often falls on the project manager or team lead to oversee it. If your team doesn’t already use a risk management or incident management process, it may be helpful to know common risk scenarios to decide whether a risk register is right for you and your team. 

Some risk scenarios ranked by priority could include:

Low priority: Risks such as lack of communication and scheduling errors can leave projects open to scope creep and missed deliverables. 

Medium priority: Risks such as unplanned or additional work can cause teams to struggle with productivity and create unclear objectives. 

High priority: Risks such as data security and theft can leave your company open to revenue loss and should be prioritized. 

Once you know when to use a risk register, you can properly define high priority risks when you come across them. 

Common risk scenarios

Multiple risks could arise during a new project. Anything from data security to unplanned work can risk projects going over budget and scope. Nobody wants to imagine the consequences of missed due dates, which is why it’s important to identify potential risks before they happen.

It’s a good idea to include common risk categories in your risk register log so you’re prepared when they occur. Learn a little more about these risks and determine which ones could apply to your team. 

Data security 

If you’re working on projects that could affect data security, it’s extremely important to track and mitigate potential risks. Unmanaged risks could result in:

Information being stolen: Without proper mitigation, your business could become vulnerable to private information being stolen. This is especially harmful if it’s customer information being stolen.

Credit card fraud: This is dangerous for a number of reasons, but could result in a loss of revenue and potentially require legal action. 

Data security is a top risk and should be prioritized accordingly in order to prevent long-term security issues.  

Communication issues

Communication issues can arise no matter the size of your project and team. While a risk register can help identify where communication areas live, it can be helpful to also implement work management software to streamline communication at work.

Here are some risks that could arise from lack of communication:

Project inconsistencies: Without proper communication, inconsistencies in deliverables can cause confusion. 

Missed deadlines: No one wants to miss a deadline but without clear communication, your team may not be aware of due dates for deliverables. 

Creating a proper communication plan can also help prevent risks from surfacing in the first place. 

Scheduling delays

If scheduling errors and delays go unnoticed, they can become a big problem when deadlines are missed. Tools such as timelines and team calendar software can help prevent scheduling errors in the first place. 

Project scheduling delays could result in:

Rushed deliverables: There’s nothing worse than a project that hasn’t been properly executed, which can cause goals to be missed and work to appear sloppy.

Confusion: Teams can become overwhelmed and confused without a proper schedule in place. 

Implementing a schedule can help keep deliverables on track for both daily tasks and one-off projects. 

Unplanned work

We’ve all been in a situation where a project goes over scope. It’s a common risk that can be fairly easy to mitigate if tracked properly. Catching unplanned work early on allows you to properly delegate it to the project lead. 

Without a proper risk register, you could experience:

Missed deliverables: If work slips through the cracks, you may be at risk of missing a deadline altogether. 

Employee burnout: Overscheduling your team members with unplanned work can create tension and even cause overwork and burnout. That’s why it’s important to scope projects correctly. 

If you do run into issues with unplanned work, implementing a change control process can help communicate additional work to your team members.  

Theft of materials

While hopefully uncommon, businesses that have a large inventory of products could run the risk of theft or reporting errors. By tracking inventory consistently and frequently, you can catch risks early on to determine the cause.  

Theft can leave your business open to:

Loss of revenue: Whether products are being stolen or there are errors in reporting, theft will have a negative impact on revenue. 

Uncertainty: When theft happens, employee and business uncertainty can cause internal stress. 

Misuse of time: Along with theft of tangible goods, there’s a risk of time theft. In a remote working environment, it can be more difficult to track where your team is spending their time. 

Similar to data security, theft is a high-priority risk that should be handled as quickly as possible. 

What’s included in a risk register?

A risk register is made of a list of risks and tracking fields. Your team’s risk log will most likely look different than others as you’ll have unique risks associated with your projects. 

No matter the differences, most risk registers are made up of a few essential parts, including risk identification, risk likelihood, and risk mitigation. These parts work to create a fluid log of information on potential risks. These logs are also helpful to look back on when working on new projects that could face similar risks. 

Additional fields that are good to include are details like risk identification, description, and priority. The more specific you get, the more likely you’ll be prepared to mitigate whatever risks come your way. 

A great rule of thumb to keep in mind is the more complicated the project is, the more intricate your risk register is likely to be. That means it’s a good idea to be as specific as possible within your log for large projects that span multiple months and have a number of different stakeholders. 

Here are some of the most important fields to include in your project risk management plan. 

1. Risk identification  

One of the first entries included in a risk register is the identification of the risk. This is usually in the form of a risk name or identification number. A risk identification field should include:

The risk name

The identification date

A subtitle if needed

You don’t need to get super creative when naming your risks; a simple summary will do. On the other hand, if you want to get creative, you can craft personas for each type of risk. For example, you could use the persona “Daniela” as your data security risk name to help team members understand how to quickly identify risks.

Along with a name, you may also choose to include a short subtitle and the date of the risk identification. This will help track how long mitigation methods are taking and allow you to identify which risks are taking the longest to resolve. 

2. Risk description

After the identification is complete, a short description should be added to your log. A risk description should include:

A short, high-level overview of the risk

Why the risk is a potential issue

How long you choose to make your descriptions is up to how detailed you want your log to be, but the average length is typically 80 to 100 characters.

More important than the length, a description should include the key points of the risk and why it’s a potential issue. The main takeaway is that a description should accurately describe the risk without getting in the weeds so it can be easily identified.

3. Risk category

There are a number of risk categories that help quickly identify the potential risk. Quickly identifying the risk makes it easier to assign to the correct team—especially when working on a complicated project with multiple risks. A risk category could be any of the following:

Operations 

Information 

Project plan

To determine the category type, you’ll first need to evaluate where the risk is coming from and who can help solve it. You may need to work with department heads if the solution isn’t obvious. 

4. Risk likelihood

If risks are caught early enough, it’s possible the team will be able to sort them out before any real action is needed. So it’s possible that risks that are flagged on your risk register won’t actually become problems. 

The likelihood of a risk can be documented with a simple selection of: 

Not likely 

Very likely 

Categorizing your risks by likelihood can help identify which risks to tackle first and which you should wait on. 

5. Risk analysis

A risk analysis gauges the potential impact the risk could have on your project. This helps to quickly identify the most important risks to tackle. This is not to be confused with priority, which takes into account both likelihood and analysis. 

While teams document risk levels differently, you can start with this simple five-point scale:

If you’re struggling to identify the risk level, you may want to get a second opinion by working with a department head. This way you can accurately gauge how high the impact might be. 

6. Risk mitigation

A mitigation plan, also called a risk response plan, is one of the most important parts of a risk register. After all, the point of a risk management plan is to identify and mitigate possible risks. Basically, it’s an action plan. A risk mitigation plan should include:

A step-by-step solution on how to lessen the risk

A brief description of the intended outcome

How the plan will affect the impact 

While small risk assessments may be easy to mitigate, some risks are much more complex and don’t have obvious solutions. In this case, the mitigation plan will need a bit of teamwork to solve. This usually happens beyond the actual risk register document, such as during a meeting or team huddle. 

However you choose to conduct your mitigation plan, you should document a high-level description within the log for reference and clear communication. This will not only ensure everyone on the project team understands the response plans, but it will also help you visualize the solution. 

7. Risk priority 

While the impact of a risk will help determine priority, it’s good to also include this entry on your log. Priority should take into account both the likelihood of the risk and the risk analysis. Both of these aspects will make it clear which risks are likely to have harmful consequences on the project. 

Priority can be documented by a simple number scale:

If you’re looking to make your risk register more visually appealing, you may want to document priority by using a color-coded scale instead. This can be used in place of or alongside the three options. Love organizing by color? Then color-coding your log is the perfect option for you! 

8. Risk ownership

Once the risk has been identified, reviewed, and prioritized, it’s time to assign the mitigation deliverables to be implemented. Risk ownership should include:

The person assigned to oversee the implementation of deliverables

Any additional team members, if applicable

The risk ownership field can help quickly determine which department the risk should be handled by. It can also help visualize which team members have ownership of specific risks. 

9. Risk status

The last field to include in your risk register is the status of the risk. This helps communicate whether a risk has been successfully mitigated or not. A risk status field should be filled out with one of the following:

In progress

If you want to get more granular with your status options, you may choose a more specific list such as active, not started, hold, ongoing, and complete. 

Additional risk register fields

While there are a handful of main entries that every risk register should include, there are additional optional items you can include as well. It’s always better to over-prepare than be caught off guard when the time comes, so take a look at these additional fields to decide if you need them. 

Risk trigger: Adding a risk trigger entry can help you evaluate why the risk happened in order to prevent future risks. 

Response type: While many risks will be on the negative end of the spectrum, there is a possibility for a positive outcome. In this case, you can add a field for a positive or negative response. 

Timeline: You can also include the schedule or timeline of the mitigation plan within the log in order to keep information in one place. Timeline software is a great tool to help with this. 

How to create a risk register (with example)

A risk register contains a lot of information and can be challenging to create for the first time. While you may know what information you need to include, getting started can be difficult. That’s why we put together an example to help you get started on your own risk management plan. 

Here’s what your risk register log might look like:

[List View] Example risk register project in Asana

The key objective of a risk register is to log the information of potential risks, so don’t get too caught up in the details. You should choose the fields necessary to communicate potential risks to your team members. 

Some teams may only need a simple risk register with few fields, while others may need something more complex. It may be helpful to start simple and work your way up to a more complex log if needed.

Here’s an example of a risk register entry to get you started on your own risk log. 

Risk name: Design delay

Risk description: Design team is overbooked with work, which could result in a timeline delay. 

Risk category: Schedule

Risk likelihood: Likely

Risk analysis: Medium

Risk mitigation: Hire a freelancer to create project graphics. Move meetings from Kabir’s calendar during the week of 7/12 to free up time to edit graphics and send to Kat for final approval. 

Risk priority: 2

Risk ownership: Kat Mooney

Risk status: In progress

Once you get the hang of filling out your risk register, you can work to continuously improve and perfect your data log for future projects.   

Don’t risk your risk management plan

Identifying risks is a large part of any successful risk management strategy. While identifying and mitigating new risks isn’t always easy, it’s essential in order to keep your business on track for success. Once you nail down your risk register, project risks won’t seem as hard to manage. Plus, your team will have more time to spend on important things, like delivering impact. 

If you’re looking for additional resources on risk management, check out how to create a contingency plan to prevent business risks. 

How to Make a Risk Management Plan (Template Included)

ProjectManager

You identify them, record them, monitor them and plan for them: risks are an inherent part of every project. Some project risks are bound to become problem areas—like executing a project over the holidays and having to plan the project timeline around them. But there are many risks within any given project that, without risk assessment and risk mitigation strategies, can come as unwelcome surprises to you and your project management team.

That’s where a risk management plan comes in—to help mitigate risks before they become problems. But first, what is project risk management?

What Is Risk Management?

Risk management is an arm of project management that deals with managing potential project risks. Managing your risks is arguably one of the most important aspects of project management.

The risk management process has these main steps:

  • Risk Identification: The first step to manage project risks is to identify them. You’ll need to use data sources such as information from past projects or subject matter experts’ opinions to estimate all the potential risks that can impact your project.
  • Risk Assessment: Once you have identified your project risks, you’ll need to prioritize them by looking at their likelihood and level of impact.
  • Risk Mitigation: Now it’s time to create a contingency plan with risk mitigation actions to manage your project risks. You also need to define which team members will be risk owners, responsible for monitoring and controlling risks.
  • Risk Monitoring: Risks must be monitored throughout the project life cycle so that they can be controlled.

If one risk that’s passed your threshold has its conditions met, it can put your entire project plan in jeopardy. There isn’t usually just one risk per project, either; there are many risk categories that require assessment and discussion with your stakeholders.

That’s why risk management needs to be both a proactive and reactive process that is constant throughout the project life cycle. Now let’s define what a risk management plan is.

What Is a Risk Management Plan?

A risk management plan defines how your project’s risk management process will be executed. That includes the budget, tools and approaches that will be used to perform risk identification, assessment, mitigation and monitoring activities.

A risk management plan usually includes:

  • Methodology: Define the tools and approaches that will be used to perform risk management activities such as risk assessment, risk analysis and risk mitigation strategies.
  • Risk Register: A risk register is a chart where you can document all the risk identification information of your project.
  • Risk Breakdown Structure: It’s a chart that allows you to identify risk categories and the hierarchical structure of project risks.
  • Risk Assessment Matrix: A risk assessment matrix allows you to analyze the likelihood and the impact of project risks so you can prioritize them.
  • Risk Response Plan: A risk response plan is a project management document that explains the risk mitigation strategies that will be employed to manage your project risks.
  • Roles and responsibilities: The risk management team members have responsibilities as risk owners. They need to monitor project risks and supervise their risk response actions.
  • Budget: Have a section where you identify the funds required to perform your risk management activities.
  • Timing: Include a section to define the schedule for the risk management activities.

How to Make a Risk Management Plan

For every web design and development project, construction project or product design, there will be risks. That’s truly just the nature of project management. But that’s also why it’s always best to get ahead of them as much as possible by developing a risk management plan. The steps to make a risk management plan are outlined below.

1. Risk Identification

Risk identification occurs at the beginning of the project planning phase, as well as throughout the project life cycle. While many risks are considered “known risks,” others might require additional research to discover.

You can create a risk breakdown structure to identify all your project risks and classify them into risk categories. You can do this by interviewing all project stakeholders and industry experts. Many project risks can be divided up into risk categories, like technical or organizational, and listed out by specific sub-categories like technology, interfaces, performance, logistics, budget, etc. Additionally, create a risk register that you can share with everyone you interviewed for a centralized location of all known risks revealed during the identification phase.

You can conveniently create a risk register for your project using online project management software. For example, use the list view on ProjectManager to capture all project risks, add what level of priority they are and assign a team member to own, identify and resolve them. Better than to-do list apps, you can attach files, tags and monitor progress. Track the percentage complete and even view your risks from the project menu. Keep risks from derailing your project by signing up for a free trial of ProjectManager.

2. Risk Assessment

In this next phase, you’ll review the qualitative and quantitative impact of the risk—like the likelihood of the risk occurring versus the impact it would have on your project—and map that out into a risk assessment matrix.

First, you’ll do this by assigning the risk likelihood a score from low probability to high probability. Then, you’ll map out your risk impact from low to medium to high and assign each a score. This will give you an idea of how likely the risk is to impact the success of the project, as well as how urgent the response will need to be.

To make it efficient for all risk management team members and project stakeholders to understand the risk assessment matrix, assign an overall risk score by multiplying your impact level score with your risk probability score.

3. Create a Risk Response Plan

A risk response is the action plan that is taken to mitigate project risks when they occur. The risk response plan includes the risk mitigation strategies that you’ll execute to mitigate the impact of risks in your project. Doing this usually comes with a price—at the expense of your time, or your budget. So you’ll want to allocate resources, time and money for your risk management needs prior to creating your risk management plan.

4. Assign Risk Owners

Additionally, you’ll also want to assign a risk owner to each project risk. Those risk owners become accountable for monitoring the risks that are assigned to them and supervising the execution of the risk response if needed.

When you create your risk register and risk assessment matrix, list out the risk owners. That way, no one is confused as to who will need to implement the risk response strategies once the project risks occur, and each risk owner can take immediate action.

Be sure to record what the exact risk response is for each project risk with a risk register and have your risk response plan approved by all stakeholders before implementation. That way you can have a record of the issue and the resolution to review once the entire project is finalized.

5. Understand Your Triggers

This can happen with or without a risk already having impacted your project—especially during project milestones as a means of reviewing project progress. If they have, consider reclassifying those existing risks.

Even if those triggers haven’t been met, it’s best to come up with a backup plan as the project progresses—maybe the conditions for a certain risk won’t exist after a certain point has been reached in the project.

6. Make a Backup Plan

Consider your risk register and risk assessment matrix a living document. Your project risks can change in classification at any point during your project, and because of that, it’s important you come up with a contingency plan as part of your process.

Contingency planning includes discovering new risks during project milestones and reevaluating existing risks to see if any conditions for those risks have been met. Any reclassification of a risk means adjusting your contingency plan just a little bit.

7. Measure Your Risk Threshold

Measuring your risk threshold is all about discovering which risk is too high and consulting with your project stakeholders to consider whether or not it’s worth it to continue the project—worth it whether in time, money or scope.

Here’s how the risk threshold is typically determined: consider your risks that have a score of “very high”, or more than a few “high” scores, and consult with your leadership team and project stakeholders to determine if the project itself may be at risk of failure. Project risks that require additional consultation are risks that have passed the risk threshold.

To keep a close eye on risks as they raise issues in your project, use project management software. ProjectManager has real-time dashboards that are embedded in our tool, unlike other software where you have to build them yourself. We automatically calculate the health of your project, checking if you’re on time or running behind. Get a high-level view of how much you’re spending, progress and more. The quicker you identify risk, the faster you can resolve it.

Free Risk Management Plan Template

This free risk management plan template will help you prepare your team for any risks inherent in your project. This Word document includes sections for your risk management methodology, risk register, risk breakdown structure and more. It’s so thorough, you’re sure to be ready for whatever comes your way. Download your template today.

Best Practices for Maintaining Your Risk Management Plan

Risk management plans only fail in a few ways: incrementally because of insufficient budget, via modeling errors or by ignoring your risks outright.

Your risk management plan is one that is constantly evolving throughout the course of the project life cycle, from beginning to end. So the best practices are to focus on the monitoring phase of the risk management plan. Continue to evaluate and reevaluate your risks and their scores, and address risks at every project milestone.

Project dashboards and other risk tracking features can be a lifesaver when it comes to maintaining your risk management plan.

In addition to your routine risk monitoring, at each milestone, conduct another round of interviews with the same checklist you used at the beginning of the project, and re-interview project stakeholders, risk management team members, customers (if applicable) and industry experts.

Record their answers, adjust your risk register and risk assessment matrix if necessary, and report all relevant updates of your risk management plan to key project stakeholders. This process and level of transparency will help you to identify any new risks to be assessed and will let you know if any previous risks have expired.

How ProjectManager Can Help With Your Risk Management Plan

A risk management plan is only as good as the risk management features you have to implement and track them. ProjectManager is online project management software that lets you view risks directly in the project menu. You can tag risks as open or closed and even make a risk matrix directly in the software. You get visibility into risks and can track them in real time, sharing and viewing the risk history.

Track & Monitor Risks in Real Time

Managing risk is only the start. You must also monitor risk and track it from the point that you first identified it. Real-time dashboards give you a high-level view of slippage, workload, cost and more. Customizable reports can be shared with stakeholders and filtered to show only what they need to see. Risk tracking has never been easier.

Risks are bound to happen no matter the project. But if you have the right tools to better navigate the risk management planning process, you can better mitigate errors. ProjectManager is online project management software that updates in real time, giving you all the latest information on your risks, issues and changes. Start a free 30-day trial and start managing your risks better.

Northeastern University Graduate Programs

How to Create a Risk Management Plan for Your Project

A project manager has many responsibilities within their organization, all of which revolve around initiating, planning, executing, monitoring, and controlling projects that deliver on various strategic goals. 

While each of these discrete steps in the project life cycle is critical in its own right, the planning phase is perhaps the most impactful in how it can determine the success—or failure—of all of the phases that come after it. It’s for this reason that project managers are responsible for creating various plans for the projects they helm.

While the project plan is often considered the most important of these plans, it is not the only one. A number of subsidiary plans are also recommended and, in many cases, required. 

The risk management plan is one of the most crucial of these subsidiary plans, as it forces the project manager to plan for potential disruptions and opportunities the project may encounter. Below, we define what “risk” means in terms of project management, take a look at what the risk management plan actually is, and walk through steps you can follow to create a risk management plan for your next project. 

What is project risk?

When it comes to project management, the term “risk” specifically refers to factors or events which might influence the final outcome of the project.

Some of the most common project risks are those which impact a project’s constraints. This includes the triple constraint of a project’s cost or budget, its timeline or schedule, and its scope—all of which can affect the final quality or performance of the project. Yet there are many other kinds of risk that project managers should be aware of, as well, and the risk management plan is used to identify each of these potential disruptors.

While risk is often assumed to be a negative, it is important to note that project risk can also occasionally be positive, depending on how the event impacts the project. 

For example: Consider a project that is heavily dependent upon the price of oil. In creating their project’s budget, the project manager would likely look to oil’s historical prices and use those figures to forecast the project’s budget. If the cost of oil were to suddenly and unexpectedly drop, however (as it did during the depths of the Coronavirus lockdowns), then the project would likely come in under budget. This is technically a positive risk, because it is an event that led to a positive outcome for the project.

Project managers should aim to understand not only the negative risks that might impact their project, but the positive risks as well, says Connie Emerson, assistant teaching professor for Northeastern’s Master of Science in Project Management program.

She explains that by understanding those potential positive events, project managers can take steps to increase the probability of them occurring so that the project can take advantage of that and realize the benefits.

What is a risk management plan?

A risk management plan is a subsidiary plan that is usually created in tandem with a project plan. This plan outlines the approach for how the project team is going to conduct risk work, or those tasks related to project risk.

“By creating a risk management plan, you are seeking to understand how you are rating risks, how much risk your stakeholders will tolerate, how you will pay for risks in the event they become a reality, and more,” Emerson says. “So it’s critical to have conversations about your general approach, as a team, to risk work and also making sure that your key stakeholders agree.”

Risk Management Plan vs. Risk Register

Emerson notes that it’s important for project managers to understand that, while some individuals will use the terms interchangeably, the risk management plan and the risk register are in fact separate documents, though they are related and each is important to the success of the project.

While the risk management plan outlines your team’s risk management process and approach to handling risk work, Emerson says that “the risk register is your list of risks, your analysis of those risks, and what you are planning to do about them.”

Emerson goes on to note that while you might apply your risk management plan to several different projects, the risk register should be tailored to the specifics of a given project. 

How to Create a Risk Management Plan & Risk Register

1. Define your approach through the risk management plan.

The first step in creating a risk management plan is to outline the methods that you and your team will use to identify, analyze, and prioritize risk. You should aim to answer the following questions:

  • How are we going to identify risks to the project?
  • What techniques are we going to use to analyze those risks?
  • How will we decide what to do in the event a risk becomes a reality?
  • What is the communication plan for a risk event?
  • Which stakeholders should be kept apprised of project risks?

You should also determine how you will communicate with key stakeholders about risk, as well as how you will respond to risk if and when it materializes. 

Emerson notes that this is also the point in the process where you should identify the key stakeholders for your project and work to measure their levels of risk tolerance. Just as an investment advisor should tailor their investment strategy to the risk tolerance of their clients, a project manager should tailor their risk management strategy to the risk tolerance of their project’s stakeholders. 

2. Use your risk management plan to create your risk register.

Once you have answered all of the questions above, crafted a risk strategy, and codified it in your risk management plan, you will then use that methodology to create a risk register for the project you are currently working on. 

While it’s important to be thorough in creating your risk register, Emerson notes that perfection can sometimes be the enemy of progress. Instead of viewing risk work as an item which must be crossed off of a checklist before a project can begin, Emerson recommends that project managers view it as an ongoing, iterative process.

“You don’t just create your risk register and then be done with it,” Emerson says. “It’s something you actively manage and modify throughout your project. This keeps you agile, while also allowing the project to actually begin. If you approach your risk register like something that must be exhaustive before the project can kick off, you’ll be doing risk work forever, and the project will never get done.”

3. Identify risk events and the potential impact of those risks. 

The next step is to actually go about identifying risk events for your project, which will form the basis for your project’s risk register.  

“Ask yourself: What are the risks?” Emerson says. “Some people might say, ‘Well, we might miss a date, and that’s a risk.’ But that’s not really a risk. That’s an impact of a risk. So why might we miss the date? What’s the root cause for that impact? If you can understand the root cause that drives a risk event, it’s possible to preempt it before it becomes an issue.”

Emerson notes that it is important not just to think about potential risks, but also the impact that risk might have on the project.

“When I’m writing my risk statements, I’m usually thinking: Because of X [event], Y [risk] might occur, causing a Z [impact],” she says.

It’s important at this stage to also review your list of potential risks with other members of your team, key stakeholders, key vendors and suppliers, and even subject matter experts who aren’t a part of your team. Each of these individuals will bring their own point of view to the challenge of identifying risk, which can ensure that you haven’t missed anything with the potential to affect your project.

4. Analyze, prioritize, and assign risk. 

Once you have built out a thorough list of all of the risks associated with your project, the next step would be to analyze those risks. 

“There are lots of ways to analyze risk, both qualitatively and quantitatively,” Emerson says. “For many companies, qualitative analysis is enough because you’re just trying to decide if you need to actively do something about a risk, or if you can just keep an eye on it.”

Exactly how you analyze your project risks will be dependent on the situation you find yourself in. Emerson notes that many organizations will grade risks based on probability and impact, and use those two scores to determine which risks warrant the most effort to control. Those risks which score high on both probability and impact are logically often prioritized in risk management plans, while those that score low on both probability and impact are deprioritized.

Using this understanding, you might then assign each member of your team one or several risks which they are responsible for monitoring and assessing throughout the course of your project.

5. Plan your risk response. 

Armed with your prioritized list of risks, it is now possible to plan the responsive action that you will take in the event that a risk becomes a reality.

“It’s a matter of using that analysis to guide what you do about the risk and trying to match your response to the risk,” Emerson says. “If it’s a little risk, you don’t want to spend millions of dollars dealing with it. At the same time, you don’t want to under-prepare either.”

Emerson notes that while risk work may seem reactive, a skilled project manager will be proactive in recognizing and minimizing risks before they become an active issue capable of derailing a project. 

6. Monitor and adjust accordingly.

Once you’ve identified your risks, prioritized them, and planned your response, the final step is to monitor your risk throughout the course of the project, says Emerson. Keep your risk register up to date, adding or removing risk events as necessary as the project unfolds. 

Additionally, after a project is completed, revisit your risk management plan and ask yourself: What worked? What didn’t? Is there anything that you can learn from the project that will allow you to adjust your risk management strategy to avoid similar issues in the future?

Emerson goes on to explain that if a risk event occurs, pay attention to it. Identify what happened, how you responded to it, how it impacted the project, etc. All of these insights can make you more effective at risk management in future projects.

Learning to Manage Risk

All projects will contain at least some level of risk. While a project manager cannot possibly prevent all risk events from occurring, it is the project manager’s duty to identify and plan for risk when possible. As such, risk management is a crucial skill for any current or aspiring project manager to develop.  

It’s for this reason that the Master of Science in Project Management at Northeastern emphasizes risk management as a central piece of the core curriculum required to complete the degree. Paired with courses on project scope management, project quality management, and project scheduling and cost planning, the program aims to train students who will graduate ready to immediately put their education into action managing projects.


About Scott W. O'Connor


Hyperproof

How to Build and Maintain a Risk Register (Plus Examples & a Risk Register Template)

Hyperproof Team

Last Updated on: Oct 18, 2023 | 18 Minute Read

As security, compliance, and risk management professionals, we know that cyber-attacks are increasing in frequency, severity, and creativity. We’re working hard every day to ensure that cybersecurity risk receives adequate attention in our organizations. 

Yet, many management teams and boards still struggle to grasp the extent to which cyber risks can impact organizational objectives. Many organizations have struggled with integrating cybersecurity risk into an overall enterprise risk management (ERM) program.

What cybersecurity data should be collected? What sort of analysis should be performed? How should one consolidate cybersecurity risk information into an overall program? 

To answer these questions, and to help security professionals communicate the value of preventative security to their management teams, NIST recently released a document titled “Integrating Cybersecurity and Enterprise Risk Management” (NISTIR 8286). This guidance centers on the use of a risk register, described as a “repository of risk information,” to effectively integrate cybersecurity risk management into an overall ERM program.

So, what exactly is a risk register, what information should be tracked in it, and what are the strategic benefits of keeping your risk register up-to-date? That’s what we’ll dive into in the rest of this article.

What is a Risk Register? 

A risk register is an information repository an organization creates to document the risks it faces and the responses it is taking to address them. At a minimum, each risk documented in the risk register should contain a description of the risk, the likelihood of it happening, its potential impact from a cost standpoint, how it ranks overall in priority relative to all other risks, the response, and who owns the risk.

Why is a risk register important?

All types of organizations face a broad array of risks, including cybersecurity, financial, legal, operational, privacy, reputational, safety, strategic, and supply chain risks. It can be difficult to know what risks matter the most and ensure that certain risks such as cybersecurity risks and supply chain risks have adequate attention. 

Risk registers are useful information gathering constructs: They help senior leaders and operators see the full spectrum of their organization’s significant risks and understand how to best manage the risks in order to achieve organizational objectives. Thus, any organization that wants to maintain a robust risk management process should not skip the important step of creating a risk register. 

A risk register can be integrated into any risk management methodology your organization uses. Many resources — such as well-known frameworks from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the International Organization for Standardization (ISO) — document Enterprise Risk Management frameworks and processes. 

These different resources outline similar approaches: Identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. The risk register is a critical tool organizations should use to track and communicate risk information for all of these steps throughout the enterprise. It serves as a key input for risk management decision-makers to consider. 

NIST’s latest risk document, “Integrating Cybersecurity and Enterprise Risk Management,” was born from their observation that most organizations do not assess or measure cybersecurity risk with the same rigor or consistent methods as other types of risks.

NIST wanted to help public and private sector organizations uplevel the quality of cyber risk information they collect and provide to their management teams and decision-makers. In turn, this practice would support better cybersecurity management at the enterprise level and support the firm’s core objectives.

Evaluate Risks by Identifying Threats and Opportunities

For many, the term risks conjures up the idea of terrible events like data breaches, service disruptions, ransomware attacks, and natural disasters. Yet, NIST recommends that organizations take a balanced view when evaluating risks, encouraging cybersecurity and risk professionals to identify “all sources of uncertainty — both positive (opportunities) and negative (threats)” in their risk registers. 

For instance, launching a new online service provides an opportunity for a company to innovate and improve its revenues. Thus the leadership team may direct the organization to take a little more risk. This way, senior leaders can set the risk appetite and tolerance with threats and opportunities in mind.

When cybersecurity opportunities are included in a risk register, NIST recommends updating the risk response column using one of the following response types and describes the meaning of each: 

  • Realize: Eliminate uncertainty to make sure the opportunity is actualized
  • Share: Allocate ownership to another party that is better able to capture the opportunity
  • Enhance: Increase the probability and positive impact of an opportunity
  • Accept: Take advantage of an opportunity if it happens to present itself

NIST said the comment field of the risk register should be updated to include information “pertinent to the opportunity and to the residual risk uncertainty of not realizing the opportunity.” 

Additionally, each risk filed into a risk register should, at a minimum, contain the following information: 

  • A description of the risk
  • The impact to the business if the risk should occur (e.g. costs)
  • The probability of its occurrence
  • The risk owner(s)
  • How it ranks overall relative to all other risks
  • The risk response

NIST noted that companies can add more data fields as they see fit, but each risk register should evolve as changes in current and future risks occur.

How to Maintain a Risk Register

When you maintain detailed cybersecurity risk information in your risk register, you’re able to manage your cyber risks in a more strategic way, focus on the right areas given limited resources, and secure additional resources because your leadership team will start to understand the value of preventative security. 

Here are the key benefits of putting cyber security risks into a risk register:  

1. Once information is entered into a risk register, you can start to identify patterns from threats and system failures that result in adverse impacts. 

2. By committing to using a risk register, you have to go through a process of gathering all relevant parties and agreeing on a common scale for measuring risks across various business units (e.g. making sure everyone knows when to use a “high-risk exposure” vs. a “moderate risk exposure”). By normalizing the tracking of risk information across different units, you will provide senior leaders with more relevant information that will help them prioritize risk response activities.  

3. Company leaders will have greater confidence in the risk response choices they make because the responses will be informed by the right context, including detailed risk information, enterprise objectives, and budgetary guidance. 

4. A risk register forces risk owners to write down accurate risk responses for risks they “own”. To do so, risk owners will need to verify whether risks are mitigated to the extent they believe they are: check whether certain policies are up-to-date and whether existing controls intended to mitigate threats are working as designed. Risk owners will talk to their compliance team or internal audit team to understand where risk management activities and compliance activities already intersect. These steps are important because they ultimately help decision-makers understand their potential exposure for achieving strategic, operations, reporting, and compliance objectives.

5. Maintaining a risk register makes it possible to produce enterprise-level risk disclosures for required filings and hearings or for formal reports as required, should your organization experience a significant incident.

What Data Should Go Into a Risk Register?  

At a minimum, each risk filed into a risk register should contain a description of the risk, the impact to the business if the risk should occur (e.g. costs), the probability of its occurrence, the risk owner(s), how it ranks overall relative to all other risks, and the risk response. 

Here’s exactly what NIST provided in its document “Integrating Cybersecurity and Enterprise Risk Management”.

Risk Response Types

You can download our free risk register template for Excel. It’s a starting point for building out your own risk register.

The Case for Using Multiple Risk Registers

In Hyperproof, organizations can set up multiple risk registers to track different types of risks and customize the scales/risk scoring for each risk register. Companies might want to do this for several reasons: each department has different needs or considerations. For instance, IT focuses on IT assets, and Accounting focuses on sensitive information. Manufacturing focuses on processes and physical risks. Each of these departments might want its own risk register for tracking company risks at a more granular level.

The most common use cases for multiple risk registers are to sort risks by:

  • High/strategic risks vs. low operational risks
  • Corporate/strategic risks vs. domains/departmental risks
  • Corporate/parent company risks vs. subsidiary risks

A few less common use cases for leveraging multiple risk registers include:

  • Risk intake & filtering
  • Tracking items (e.g., vulnerabilities) related to risks
  • Upgrading/changing process (adding a new risk register for a new process)

The Benefits of Maintaining Robust Cybersecurity Risk Data

2. By committing to using a risk register, you have to go through a process of gathering all relevant parties and agreeing on a standard scale for measuring risks across various business units (e.g. making sure everyone knows when to use a “high-risk exposure” vs. a “moderate risk exposure”). By normalizing the tracking of risk information across different units, you will provide senior leaders with more relevant information that will help them prioritize risk response activities.  

3. Company leaders will have greater confidence in their risk response choices because the responses will be informed by the proper context, including detailed risk information, enterprise objectives, and budgetary guidance. 

4. A risk register forces risk owners to write down accurate risk responses for risks they “own.” To do so, risk owners must verify whether risks are mitigated to the extent they believe they are: check whether specific policies are up-to-date and whether existing controls intended to mitigate threats are working as designed. Risk owners will talk to their compliance or internal audit teams to understand where risk management and compliance activities intersect. These steps are necessary because they ultimately help decision-makers understand their potential exposure for achieving strategic, operations, reporting, and compliance objectives.

5. Maintaining a risk register makes it possible to produce enterprise-level risk disclosures for required filings and hearings or for formal reports as required, should your organization experience a significant incident. 

Continuous Monitoring Is Critical

Risks and threat vectors can change in a matter of minutes. Thus, it’s essential to keep an eye on your risks at all times. NIST’s latest guidance emphasizes the importance of continuous monitoring. It outlines several ways to monitor risks on an ongoing basis, including:

  • Setting up positive KPIs, such as the number of critical business systems that include strong authentication protections 
  • Setting up negative KPIs, such as the number of severe customer disruptions in the last 90 days 
  • Teaching employees about the types of cybersecurity risk issues most likely to occur within the organization
  • Showing employees how they can alert key personnel to cybersecurity risk issues before they become significant
  • Conducting risk response exercises to train employees in recognizing, reporting, and responding to cybersecurity incidents

If senior management and risk professionals take just one message from NIST’s guidance, it is this: If cybersecurity risks are to be truly understood by senior management, cyber security risk cannot be tracked in a vacuum but rather must be tracked in an enterprise-wide risk register. This ensures all decisions made by company leaders are weighed against the firm’s risk appetite and risk tolerance and that limited resources are put in the right places to support business objectives. 

Move Past the Limitations of Spreadsheets

In our annual IT Compliance Benchmark Report, we surveyed risk management, compliance, and security assurance professionals to understand their cybersecurity risk management processes, practices, and tech stack. In 2023, 10% of respondents said they use spreadsheets to manage their IT compliance vs. 43% in 2022.

In a positive trend, using spreadsheets to track risks is becoming less widespread, as using spreadsheets actually does more harm than good. In addition to other limitations, spreadsheets are not databases; they have no data integrity or referential integrity, and they provide no way to create and maintain relationships between data in other files, such as documentation of controls designed to ensure you meet regulatory requirements. Their data analysis and reporting capabilities are quite limited, and they do not generate the reports organizations need for IT compliance audits.

Instead, you’ll be much better off by maintaining a risk register in purpose-built software, such as Hyperproof. 

Hyperproof: Intuitive Risk Register Software

Purpose-built risk register software makes it easy for risk owners to document everything that should go into a risk register, make updates to risks on the fly, visualize changes to risks, and communicate risk information to leadership teams. 

Hyperproof offers a secure, intuitive risk register for everyone in your organization. With the application, risk owners from all functions and business units can document risks and treatment plans. You can link a risk to a control and gauge how much a specific risk has been mitigated by an existing control versus the residual risk that remains. With this clarity, your risk management, security assurance, and compliance teams can focus their energy on the risks you need to worry about.

Further, organizations using Hyperproof are able to save time and money by avoiding a common and expensive practice: Creating duplicative controls. Most organizations treat their risk reduction and compliance efforts as separate workstreams; separate teams typically initiate activities in response to individual events. 

Because Hyperproof offers a compliance operations platform that allows you to get all compliance work done efficiently and keeps all records, if you use Hyperproof’s risk module and the compliance operations platform, you can tie a control to both a risk and a compliance requirement.

When you know that a control already in place for meeting a cybersecurity framework’s requirement is the same control that would mitigate a certain risk in your risk register, you’ll avoid creating a redundant control in response to that risk. This means you’ll do less work on controls testing, maintenance, and collecting evidence for internal and external IT compliance audits.

Last but not least, with Hyperproof’s dashboard, you can see how your risks change over time, identify which risks and controls to pay attention to at a given moment, and effectively communicate the potential exposure for achieving strategic, operations, reporting, and compliance objectives to your executives.

To see how Hyperproof can help your organization manage risks better and get work done more efficiently, sign up for a personalized demo.


Risk Register: Examples, Benefits, and Best Practices

A project's success or failure typically depends on your ability to manage obstacles that crop up. While you can’t always accurately predict what issues you may encounter, you can control your ability to anticipate potential risks and deal with them effectively.

Tools like risk registers give project managers something to help them mitigate risks that can and will arise during a project. When they come up, you can fix them and move on while experiencing minimal impacts.

What is a risk register?

A risk register, or risk log, is a document set up by project managers to identify and track risks capable of impacting a project. It’s one thing to be aware of problems that could throw your project off track. A risk register lets you put it all in black and white and outline potential solutions beforehand. If the issue appears, you have a contingency plan ready to execute and help you overcome the roadblock.

Using a risk register lets you establish a hierarchy of risks, starting with the most impactful. Your goal should be to have a path to mitigating those risks, reducing the harm they cause, or eliminating them. Your register should also outline what’s considered an acceptable level of risk and how you can set up insurance to help offset the impacts.

Why are risk registers important?

Your risk register also helps you make critical decisions like delaying a project or dealing with a specific risk by pulling in additional resources. Projects tend to get bigger and more complex, making it harder to manage everything. If something gets missed because you don’t have a centralized location for risk tracking, you could make a critical mistake that derails your project.

Even risks that appear minor at the time can have an impact. For example, what happens if critical information gets stolen by a hacker or a new piece of legislation passes that impacts your project? It’s hard to think of an industry that wasn’t affected by supply chain issues last year. What happens if a critical component you rely on gets held up overseas?

Monitoring these problems in a risk register lets you identify issues early in the project. Something that might seem unlikely to occur at the beginning of the project could become a real possibility as time passes. If you’re tracking that risk, you can spot changes early and have a risk management plan ready. In this way, risk registers insulate your business from third-party risks and improve your security posture.

When should a risk register be used?

Risk registers are an integral part of risk management, and you should always have one for complex or critical projects. It’s also helpful to have someone positioned as a risk manager or coordinator for the team. They would be responsible for the upkeep of the risk register. However, for most companies, that role falls upon the project manager.

However, one person should never have to shoulder the responsibility of tracking all potential risks. Other project team members, like personnel from IT or legal, should offer input on risks that could occur and offer ideas on mitigation. Stakeholders or clients may have insights on certain risks that may not be evident to other project team members.

Industries that use risk registers

Every professional tasked with running a project can benefit from using a risk register. Below are some examples of how specific industries use them.

Risks in healthcare have the potential to impact not only a company’s bottom line but the patients' health. A risk register used in a healthcare setting might include the following concerns:

  • What might cause harm to staff
  • What might cause harm to patients
  • Potential litigation
  • Loss of services at a facility
  • Having personally identifiable information lost or stolen
  • Negative media coverage

Construction

If an unexpected risk arises on a construction project, it could impact your ability to complete the job safely and on time. The risk management process can help construction firms have a plan in place for issues like weather events that might slow down progress. Other risks to include in a risk register for a construction project are the following:

  • Construction crew's experience
  • Ability to implement safe working conditions
  • Cost of materials and equipment needed for the project
  • Ability to obtain materials necessary to complete construction
  • Availability of workers needed to finish a project

Risk management is a critical component of the finance industry. Here, financial institutions aim to ensure financial solvency so they aren't penalized for not following industry regulations. The type of risks captured for the finance industry can vary depending on your line of work but can include:

  • Operational expenses
  • Banking regulations
  • Potential for data theft
  • Customers taking their accounts to another financial firm
  • Market fluctuations

No line of work is immune to dealing with risk, including software development. What happens if you spend years developing new software, then have a competitor undercut you by bringing a cheaper version to market? Setting up a risk register template for software projects can help you avoid mistakes like incorrectly budgeting the project, leading to ballooning costs.

The project’s scope might also continuously expand until it barely resembles the original idea. Some other risks you should account for when it comes to software projects include:

  • Technical risks impacting code quality
  • Need for proper documentation
  • Having the right-sized team to handle the project
  • Lack of knowledge among current staff
  • Cost of bringing in personnel to finish a project
  • Slow adoption rates of finished product

The main goal of most consulting firms is to avoid making their clients unhappy. Risk registers help consultants anticipate issues that could cause dissatisfaction and complaints, including:

  • Making sure to have documented requirements outlining the client’s expectations
  • Assessing the quality of any sub-contractors or third parties used for the project
  • Determining if you will have the supplies needed to complete the project when you need them
  • Tracking how well you are doing in adhering to deadlines
  • Protecting data against internal or external theft

Components of a risk register

Risk register components capture the elements recorded by project managers when tracking potential issues. Below is an overview of the various components included in a standard risk register template, regardless of industry.

Risk identifier

The risk identification number organizes risks into specific categories to help project managers track identified risks and responses. You can use either numbers or letters based on what makes sense for the project’s structure. The risk identifier should help readers spot a risk quickly when working with the risk register.

Description of the risk

This section gives a very brief description of why the risk is an issue. Your description can be as long as you like, but it's best not to get into too much detail here. Stick to the most important details and keep it high-level — just enough to give readers a better understanding of a project’s feasibility and potential returns.

Systems and processes involved

Detail the processes and systems impacted by the project. This should include the people and technology involved and explain how the risk occurs. An example might be tapping into a specific database for information to feed your workflows. You should anticipate risks like needing additional access to system resources, having them available when needed, and having someone on-hand to deal with any technical issues.

Risk category

Risk categories help you quickly identify possible risks. Using categories makes it easier to determine who should bear the responsibility of taking care of the item. That becomes doubly important when working on a large, complex project.

Likelihood of risk occurring

Flagging a risk early gives your project team enough time to mitigate the issue without taking further action. Catching threats early can stop them from becoming a problem that impacts your project deliverables. You can document the likelihood of a common risk occurring using labels similar to the ones below:

  • Very likely

Potential impact of the risk

Here, you capture the results of a risk analysis performed to capture how a risk could impact your project. That gives you a better sense of which risks to take on first. Come up with a point scale that makes sense for your team, like the example below:

  • Extremely low
  • Extremely high

Risk response

Your risk response, or risk mitigation plan, is essential to your risk register. Here, you define the steps involved in lowering the risk level, describing the intended outcome and how your plan will change the risk’s impact. More negligible risks can be easier to deal with than complex items without clear solutions. Your risk log gives your team a point of reference to help with communication and devise ways to solve your problem: mitigate/reduce, avoid, accept, or transfer the risk (with insurance).

Risk priority level

Risk priority differs from risk potential in that you’re evaluating both the likelihood of a risk occurring and the analysis performed. These aspects help clarify what risks are most likely to lead to adverse project outcomes. You can use a scale similar to the one used to define your risk likelihood.

  • 4 (Extremely High)

Owner of risk response

After capturing, reviewing, and prioritizing your risks, you need to assign each mitigation item to someone for implementation. Document the person designated to oversee the risk (the risk owner) and associated team members.

Risk status

Your risk status field communicates whether the person responsible for overseeing the mitigation achieved success. Flags you can use to indicate risk status include the following:

  • In progress

Risk register examples

Using a risk register might seem daunting if you’ve never set one up for projects. Below are some risk register templates for potential issues you can use to get started.

Example #1: Encrypting data sent to third party

Risk Name: Data encryption

Risk Description: The IT team must develop a process to encrypt data flowing from and to a third-party system.

Risk Category: Cybersecurity

Risk Likelihood: Likely

Risk Analysis: High

Risk Mitigation: Budget hours for IT to write a specialized process for encrypting the information from our database and into the client’s platform.

Risk Priority: 3

Risk Ownership: George Michael

Risk Status: Open

Example #2: Website design deadline

Risk Name: Web designer availability

Risk Description: The web designer tasked with the website layout has been tapped for a different project with a conflicting deadline.

Risk Category: Scheduling

Risk Analysis: Medium

Risk Mitigation: See if another design team member can fill in or hire a contractor to complete the job.

Risk Priority: 2

Risk Ownership: Janet Goodman

Risk Status: In progress

Example #3: Incorrect Project Timeline Estimation

Risk Name: Project Deliverable Timeline

Risk Description: The timeline initially agreed upon for the project may need to be longer.

Risk Analysis: Extremely High

Risk Mitigation: Schedule a meeting with the stakeholders and executives to review the roadblocks keeping the team from delivering the project by the original deadline and coming up with a more feasible one.

Risk Priority: 1

Risk Ownership: Bill Baher

Risk Status: In Progress

Benefits of using a risk register

Let’s look at ways different industries can benefit from adopting the practice of relying on risk management templates for their projects.

Identifies patterns from threats

Maintaining a risk register helps you spot threats that could throw your project off track. As you monitor your register, you may begin to see trends. This can help your risk management team adjust your strategies and make necessary changes to address the risks, improving your security posture. 

Helps develop stronger risk mitigation strategies

Documenting risks helps you develop mitigation patterns capable of lowering the threat level they present to your project. You can outline what resources might be needed and have them in place if the threat becomes more tangible.

Instills greater confidence in risk response

A risk register puts you in a position to maintain a proactive stance versus always having to come up with ad-hoc solutions. Your team and stakeholders can feel more confident in your ability to manage issues that might crop up during the project.

Best practices for maintaining effective risk registers

Below are a few suggestions for creating a risk register that makes project management smoother and more efficient.

Update your risk register often

Your risk register should always reflect an accurate snapshot of what’s happening with your project. That only happens if you and your team regularly update the document. Revisit the project risk register continuously — even if you don’t need to change anything.

Set user access rights accordingly

Make sure that team members tasked with identifying and mitigating risks have access to view the risk log and make updates. 

Monitor third-party risk continuously

Keep up with any risks associated with working with third parties or systems during your project. Make sure you keep track of anyone who gets access to your risk register and remove their access once they no longer need it.

Adjust risk management techniques over time

A risk register is an important tool that risk management decision-makers use to track and communicate risk, but how you deal with risks will change as you get new input or work with different team members. Don’t be afraid to adjust and refine your risk register to accommodate the project’s needs. 

Manage and mitigate risk easily with HyperComply

Dealing with risk is an essential element of project management. Identifying potential problems early gives you time to develop mitigation strategies, and risk register templates that cover common risks can help simplify the process.

Risk registers are one critical aspect of an effective risk management strategy, but ensuring the security of your third-party vendors is another: if they're at risk, so are you. HyperComply streamlines security reviews with automation, helping your business speed up the due diligence process and confidently onboard new partners.

Try out HyperComply today to see how our platform solidifies your company's cybersecurity.


What is a Risk Register? [+ Templates]


What exactly is a risk register? Project management experts say it could be one of your first lines of defense against the staggering statistic that somewhere between 50-70% of projects fail.  If you haven’t put in place a risk identification and risk response plan—not to fear. In this article, we’ll get into this important topic in project planning and show you how you can get one up and running fast with work management software like monday.com (we have a template for that!).

What is a risk register?

A risk register is a risk management tool used to collect potential risk events, organize them by risk categories, and assign team members who will address them. It also serves as a place to include additional information about each risk, like the nature of the risk and how it will be handled. This is especially useful when you want to perform risk analysis throughout the project or even after an event has occurred. You might also hear it referred to as risk matrix project management.

Why do we need a risk register?

Even though risk management has been identified as the second most valuable project process, nearly half of all project managers don’t do it effectively. Let’s review just a few of the ways using a risk register gives your organization a leg up.

Contingency planning

By identifying the potential risks to your project, you have the opportunity to plan how you’d deal with them should they become issues. This hopefully would reduce any additional consequences and stress surrounding a risk event.  Whether it’s the availability of specific resources or reliance on external contractors that contribute to your project’s risk, having a bullet-proof plan in place from the beginning will be worth your while. 

One of the key ways to mitigate risks is to build resource flexibility into the project schedule, whether that’s budget, time, or people. monday.com offers a Contingency Plan template as part of our 200+ customizable Template Center. 


You can also learn more about contingency planning in our blog.

Stakeholder reassurance

Making an effort to identify and record risks and their potential mitigation strategies acts as reassurance to stakeholders that you’re taking risk management seriously.

It demonstrates that you’re invested in the success of the project and understand any potential limitations of the business environment you’re delivering the project in.

Risk ownership

When risks are identified and recorded in the project risk register they’re also assigned a risk owner. By working through the risk management process, there won’t be any scrambling or doubt as to the ownership of each risk.

It’s important to understand who is liable for any impact on the overall project outcome and also whose responsibility it is to make things better should a problem occur so you can execute quickly.

How do you write a risk register? 4 key steps

Risk management is one of ten key knowledge areas explained in the Project Management Book of Knowledge (PMBOK), which is the go-to resource in the industry. PMBOK offers four key steps to effectively manage risk using a risk register:

1. Identify risks

The first step is to identify potential risks to the project. Much of this information will be sourced from other project documentation, such as the cost management plan, resource planning, project schedule, stakeholder analysis documents, etc.

It might also be helpful to review wider business documentation such as SWOT analysis (Strengths, Weaknesses, Opportunities, Threats), supplier information, or any industry-specific requirements for external authority review or validation.

Each identified risk can be added to the Risk Register template to form the basis of a risk management plan.


2. Analyze risks

The process of analyzing risks should be done in conjunction with business stakeholders. Each individual risk will need to be given a rating according to:

  • The likelihood of it happening (probability).
  • How much of a problem it would be if it happened (impact).

Project managers can then complete a risk assessment, using a risk matrix to define the level of risk. Once this information has been assigned to each risk description in the risk register, project managers can prioritize those that need to be most carefully monitored and controlled.

Risk matrix with impact on the x-axis and likelihood on the y-axis and used to categorize risk level from low to extreme


3. Plan risk response

Once risks have been analyzed and prioritized, the project team can work with the business to create strategies for dealing with risks that are a threat to the overall project success.

While we normally see risk as a negative thing, this is also the time to plan out responses to any positive risks — or opportunities — that have been identified.

4. Control risks

The risk register should be actively managed throughout the project lifecycle. Existing risks can be tracked and their risk status up or downgraded as the probability of occurrence and impact changes. If a new risk is identified during project execution it can be added to the risk log along with a mitigation strategy.

Statistical models — such as S-curves — can help track actual project performance against what was expected and highlight any growing risks in key variables such as project cost and availability of resources.

What are the 5 risk mitigation strategies?

While this list could vary between four and five in number, the basic, agreed-upon methods for risk management are:

  • Transferring 
  • Loss prevention and reduction

How can monday.com help me manage risk?

The key benefits of working within an integrated platform like the monday.com Work OS are visibility and ease of collaboration. These factors are important in risk management, as ownership may be spread across the project team and business areas.

Multiple stakeholders may need to be involved in order to monitor and control risks effectively and implement risk mitigation plans, should they be needed. And, if risks develop into issues, a rapid response is required to minimize the impact on the project.

It’s easy to collaborate within the monday.com platform itself to reduce email fumbles and multiple accounts or, if you already have a favorite tool, monday.com integrates with all the usual suspects.

Example of team collaboration on monday.com

Making judgments about the likelihood and potential impact of risks is subjective and it can be helpful to come up with a consensus viewpoint before assigning a risk rating. monday.com has a Vote column where all of your constituents can vote on issues and an Updates section for more in-depth discussions, as well as attaching files.

Information from key documents such as the project schedule, resource allocation plan, and budget tracker can also be easily integrated or uploaded from your existing documents to create a dynamic risk register that everyone can refer back to. Finally, our automations help keep everyone up to date at all times. If the status of a risk changes, notifications can automatically be sent to stakeholders, alerting them to take action.

Manage risk for better business outcomes

Proactively identifying and managing your risk doesn’t stop bad things from happening to good projects, but it ensures you have a plan in place if your risks turn into issues.

You might want to get started with our fully customizable risk register.


Enterprise League


How to create a risk register: 5 tips to get you started

October 25, 2022


As a business owner, leader, security expert, or project manager, you are already aware that the business environment has changed in past decades. Cyber attacks and other risks are more frequent and severe compared to the last three decades. You’re probably working hard to cushion your business from threats — that’s why developing a risk register is key to your business success.

What is a risk register?

You probably have heard about a risk register but haven’t paid close attention. This could be why your projects have derailed or you’re not earning revenues as anticipated.

A risk register, also known as a risk log, is an information repository that organizations use to create, document, and track risks that may occur and impact the company. Each risk identified is recorded in a risk register, including a risk description, the likelihood of its occurrence, its possible effects on business, how the risk ranks against other relevant threats, the response in place, and the personnel responsible for mitigating it when it occurs.

Like many other elements in a business, a risk log is an essential aspect of risk management. Risk management is not an event but an ongoing process throughout your project or business lifespan. At any time, you must remain abreast of any risk to your business, and a risk register saves you lengthy processes and financial costs involved in reactionary risk management. Undoubtedly, it’s key to implementing proactive risk management.

Although the content of a risk register may differ depending on the company type and project scope, it is essential in the planning and execution of every business project.

Why your business needs a risk register

Each company needs a risk register to determine specific risks and mitigations. A risk register is your database for the various threats your business is exposed to. The register enables you to identify all possible risks and rank them in order of importance, that is, by the probability of each risk occurring as well as its potential impact on your business.

A risk register gives you a good starting point when beginning a project. Here, all stakeholders come together and identify risks that could disrupt a project. Doing this helps you remain focused on important elements of the projects while being ready to mitigate any threat to your business proactively.

How to start creating a risk register

Developing a risk register can be daunting when you’re inexperienced in project management. However, it’s a must-have tool in your business. Here are the essential steps for creating one:

Identifying risks

Gather all necessary stakeholders to brainstorm on possible risks. Each department has different functions and threats — therefore, it can identify possible risks associated. Involve everyone at the departmental level to bring out all important factors.

Describing project risks

Once all potential risks are identified, you need to get a description of each risk. You need to understand how, where, and when each risk can occur. But keep it simple — having vague descriptions may hinder your team from understanding their manifestation. The description is followed by assigning leadership roles and ownership for each risk described.

Estimating risk impact

Assess every aspect of each risk likely to affect your business, and develop a robust risk management plan to deal with the risk. Remember to analyze the competitors and location to identify the possibility and the impact of a risk when it occurs to others.

Creating a risk response plan

Accord the necessary effort, resources, and time in developing your risk register. You must be thorough but not vague, keep it short and to the point, and conduct thorough research to take the right action in case it occurs. It’s important to have more than one approach in place.

Also, document response plans for all risks identified and analyzed, accompanied by your implementation strategies.

Prioritize the risks

Some risks to your business or project have a lower impact, while others can have catastrophic effects when they occur. This makes it ideal to decide which ones to prioritize, relegate, and ignore.

You can create a column on your register detailing risk levels as either high, medium, or low. This way, you’ll have an easier time assessing chances of occurrence and assigning resources to each.

A risk register is an essential tool for any organization to assess financial, enterprise, IT, and project management risks. Of course, predicting or anticipating every threat to your business or project is impossible.

But with a risk register in place, you prepare your business to respond efficiently when threats to your project become potential hindrances to realizing your objectives.


What is a Risk Register? A Complete Guide

Hannah Whiteoak - Guest Contributor


What is a risk register?


Running projects at a small to midsize business requires you to juggle many things, including the risk of a project being derailed by an issue. But what if there was a way to mitigate that issue before it even happens?

Risk registers are used in project management to keep projects on track by proactively noting potential risks, and helping to set up mitigation strategies to steer a project back on track in case of failure. Risks are inevitable, but with a risk register in place, you can anticipate them.

A risk register, sometimes called a risk registry or risk management register, is a structured document that serves as a proactive tool for identifying, analyzing, and managing uncertainties that could impact a project's success. It also assigns responsibility to people within your organization for dealing with those risks.

Having a risk register to analyze the potential risks that could occur within a project is crucial for mapping out mitigation strategies and steering the project back on track if these risks materialize.

What kind of business should consider a risk register?

Any business engaged in projects, especially SMBs with limited resources, should consider implementing a risk register. It becomes particularly crucial when dealing with projects that involve tight deadlines, complex dependencies, or significant financial investments.

A risk register typically includes sections for risk description, probability, impact, mitigation strategies, and responsible parties. It serves as a living document that evolves throughout the project life cycle.

While a risk register and a risk matrix share the objective of assessing risk levels and contributing to contingency and risk management plans, they differ in form. A risk matrix is presented visually, with risks shown in a grid structure that expresses their likelihood and severity, with color coding to indicate priority. In contrast, a risk register, presented as a spreadsheet, provides detailed information, encompassing risk descriptions, responses, and responsibilities for identification and mitigation.

The initial phase of risk register project management involves systematically identifying risks. For organizations engaged in recurring projects, historical data can be a valuable resource in identifying risk categories.

The project risk register not only identifies but also tracks risks throughout the project. Whether recorded on a spreadsheet or using project management software, this system allows for the monitoring of risk response actions, ensuring that the strategies in place effectively mitigate the impact of identified risks.

Monitoring project risks is facilitated by assigning risks to team members, ensuring accountability for implementing risk response actions. Resolving risks marks a significant milestone, providing control over the risk management plan and enhancing communication with everyone involved in the project.

While risk registers may vary in form, they commonly incorporate elements such as risk identification, risk description, risk categories, risk analysis, risk probability, risk priority, risk response, and risk ownership.

You can make your own risk register by following these steps:

  • Risk identification: Gather the project team for collaborative brainstorming sessions, leveraging their expertise to identify potential risks.
  • Describe project risks: Provide a detailed yet concise description of each project risk, avoiding vagueness for a clear understanding.
  • Estimate risk impact: Include all potential influences of the risk to develop robust strategies for dealing with it.
  • Create a risk response plan: Dedicate effort to developing a comprehensive response plan, ensuring thoroughness without excessive detail.
  • Prioritize project risks: Determine risk levels (high, medium, or low) to prioritize effectively, filtering the register for streamlined risk management.
  • Define risk owners: Assign owners to each risk for accountability and proactive monitoring of potential issues.

An example of a risk register

Imagine your business manufactures widgets that need to be delivered on time to distributors. Your risk register would be a list of things that might go wrong to prevent you from meeting that deadline.

For example, one item on your risk register might be equipment manufacturing. Your risk register would include information about the impact of this risk, which could be a delay in production, and the level of risk it presents. You would then come up with mitigation steps to reduce the level of risk, such as having back-up equipment or carrying out regular maintenance.

Your risk register would also assign one or more owners to the risk, which might be a technician or the employee who uses the machine. These are the people who identify the risk and take action to resolve the issue.

As you embark on integrating a risk register into your organization’s project management practices, you equip your teams with a strategic tool to navigate uncertainties. The benefits of the risk register extend beyond documentation; it also fosters resilience, transparency, and success in managing project intricacies. 


About the author.

Hannah Whiteoak is a freelance writer specializing in healthcare, science, and technology topics. They hold a bachelor's degree in natural sciences and a master's degree in experimental and theoretical physics from the University of Cambridge.


How to Create a Risk Register + Template

In a recent survey, 65% of senior finance leaders agree that the volume and complexity of corporate risks have changed “mostly” or “extensively” over the last five years. Despite the perceived high volumes and complexities of risks, many of these leaders don’t believe their risk management processes are keeping pace.

Adopting a risk register is one way that organizations can better identify, assess, and manage risks as well as risk activities in the context of their broader mission and business objectives. 

Below we’ll explain what a risk register is, what benefits it offers, and how to create one. We’ll also offer an example and template to help you get started building out your own risk register. 

What is a risk register?

A risk register is a repository or central record of current risks facing an organization and related information such as a description of the risk, the impact if the risk should occur, the probability of its occurrence, mitigation strategies, risk owners, and a ranking in order to help prioritize mitigation efforts.

Information should also be included about how risks change in terms of likelihood and impact based on the determined risk responses. The residual risk — or the remaining risk after applying risk responses — should also be recorded in the risk register.

Benefits of a risk register

Having a risk register offers several benefits. The most notable are:

  • Consistent communication of risk information: Using a risk register with agreed-upon criteria and categories provides consistency in how you capture and communicate risk information throughout the risk management process and across the enterprise.
  • Improved risk-based decisions: A risk register can help key decision makers implement, monitor, evaluate the effectiveness of, and adjust risk responses to keep overall risk within the organization’s tolerance.
  • Tracking risks over time and the progress of management processes: A risk register can help you continuously monitor risks and risk responses and provide feedback to improve processes and adjust risk criteria over time.
  • Compliance: Risk management is part of most security and compliance frameworks. So by having a risk register as part of your risk management program, you’ll be ensuring compliance with multiple frameworks for your organization.

How to create a risk register

Follow the steps below to create a risk register. 

1. Identify and record the risks

Start by identifying all the risks that may impede your enterprise objectives. These are potential threats that might jeopardize your organization’s operations, assets, or individuals. When recording them in the risk register, you can assign each risk an ID like “R-1.”

2. Describe the risks

Next, briefly explain the risk scenario that may impact the organization. A cause and effect format can be useful. A sample risk description in this format is: “[Web application] is using a deprecated and unsecure protocol. If exploited, this vulnerability could allow a hacker to decrypt web app traffic.”

3. Categorize the risks

Next is risk categorization. The goal is to use an organizing construct that enables you to consolidate multiple risk register entries. For example, you may use the NIST SP 800-53 Control Families. These are: 

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Contingency Planning
  • Control Assessment
  • Authorization and Monitoring
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • Risk Assessment
  • System and Services Acquisition
  • System and Information Integrity
  • System and Communications Protection
  • Program Management
  • PII Processing and Transparency
  • Supply Chain Risk Management

Using these control families, the risk described in step 2 would be categorized as System and Information Integrity.


4. Assess the likelihood and impact of each risk

Now it’s time to analyze the risks. This requires estimating the likelihood that each identified risk event will occur (before a risk response is applied) and estimating the potential consequences of the risk event (if no risk response is applied). 

Below are two methods for risk analysis: 

  • Qualitative analysis involves descriptors, such as very low, low, moderate, high, or very high. The scale can be informed by external sources, such as industry benchmarks or standards, metrics from similar previous risk scenarios, or findings from inspections and assessments.
  • Quantitative analysis involves numerical values based on statistical probabilities and a monetized valuation of loss or gain. 

Here are examples of a qualitative and quantitative scale that Secureframe uses for its risk register.

[Figure: Secureframe's qualitative and quantitative risk scales]

Let’s take a look at an example of using these scales from NISTIR 8286. Say you’re trying to estimate the likelihood and impact of a critical business server becoming unavailable to an organization’s financial department. Subfactors that would affect the likelihood of this risk scenario are:

  • The age of the server
  • The network on which it resides
  • The reliability of its software

For example, if the server is five years or older, then the likelihood of failure may be moderate (on a qualitative scale) or a 6-14 (on a quantitative scale).

Subfactors that would affect the impact of this risk scenario are: 

  • Number of customers relying on the server
  • Financial materiality of customers using the server

If another server is highly available through a fault-tolerant connection, for example, then the impact of the loss of the initial server may be low (on a qualitative scale) or a 2-5 (on a quantitative scale).

5. Determine the exposure rating of each risk

You can then calculate the exposure rating for each risk based on the likelihood that a threat event will occur and result in an adverse impact. Just as with risk analysis, you can use both qualitative and quantitative models for calculating and communicating about exposure.

Risks should be prioritized based on their exposure value, among other factors. 

6. Determine the type of risk response

Next, determine what type of risk response would be best for handling each identified risk.

The different types of risk response are: accept, mitigate, transfer, resolve, and avoid.

  • Risks that fall within your organization’s risk tolerance levels can be accepted. The only risk response needed is monitoring.
  • Risks that can be reduced to an acceptable level in a cost-effective way should be mitigated or transferred. You may respond to these risks by implementing controls that help prevent or limit the loss if a threat event occurs.
  • Risks that cannot be reduced to an acceptable level in a cost-effective way should be avoided.
  • If a solution or remediation is implemented, a risk can be resolved.  

7. Describe the response to each risk

Briefly describe the action you are taking to respond to each risk. An example response to the risk described in step 2 might be to upgrade the [web application]’s authentication protocol.

8. Calculate the cost of the risk response

Calculate the estimated cost of applying the risk response. For the example above, if your organization already has the tools necessary to complete the upgrade, then the cost would be $0.

The risk exposure cost should be compared to the cost of the risk response to determine if it is worth trying to mitigate or transfer the risk. 

9. Assess and record residual risk

After risk responses are determined, consider analyzing and recording the risk that remains after a response is applied. This is known as residual risk. You can assess the likelihood and impact of a residual risk using the same methods as you do for inherent risks to determine if any additional risk response is needed.

10. Assign a risk owner

Assign a designated party who is responsible and accountable for ensuring that the risk is maintained in accordance with organizational requirements. This party may work with a designated Risk Manager who is responsible for managing and monitoring the selected risk response.

11. Add a status

Add a status to track the current condition of the risk and any next activities. Examples of statuses might be “open,” “in progress,” or “complete.”
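The steps above can be captured in a small quantitative register. This is an added example, not Secureframe's or NIST's code: it assumes exposure is likelihood (a probability) multiplied by monetized impact, treats a response as cost-effective when its cost does not exceed the exposure it removes, and uses constructed values, owners, categories for R-2 and R-3, and a constructed tolerance.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    risk_id: str                # step 1: ID such as "R-1"
    description: str            # step 2: cause-and-effect description
    category: str               # step 3: e.g. a control family
    likelihood: float           # step 4: probability (0-1) before any response
    impact: float               # step 4: monetized loss if no response is applied
    response: str               # step 7: what will be done
    response_cost: float        # step 8: estimated cost of the response
    residual_likelihood: float  # step 9: probability after the response
    residual_impact: float      # step 9: monetized loss after the response
    owner: str                  # step 10
    status: str = "open"        # step 11

    def __post_init__(self):
        # Reject entries that would silently distort the ranking.
        for p in (self.likelihood, self.residual_likelihood):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.risk_id}: likelihood must be a probability")
        if min(self.impact, self.residual_impact, self.response_cost) < 0:
            raise ValueError(f"{self.risk_id}: money values cannot be negative")

    @property
    def exposure(self) -> float:
        # Step 5. Assumed model (not stated on the page): likelihood x impact.
        return self.likelihood * self.impact

    @property
    def residual_exposure(self) -> float:
        # Step 9: same method, applied to the post-response estimates.
        return self.residual_likelihood * self.residual_impact


def response_type(risk: Risk, tolerance: float) -> str:
    """Step 6, using the cost comparison from step 8."""
    if risk.exposure <= tolerance:
        return "accept"      # within tolerance: monitor only
    removed = risk.exposure - risk.residual_exposure
    # Assumption: "cost-effective" means the response costs no more than
    # the exposure it removes, and the remainder fits within tolerance.
    if risk.residual_exposure <= tolerance and risk.response_cost <= removed:
        return "mitigate"    # the page groups mitigate and transfer together
    return "avoid"


def prioritize(register, tolerance):
    """Rank by inherent exposure, highest first (step 5)."""
    ranked = sorted(register, key=lambda r: r.exposure, reverse=True)
    return [(r.risk_id, r.exposure, response_type(r, tolerance), r.residual_exposure)
            for r in ranked]


TOLERANCE = 10_000.0  # constructed risk tolerance, in dollars

# Constructed register. R-1 and R-2 reuse the page's scenarios; all numbers
# and owners are invented for illustration.
REGISTER = [
    Risk("R-1",
         "[Web application] is using a deprecated and unsecure protocol. If "
         "exploited, this could allow a hacker to decrypt web app traffic.",
         "System and Information Integrity",
         0.25, 200_000.0, "Upgrade the protocol", 0.0,
         0.03125, 200_000.0, "Application owner", "in progress"),
    Risk("R-2",
         "Critical business server becomes unavailable to the finance "
         "department; a fault-tolerant standby limits the loss.",
         "Contingency Planning",
         0.5, 16_000.0, "Monitor", 0.0,
         0.5, 16_000.0, "Infrastructure lead"),
    Risk("R-3",
         "Sole supplier of a key component stops deliveries. If that "
         "happens, production halts.",
         "Supply Chain Risk Management",
         0.5, 400_000.0, "Dual-source the component", 250_000.0,
         0.125, 400_000.0, "Procurement manager"),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER, TOLERANCE):
        print("%-4s exposure=%10.2f response=%-8s residual=%10.2f" % row)
```

R-3 ranks first and comes out as "avoid" because its response costs more than the exposure it removes and still leaves residual exposure above tolerance.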

What is a risk mitigation plan?

A risk mitigation plan refers to the documented organizational strategy for mitigating risk. It generally highlights and outlines all the potential risks facing an organization along with different strategies and practices that risk managers and other employees should use to mitigate those risks.

The key to creating an effective plan is to identify the risks that are the most likely to occur or to have the biggest impact if they occur and prioritize mitigation efforts for them.

A risk matrix can be helpful in identifying your biggest priorities. You can then begin mitigating risks at the highest level and continue addressing the lower levels as time and resources allow.

Risk register example

Below is an example of a risk register. The first row contains categories that are based on the notional risk register in NISTIR 8286. The second row contains an entry for the risk described in the section above.

[Figure: Risk register example with one risk filled out]

Risk register template

We created a template to provide guidance and useful information for completing and using a risk register and integrating it with your overall risk management strategy.


Risk register software

Risk register software can make it easier to create a risk register and keep it up-to-date with new risks and information.

With Secureframe for example, you can start building out your risk register with templated risks from our risk library or with custom risks. Once you import a risk description using a pre-built risk from the risk library or fill in a risk description and owner, you can use Comply AI for Risk to auto-fill most fields in the risk assessment workflow including risk score, justification, treatment, and more. At the end of the workflow, you can review and validate that the output is accurate and complete the risk assessment. 

In addition to saving you valuable time and resources, this functionality ensures each risk is reported in a consistent and repeatable manner and you won’t need to spend time brainstorming categories or conducting risk formula math. 

The Secureframe risk register is easy to update and view at-a-glance so your organization can stay aware of and assess risk changes, review risk and performance results, and continually improve its risk management processes to help the organization achieve its objectives. Learn more about Secureframe's new Risk Management tool.



The Top 50 Business Risks And How To Manage them!

Risk is simply uncertainty of outcome, whether positive or negative (PRINCE2, 2002, p239). Business risk is uncertainty around strategy, profits, compliance, environment, health and safety and so on.


The Top 50 Business Risks

  • Insure assets
  • Compliance with fire & building regulations
  • Early warning systems e.g. smoke alarms, sprinklers.
  • Credit checks
  • Set credit limits
  • Set payment terms for suppliers
  • Use debt collection agency
  • Check financial background
  • Use business intelligence agencies
  • Early warning indicators e.g. late payment
  • Avoid single source dependence
  • Good record keeping
  • Use analytics to measure engagement/CTR etc.
  • Provide personalized useful insights
  • Less may be more
  • Create creative, entertaining content
  • Have a clear vision
  • Set clear goals and objectives
  • Regularly review strategy against market conditions
  • Improve cashflow management
  • Review costs and inventory
  • Accountancy software use/replacement
  • Careful use of long and short term financing
  • Use customer success managers
  • Engage throughout the customer lifecycle
  • Sell to the right customers
  • Provide value
  • Monitor trigger events e.g. change of ownership/Senior management team
  • Gather intelligence and assess risk
  • Deploy a defensive strategy
  • Flip the negative messages e.g. if competitor says your company is too small, push your agility and ability to focus on your customers
  • Use an industry research and advisory firm like Gartner or Forrester, to scan for competitive risk
  • Invest in intelligence tools e.g. social media monitoring
  • Improve competitive analysis
  • Outsource to or engage consultants e.g. BrandTotal
  • Reduce contractual disputes with contract advice and standard terms and conditions
  • Train employees on legislation, e.g. around harassment, bribery, etc
  • Insure against the risk of legal action
  • Have inhouse counsel or retain a legal firm
  • Employee training and refresher courses
  • Seek legal advice on contracts, new legislation and industry specific regulations
  • Create a quality assurance team
  • Implement more quality and safety checks
  • Register work via a copyright registration service
  • Mark all work with a copyright notice, include in all footers etc
  • Take prompt action on infringement
  • Train employees to recognise infringement and to avoid infringing copyright in the materials they produce on behalf of your business
  • Use stock footage and images
  • Develop a dedicated strategy for components that are subject to volatility
  • Use financial and operational hedging
  • Monitor pricing trends
  • Manage inventory to soften impact of price changes e.g. stockpile
  • Identify the source of low satisfaction e.g. is it difficult to do business with your company or is product quality the problem
  • Use Customer Relationship Management Software
  • Review product quality and increase quality controls
  • Implement CSAT surveys or similar to monitor sentiment
  • Invest in employee including sales training
  • Get the essentials in place e.g. anti-virus, firewalls, password use, whitelisting, access control, SSL, SSO
  • Network and data encryption
  • Conduct component driven and system driven risk assessments
  • Conduct security audits
  • Lock down hardware e.g. company laptops, disable USB, company image if employees bring their own device
  • Have a procedure which will be triggered in the event of loss or a suspected attack
  • Consider focussing on solutions rather than the product
  • Review marketing materials, sales plays, provide additional sales training
  • Are the right customers/markets/locations being approached?
  • Identify the unique selling point
  • Improve market research and Research and Development
  • Repurpose product
  • Decommission product
  • Risk to employees of extreme weather - ensure safe temperatures at work, access to water, home working in bad weather, support with travel, accommodation etc
  • Risk to facilities, buildings, resources, materials - insurance e.g. buildings and contents, invest in storm protection, fire prevention etc
  • Develop an emergency prevention and recovery plan
  • Identify your most valuable data and conduct a risk assessment
  • Establish effective security policy - such as prohibiting password sharing and bringing your own devices to work
  • Maintain efficient data access policy
  • Secure your infrastructure, e.g. with a firewall and anti-virus; separate valuable data from your corporate network and prohibit access to it. Protect border routers and establish screened subnets
  • Educate employees e.g. teach them about simple security practices, that they should incorporate in their daily workflow - lock unattended laptop, use strong passwords, challenge people without ID etc
  • Conduct background checks
  • Create proper termination procedure
  • Monitor employee activity
  • Accept the risk and buy or sell currency in the spot market
  • Fix rate via a forward exchange contract
  • Insure against the Forex risk
  • Use a Forex structured product
  • Back up generators and/or off grid solutions
  • Water storage on site or own bore hole
  • Move location for more reliable supply e.g. rural locations have more/longer black outs
  • Change products/processes to reduce reliance on utilities e.g. require less water
  • Create a health and safety policy
  • Identify hazards
  • Evaluate the risks and complete a risk assessment
  • Provide staff training e.g. on manual lifting
  • Have procedures for reporting incidents.
  • Consider flexible working options e.g. working from home and hot desking
  • Obtain longer leases or buy freehold office space
  • Consider relocation
  • Use government scheme e.g. apprenticeships
  • On the job training
  • Offer relocation packages for skilled recruits
  • Use employee incentive or bonus schemes
  • Check pay reflects industry (going rate)
  • Identify top performers and reward/offer incentives to stay
  • Remove hygiene factors e.g. poor parking, lack of flexible working
  • Identify risks: ask, "How can political actors or conditions impact our business?"
  • Diversify sources of materials, suppliers, site locations, markets
  • Influence the political landscape via lobbying, networking, assisting candidates/parties
  • Agreed fixed rates, prices. Hedge against price volatility.
  • Follow recommended servicing and maintenance schedules
  • Keep stock of parts
  • Have contract with emergency/24/7 repair services
  • Train employees on safe use, maintenance and basic repair
  • Make use of early adopters to refine the product
  • Ask your existing customer base what they want/need
  • Invest in beta testing
  • Shadow test - open product for pre-ordering
  • Investment risk models
  • Use value at risk in measuring portfolio risk
  • Monte Carlo simulation
  • Sensitivity and scenario risk measures
  • Identify natural hazards
  • Measure vulnerability to natural hazards
  • Connect to early warning systems if required
  • Use forecasts to measure proximity of risk e.g. use weather forecast to decide date for shipment
  • Create plans for responding to natural disasters
  • Insure against losses where possible
  • Conduct due diligence
  • Identify new stakeholders
  • Identify challenges e.g. corruption/lack of transparency in new emerging markets
  • Use shadow testing and beta testing to reduce exposure and test acceptance in the new market
  • Use a recognised Operational Risk Management (ORM) process
  • Assess risks for each operational area e.g. IT, HR, finance, security
  • Automate operational workflows
  • Use risk-based capital
  • Improve people management
  • Additional training
  • Invest in infrastructure
  • Implement process to respond to patent notice letters, patent assertions and lawsuits
  • Budget for patent defense expenses
  • Develop standing litigation teams inhouse and outside
  • Join Patent Pool
  • Use Rational Patent Exchange (RPX) Corporation
  • Review recruitment processes - employ great managers
  • Don't use promotion to a management role as reward for long service
  • Invest in training for your managers
  • Have open transparent process for raising grievances, whistleblowing
  • Take out Political Risk Insurance (PIR)
  • Assess risk in the country, use consultants or government advice e.g. U.S. Department of State's background notes
  • Negotiate compensation terms with a country before locating there
  • Create contingency plans
  • Diversify overseas investments
  • Ensure realistic forecasting and sales pipeline. Understand what % of opportunities won't win.
  • Improve quality of leads, before handing opportunities to sales
  • Adjust sales pipeline multiplier
  • Prevent orders being shipped without payments clearing in advance
  • Have revenue incentives for suppliers who meet targets
  • Increase sales quotas
  • Reduce costs e.g. downsize office space by moving to hot desking or consider outsourcing some functions
  • Undertake operational savings initiatives with a strong ROI
  • Prioritise initiatives that enable high value customers to be identified and retained
  • Take out key person insurance in case of redundancy
  • Revise decision making processes to make them more nimble and faster
  • Freeze recruitment i.e. don't replace leavers
  • Review supplier list and check that alternatives are available
  • Invest in compliance consultants
  • Train employees on regulations e.g. GDPR
  • Use analytics and technology to monitor compliance activities
  • Conduct a compliance risk assessment
  • Reputational risk occurs when performance doesn't match expectations. Track evolving stakeholder expectations to manage the risk
  • Put a plan in place to manage a reputation crisis
  • Monitor sentiment online using social media monitoring tools, engage promptly
  • Use variance analysis and comparisons to highlight potential inaccuracies in forecasts
  • Set high, low and expected forecasts (30, 50 and 70 percent probabilities)
  • Measure forecasts against actual results to improve accuracy
  • Update forecasts regularly e.g. monthly
  • Consider a complete shutdown during off-peak periods to reduce costs
  • Adapt your services/product to the seasons e.g. skiing in winter, walking in summer
  • Market in off-peak times
  • Reduce opening times during off-peak periods
  • Provide medical insurance with a well-being program/incentives
  • Log sickness, and trigger sickness absence procedures after x days
  • Separate sick pay from annual leave so that it can be tracked
  • Have a fit for purpose sickness absence policy
  • Know the location of your suppliers and their suppliers facilities
  • Meet with your suppliers and understand their rerouting procedures and risk management procedures
  • Check your suppliers are compliant with local regulations
  • Diversify your approved suppliers
  • Outsource and/or use Software as a Service
  • Continuously review the market and technological advances
  • Invest in new technology companies e.g. buy shares, acquire the company
  • Invest in Research and Development team
  • Beta test new technology
  • Build in redundancy and use data back ups
  • Use SaaS model to reduce onsite hardware
  • Have power and cooling back ups e.g. generators
  • Invest in monitoring and early warning systems
  • Invest in security hardware and personnel
  • Invest in cyber security, encryption, VPN etc
  • Retail style alarms on products
  • Strict access control, badges, scanners, search etc
  • Integrate innovation into your business
  • Assign revenue goals for the R and D/ innovation team
  • Cultivate pilot ready customers or market segments
  • Automate the development process
  • Purchase Marine Insurance which covers sea or air transit
  • Choose a suitable freight forwarder
  • Understand value of shipments, split high value shipments
  • Be clear on the impact of losses in the supply chain on corporate financials
  • Have a contract with a temp agency for HR resources needed over peak periods
  • Outsource provision of human resources e.g. Amazon warehouse model
  • Set expectations with customers and stakeholders around lead times
  • Invest in automation and AI to free up resource from repetitive time-consuming work
  • Keep some inventory (stockpile)
  • Diversify supply chain
  • Adjust supply for seasonal fluctuations e.g. holiday periods.
  • Diversify locations
  • Have data and warehouse backups in different locations
  • Insure against war, terrorism and political violence


About the risk register and treatment plan template

Use the risk register to identify risks that could affect your business, the likelihood of each one happening and the possible consequences.

Once you've identified possible risks to your business, create a risk treatment plan to prioritise them and record actions you can take to prevent the issue or lessen its impact.

Project Risk Register Examples: IT, Construction, Transportation, and More

By Kate Eby | October 29, 2023


Risks are unexpected occurrences that can derail or boost a project. Project managers often use risk registers to record and track risk. We gather the best real-world examples of registers for project management, software, construction, IT, and more.

Included in this article, you’ll find a risk register example for project management, construction, IT and software, engineering, and more. Project management experts share best practices for using risk registers.

Project Risk Register Examples

Project risk register examples show how project managers use them to record potential problems and mitigation tactics. These real-world risk register examples from a variety of industries provide insight into how to use them across verticals. 

Risk is often defined as the known unknown that might either positively or negatively affect project objectives. Typically, project managers will document any risks associated with a project during the planning phase. A risk register is in flux throughout the project lifecycle. New risks are added. Irrelevant risks expire, which means their probability goes to zero. Ideally, project leaders don’t want any risk to rise to issue status. Learn more about a project risk register and how to use it. 

Project managers create risk registers as part of the project risk management process. This step usually occurs after a risk assessment and includes ways the team might mitigate or prevent a risk. Read this guide on project risk mitigation and download a free starter kit to begin.

Project Management Risk Register Example

Development projects use risk registers to identify financial and physical risks and how to manage them. This project management risk register from the Bedford Borough Council shows the high-level risks involved in road and building upgrades. The study identified such risks as the following: responsible parties don’t deliver projects, a lack of clear governance or capabilities, and others. 

Bedford Borough Council Risk Register Example

Download the Bedford Borough Council risk register and risk management plan example

See this collection of project management risk register templates for other options.

Construction Project Risk Register Example

Highway maintenance has a significant impact on the supply chain, public transportation, and safety, not to mention the environment. The Colorado Department of Transportation’s risk register example for a project on I-25 represents a classic quantitative register displaying such risks as utilities in need of relocation and approvals required for a railway bridge redesign. 

Colorado Department of Transportation

Download a free construction risk register template

IT Project Risk Register Example

Protecting personally identifiable data (PID) and preventing intrusions into IT systems are primary concerns for corporations, educational institutions, healthcare providers, and other organizations. An information security risk register records all possible risks to data and approaches to mitigate issues. The Western Australia government IT software project risk register example lists loss of confidentiality as one possible risk. 

Western Australia Government IT Software Project Risk Register Example

Download a free IT risk register template

Engineering Project Risk Register Example

Engineering projects carry considerable risk, from cost and schedule overruns to regulatory changes. The Oregon Department of Transportation’s engineering project risk register sample shows possible design risks from unexpected ground conditions. The register includes additional columns to indicate the impact cost of risks if they occur and whether the item is on the project’s critical path. Learn more about the role of critical path in project management.  

Oregon Department of Transportation Project Risk Register Example

Download the Oregon Department of Transportation’s engineering project risk register sample

Public Event Project Risk Register Example

Considering risks is a critical early step for a project that includes a public event. Accidents and other problems can occur easily. As part of project planning, project managers will create a risk register that examines and plans for such eventualities before the day of the event. Depending on the size and nature of the event, local permitting authorities might require you to complete a risk register beforehand. Risks can include catering and equipment problems, crowd control, medical, and security issues. This risk register with sample data from the Australian City of Mandurah shows a trip hazard as a possible event risk. The form uses plain English to describe the adverse outcomes as “an unwanted event” and answers the question of what could go wrong.

Australian City of Mandurah Risk Register Example

Download the project risk register sample for a public event from the city of Mandurah

Maritime Engineering Risk Register

Maritime engineering projects involve regular construction risks and environmental concerns. The example from the Darwin Ship Lift project risk register includes a project risk assessment and a concise colorful chart that displays extensive risk mitigations. The example also categorizes risks by three characteristics: factor, project phase, and aspect or type of risk. 

Darwin Ship Lift Project Risk Register

You’ll also find that the register includes a detailed description of the consequences for each risk area.

Maritime Risk Register Consequence Descriptions

Best Practices for Using a Project Risk Register

It might be easy to write a project risk register and then forget about it. But risk management experts recommend several best practices, such as keeping it simple, making it approachable, and using it for reference.

Project manager pros share these useful tips to help everyone keep project risk management top of mind: 

  • Store the Project Risk Register Where the Team Can Find It: Store the risk register in a location that’s easy for all stakeholders and project team members to access.

Mary Beth Imbarrato

  • Make Project Risk Discussions Approachable: One way to approach a risk register is to start with creating a project risk management plan and identifying potential issues — essentially, starting a list for the risk register. “People tend to shy away from risk discussions because they don't know how to approach the question, the answers, or the potential scenarios,” explains Imbarrato. “If we can provide tips on making this a simple discussion with easy-to-understand questions and a follow-up task of capturing the risks in a spreadsheet, it just makes the process seem less daunting.”

Garrett Smith

  • Consider Risks and Consider Them Well: Barry explains that listing project risks isn’t a magical act that makes them disappear. It’s vital to consider what you would do if they become issues. “And that's where your team mix has a really important influence. On a good team, you should have someone who's the book or fact nerd. It's great to have someone say, ‘Are you sure? Does this relate to this? Or is it something else?’” she adds.
  • Avoid Nasty Surprises: It’s not enough to create a risk register; you still need to refer to it once the project is underway. “In the vast majority of cases, issues should never suddenly appear because if they do, it means that the issue wasn’t identified as a risk at the start of a project,” says Fullick. “In that case, it means that a team or organization is now playing catch up because they’ve ignored a potential risk and risk trigger events that are now impacting them.”
  • Remember the Small Risks: Fullick notes that just because high-impact risks require attention, it doesn’t mean a project manager should ignore lesser-impact risks. He adds, “A risk with a low impact ignored for too long can escalate to a major risk if no action is taken against it. Remember, from small acorns do mighty oaks grow. Ignore low-rated risks at your peril.”
  • Use It as a Reference Tool: A project risk register makes a valuable reference tool at regular meetings. Create a separate register to track continuing issues for areas not directly related to the project.
  • Lean on Leadership: “The culture of the project and the sponsor and collegiality of the team enable a risk register to be functional,” says Barry. “Yes, the automated items can remind you what needs to happen. And, yes, you must remember to use your checklists. But people can ignore those things. Using the risk register is only as strong as your leadership or your project sponsorship.” 

“The Risk of Risk Registers — Managing Risk Is Managing Discourse Not Tools” in the Journal of Information Technology warns that risk registers become ineffective when managers mistake abstract risk entries for concrete risks. For example, listing a failed product as a customer service risk draws focus from other potential customer service risks. 

Nevertheless, the article maintains that risk registers provide a means to communicate risks across functions throughout an organization. Documenting risks helps focus effort and resources on addressing risk root causes. See this risk management benefits guide and this article on identifying project risks to learn more about the importance of creating a project risk register. This article on enterprise project planning defines how risk registers play a vital role in successful projects.

What’s In a Project Risk Register?

A project risk register is usually a spreadsheet that documents a project’s potential risks. The register includes a possible mitigation plan and a response owner. A risk listing has a risk name, ID number, description, and priority or risk score.

In addition to the essential identification fields, risk registers often include a date, the risk category, risk mitigation details, who owns or is responsible for tracking the risk, and risk status. Other columns might be added to the register based on the project type.

Risk Register and Management Idiom

A formal risk management process has its own idiom to describe finding and managing risks. “Just because we're reading the same thing doesn't mean we understand the same thing. Using common terminology is something I always emphasize because you might start on the project, but personnel changes over time. You must make sure the new person joining the project can understand what things mean,” adds Barry.

Use the following terms to describe risk status: 

  • You identify a risk. That’s why each risk has an ID number. Unique individual numbers are critical because risks in different categories can have similar names, leading to confusion.
  • You expire a risk. Use this terminology when the timeframe for the risk to become a problem has ended. You can also use it when you address the problem to eliminate that risk.
  • A risk is realized. When a risk becomes an issue and affects your project, then it’s realized. Flag the risk as realized in the risk register and open an issue describing the issue and its impact on your project. If you don’t have a tracking system, use this project issue tracker template.
  • You withdraw a risk when it is no longer valid.
  • You close or resolve an issue once you’ve addressed it or if it becomes an issue.


Is the Risk Register a red herring for Business Continuity Planning?


It feels that a logical starting point for the Business Continuity Planning process would be the major risks that the business faces and, therefore, the Risks identified in the Risk Register. But when building Resilience, the Risk Register can be a red herring.

Let's first state the obvious: (commercial) organisations exist to generate income, profit and a return for shareholders by delivering their products and services; that is their reason for existing. They do this by utilising their Assets and Resources, and anything that disrupts this capability, whether an internal or external factor, is a risk to the business and needs to be addressed.


Let’s consider the purpose of the Risk Register

A Risk Register is a document that records your organisation's identified risks, the likelihood and consequences of a risk occurring, the actions you take to reduce those risks and who is responsible for managing them.

It enables you to store your risk information in one easily accessible location. Its simple, consistent format makes it easier for people to understand the presented information and provide feedback.

A Risk Register is also an important mechanism for the Board to demonstrate good governance to stakeholders.

Importantly, a Risk Register specifies the ways your team commits to managing the identified risks and who is responsible for doing so. The Risk Register is event-based.

17th March 2000, Albuquerque, New Mexico*.

A power line was struck by lightning in an electrical storm, causing a power surge which in turn started a small fire in Philips' chip manufacturing plant, which supplied both Ericsson and Nokia (40% of its production capacity).

The sprinkler system put out the fire in 10 minutes with slight building damage. However, in the process of the incident, thousands of chips being manufactured were destroyed. The sprinkler activation and smoke contamination rendered millions of chips obsolete.

Ericsson, at the time Sweden's largest company with an annual revenue of $30 billion, had been moving to single sourcing as a means of controlling cost and efficiency and used this plant as the sole supplier of radio frequency chips. Even though this wasn't a major fire, it still took 6 months for production levels to reach 50% of the pre-incident volume. Ericsson reported that the total fire cost was more than $400 million (approx $700 million: 2022), which contributed to a $1.7bn (approx $3bn: 2022) loss in the mobile phone division for the year. Ericsson subsequently withdrew from handset production and outsourced manufacturing to Flextronics International.


Given the far-reaching consequences of this event, where did this figure in the Ericsson Risk Register, or was this such an unforeseen event that it didn't register?

In many ways, this highlights why the Risk Register and Business Continuity Planning need to be kept separate

The Risk Register focuses on the major organisational risks and assesses the Likelihood and Consequence of the risk. It then defines risk management and mitigation measures. But it can miss the unknown risks, the so-called Black Swans and lower-level operational risks, as in the example above.

If we think about the Covid Pandemic, most organisations hadn’t planned for it and didn't list Global Pandemic on their Risk Register.

Many office-based businesses had the infrastructure in place (Microsoft Office 365, Teams etc) so that they could flip the operations to a virtual set-up. They had planned, perhaps inadvertently, for the loss of the working environment, regardless of the cause, in this case, "Lock-down".

It also highlights the difference between the Disaster Recovery Plan (DRP) - for dealing with major events and the Business Continuity Plan - the ability to continue delivering your products and services regardless of what the business experiences.

The DRP reacts should a major event occur.

The Business Continuity Plan (BCP) should minimise disruption in the first place (in the example above, by utilising a dual- or multi-supplier policy or Just-in-Case supply chain strategies, as Nokia had) and allow the business to recover its operations within its Tolerance for Disruption.

A key element to this is the Analysis phase of the Business Continuity process, particularly Business Impact Analysis, which will help identify where the programme design needs to be targeted. In many respects, a robust BCP effectively ignores "Likelihood" and focuses on Consequence – “it doesn’t matter why the supplier isn’t able to supply, we have a plan b”.

Black swan event

Ignoring Likelihood

In some recent planning work with a business, a key part of the process, distribution of product, was outsourced to a national company. Whilst there can be an assumption that larger organisations will have robust Disaster Recovery and Business Continuity in place, again, as highlighted above, this is not always the case. So, as part of their Programme Design, they started to address the "Loss of Distribution Capability" and within 6 weeks, their distribution partner served notice on them. A non-event-specific approach meant they were already able to deal with this.

With another business that we worked with, one of their Business Continuity Objectives was to put in place a dual-supplier strategy to remove the risk of a critical component in their product; a new supplier would take upwards of 20 weeks to bring on board, and they had a Minimum Tolerable Period of Disruption (MTPD) of 12 weeks. Within 6 months of the new supplier coming online, they had to invoke this business continuity measure as their original supplier came close to financial collapse.

And unlike the DRP, the BCP is constantly operating, using readily deployable arrangements and resources to reinstate its business functionality, regardless of the severity of the incident. 

So how should the Risk Register interact with the Business Continuity Plan?

One way is quite simply that Business Continuity or Resilience (i.e. the ability to continue delivering product/service ...) should be one of the risks identified on the Risk Register, the treatment for which is the Business Continuity Plans. The plans should be how the organisation deals with unknown or unforeseen risks.

The second is to use the Risk Register to validate the outcomes of the BCP – does it deal with our major risks?

It is important to understand that they are separate risk tools.


© 2024 BCarm. All rights reserved.


U.S. Department of the Treasury

Treasury publishes 2024 national risk assessments for money laundering, terrorist financing, and proliferation financing.

Reports Confirm and Update Key Illicit Finance Concerns in Response to Evolving Threat and Risk Environment 

WASHINGTON –  Today, the U.S. Department of the Treasury published the 2024 National Risk Assessments on Money Laundering, Terrorist Financing, and Proliferation Financing. These reports highlight the most significant illicit finance threats, vulnerabilities, and risks facing the United States. 

The reports detail recent, significant updates to the U.S. anti-money laundering/counter-financing of terrorism framework and explain changes to the illicit finance risk environment. These include the ongoing fentanyl crisis, foreign and domestic terrorist attacks and related financing, increased potency of ransomware attacks, the growth of professional money laundering, and continued digitization of payments and financial services. These assessments also address how significant threats to global peace and security—such as Russia’s ongoing illegal, unprovoked, and unjustified war in Ukraine and Hamas’s October 7, 2023 terrorist attacks in Israel—have shaped the illicit finance risk environment in the United States.

Today’s publications are the fourth iterations of the money laundering and terrorist financing risk assessment, and the third update of the proliferation financing risk assessment, in less than a decade. The public and private sectors can use these updated risk assessments to better understand the current illicit finance environment and inform their own risk mitigation strategies. 

“Whether it’s terrorism, drug trafficking, Russian aggression, or corruption, illicit finance is the common thread across our nation’s biggest national security threats,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “Treasury, through our National Risk Assessments, is at the cutting edge of analyzing the global risk environment to protect the U.S. and international financial systems from abuse by illicit actors. We urge both the public and private sectors to engage with these reports, as well as our forthcoming National Strategy for Combatting Terrorist and Other Illicit Finance.”

Key findings:

  • Money Laundering: Criminals use both traditional and novel money laundering techniques, depending on availability and convenience, to move and conceal illicit proceeds and promote criminal activity that harms Americans. The crimes that generate the largest amount of illicit proceeds laundered in or through the United States remain fraud, drug trafficking, cybercrime, human trafficking and human smuggling, and corruption. The United States continues to face both persistent and emerging money laundering risks related to: (1) the misuse of legal entities; (2) the lack of transparency in certain real estate transactions; (3) the lack of comprehensive AML/CFT coverage for certain sectors, particularly investment advisers; (4) complicit merchants and professionals that misuse their positions or businesses; and (5) pockets of weaknesses in compliance or supervision at some regulated U.S. financial institutions.
  • Terrorist Financing: The United States continues to face a wide range of terrorist financing threats and actors, both foreign and domestic. Consistent with the 2022 risk assessment, the most common financial connections between individuals in the United States and foreign terrorist groups entail individuals directly soliciting funds for or attempting to send funds to foreign terrorist groups utilizing cash, registered money services businesses, or in some cases, virtual assets. The 2024 report also discusses Hamas and the ways they exploit the international financial system, including through solicitation of funds from witting and unwitting donors worldwide. Additionally, domestic violent extremist movements have proliferated in recent years, posing an elevated threat to the United States and continued challenges for law enforcement.
  • Proliferation Financing: Russia and the Democratic People’s Republic of Korea (DPRK) presented heightened risk since the 2022 assessment. To support its unlawful war in Ukraine, Russia has expanded efforts to illegally acquire U.S.-origin goods with military applications using a variety of obfuscation techniques, such as the use of front companies and transshipment points around the world. Networks linked to the DPRK increasingly exploit the digital economy, including through hacking of virtual asset service providers and the overseas deployment of fraudulent information technology workers.

Treasury’s Office of Terrorist Financing and Financial Crimes led the assessment process and coordinated closely with offices and bureaus across the Department, relevant law enforcement and regulatory agencies, staff of the federal functional regulators, and across the intelligence and diplomatic communities.

In the coming weeks, Treasury will release the 2024 National Strategy for Combatting Terrorist and Other Illicit Finance, a strategic plan directly informed by the analysis contained in the risk assessments. In the strategy, Treasury will share recommendations for addressing the highlighted issues. This valuable feedback has aided Treasury in assessing and addressing illicit finance risk identified in prior iterations of the strategy to support improvements to the AML/CFT regime, including the launching of the new beneficial ownership reporting requirement that went into effect on January 1, 2024, and informing forthcoming proposed rules to address illicit finance vulnerabilities in the residential real estate sector and for certain investment advisers.

The 2024 National Money Laundering Risk Assessment

The 2024 National Terrorist Financing Risk Assessment

The 2024 National Proliferation Financing Risk Assessment


These four chokepoints are threatening global trade.

Right now, more than 50% of global maritime trade is at threat of disruption in four key areas of the world.

While the conflict in the Red Sea has been high in the news agenda, there are three other maritime passageways that risk becoming chokepoints due to either geopolitical or environmental factors.


1. The Suez Canal and Bab El-Mandeb Strait.

The Suez Canal, which connects the Red Sea to the Mediterranean, normally accounts for about 12% of global maritime trade.

  • Since the start of Houthi attacks on international shipping in late 2023, some 470 container vessels have already been re-routed. Sending ships around the Cape of Good Hope adds between 9 and 17 days of transit time.

2. The Strait of Hormuz.

This strait, between Iran to the north and UAE and Oman to the south, is significant for both energy and goods shipping.

  • Some 20% to 30% of oil trade passes through this strait, and a significant amount of global shipping volumes.

If Iran were to be drawn more directly into the ongoing conflict in the Middle East, the free passage of vessels through the strait could be at risk.

3. The Straits of Malacca and Taiwan.

The Strait of Malacca, between Singapore, Malaysia and Indonesia, is the shortest shipping route between East Asia and the Middle East and Europe and accounts for 30% of global trade.

  • Two-thirds of China’s trade passes through the Strait of Malacca each year, including 80% of its energy imports.

There is an ongoing dispute between China and several members of the ASEAN trade area over a large area in the South China Sea.

  • Also in the region, the Strait of Taiwan is another important shipping lane: 40% of the world’s container fleet passes through it.

Both trade routes are subject to heightened geopolitical uncertainty.

4. The Panama Canal.

The canal, which links the Atlantic Ocean and the Pacific Ocean, accounts for 5% of total global container trade, and some 46% of the trade from the US East Coast to East Asia.

It is facing a severe drought due to the El Niño weather phenomenon.

The authority that manages the canal has responded to low water levels by temporarily reducing the number of transits and ensuring the weight of the cargo is suitable.

The So What

“These geopolitical risks could turn into a physical impossibility of moving goods to certain destinations. In the short term it will extend lead times on goods. In the longer term, it is likely to make firms seek shorter supply chains because of the risk and higher capital costs associated with maritime transport,” says Michael McAdoo, a BCG partner and director, and one of the authors of BCG’s Future of Trade report.

“The financial impact is likely to impact producers most as they adapt their routes to market. But, as with almost any disruption, there are also opportunities, especially for freight companies to bring new solutions,” says Peter Jameson, a BCG managing director and partner who specializes in shipping.

  • Diversify shipping routes and transport choices. Shippers should proactively work with their logistics providers to build new solutions. Options to consider include alternative shipping routes through the Arctic, combining ship and air (for example by shipping to Dubai and then flying to Europe), or using rail for parts of the journey to avoid choke points.
  • Escort vessels. The use of military or private escorts could be considered to protect ships carrying cargo. Some governments will have a strong national interest in protecting both trade and/or their national shipping companies.
  • Prioritize advanced communications. Leveraging advanced technologies, especially artificial intelligence, is key for proactive risk management, allowing for the anticipation of disruptions and rapid response. Ships should become even more connected to each other, sharing locations and observations. Customers will also benefit from real-time updates on the progress of cargo.
  • Build inventories and storage. Companies need to plan for resilience, and may need to update or expand infrastructure, including port capacity or storage facilities. Reassessing the design and capacity of warehouses, for example, could help create a hedge around potential disruptions. As happened at the height of the COVID pandemic, companies and governments will need to assess their strategic priorities.
  • Step up contingency planning. Companies should examine how different bottlenecks may emerge or could be alleviated, and pinpoint specific areas where they are structurally exposed. Digital twins and modelling can help here. They can also look for existing points of redundancy in existing supply chains to free up capacity. Strengthening financial strategies, including comprehensive insurance and prudent financial planning is also vital to safeguard against the economic setbacks of unexpected logistical challenges. Pricing strategies may also need to be reconsidered in order to protect margins.


© Boston Consulting Group 2024. All rights reserved.

For information or permission to reprint, please contact BCG at [email protected] . To find the latest BCG content and register to receive e-alerts on this topic or others, please visit bcg.com . Follow Boston Consulting Group on Facebook and X (formerly Twitter) .

Related Content

What’s Next

Read more insights from BCG’s teams of experts.

" "

Right Now from BCG

Newsletter: Expert Analysis of Topics in the News

" "

Jobs, National Security, and the Future of Trade

As global trade patterns change due to disruption, regional trade blocs with protectionist leanings gain influence.

" "

Harnessing the Tectonic Shifts in Global Manufacturing

Trade disruptions have prompted many global companies to shift where they produce and source goods. But getting the desired results requires a difficult balancing act.

" "

Supply Chain Management

BCG helps organizations focus on building resilience and sustainability into their supply chains to mitigate disruptions and trade instability. We also help maximize the return on these critical investments.


