Risk Register

Governance Glossary

Published: April 14, 2024

Having a risk register is a critical part of a non-profit’s toolkit for managing risks. If your organisation regularly plans large, long, or complex projects, collects personal information, or works with vulnerable people, it can become difficult to manage the risks as they grow.

Developing internal resources to manage important risk areas like cyber security, climate, protecting vulnerable people, avoiding financial abuse, and ethically working with partners becomes critical.

What is a Risk Register?

A risk register is a qualitative analysis tool used to track and monitor the risks that could impact the work of your not-for-profit organisation. It is normally used together with a risk action plan. Also called a risk log, the risk register is an important part of the risk management process. A risk register helps you record every risk you identify and the likelihood that it will occur. The register documents the potential consequences of each risk and assists organisational leaders in developing strategies that respond to risk priorities.

The register becomes a living document that is revised regularly as circumstances change. It should be integrated into a formal risk management planning process and the overall project plan. A similar tool is the risk matrix. Both documents assess the level of risk and help measure the seriousness and probability of each risk. However, risk registers are usually in the form of a spreadsheet with no graphics and are much more detailed. A risk matrix, on the other hand, is more visual and is presented as a grid with colour elements.

What is the Purpose of a Risk Register?

The purpose of a risk register is to identify, record, and track potential risks related to your work and help you plan a strategy for responding to something unexpected. The register allows individuals and teams to assess the level of risk and act when needed. With the help of a risk register, you can brainstorm individual and group risks, develop ways of addressing potential problems before they arise, and quickly manage issues as they occur.

The objective of developing a risk register is to encourage directors, managers and staff to think about the risks that may arise from the decisions they make and the projects they develop and implement. The knowledge you gain from your register can inform decisions about which projects to approve, and how they should be designed to reduce potential negative impact. This work should be done before the project team begins its work and should be integrated (and tested) in all aspects of operations. The environment, services, and systems of each non-profit will help determine the risk areas that are most likely to create potential issues.

Risk Categories for a Risk Register

Risk categories help you list and monitor potential problems and build a strategy for reducing risk and its negative impact. The aim is to choose categories that reflect your organisation’s projects and activities so that you can tailor your risk management program to the needs of your staff and clients. Some of the more common risk areas involve data security, non-compliance or breaches of the law, and catastrophic events or natural disasters.

In the non-profit sector, other risk areas such as protecting vulnerable people and their data, avoiding financial abuse or misconduct, and working with partners become important. On a practical level these categories will cover the day-to-day work your staff are responsible for, such as equipment purchases and maintenance, grounds condition and upkeep, confidentiality and privacy, building security, exposure to dangerous situations or physical harm, and fire safety and emergency exits. Your risk categories will become your register headings.

Who is responsible for the risk register?

The responsibility for creating a risk register falls on the project manager, and every individual on the team should be involved in identifying and acting against risks. Employees and volunteers should be empowered to help identify risks. Even clients and partners may be aware of potential problems, and the organisation should have a mechanism for collecting that information and acting on it. In Australia, whistleblower protection allows people who see crimes or misconduct to share the information anonymously, and requires incorporated entities to comply with the relevant provisions of the Corporations Act 2001.

A risk register or risk log is often designed as a database or repository of risk information that holds the critical data needed to understand and manage risk over time. In larger non-profits and companies, the responsibility for keeping the repository or database up to date may fall to the project manager or risk manager on the team. They make frequent updates to the central record of current risks and the mitigation plans in place. While risk management is essential for all non-profits regardless of size, some organisations may not have the resources to assign an individual to this role. The work then falls to whoever is delegated the task of managing risks.

What is a Risk Rating?

A risk rating is a qualitative risk assessment method for deciding whether a risk is low, medium, or high. A risk register should include a section with the rating scale used to determine the negative impact of each risk item. For example, if there is a high chance that the risk will occur and the organisation will be negatively impacted, the individual using the risk register will probably indicate a high (4) risk level. Items that score higher on the risk rating scale should be prioritised.

What to Include in a Risk Register

Risk registers are essentially a usable spreadsheet, table, or form intended as a decision-making tool for boards and management. When creating the register, ask yourself whether existing controls are adequate or a new approach is needed. List each risk and briefly describe it. Then, identify who is responsible for acting during an incident. Your register should have some sort of scale for evaluating the level of risk (Low, Medium, High) so that the user can assign a risk rating to each item as it is evaluated. This will help you assess the potential impact of each risk.

The register should include a proposed action plan. First, decide what the organisation’s priorities and preferred options for avoiding or managing risks are. Then add concrete strategies to the register, such as implementing training, verifying the qualifications of new staff, liaising with media, or using communication strategies to build public trust. As you develop the register, you can add headings like Risk, Description, Impact, Risk Level (1 to 5), Mitigation Plan, and Person Responsible.
