Skip to content
A group of ice skaters move slowly across the ice, hand in hand - they look like beginners, being led by a professional

What's a risk register... and why do we need one?

A risk register is a simple and effective tool that can help you identify, document, and manage the risks facing your organisation.

It sets out the known risks associated with your organisation.

It also assesses their likelihood and impact. 

In this section, you can discover why they're important - and what you'll need to consider... 

Risk Q&A

  • What's a risk assessment?

     A risk assessment focuses on managing the health and safety aspects of your organisation. 

    This includes the activities you carry out and the equipment you use. It covers your participants and visitors.  

    It helps you to assess and control the risk of accidents or injuries. 

    You need to do this to comply with health and safety law.

    It's also usually needed by insurance providers and national governing bodies. 

    A risk register is an important tool for risk assessment. 


  • What's a risk register?

    A risk register is a document that sets out and assesses the risks that may directly affect the day-to-day running and sustainability of your organisation.

    It’s a tool that should be used to help manage and govern your organisation and is sometimes a requirement of compliance processes. 

  • What are the benefits of using a risk register?

    There are many benefits of using a risk register. 

    These include: 

    • Reducing unforeseen circumstances. 
    • Promoting transparency so that you can own the risks with your committee, trustees, volunteers, staff, and other relevant partners. 
    • Providing a focus for you to review risks, and identify any resources, training needs or actions to manage them. 
    • Supporting your continuity, emergency, and succession planning.
  • What should a risk register cover?

    As a minimum, you should include:

      • The date each risk was added to the register. 
      • A description of each risk.
      • The level of risk.
      • The risk owner.
      • The mitigating actions.
      • The status (for example, if it’s current, ongoing, future, or completed).

    Steps for developing a risk register

    Developing a risk register should be a straight-forward process.

    Our seven-step guide, which we’ve adapted from PRINCE 2 (a management method), will help you develop your own risk register. 

    Involve the right people and get their buy in
    Involve and obtain the support of all of your committee members or trustees, as well as trusted senior staff.

    This will help to ensure that risks and issues have been considered across all areas and that there is agreement on the likelihood, impact, and mitigating actions to be taken.

    Give at least one person the responsibility for creating and maintaining the register. 
    Identify and categorise risk
    Categorise the risks under different headings. Consider general organisational risks as well as any unique considerations that you're facing now or are likely to face in the future.

    See the section on this page about possible categories of risk.
    Assessing the likelihood, impact and overall rating of the risks
    Once you’ve identified the key risks that could affect your organisation, the next step is to assess their likelihood and impact.

    Draw up your list of risks.

    Then give each risk a number, based on how likely it is to happen.
    1 = very unlikely
    2 = unlikely
    3 = neither unlikely or likely
    4 = likely
    5 = very likely

    You should then give each risk another rating, based on the possible impact (internal and external).
    1 = very low impact
    2 = low impact
    3 = medium impact
    4 = high impact
    5 = very high impact

    You’ll then be able to calculate its overall risk rating.
    To do this, multiply the likelihood score by the impact score (for example, 3 x 4 = 12).

    You can then grade each risk low, medium, or high.
    You could also colour code them green, amber, or red (RAG). 

    Low (green): 1-8
    Medium (amber): 9-17
    High (red): 18-25

    Please note that any risk that is rated as medium or high should be reviewed regularly by your committee or trustees and senior officials. It should ideally be a standing agenda item on your regular committee and trustee management meetings.  
    Identifying mitigating actions
    Mitigating actions are actions you’ve designed to lessen the likelihood and/or impact of each risk.

    These might include the application of good practice, embedding clear policies and procedures, staff training, regular reporting, regular communications with participants and volunteers, and establishing finance and audit sub-committees.
    Appoint a risk owner
    For each risk identified, select the most appropriate person within your organisation to monitor and manage it. They’ll be responsible for assessing the risk, identifying, and implementing mitigating actions. They should also update the committee and trustees.

    There can be more than one owner for risks (for example, if your club or organisation has sub-committees).
    Arrange regular risk reviews
    Your risk register should be kept as a live document with updates reported to your committee, trustees and leadership team on a regular basis.

    Any changes to a risk’s likelihood or potential impact should be discussed and reflected in the risk register.

    Any mitigating actions should be included too.

    Flag up any medium or high risks at regular committee meetings and discuss mitigating actions. 
    Recording risks
    When completing your risk register, it’s important to include basic details that you can refer to and update as appropriate.

    These should, as a minimum, include the date the risks were added to the register, a description of the risk, the level of risk, the risk owner, the mitigating actions, and its status (for example, if it’s current, ongoing, future, or completed).

    It’s important to provide a clear description of the risk so your committee, trustees, or leadership team aren’t required to remember specific details from one meeting to the next, and their status can be easily tracked.

    Categories of risk

    Here are some possible categories of risk for you to consider. 

    You may also have unique risks associated with your sport or group.   

    Vision, aims, and objectives
    There may be risks that will stop your organisation achieving its overall vision, aims and objectives. 
    Legal structures
    These are risks relating to the way that your organisation is structured, and if your structure is fully understood and appropriate. 
    There could be risks relating to your organisation’s liabilities and that of its participants, members, or volunteers.

    For example, is anyone liable for any costs or damages associated with the club or organisation based on your legal structure?
    These are risks relating to good governance practices.  
    These are risks associated with how your committee is run, or its succession planning (if committee members are to leave their positions). 
    Policies and procedures
    These risks are associated with the completeness and coverage of your policies and procedures (for example safeguarding policy, normal and emergency operating procedures, and codes of conduct). 
    Finance and sustainability
    These are risks relating to the financial management and financial sustainability of your organisation.

    For example, do you have sufficient reserves in place for emergencies? Are your income streams secure?
    Legal and reporting requirements
    These risks are related to the requirements of statutory laws, statutory bodies, and funders (for example, health and safety, VAT and Tax). 
    These are risks related to having sufficient insurance cover in place to meet your needs.
    These are risks related to keeping children and adults safe (for example, the recruitment, deployment, and retention of volunteers/staff or reporting procedures from a safeguarding perspective). 
    Data protection and GDPR
    These risks are associated with data protection and security including data breaches or GDPR issues.  
    Inclusion and equality
    These risks that would prevent your organisation from being open and accessible to all prospective members, participants, and volunteers. 
    Membership and participant numbers
    These are risks associated with a drop or surge in your membership and participant numbers. 
    Volunteers or staff numbers
    These are risks associated with the volunteers, coaches, and other staff that you need to run your activities and facilities safely and efficiently. 
    Experience satisfaction
    These are the risks associated with low levels of satisfaction in the activities and services you offer and the experience of your members, participants, parents and carers, volunteers, or any staff. 
    These are risks associated with any potential damage to your organisation’s reputations.  
    Facilities and equipment
    These are risks associated with the condition or availability of facilities and equipment. 

    Example risk register

    When developing your own register, you can use this as a guide:

    Risk 1 2 3 4
    Date logged        
    Risk category        
    Risk description/issues        
    Risk owner        
    Likelihood (1-5)        
    Impact (1-5)        
    Overall rating (LxI) and RAG rating        
    Proximity (current/ongoing/future/completed)        
    Mitigating actions