Risk Register Template for UK Boards
A risk register is the board's tool for staying ahead of what could go wrong. Every organisation faces uncertainty, the question is whether you're tracking it systematically or relying on instinct.
This guide explains what a board-level risk register should contain, how to build one that actually gets used, and where the UK regulatory context adds specific requirements. There's a free downloadable template in Excel at the end.
Download the free risk register template
A ready-to-use Excel template with a pre-built 5x5 risk matrix, automatic RAG scoring, and a board summary dashboard tab.
Download the free risk register template →
What is a risk register?
A risk register is a documented record of the risks an organisation faces, together with an assessment of their likelihood and impact, the controls or mitigations in place, and the person responsible for managing each risk.
At board level, the risk register is a governance document, not a project management tool. Its purpose is to give the board a clear view of strategic and operational risk, ensure risks are owned and being managed, and demonstrate to regulators, auditors, and stakeholders that the organisation has a systematic approach to risk oversight.
Board risk register vs operational risk register
Two distinct documents often get confused:
Board (strategic) risk register: covers risks that could threaten the organisation's strategic objectives, financial viability, or licence to operate. Typically 15 to 30 risks. Reviewed quarterly by the board or its risk committee. Owned by the CEO or CFO.
Operational risk register: covers day-to-day risks at departmental or project level, health and safety, IT security, regulatory compliance, key person dependency. More granular, more frequent updates. Managed by operational leaders.
The board should receive a summary report from the operational register (typically flagging high-rated risks or changes in status), not the register itself.
The strategic register is what sits in the board pack, alongside the standing papers covered in our guide to building better board packs.
This guide focuses on the board-level strategic risk register.
UK regulatory context
Companies (for profit): the Companies Act 2006 imposes no specific risk register requirement, but directors' duty to exercise reasonable care and skill (section 174) implies systematic risk oversight.
The UK Corporate Governance Code (for premium-listed companies) requires the board to assess and monitor principal risks and include a viability statement in the annual report. Many unlisted companies adopt the same standard as good practice.
Charities: the Charity Commission's guidance CC26 requires trustees to manage risk as part of their duty of prudence. Larger charities (income over £500,000) must include a risk management statement in their annual report confirming they have reviewed the major risks and have systems in place to manage them. A maintained risk register is the evidence behind that statement.
Housing associations and regulated sectors: additional risk reporting requirements apply. A template that supports board-level oversight is the minimum.
What goes in a risk register?
A well-structured risk register captures the following for each risk:
|
Field |
Description |
|
Risk ID |
Unique reference number |
|
Risk title |
Short, clear description (e.g. “Loss of key contract”) |
|
Risk category |
Strategic / Financial / Operational / Regulatory / Reputational |
|
Risk description |
What could happen, and why it matters |
|
Inherent likelihood |
Score 1–5 before controls |
|
Inherent impact |
Score 1–5 before controls |
|
Inherent risk rating |
Likelihood × Impact |
|
Existing controls |
What's already in place to mitigate |
|
Residual likelihood |
Score 1–5 after controls |
|
Residual impact |
Score 1–5 after controls |
|
Residual risk rating |
Likelihood × Impact after controls |
|
Risk owner |
Named individual accountable for managing this risk |
|
Action required |
Any further mitigation planned |
|
Due date |
For outstanding actions |
|
Date last reviewed |
When was this risk last assessed? |
|
Status |
Open / Closed / Escalated |
Risk scoring: the 5x5 matrix
Most UK boards use a 5x5 risk matrix. Likelihood and impact are each scored 1 to 5.
Likelihood
- Rare, unlikely to occur in the next five years
- Unlikely, may occur in the next three to five years
- Possible, could occur within three years
- Likely, expected to occur within one to two years
- Almost certain, expected to occur within the year
Impact
- Negligible, minimal effect on objectives
- Minor, limited effect, manageable
- Moderate, significant but recoverable
- Major, threatens key objectives
- Critical, threatens organisational viability
Risk rating equals Likelihood multiplied by Impact. Scores 15 to 25 are high (red), 8 to 14 are medium (amber), 1 to 7 are low (green). The board should focus attention on red-rated risks and any risks that have increased in rating since last review.
How to structure the board risk report
The full risk register can run to many rows. What goes in the board pack is a summary report, not the entire register. A good board risk report includes:
- Risk heatmap, a visual 5x5 grid showing all risks by current residual rating
- Top 5 to 10 risks, the highest-rated risks with brief descriptions and owner
- Changes since last review, risks that have increased or decreased in rating, new risks added, closed risks
- Outstanding actions, any risk mitigation actions past their due date
- Emerging risks, risks on the horizon not yet formally assessed
This summary format keeps the board focused on what matters without drowning them in the full detail.
The same discipline runs through good CEO reporting generally.
Charity risk register: additional considerations
For UK charities, the Charity Commission expects risk management to be integrated into governance, not treated as a compliance exercise.
Specific considerations:
- Trustee awareness: all trustees, not just the finance lead, should understand the top risks. The risk register should be accessible in a format trustees can actually use.
- Charity-specific risk categories: include safeguarding risk, funding dependency risk (what happens if a major grant ends?), volunteer management risk, and reputational risk as standard categories.
- Annual report statement: your risk register needs to support the risk management statement in the annual report. Document review dates and board sign-off.
- Smaller charities: even if under the £500k threshold, a basic risk log is good governance and increasingly expected by major funders during grant applications.
Five reasons risk registers fail (and how to fix them)
1. Risks aren't owned
Fix: every risk needs a named individual, not a team or a department. The owner updates the register and reports to the board.
2. The register is only updated before the board meeting
Fix: build risk review into the quarterly cycle. The board shouldn't be seeing risks for the first time in the board pack.
3. Controls aren't documented
Fix: “Being managed” is not a control. Specify what is actually in place, insurance policy, contractual protection, redundant supplier, and so on.
4. Too many risks
Fix: a strategic risk register with 80 items is a register no one reads. Limit to 20 to 35 strategic risks. Operational risks belong in a separate document.
5. No escalation process
Fix: define when a risk gets escalated from operational to board level. New high-rated risks shouldn't wait for the quarterly review.
Risk register template download
BoardPro's free Excel risk register template includes:
- Pre-built 5x5 risk matrix with conditional formatting (RAG status automatic)
- All standard fields pre-populated
- Category dropdown lists
- Summary dashboard tab for board reporting
- Guidance notes on each field
Get the risk register template
Free to download, in Excel format, with the 5x5 matrix and board summary dashboard built in.
Download the free risk register template →
Moving beyond spreadsheets: risk management in BoardPro
Excel templates work for small organisations getting started. They become a liability as the organisation grows:
- Multiple versions across departments
- No audit trail for changes
- Manual RAG calculations that get broken
- Risk owners who don't know their risks have changed
BoardPro's built-in risk management module connects risk directly to board governance. Risks are visible in the board pack, owners receive notifications, and the board has a live view, not a quarterly snapshot.
Summary
A board-level risk register is a governance tool, not a project management spreadsheet. It should cover strategic risks, score them consistently, assign clear ownership, and feed a summary report into each board pack. For UK charities, it's also a regulatory requirement. The template above gives you everything you need to start, or to improve what you already have.
See BoardPro's risk features
Explore how BoardPro connects risk management directly to your board pack and governance cycle.
Related guides
Share this
You May Also Like
These Related Stories

Board Paper Template: How UK Boards Write Better Board Papers
/Blog-image-ceo-report-that-delights-the-board.jpg)
CEO Report Template: What UK Boards Need from Their Chief Executive

