Risk Register Generator

Project or scope:

This label appears in the register title, filenames, and JSON export.

Pick the operating context closest to how the register will be reviewed.

Risk rows:

Use pipe, tab, or CSV rows. A header row is optional; old five-column rows still work.

Input review

{{ warning }}

Scoring matrix:

Scores use likelihood x impact, then compare inherent and residual exposure.

Attention threshold:

Default is 15 on a 5x5 matrix. Values clamp to the selected matrix maximum.

points

Residual exposure keeps the treatment backlog focused after planned responses.

Risk appetite:

Use conservative for regulated, safety, financial, or customer-critical work.

Default review cadence:

Rows without dates receive generated review dates based on exposure band.

days

Assumed treatment effect:

Enter residual scores in the row when the team has already agreed them.

Include closed risks in exports

Leave off for an active working register; turn on when rebuilding an archive or audit packet.

ID	Risk statement	Category	Likelihood	Impact	Inherent	Residual	Owner	Response	Trigger	Review	Status	Copy
Paste at least one risk row to build a register.
{{ row.id }}	{{ row.risk }}	{{ row.category }}	{{ row.likelihoodLabel }}	{{ row.impactLabel }}	{{ row.inherentScore }} {{ row.inherentBand.label }}	{{ row.residualScore }} {{ row.residualBand.label }}	{{ row.owner }}	{{ row.response }}	{{ row.trigger }}	{{ row.reviewDate }}	{{ row.status }}

Priority	Risk	Owner	Next action	Response	Review	Residual	Copy
No active treatment queue rows at the current threshold.
{{ row.priority }}	{{ row.risk }}	{{ row.owner }}	{{ row.nextAction }}	{{ row.response }}	{{ row.reviewDate }}	{{ row.residualScore }}

{{ result.markdown }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A risk register is the working list of uncertain events that could change a project's cost, schedule, safety, compliance, reliability, customer readiness, or reputation. It gives each concern a name, an owner, a trigger, a planned response, and a review date before the concern turns into an issue. The register does not remove uncertainty; it makes uncertainty visible enough for people to discuss it with the same terms.

The line between a risk and an issue is important. A risk may happen, so it can still be watched, mitigated, transferred, accepted, avoided, or escalated. An issue has already happened and usually belongs in an incident record, defect tracker, decision log, or action list. "Vendor certificate renewal may be missed" is a risk. "The vendor certificate expired yesterday" is an issue that needs recovery work.

Many teams use qualitative scoring because exact probabilities are hard to defend during ordinary project review. Likelihood estimates how likely the event is, impact estimates the consequence if it occurs, and exposure combines those ratings into a sortable score. The score is a comparison aid, not a forecast. It only works when reviewers use the same scale and understand what each label means.

Risk statement: The uncertain event or condition being monitored, written clearly enough that an owner can act on it.
Likelihood: The chance or frequency rating on the selected scoring scale.
Impact: The expected harm to an objective if the risk occurs.
Inherent exposure: The score before a planned or existing response is considered.
Residual exposure: The score after entered residual ratings or an estimated treatment effect.

Risk appetite changes how the same score should be read. A payment release, a medical device change, a public launch, and an internal documentation update can all use a 5x5 matrix, but the score that triggers escalation should differ. The threshold should reflect the organization's tolerance for delay, cost, legal exposure, customer harm, and safety impact.

A useful register is maintained, not merely produced. New evidence can raise likelihood, a verified control can lower residual exposure, and a missed review date can make a quiet row urgent. The value comes from repeated review with clear ownership, not from a large table that is never revisited.

How to Use This Tool:

Enter one row per risk, choose the scoring assumptions, then use the register and queue outputs for review planning.

Enter Project or scope so the register title, exported filenames, Markdown, and JSON identify the work being reviewed.
Choose Register profile for the closest context, such as project delivery, product launch, security or compliance, vendor review, operations, or technical change. The profile affects category defaults and response language when rows are incomplete.
Paste Risk rows, drop a file onto the textarea, or use Browse CSV/TXT. Pipe-delimited, tab-delimited, and CSV rows are accepted. A header row can name fields such as risk, category, likelihood, impact, owner, response, trigger, review date, residual likelihood, residual impact, status, and notes.
Use Scoring matrix to pick a 5x5 register or a 3x3 workshop matrix. Text ratings such as Low, Medium, Moderate, High, and Very high are mapped to the selected scale.
Set Attention threshold and Register sort. If the threshold is too high for the selected matrix, the input review message shows the clamped value.
Open Advanced to adjust Risk appetite, generated review cadence, assumed treatment effect, and whether closed risks should appear in exports.
Read Input review. Add a header row if fields land in the wrong columns, keep imports under 1 MB, and restore any ignored line that is missing a risk statement.
Use Normalize rows after the parsed register looks right, then review Risk Register, Treatment Queue, Risk Exposure Map, Register Markdown, and JSON.

