LR-201c · Module 1
The Risk Register
A risk that is identified but not documented does not exist — at least not in any useful way. The risk register is the central document that captures every identified risk, its assessment, its mitigation plan, and its current status. It is the single source of truth for the risk state of the system. Without it, risk management is a conversation. With it, risk management is a practice.
Do This
- Document every identified risk in the register immediately — before the meeting ends
- Include the risk source, the discovery technique that found it, and the affected stakeholder group
- Assign every risk an owner who is accountable for monitoring and mitigation
- Review the register at a fixed cadence — weekly during deployment, monthly in production
Avoid This
- Keep risk knowledge in people's heads instead of a shared register
- Document risks without assessment — an unscored risk cannot be prioritized
- Leave risks without owners — unowned risks are unmanaged risks
- Review the register only when something goes wrong — by then the register has failed its purpose
The register should be a living document, not a compliance artifact. When a new risk is identified — from a system change, a regulatory update, or an incident — it enters the register immediately. When a risk is mitigated, the register records what was done, when, and by whom. When a risk materializes, the register captures the impact and the lessons learned. Over time, the register becomes the institutional memory of your risk practice.