What's the difference between a risk register and a RAID log?

Cadence and audience. A RAID log is your weekly working tool, Risks, Assumptions, Issues, Dependencies in one place, simple scoring, reviewed by the team. A risk register is your quarterly governance tool, risks only, deeper P/I scoring, reviewed by the steering committee. Most programs need both.

What scoring scale does the template use?

5×5 (probability × impact), with severity auto-calculated. Probability is anchored to time (1 = next year, 5 = this month). Impact is anchored to delivery, scope, or financial exposure. The cheat sheet has the full rubric.

How often should I update it?

Top risks weekly (15-min review with the team, same cadence as the RAID log). Full register quarterly with the steering committee or program board. The cheat sheet has both rhythms.

Excel or Google Sheets?

Both. The template is .xlsx and opens cleanly in Google Sheets. Conditional formatting carries over.

All tools › Weekly Ops › Risk Register Template

Risk Management

Risk Register Template

A risk register built for weekly use. Probability/impact scoring, named owners, mitigation with real review dates. The one I keep open all week.

$29 one-time, instant download

✓ Excel + Google Sheets · ✓ Probability/impact matrix · ✓ PDF cheat sheet

Buy Now, $29

Secure checkout via Gumroad · 30-day refund

Or get all 17 PM tools for $99 ($533 value). The full toolkit ships every template in the catalog: status reports, RAID logs, charters, OKRs, and more. See what's in the bundle ›

What's in the download

Risk register with P/I matrix

Probability and impact scored 1-5 each, auto-calculated severity, conditional formatting that surfaces the top 5 risks at a glance.

Mitigation tracking with ownership

Every risk has a named owner, a mitigation plan, and a review date. No more orphan risks sitting on the register that nobody owns.

Quick-reference cheat sheet (PDF)

The five questions to ask before adding a risk, the difference between a risk and an issue, and the weekly review cadence that keeps the register alive.

Use forever, no subscription

One purchase, yours to keep. Use it on every program, customize for your team. Works in Excel and Google Sheets.

Why most risk registers go stale

Almost every risk register I've inherited has the same pattern. Thirty entries, none updated in six months, all owned by "PMO" or "TBD." When the audit happens, someone updates the dates. When the project blows up, someone says "we should have flagged that risk," and it's right there, untouched since kickoff.

The problem isn't the format. It's the missing review rhythm and the missing owner. A risk owned by "the team" is a risk nobody's working.

"A risk without an owner is a worry. A risk without a review date is a journal entry."

This template fixes both. Owner is a required field with a real name on it. Review date forces re-evaluation on a cadence you set. The cheat sheet gives you the script for the weekly 15-minute review that keeps the register honest.

How probability/impact scoring actually works

Most templates ship with 5x5 P/I scoring as a vague rubric. The discipline is in the definitions. This template uses:

Probability 1-5, anchored to time. 1 = "could happen in the next year"; 5 = "happening this month or already". Time-anchoring removes the subjectivity that turns probability into a vibe check.
Impact 1-5, anchored to delivery, scope, or financial exposure. 1 = "noisy but recoverable in-sprint"; 5 = "delays the program by a quarter or more, or triggers an exec escalation". The cheat sheet has the full rubric.
Severity = P × I with conditional formatting. Top 5 by severity surface automatically. The other 20 sit there until they move into the top 5 or close out.
Residual after mitigation, the column most templates skip. Once the mitigation is in place, what's the leftover risk? That's what you actually carry on the register.

Risk register vs RAID log: pick based on cadence

The risk register is the governance artifact: risks only, scored deeply, reviewed quarterly with a steering committee. The RAID log is the working artifact: Risks, Assumptions, Issues, Dependencies in one place, scored simply, reviewed weekly with the program team.

Most enterprise programs run both. The RAID log is where you do the actual work, flagging, mitigating, escalating, and the risk register is where the top risks live with deeper documentation for audit and governance. They're not competing tools. They're different cadences serving different audiences.

Risk Register Template

What's in the download

Risk register with P/I matrix

Mitigation tracking with ownership

Quick-reference cheat sheet (PDF)

Use forever, no subscription

Why most risk registers go stale

How probability/impact scoring actually works

Risk register vs RAID log: pick based on cadence

Often bought together

RAID Log

PM Status Report Generator

Program Charter

Or get all 17 tools, $99