Risk register

A risk register is a structured document or database used to record, track, and update risks over time. It typically lists each identified risk along with key attributes such as description, likelihood, impact, owner, current controls, planned actions, and status. In industrial and regulated manufacturing environments it is a core tool for formal risk management.

Typical contents of a risk register

While formats vary, most risk registers capture at least the following information for each risk:

• Risk ID or unique reference
• Risk description, including cause and potential consequence
• Category (for example: safety, quality, compliance, cybersecurity, supply chain)
• Likelihood and impact ratings, often combined into a risk priority or score
• Current controls or mitigations in place
• Planned actions or additional mitigations, with target dates
• Risk owner responsible for monitoring and follow-up
• Status (for example: open, in progress, closed, accepted)
• Review dates and notes from periodic reassessments

Use in industrial and regulated environments

In manufacturing operations, a risk register commonly supports:

• Operational risk management, such as equipment failures, OT/IT downtime, or loss of utilities
• Quality and compliance risks, including process deviations, data integrity issues, or nonconformances
• Safety and environmental risks, alongside formal hazard analyses and safety studies
• Cybersecurity and OT risks, for example unauthorized access to control systems or loss of manufacturing data
• Supply chain and supplier risks, such as single-source materials or long lead times

The risk register may be maintained as a controlled spreadsheet, a module in a quality or risk management system, or part of broader governance, risk, and compliance (GRC) tooling. It is typically referenced during audits, management reviews, and change control, and is updated when new risks are identified or when controls change.

Common confusion

• Risk register vs. risk assessment: A risk assessment is the process and analysis used to evaluate risks. The risk register is the ongoing record where those evaluated risks and their current status are logged.
• Risk register vs. issue log: A risk register focuses on uncertain future events. An issue log records problems that have already occurred. In practice, issues may trigger new entries in the risk register.
• Risk register vs. hazard log: A hazard log is often specific to safety or environmental hazards. A risk register is broader and can include safety, quality, cybersecurity, and business risks in one place.