This Risk Register template is used by business analysts to give project risk its own dedicated tracking and review cadence, going deeper than a single column in a broader status document.
What Is a Risk Register?
A Risk Register is a standalone log purpose-built for tracking project risks — things that might happen and would harm the project if they did. Unlike a general status report that mentions risk in passing, a Risk Register scores each risk by likelihood and impact, records a specific plan to reduce it, records a separate fallback plan for if it happens anyway, and assigns a named owner who reviews it on a set cadence, not just when something goes wrong.
What Should a Risk Register Include?
- Risk ID and description — specific enough that two different reviewers would identify the same underlying risk
- Likelihood and impact — scored on a consistent scale (e.g. 1–5), not just “high/medium/low” with no shared definition of what each level means
- Risk score — likelihood × impact, used to rank which risks get discussed first
- Mitigation plan — the action being taken now to reduce likelihood or impact
- Contingency plan — the fallback plan already agreed for if the risk happens anyway
- Owner — a named individual with enough authority to actually act on the risk, not just monitor it
- Status — open, mitigating, closed, or realised (moved to the issue log)
Risk Register vs RAID Log — What’s the Difference?
A RAID log tracks risk at summary level alongside assumptions, issues, and dependencies — good for a fast, whole-project health check in one pass. A standalone Risk Register goes deeper specifically on risk: a scored likelihood and impact, a separate mitigation and contingency plan for each item, and its own dedicated review session rather than being one line item among four categories. Larger or higher-risk projects typically run both — the RAID log for the quick daily view, the Risk Register for the detailed one it summarises from.
Common Mistakes When Running a Risk Register
- Unscored or inconsistently scored risks. “High/medium/low” with no shared definition means every reviewer scores differently — use a numeric scale with written criteria for each level.
- Confusing mitigation with contingency. Mitigation reduces the chance of a risk happening; contingency is what you do if it happens anyway. A register that only records one is missing half the plan.
- Owner without authority. Assigning a risk to someone who can only monitor it, not act on it, means mitigation never actually happens.
- Reviewed once and forgotten. Risk profiles shift as a project progresses — a register reviewed only at kickoff is a snapshot, not a management tool.
What’s Included in This Template
- Pre-structured sections with guidance notes
- Worked examples from real BA projects
- Guidance for Agile, waterfall, and hybrid approaches
- Easy to adapt to your organisation’s standards
How to Use This Template
Set up the Risk Register at project kickoff and review it on a fixed cadence — weekly for higher-risk projects, at each milestone for lower-risk ones. Each section has guidance notes explaining what to include and why — based on real BA practice, not textbook theory. Remove sections that don’t apply and add organisation-specific fields.
When a risk materialises, it should move out of the Risk Register and into the issue section of your RAID Log — it’s no longer something that might happen, it’s something that needs resolving now.
Why Requirements Templates Matter
Consistent documentation is one of the most underrated BA skills. A well-structured document:
- Sets clear expectations from day one
- Reduces “we didn’t know that was in scope” conversations
- Creates an audit trail for decisions and changes
- Speeds up new team member onboarding
- Builds your credibility as a professional BA
Browse All Free Templates
Our free BA template library covers 15 core documents. For 175 practitioner-level templates covering the full BA lifecycle, see our BA Toolkit — Complete Pack. Free account required for the library, no payment.
Want to Master These Tools?
Templates are a starting point. Our BA training courses teach you how to apply them in real projects — with exercises, feedback, and examples from experienced BAs. Start with our free intro course.
Frequently Asked Questions
What is a Risk Register used for?
It tracks project risks in detail — likelihood, impact, mitigation, contingency, and a named owner — giving risk its own management cadence instead of being one column in a broader document.
What is the difference between a Risk Register and the risk section of a RAID log?
A RAID log covers risk at summary level alongside assumptions, issues, and dependencies. A Risk Register goes deeper, with scored likelihood and impact and separate mitigation/contingency plans. Larger projects often use both.
What is the difference between mitigation and contingency?
Mitigation reduces the chance or impact of a risk before it happens. Contingency is the fallback plan for if it happens anyway. A complete Risk Register records both.
Free download
Get the Free BA Templates & Toolkit
14 ready-to-use templates: stakeholder register, requirements document, process map, RAID log, and more — built from real BA project experience.
No spam, ever. Unsubscribe any time.
NZ's #1 BA Certification
Become a Certified Better Business Analyst
6-week self-paced certification. Real case studies. Globally recognised credential. From $349 NZD — vs USD $3,000+ for comparable programmes.
30-day money-back guarantee

