Risk Register
Track risks with severity, owner and mitigation.
Overview
The Risk Register is a structured inventory of the things that could go wrong in your business and what you are doing about them. Each entry describes a risk, its likelihood, its potential impact, an overall severity score, an owner, and the mitigation plan in place. It is the discipline behind any serious approach to risk management, used by regulated industries by necessity and by well-run small businesses by choice.
Keeping a register changes the conversation from "what if" to "we know, and here is the plan." It also surfaces gaps: when you write down a risk, you immediately notice that the mitigation is theoretical, or that the owner is the same person on every line, or that the highest-severity items have no plan attached. Those discoveries are the whole point.
How it works
You add a risk by entering a title, a description, a category (operational, financial, legal, technical, people, reputational), a likelihood rating, an impact rating, and a calculated or assigned severity. Assign an owner who is accountable for monitoring and reducing the risk, and capture the current mitigation steps and any planned actions with target dates.
Filter the register by severity to focus on the items that matter most, and review it on a regular cadence. Risks evolve: some shrink with new controls, others grow as the business changes shape, and a periodic review keeps the register honest.
Examples
- Key person dependency. Flag the single engineer who knows the legacy billing system as a high-severity risk, with cross-training as the mitigation and a target date.
- Vendor concentration. Track the percentage of revenue from a single customer and the diversification plan that reduces exposure.
- Compliance gap. Record a known control weakness, the deadline by which it must be closed, and the owner driving remediation.
- Cyber risk. Capture the risk of a phishing-driven breach with severity, the email security controls in place, and the awareness training cadence.
FAQ
What scale should I use for likelihood and impact?
A simple 1-to-5 scale works well. Multiply them to get a severity score from 1 to 25, then group into bands such as low, medium, high, critical.
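As an added illustration of the fields described under "How it works" and the 1-to-5 scoring above, the following Python sketch is not the product's own code: it models a register entry, computes severity as likelihood times impact, filters by band, and runs the review checks the overview mentions (a high-severity item with no mitigation, a passed target date, one person owning every line). The page names the bands but not their cut-offs, so the thresholds in BANDS, the sample entries and the review date are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Categories listed on the page under "How it works".
CATEGORIES = {"operational", "financial", "legal", "technical", "people", "reputational"}

# Severity bands over the 1..25 product of likelihood x impact.
# The page names the bands but not their cut-offs; these thresholds are assumed.
BANDS = (("low", 1, 4), ("medium", 5, 9), ("high", 10, 14), ("critical", 15, 25))


def band_for(severity: int) -> str:
    """Map a 1..25 severity score onto the assumed band names."""
    for name, lo, hi in BANDS:
        if lo <= severity <= hi:
            return name
    raise ValueError(f"severity out of range: {severity}")


@dataclass
class Risk:
    title: str
    category: str
    likelihood: int          # 1..5
    impact: int              # 1..5
    owner: str               # person accountable for monitoring and reducing the risk
    mitigation: str = ""     # current mitigation steps; empty means none recorded
    target_date: Optional[date] = None  # due date for the planned action, if any

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def severity(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return band_for(self.severity)


def filter_by_band(register: List[Risk], *bands: str) -> List[Risk]:
    """Return the entries in the requested bands, most severe first."""
    wanted = set(bands)
    return sorted((r for r in register if r.band in wanted), key=lambda r: -r.severity)


def review_gaps(register: List[Risk], today: date) -> List[str]:
    """The periodic-review checks: findings a reviewer should raise."""
    findings = []
    for r in register:
        if r.band in ("high", "critical") and not r.mitigation.strip():
            findings.append(f"{r.title}: {r.band} severity with no mitigation recorded")
        if r.target_date is not None and r.target_date < today:
            findings.append(f"{r.title}: target date {r.target_date} has passed")
    owners = {r.owner for r in register}
    if len(register) > 1 and len(owners) == 1:
        findings.append(f"every risk is owned by {owners.pop()}")
    return findings


# Constructed sample register, loosely following the page's four examples.
SAMPLE_REGISTER = [
    Risk("Key person dependency", "people", 4, 5, "CTO",
         "cross-training a second engineer on legacy billing", date(2024, 6, 30)),
    Risk("Vendor concentration", "financial", 3, 4, "CFO"),          # no mitigation yet
    Risk("Compliance gap", "legal", 2, 4, "COO",
         "close control weakness in access reviews", date(2024, 1, 31)),
    Risk("Cyber risk", "technical", 3, 5, "Head of IT",
         "email security controls; quarterly awareness training"),
]
REVIEW_DATE = date(2024, 3, 1)  # constructed "today" for the sample review


if __name__ == "__main__":
    for r in filter_by_band(SAMPLE_REGISTER, "critical", "high"):
        print(f"{r.severity:2d} {r.band:8s} {r.title} (owner: {r.owner})")
    for finding in review_gaps(SAMPLE_REGISTER, REVIEW_DATE):
        print("REVIEW:", finding)
```

Because the band cut-offs are a policy decision rather than anything the page fixes, keep them in one place (BANDS) so a change to the banding does not silently alter which items the review checks flag.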
How often should the register be reviewed?
Monthly for active risks, quarterly for the full register. High-severity items deserve their own conversation in leadership meetings.
Should every minor risk be listed?
No. Focus on risks that warrant management attention. Trivial items clutter the register and obscure the real signal.
Who owns the register?
A single owner (often the COO or founder in a small business) keeps it current. Individual risks have their own named owners.
Is this a compliance register?
The structure works for compliance use cases but is not certified for any specific framework; treat it as the starting point.