How to create a Risk Register?

We looked at the basics of a Risk Register, including all the attributes involved, in my last post, Basics of a Risk Register. At the end of that post we mentioned that the Risk Register, the most important artifact/tool of Risk Management, gets built step by step over the different phases of risk management. Let’s take a quick look at which attributes get added when.

However, do note that during each of the stages that we identify below, previously added attributes may get updated, clarified and even expanded.

Stages through which a Risk Register gets built


During the identification stage, you identify the risks based on your and your team’s experiences on similar projects and technologies. During this stage you would start entering the risks in the register by logging a unique id, the name of the risk and a basic description. And yes, an initial status will also be assigned.


In this stage you would analyze the risk, expand on the description, start tracking it through its status and assign a category to the risk.


During this stage, you identify the probability/frequency and impact and derive the risk composite index, which helps to prioritize the risk. These changes could also result in re-categorization of the risk as well as updates to the status and the description.


In this stage you would define the mitigation plan and also put in a contingency strategy. An owner for the risk is also formally assigned in this stage.

Monitoring and Controlling

While no new attributes are added in this stage, all attributes will get updated and expanded. Status is one of the key attributes that will get updated, as the risk is being monitored and controlled.

While it might be tempting to take these stages of risk management and turn them into phases of a project, it is best to consider them as stages in the lifecycle of a specific risk. As most of the risks identified initially in the project move towards the “Monitoring and Controlling” stage, newer risks will get identified and will start progressing through their own lifecycle.