Risk Register: Definition, Example & How to Create One

Governance Glossary

Published: April 14, 2024
Last Reviewed: March 9, 2026
Risk Register

Key Takeaways

  • A risk register is a document that records identified risks, their likelihood, impact, and planned mitigation actions.
  • It is a living document that should be reviewed and updated regularly as circumstances change.
  • Risk registers support board oversight by providing a structured record of how the organisation manages risk.
  • Responsibility for maintaining the register typically sits with the CEO or risk manager, with board oversight.
  • A risk register works alongside a risk matrix — the register holds detail, the matrix provides a visual summary.

If your organisation plans complex projects, collects personal information, or works with vulnerable people, the number of risks you need to track grows fast. A risk register is how you keep that list manageable — it is part of any non-profit’s toolkit for managing risks.

Without one, it is hard to stay on top of areas like cyber security, climate risk, financial abuse prevention, and the obligations that come with working with partners.

What is a risk register?

A risk register (also called a risk log) is a document that records each risk your organisation has identified, how likely it is, what the consequences would be, and what you plan to do about it. Each entry begins with a risk statement — a concise description of the event, its cause, and its potential impact. The register is normally used alongside a risk action plan.

AS/NZS ISO 31000:2018, the risk management standard used in Australia and New Zealand, describes the risk register as a core record within the risk management process.

The register is a living document — you revise it as circumstances change, and it should be part of your formal risk management process. A related tool is the risk matrix. The difference: a risk register is a detailed spreadsheet with descriptions, owners, and action plans. A risk matrix is a visual grid that maps risks by likelihood and impact using colour coding. Most organisations use both.

What is the purpose of a risk register?

A risk register makes risk visible. It gives directors, managers, and staff a shared record of what could go wrong, how serious it would be, and who is responsible for doing something about it. You use it to brainstorm risks, develop responses before problems arise, and act quickly when they do.

The register also forces structured thinking about risk before a project begins. What you learn from maintaining one feeds directly into decisions about which projects to approve and how they should be designed. The specific risk areas that matter most will depend on your organisation’s environment, services, and systems.

Risk categories for a risk register

Choose categories that match your organisation’s actual projects and activities. Common ones include data security, regulatory compliance, and natural disasters.

In the non-profit sector, the ACNC governance toolkit highlights additional areas: protecting vulnerable people and their data, preventing financial abuse or misconduct, and managing partner relationships. At a practical level, your categories will cover day-to-day concerns — equipment maintenance, building security, confidentiality and privacy, physical safety, and fire exits. These categories become the headings in your register.

What to include in a risk register

A risk register is usually a spreadsheet or table with columns for each element. Start by listing each risk with a brief description and the person responsible for responding to it. Add a rating scale (for example, 1 to 5) so you can score each risk by likelihood and impact.

The register should also include an action plan for each risk. Decide on the organisation’s priorities, then add concrete strategies — staff training, qualification checks for new hires, media liaison plans, or communication strategies to build public trust. Typical column headings: Risk, Description, Impact, Risk Level (1 to 5), Mitigation Plan, and Person Responsible.

Example risk register entry

Risk: Data breach
Description: Unauthorised access to member records due to outdated access controls
Impact: Privacy Act breach, reputational damage, potential fines
Risk Level (1-5): 4
Mitigation Plan: Quarterly access reviews, MFA rollout by Q3, staff training
Person Responsible: IT Manager

How often should a risk register be reviewed?

There is no single rule, but most governance frameworks recommend a formal review at least quarterly, with updates whenever a significant change occurs — a new project, a legislative change, or an incident. The board should sight the risk register at every regular meeting, even if the detailed review is done by management. The ACNC recommends that charities review their risk management practices at least annually.
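The columns listed above, the example entry and the quarterly review cadence can be shown together in a small script. This is an added example, not part of the Better Boards page or any tool it describes: it models each register row as a record, folds separate likelihood and impact scores (each 1 to 5) into the single "Risk Level (1-5)" column, lists the highest-rated risks first, and flags entries that have not been reviewed within a quarter. The band boundaries used for the risk level, the 91-day review window and every entry other than the page's own data breach row are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not from the original page. The 1-5 risk level bands below
# are an assumption: likelihood x impact (1..25) is folded into five bands.


def risk_level(likelihood: int, impact: int) -> int:
    """Fold a likelihood x impact product into the page's 1-5 risk level."""
    for score in (likelihood, impact):
        if not 1 <= score <= 5:
            raise ValueError("likelihood and impact must be scored 1 to 5")
    product = likelihood * impact
    if product <= 2:
        return 1
    if product <= 5:
        return 2
    if product <= 10:
        return 3
    if product <= 16:
        return 4
    return 5


@dataclass(frozen=True)
class RiskEntry:
    """One row of the register, using the page's column headings."""
    risk: str
    description: str
    impact: str            # consequence in words (the Impact column)
    likelihood: int        # 1-5
    impact_score: int      # 1-5
    mitigation_plan: str
    person_responsible: str
    last_reviewed: date

    @property
    def risk_level(self) -> int:
        return risk_level(self.likelihood, self.impact_score)


def prioritised(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest-rated risks first; ties keep their register order."""
    return sorted(register, key=lambda e: e.risk_level, reverse=True)


def overdue_reviews(register: list[RiskEntry], today: date,
                    max_age_days: int = 91) -> list[RiskEntry]:
    """Entries not reviewed within roughly a quarter (91 days is an assumption)."""
    return [e for e in register if (today - e.last_reviewed).days > max_age_days]


def render(register: list[RiskEntry]) -> str:
    """Plain-text rendering of a subset of the column headings, prioritised."""
    header = "Risk | Risk Level (1-5) | Mitigation Plan | Person Responsible"
    rows = [f"{e.risk} | {e.risk_level} | {e.mitigation_plan} | {e.person_responsible}"
            for e in prioritised(register)]
    return "\n".join([header, *rows])


# Constructed sample register. The first entry mirrors the page's example row
# (scored 4 x 4 so it lands on the page's level 4); the scores, dates and the
# other two entries are made up for illustration.
SAMPLE_REGISTER = [
    RiskEntry("Data breach",
              "Unauthorised access to member records due to outdated access controls",
              "Privacy Act breach, reputational damage, potential fines", 4, 4,
              "Quarterly access reviews, MFA rollout by Q3, staff training",
              "IT Manager", date(2025, 5, 1)),
    RiskEntry("Blocked fire exits", "Storage in corridors obstructs emergency exits",
              "Injury to staff or clients", 2, 5,
              "Monthly walk-through, clear-corridor policy",
              "Facilities Manager", date(2025, 1, 15)),
    RiskEntry("Laptop theft", "Unencrypted laptops taken off site",
              "Loss of client data", 3, 2,
              "Full-disk encryption, asset register", "IT Manager", date(2025, 4, 10)),
]
TODAY = date(2025, 6, 30)  # constructed "as at" date for the review check

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    for entry in overdue_reviews(SAMPLE_REGISTER, TODAY):
        print(f"REVIEW OVERDUE: {entry.risk} (last reviewed {entry.last_reviewed})")
```

Run as-is, the script prints the prioritised register with the data breach row at level 4 on top, then flags the fire-exit entry as overdue because its last review is well outside the quarter. Keeping likelihood and impact as separate scores, rather than only the combined level, is what lets the same rows feed a risk matrix later.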

Frequently Asked Questions
Who is responsible for the risk register?

The responsibility for maintaining a risk register typically sits with the CEO or risk manager, with board oversight. In project-specific contexts, the project manager may own the register. Every individual on the team should be involved in identifying and acting on risks. Employees and volunteers should be empowered to help identify risks. Even clients and partners may be aware of potential problems, and the organisation should have a mechanism for collecting that information and acting on it.

In Australia, the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 strengthened protections for people who report crimes or misconduct. Not-for-profit organisations that meet the definition of a 'trading or financial corporation' under the Corporations Act 2001 must comply with the whistleblower protection regime. The obligation to maintain a formal whistleblower policy applies specifically to public companies limited by guarantee with annual consolidated revenue of $1 million or more.

A risk register or risk log is often designed as a database or repository of risk information that holds the data needed to understand and manage risk over time. In larger non-profits and companies, responsibility for keeping the repository up to date may fall to the project manager or risk manager on the team, who makes frequent updates to the central record of current risks and the mitigation plans in place. While risk management is essential for all non-profits regardless of size, some organisations may not have the resources to assign an individual to this role. The work then falls on board members or the executive director to manage risk, maintain an up-to-date risk register, and delegate the work of managing individual risks. A board register tool can help your organisation maintain and track risk registers alongside other essential governance documents.

What is a Risk Rating?

A risk rating is a qualitative assessment of whether a risk is low, medium, or high. A risk register should include a section setting out the rating scale used to score the negative impact of each risk item. For example, if there is a high chance that the risk will occur and the organisation would be significantly affected, the person completing the register will probably record a high (4) risk level. Items that score higher on the rating scale should be prioritised.

Further Resources

Practical Risk for Company Directors Course

Integrating ESG into Not-for-Profits: Managing Risks and Opportunities

Strengthening Risk Management at the Board Table

Volunteering Australia’s Guide Running the Risk: Risk Management Tool For Volunteer Involving Organisations

ASIC: Whistleblower Protections for Not-for-Profit Organisations

The Board and Risk Management

Our Cat Herder: Board Registers — A tool for managing your organisation’s governance registers

About

Better Boards connects the leaders of Australasian non-profit organisations to the knowledge and networks necessary to grow and develop their leadership skills and build a strong governance framework for their organisation.