Interpreting Results:

The summary is the first triage signal. It reports active risks, treatment rows, owner gaps, and the top residual exposure. A row at or above the attention threshold needs review, but the score should not decide funding, launch approval, or formal acceptance by itself.

Compare inherent and residual exposure before acting. A lower residual score means the entered residual ratings or assumed treatment effect reduced likelihood, impact, or both. It does not prove that a control has been approved, funded, tested, or accepted by the accountable owner.

Owner gap is the highest queue priority because no single person is accountable for the row.
Residual high means the post-response score still meets or exceeds the attention threshold.
Treat now means inherent exposure reaches the threshold, so the response should have an owner, trigger, and review date.
Watch means residual exposure is at least Moderate even when it does not cross the threshold.
Monitor means the row remains below the queue threshold after the current scoring assumptions.

Risk Exposure Map plots the highest residual rows, compares inherent and residual scores, and draws the threshold line. Use it to spot concentration, then validate the row text, owners, and treatment assumptions before presenting the chart.

Technical Details:

Semi-quantitative risk scoring turns judgment labels into ordered numbers so rows can be sorted and compared. The method is useful when reviewers need a common language, but it remains judgment-based. Two teams can assign different likelihood ratings to the same event if their evidence, operating context, or risk appetite differs.

Exposure is calculated twice. Inherent exposure estimates the risk before treatment. Residual exposure estimates the remaining score after explicit residual ratings or an assumed treatment effect. Residual exposure is useful for queueing work, but it should be updated when a response is proven, rejected, delayed, or replaced.

Formula Core:

Exposure is the product of the selected likelihood and impact scores:

Exposure = Likelihood \times Impact

Risk exposure score construction
Quantity	Meaning	5x5 range	3x3 range
`Likelihood`	Estimated chance or frequency rating.	`1` to `5`	`1` to `3`
`Impact`	Estimated consequence rating.	`1` to `5`	`1` to `3`
`Inherent score`	Likelihood multiplied by impact before treatment.	`1` to `25`	`1` to `9`
`Residual score`	Likelihood multiplied by impact after entered or estimated treatment.	`1` to `25`	`1` to `9`

A 5x5 row with High likelihood and High impact scores 5 x 5 = 25. If residual likelihood is Medium and residual impact remains High, the residual score becomes 3 x 5 = 15.

Rating and Band Rules:

Text ratings are normalized to the selected scale. Numeric ratings are rounded to the nearest whole number and clamped inside the scale, so a 5x5 axis cannot go below 1 or above 5.

Risk rating text mapping
Entered rating	5x5 score	3x3 score	Notes
Very low or Low	`1`	`1`	Lowest rating on either matrix.
Medium low	`2`	`2`	Lower-middle wording rounds upward from the scale fraction.
Medium or Moderate	`3`	`2`	Also used as the fallback when a likelihood or impact cell is blank.
Medium high	`4`	`3`	Near the top of the selected scale.
High or Very high	`5`	`3`	Maximum rating on either matrix.

Risk exposure bands by normalized score
Band	Boundary rule	5x5 score range	3x3 score range
`Critical`	Score divided by matrix maximum is `>= 0.72`.	`18` to `25`	`7` to `9`
`High`	Ratio is `>= 0.48` and below `0.72`.	`12` to `17`	`5` to `6`
`Moderate`	Ratio is `>= 0.24` and below `0.48`.	`6` to `11`	`3` to `4`
`Low`	Ratio is below `0.24`.	`1` to `5`	`1` to `2`

Residual and Queue Rules:

Explicit residual likelihood and residual impact values take priority. When they are blank, the response text and selected treatment effect estimate whether likelihood, impact, or both should drop. Scores never fall below 1 on either axis.

Estimated residual treatment effect rules
Response strategy	Standard effect	Strong effect	Interpretation caution
Avoid	Drops likelihood and impact by `1`.	Drops likelihood and impact by `2`.	Use only when the activity or exposure path can truly be removed.
Transfer	Drops impact by `1`.	Drops impact by `2`.	Insurance, contract, or shared responsibility changes impact; it does not erase the event.
Mitigate or Escalate	Drops likelihood by `1`.	Drops likelihood and impact by `1`.	Confirm the response is funded, dated, and measurable.
Monitor	No score reduction.	Drops likelihood by `1`.	Monitoring should include a trigger that tells the owner when to act.
Accept or unknown	No score reduction.	No score reduction.	Acceptance should be a decision, not a default caused by missing response text.

