Blog

Risk Register Template for UK Boards

Written by Ben Luxon | 08-Jul-2026 09:20:01

A risk register is the board's tool for staying ahead of what could go wrong. Every organisation faces uncertainty, the question is whether you're tracking it systematically or relying on instinct.

This guide explains what a board-level risk register should contain, how to build one that actually gets used, and where the UK regulatory context adds specific requirements. There's a free downloadable template in Excel at the end.

Download the free risk register template

A ready-to-use Excel template with a pre-built 5x5 risk matrix, automatic RAG scoring, and a board summary dashboard tab.

Download the free risk register template →

What is a risk register?

A risk register is a documented record of the risks an organisation faces, together with an assessment of their likelihood and impact, the controls or mitigations in place, and the person responsible for managing each risk.

At board level, the risk register is a governance document, not a project management tool. Its purpose is to give the board a clear view of strategic and operational risk, ensure risks are owned and being managed, and demonstrate to regulators, auditors, and stakeholders that the organisation has a systematic approach to risk oversight.

Board risk register vs operational risk register

Two distinct documents often get confused:

Board (strategic) risk register: covers risks that could threaten the organisation's strategic objectives, financial viability, or licence to operate. Typically 15 to 30 risks. Reviewed quarterly by the board or its risk committee. Owned by the CEO or CFO.

Operational risk register: covers day-to-day risks at departmental or project level, health and safety, IT security, regulatory compliance, key person dependency. More granular, more frequent updates. Managed by operational leaders.

The board should receive a summary report from the operational register (typically flagging high-rated risks or changes in status), not the register itself.

The strategic register is what sits in the board pack, alongside the standing papers covered in our guide to building better board packs.

This guide focuses on the board-level strategic risk register.

UK regulatory context

Companies (for profit): the Companies Act 2006 imposes no specific risk register requirement, but directors' duty to exercise reasonable care and skill (section 174) implies systematic risk oversight.

The UK Corporate Governance Code (for premium-listed companies) requires the board to assess and monitor principal risks and include a viability statement in the annual report. Many unlisted companies adopt the same standard as good practice.

Charities: the Charity Commission's guidance CC26 requires trustees to manage risk as part of their duty of prudence. Larger charities (income over £500,000) must include a risk management statement in their annual report confirming they have reviewed the major risks and have systems in place to manage them. A maintained risk register is the evidence behind that statement.

Housing associations and regulated sectors: additional risk reporting requirements apply. A template that supports board-level oversight is the minimum.

What goes in a risk register?

A well-structured risk register captures the following for each risk:

Field

Description

Risk ID

Unique reference number

Risk title

Short, clear description (e.g. “Loss of key contract”)

Risk category

Strategic / Financial / Operational / Regulatory / Reputational

Risk description

What could happen, and why it matters

Inherent likelihood

Score 1–5 before controls

Inherent impact

Score 1–5 before controls

Inherent risk rating

Likelihood × Impact

Existing controls

What's already in place to mitigate

Residual likelihood

Score 1–5 after controls

Residual impact

Score 1–5 after controls

Residual risk rating

Likelihood × Impact after controls

Risk owner

Named individual accountable for managing this risk

Action required

Any further mitigation planned

Due date

For outstanding actions

Date last reviewed

When was this risk last assessed?

Status

Open / Closed / Escalated

Risk scoring: the 5x5 matrix

Most UK boards use a 5x5 risk matrix. Likelihood and impact are each scored 1 to 5.

Likelihood

  • Rare, unlikely to occur in the next five years
  • Unlikely, may occur in the next three to five years
  • Possible, could occur within three years
  • Likely, expected to occur within one to two years
  • Almost certain, expected to occur within the year

Impact

  • Negligible, minimal effect on objectives
  • Minor, limited effect, manageable
  • Moderate, significant but recoverable
  • Major, threatens key objectives
  • Critical, threatens organisational viability

Risk rating equals Likelihood multiplied by Impact. Scores 15 to 25 are high (red), 8 to 14 are medium (amber), 1 to 7 are low (green). The board should focus attention on red-rated risks and any risks that have increased in rating since last review.

How to structure the board risk report

The full risk register can run to many rows. What goes in the board pack is a summary report, not the entire register. A good board risk report includes:

  • Risk heatmap, a visual 5x5 grid showing all risks by current residual rating
  • Top 5 to 10 risks, the highest-rated risks with brief descriptions and owner
  • Changes since last review, risks that have increased or decreased in rating, new risks added, closed risks
  • Outstanding actions, any risk mitigation actions past their due date
  • Emerging risks, risks on the horizon not yet formally assessed

This summary format keeps the board focused on what matters without drowning them in the full detail.

The same discipline runs through good CEO reporting generally.

Charity risk register: additional considerations

For UK charities, the Charity Commission expects risk management to be integrated into governance, not treated as a compliance exercise.

Specific considerations:

  • Trustee awareness: all trustees, not just the finance lead, should understand the top risks. The risk register should be accessible in a format trustees can actually use.
  • Charity-specific risk categories: include safeguarding risk, funding dependency risk (what happens if a major grant ends?), volunteer management risk, and reputational risk as standard categories.
  • Annual report statement: your risk register needs to support the risk management statement in the annual report. Document review dates and board sign-off.
  • Smaller charities: even if under the £500k threshold, a basic risk log is good governance and increasingly expected by major funders during grant applications.

Five reasons risk registers fail (and how to fix them)

1. Risks aren't owned

Fix: every risk needs a named individual, not a team or a department. The owner updates the register and reports to the board.

2. The register is only updated before the board meeting

Fix: build risk review into the quarterly cycle. The board shouldn't be seeing risks for the first time in the board pack.

3. Controls aren't documented

Fix: “Being managed” is not a control. Specify what is actually in place, insurance policy, contractual protection, redundant supplier, and so on.

4. Too many risks

Fix: a strategic risk register with 80 items is a register no one reads. Limit to 20 to 35 strategic risks. Operational risks belong in a separate document.

5. No escalation process

Fix: define when a risk gets escalated from operational to board level. New high-rated risks shouldn't wait for the quarterly review.

Risk register template download

BoardPro's free Excel risk register template includes:

  • Pre-built 5x5 risk matrix with conditional formatting (RAG status automatic)
  • All standard fields pre-populated
  • Category dropdown lists
  • Summary dashboard tab for board reporting
  • Guidance notes on each field

Get the risk register template

Free to download, in Excel format, with the 5x5 matrix and board summary dashboard built in.

Download the free risk register template →

Moving beyond spreadsheets: risk management in BoardPro

Excel templates work for small organisations getting started. They become a liability as the organisation grows:

  • Multiple versions across departments
  • No audit trail for changes
  • Manual RAG calculations that get broken
  • Risk owners who don't know their risks have changed

BoardPro's built-in risk management module connects risk directly to board governance. Risks are visible in the board pack, owners receive notifications, and the board has a live view, not a quarterly snapshot.

Summary

A board-level risk register is a governance tool, not a project management spreadsheet. It should cover strategic risks, score them consistently, assign clear ownership, and feed a summary report into each board pack. For UK charities, it's also a regulatory requirement. The template above gives you everything you need to start, or to improve what you already have.

See BoardPro's risk features

Explore how BoardPro connects risk management directly to your board pack and governance cycle.

Start a free trial →

Related guides