Risk Register Generator
Generate a risk register from pasted or imported rows with likelihood-impact scores, residual exposure, owner gaps, treatment actions, and review dates.
Introduction:
A risk register is a working record of uncertain events or conditions that could change a project's cost, schedule, quality, security, service, or adoption outcome. Each row should name the risk, why it matters, who owns it, what would show that it is becoming real, and what response is planned before the next review.
The useful part is not the row count. A good register helps a team compare risks in a consistent way, choose which ones need treatment now, and see whether the planned response reduces exposure enough to keep work moving. It also keeps ownership visible, which matters because a serious risk without one accountable owner can sit in a meeting note for weeks without changing.
Likelihood and impact scores are useful because they force a shared scale onto messy judgment. Inherent exposure describes the risk before the planned response. Residual exposure describes the remaining score after the response is applied or estimated. The residual score is often the better agenda item because it shows what still needs attention after the team has named an owner and a treatment.
A register is planning evidence, not proof that a risk is under control. Scores depend on the team's scale definitions, the quality of the risk statement, and whether the response is funded and active. Review dates, triggers, and residual scoring should change when new evidence appears.
Technical Details:
Risk scoring in this register uses a qualitative matrix. Likelihood and impact are converted to integer points on the selected scale, then multiplied. That product is exposure: a simple priority signal for comparing risks that were scored with the same matrix and the same appetite assumptions.
Residual exposure is not a forecast of exactly how much loss remains. It is a structured estimate after treatment. If a row supplies residual likelihood and residual impact, those values are used. If it does not, the response wording and treatment-effect setting estimate a reduction while keeping scores inside the selected matrix range.
Formula Core:
Each scored row starts with the same core calculation.
| Term | Meaning | How it appears in results |
|---|---|---|
| Likelihood | The chance or expected frequency of the risk event on the selected 3x3 or 5x5 scale. | Shown as the row's likelihood label and used in Inherent. |
| Impact | The consequence if the risk happens, again on the selected scale. | Shown as the row's impact label and used in Inherent. |
| Inherent exposure | Likelihood multiplied by impact before the response is considered. | Displayed in the Inherent column as score plus band. |
| Residual exposure | Residual likelihood multiplied by residual impact after entered or estimated treatment. | Displayed in the Residual column and used for the queue and chart. |
The band names come from the score as a share of the matrix maximum. Boundaries are inclusive at the lower edge shown below. The 5x5 matrix has a maximum score of 25; the 3x3 matrix has a maximum score of 9.
| Band | Ratio boundary | 5x5 score range | 3x3 score range | Interpretation |
|---|---|---|---|---|
| Critical | >= 0.72 | 18-25 | 9 | Exposure is high enough to demand management attention or a stronger response. |
| High | >= 0.48 | 12-17 | 6 | The risk should be treated, reviewed soon, or justified against appetite. |
| Moderate | >= 0.24 | 6-11 | 3-4 | The risk may be watched or treated depending on appetite, trigger, and owner confidence. |
| Low | < 0.24 | 1-5 | 1-2 | The risk can usually be monitored unless the trigger, owner, or business context says otherwise. |
Text ratings such as low, medium, moderate, high, and very high are converted to the selected scale, while numeric ratings are rounded and clamped to the scale. The output labels show the resulting points, so repeated reviews should keep the same matrix and wording conventions if the team wants a fair comparison.
| Response signal | Standard estimate when residual values are blank | Strong planned control estimate |
|---|---|---|
| Avoid | Reduce likelihood and impact by one point. | Reduce likelihood and impact by two points. |
| Transfer | Reduce impact by one point. | Reduce impact by two points. |
| Mitigate or Escalate | Reduce likelihood by one point. | Reduce likelihood and impact by one point. |
| Monitor | Leave likelihood and impact unchanged. | Reduce likelihood by one point. |
| No estimated reduction | Use the inherent likelihood and impact as residual values. | Same result, because the reduction setting is off. |
Status normalization keeps the working register readable. Closed and accepted rows are treated as inactive for the treatment queue, ownerless rows become Needs owner, and watch, treatment, escalation, and open language is normalized into consistent status badges. Auto-generated review dates are shorter for stronger residual bands and longer for low residual exposure.
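The scoring rules described in this section (the likelihood-impact product, the ratio bands, and the response-based residual estimate) can be written out as follows. This is an added example, not the tool's own code: the function names, the `signal` and `effect` fields, and the text-to-points mapping (low = 1, medium = scale midpoint, high = scale maximum, chosen to agree with this page's worked examples) are assumptions.

```javascript
// Added example, not the tool's source. Names and the text-to-points map are assumptions.
const REDUCTION = {            // [likelihood points, impact points] removed by the response
  standard: { avoid: [1, 1], transfer: [0, 1], mitigate: [1, 0], escalate: [1, 0], monitor: [0, 0] },
  strong:   { avoid: [2, 2], transfer: [0, 2], mitigate: [1, 1], escalate: [1, 1], monitor: [1, 0] },
  off:      {},                // no estimated reduction: residual equals inherent
};
const clamp = (n, max) => Math.min(max, Math.max(1, Math.round(n)));

// Convert a text or numeric rating to integer points on a 3- or 5-point scale.
function toPoints(rating, max) {
  const text = String(rating).trim().toLowerCase();
  // Assumed mapping, chosen to agree with the page's worked examples.
  const mid = Math.ceil(max / 2);
  const words = { low: 1, medium: mid, moderate: mid, high: max };
  if (Object.hasOwn(words, text)) return words[text];
  const n = Number(text);
  if (text === "" || Number.isNaN(n)) throw new RangeError(`unrecognised rating: ${rating}`);
  return clamp(n, max);        // numeric ratings are rounded and clamped to the scale
}

// Band from the score as a share of the matrix maximum (lower edge inclusive).
function band(score, max) {
  const ratio = score / (max * max);
  if (ratio >= 0.72) return "Critical";
  if (ratio >= 0.48) return "High";
  if (ratio >= 0.24) return "Moderate";
  return "Low";
}

// Score one row: inherent exposure, then entered or estimated residual exposure.
function scoreRow(row, { max = 5, effect = "standard" } = {}) {
  const l = toPoints(row.likelihood, max);
  const i = toPoints(row.impact, max);
  let rl, ri;
  if (row.residualLikelihood != null && row.residualImpact != null) {
    // Entered residual values take priority over any estimate.
    rl = toPoints(row.residualLikelihood, max);
    ri = toPoints(row.residualImpact, max);
  } else {
    const table = REDUCTION[effect] ?? {};
    const [dl, di] = Object.hasOwn(table, row.signal) ? table[row.signal] : [0, 0];
    rl = clamp(l - dl, max);   // keep the estimate inside the matrix range
    ri = clamp(i - di, max);
  }
  const inherent = l * i, residual = rl * ri;
  return { inherent, inherentBand: band(inherent, max), residual, residualBand: band(residual, max) };
}
```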
Everyday Use & Decision Guide:
Start with one project, launch, vendor review, operational runbook, or technical change. Enter that scope in Project or scope, then choose the Register profile that best matches the review audience. The profile helps category defaults and summary wording stay close to the work being discussed.
Paste one risk per line in Risk rows. A header row is worth using when the source has more than the old five fields, because it lets owner, response, trigger, review date, residual scores, status, and notes land in the right columns. Pipe-delimited rows are easiest to scan, but CSV and tab-delimited rows are accepted too.
- Use Load sample to see the expected shape before replacing the rows with your own register.
- Use Normalize rows after the register parses successfully. It rewrites visible rows into the supported pipe-delimited order.
- Use Scoring matrix before comparing runs. Switching between 5x5 and 3x3 changes the maximum score and band boundaries.
- Set Attention threshold to the score that should slow the team down. Values above the matrix maximum are clamped.
- Open Advanced when appetite, review cadence, residual estimates, or closed-row exports need to match your governance practice.
Good fits include release readiness reviews, migration risk logs, security exception review, vendor onboarding, operational change planning, and recurring delivery meetings where owners need a ranked list. Poor fits include incident logs where the event has already happened, formal quantitative risk models with monetary loss distributions, or risk acceptance decisions that require signed governance outside the register.
Read the summary before copying anything. A count such as need attention, a nonzero owner-gap badge, or a top residual exposure at the threshold should send you to Treatment Queue and Risk Exposure Map before the register becomes meeting material.
Step-by-Step Guide:
Build the register from the source rows first, then use the queue and exposure map to decide what needs review.
- Enter Project or scope. The summary heading and structured outputs use this label, so keep it specific enough for a meeting pack or change review.
- Choose Register profile. Use Security or compliance for control reviews, Vendor or third party for supplier risks, and Technical change for implementation work where reliability and rollback matter.
- Paste rows into Risk rows, drop a CSV/TXT file onto the field, or use Browse CSV/TXT. If a selected file is over the size limit, the helper text reports that it was skipped.
- Keep each row close to the supported fields: risk, category, likelihood, impact, owner, response, trigger, review date, residual likelihood, residual impact, and status. If Input review says a line was ignored, add a risk statement or fix the row delimiter.
- Select Scoring matrix and set Attention threshold. If the warning area says the threshold was clamped, lower it to a valid score for the chosen matrix.
- Open Advanced and set Risk appetite, Default review cadence, and Assumed treatment effect when the register has missing residual scores or review dates.
- Check the summary badges, then open Risk Register. Confirm that Inherent, Residual, Owner, Response, Trigger, Review, and Status match the source evidence.
- Open Treatment Queue for rows with Owner gap, Residual high, Treat now, or Watch. Use Next action as the meeting note to assign or strengthen the response.
- Open Risk Exposure Map after the register looks right. The chart compares inherent and residual scores for the highest residual rows and marks the attention threshold.
Interpreting Results:
The most important result is the residual score beside its owner and next action. A high inherent score can be acceptable when the residual score is below appetite and the response is credible. A high residual score means the planned response has not reduced exposure enough for the selected threshold.
| Output cue | What it means | Useful follow-up |
|---|---|---|
| Residual high | The residual score is at or above the attention threshold. | Escalate or strengthen the response before the next milestone. |
| Treat now | The inherent score meets the threshold even though residual exposure may be lower. | Confirm the response is funded, dated, and tied to the trigger. |
| Owner gap | The row has no usable owner and the status is Needs owner. | Assign one accountable owner before treating the row as managed. |
| Watch | Residual exposure is below the threshold but still moderate enough for review. | Keep the trigger and review date current. |
| No active treatment queue rows | No visible non-closed row meets the built-in queue rules at the current threshold. | Still verify the matrix, closed-row toggle, and source rows before archiving the register. |
Do not read a low residual score as approval. It means the entered or estimated residual likelihood and impact fall below the current threshold. Confirm the response evidence, owner authority, trigger, review date, and appetite before marking the risk accepted or closed.
Worked Examples:
Beta launch access review:
A row such as `Access roles remain unresolved before beta | Security | High | High | Chen | Finish entitlement review and block beta invites without role approval | New beta cohort requested | 2026-05-13 | Medium | High | In treatment` creates a high-priority launch risk. On the 5x5 matrix, Risk Register shows Inherent as 25 Critical and Residual as 15 High, so Treatment Queue gives it Residual high priority at the default threshold of 15/25.
3x3 quick workshop:
For a fast workshop, `Support quickstart slips past launch date | Adoption | Medium | High | Aisha | Publish minimum quickstart and support macro | Docs freeze missed | 2026-05-10 | Low | Medium | Open` can be scored on the 3x3 matrix with an attention threshold of 6/9. The inherent score reaches 6 High, while the residual score falls to 2 Low. That makes Treat now a useful cue: the response may be enough, but the owner should prove the quickstart and support macro are actually ready.
Missing owner cleanup:
A short row such as `OAuth callback outage during cutover | Security | High | High` still produces a register row, but Owner becomes Unassigned and Status becomes Needs owner. The summary owner-gap count increases, and Treatment Queue shows Owner gap with the next action to assign a single accountable owner before the next review.
FAQ:
Should I use the 5x5 or 3x3 matrix?
Use 5x5 matrix when a review needs more separation between moderate, high, and critical risks. Use 3x3 quick matrix for workshops where simple low, medium, and high judgments are more reliable than fine-grained scoring.
What if my rows do not have a header?
Header rows are optional. Without a header, the parser reads the supported column order. Older five-column rows still work when they look like risk, likelihood, impact, owner, and response.
Why did a line get ignored?
Input review ignores a line when it cannot find a risk statement. Add the risk text in the first recognized risk column, or fix the delimiter so the row is split into fields correctly.
Are residual scores calculated automatically?
Entered residual likelihood and residual impact values take priority. If those fields are blank, Assumed treatment effect and response wording estimate residual scores, then keep them within the selected matrix.
Why is a closed risk missing from the tables?
Closed rows are filtered from the visible register and exports unless Include closed risks in exports is switched on. Leave that switch off for an active working register.
What happens to pasted rows and selected files?
Rows and selected CSV/TXT files are read by the browser for scoring and display. Avoid sharing a page address that contains sensitive risk text, because entered values may be present in the address for saved state.
Glossary:
- Risk register: A structured list of risks with scores, owners, responses, triggers, review dates, and status.
- Inherent exposure: The likelihood multiplied by impact before the planned response is considered.
- Residual exposure: The remaining likelihood multiplied by impact after entered or estimated treatment.
- Risk appetite: The amount and type of risk the team is willing to carry while pursuing the objective.
- Attention threshold: The score at or above which a risk is highlighted for queue review.
- Treatment queue: The active list of risks that need owner assignment, stronger treatment, verification, or monitoring.
- Trigger: The warning sign or event that should cause the owner to review or act on the risk.