Risk review date and treatment queue rules
Rule area	How the row is handled	Review impact
Missing owner	Blank owner becomes `Unassigned`, and status becomes `Needs owner`.	The row enters the treatment queue as `Owner gap`.
Missing review date	Critical rows are pulled to at most 3 days, High rows to at most 7 days, Moderate rows to 7 to 14 days, and Low rows to at least 21 days.	Generated dates are review hints, not approved due dates.
Attention threshold	The threshold is rounded and clamped from `1` to the matrix maximum.	Switching from 5x5 to 3x3 can lower an out-of-range threshold.
Closed rows	Closed risks are excluded from the working register unless closed rows are included.	Keep them out for active triage; include them for archive or audit packets.

Accuracy and Privacy Notes:

A scored register is a decision aid, not an approval workflow or a substitute for the organization's formal risk method. Scores help compare rows, but evidence, budget, legal obligations, accountable owners, and governance decide what happens next.

Keep the scoring matrix, risk appetite, and threshold consistent when comparing registers over time.
Review estimated residual scores when a response is vague, unfunded, untested, or not yet operating.
Check generated review dates against real milestone, certificate, contract, audit, and release calendars.
Pasted rows and CSV/TXT imports are read in the browser session. Treat confidential registers carefully on shared or untrusted devices.

Worked Examples:

Security beta launch. A row for unresolved access roles uses High likelihood, High impact, owner Chen, and a mitigation response. On the 5x5 matrix, Risk Register shows 25 Critical inherent exposure. If residual likelihood is Medium and residual impact remains High, the residual score is 15 High, so the Treatment Queue marks it Residual high when the threshold is 15.

Missing owner before support readiness. A support quickstart risk with Medium likelihood and High impact reaches 15 High on a 5x5 matrix. If the owner is blank, the row displays Unassigned, status becomes Needs owner, and queue priority becomes Owner gap.

Switching to a 3x3 workshop matrix. A High likelihood and High impact row scores 9 Critical instead of 25 Critical. If Attention threshold was left at 15, the input review message notes that the threshold was clamped to 9.

Cramped import cleanup. If a CSV has no header and the visible register places owner, response, or review values in the wrong columns, add a header row that names the fields. After the table reads correctly, use Normalize rows to rewrite the textarea into the preferred pipe-delimited shape.

FAQ:

What columns should I paste?

Use a header row with risk, category, likelihood, impact, owner, response, trigger, review date, residual likelihood, residual impact, status, and notes when possible. Older five-column rows still work when they contain risk, likelihood, impact, owner, and response.

How are Low, Medium, and High converted?

The text is mapped to the selected matrix. On a 5x5 scale, Low is 1, Medium or Moderate is 3, and High is 5. On a 3x3 scale, Medium or Moderate maps to 2 and High maps to 3.

Why did the review date change?

Rows without a review date receive one from the residual exposure band and the default review cadence. Critical and High rows are pulled forward, Moderate rows stay inside a 7 to 14 day window, and Low rows are pushed to at least 21 days.

Does a lower residual score mean the risk is controlled?

No. A lower residual score means the entered residual ratings or assumed treatment effect reduced the score. Confirm the response is approved, funded, dated, and working before treating residual exposure as accepted.

Why are closed risks missing from my active register?

Closed rows are hidden unless Include closed risks in exports is turned on. Leave it off for active triage and turn it on when preparing an archive or audit packet.

What should I do if the import looks wrong?

Check that each row has a risk statement and add a header row when the columns are not obvious. Files over 1 MB are skipped, and rows without a risk statement are ignored.

Glossary:

Risk appetite: The amount and type of risk an organization is willing to accept while pursuing its objectives.
Trigger: An early warning sign or condition that tells the owner to review or activate a response.
Treatment: The response chosen for a risk, such as avoiding, mitigating, transferring, accepting, monitoring, or escalating it.
Owner gap: A risk row with no single accountable owner assigned.
Residual exposure: The remaining exposure after entered residual ratings or estimated treatment effect.
Attention threshold: The score at or above which a row is highlighted for review and queueing.

References:

ISO 31000:2018 Risk management - Guidelines, ISO, 2018; reviewed and confirmed 2023.
SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, National Institute of Standards and Technology, September 2012.
Risk, NIST Computer Security Resource Center Glossary.
Risk Management - Beyond the Textbooks, Project Management Institute, 2019.