A risk register is the board's tool for staying ahead of what could go wrong. Every organisation faces uncertainty, the question is whether you're tracking it systematically or relying on instinct.
This guide explains what a board-level risk register should contain, how to build one that actually gets used, and where the UK regulatory context adds specific requirements. There's a free downloadable template in Excel at the end.
A ready-to-use Excel template with a pre-built 5x5 risk matrix, automatic RAG scoring, and a board summary dashboard tab.
Download the free risk register template →
A risk register is a documented record of the risks an organisation faces, together with an assessment of their likelihood and impact, the controls or mitigations in place, and the person responsible for managing each risk.
At board level, the risk register is a governance document, not a project management tool. Its purpose is to give the board a clear view of strategic and operational risk, ensure risks are owned and being managed, and demonstrate to regulators, auditors, and stakeholders that the organisation has a systematic approach to risk oversight.
Two distinct documents often get confused:
Board (strategic) risk register: covers risks that could threaten the organisation's strategic objectives, financial viability, or licence to operate. Typically 15 to 30 risks. Reviewed quarterly by the board or its risk committee. Owned by the CEO or CFO.
Operational risk register: covers day-to-day risks at departmental or project level, health and safety, IT security, regulatory compliance, key person dependency. More granular, more frequent updates. Managed by operational leaders.
The board should receive a summary report from the operational register (typically flagging high-rated risks or changes in status), not the register itself.
The strategic register is what sits in the board pack, alongside the standing papers covered in our guide to building better board packs.
This guide focuses on the board-level strategic risk register.
Companies (for profit): the Companies Act 2006 imposes no specific risk register requirement, but directors' duty to exercise reasonable care and skill (section 174) implies systematic risk oversight.
The UK Corporate Governance Code (for premium-listed companies) requires the board to assess and monitor principal risks and include a viability statement in the annual report. Many unlisted companies adopt the same standard as good practice.
Charities: the Charity Commission's guidance CC26 requires trustees to manage risk as part of their duty of prudence. Larger charities (income over £500,000) must include a risk management statement in their annual report confirming they have reviewed the major risks and have systems in place to manage them. A maintained risk register is the evidence behind that statement.
Housing associations and regulated sectors: additional risk reporting requirements apply. A template that supports board-level oversight is the minimum.
A well-structured risk register captures the following for each risk:
|
Field |
Description |
|
Risk ID |
Unique reference number |
|
Risk title |
Short, clear description (e.g. “Loss of key contract”) |
|
Risk category |
Strategic / Financial / Operational / Regulatory / Reputational |
|
Risk description |
What could happen, and why it matters |
|
Inherent likelihood |
Score 1–5 before controls |
|
Inherent impact |
Score 1–5 before controls |
|
Inherent risk rating |
Likelihood × Impact |
|
Existing controls |
What's already in place to mitigate |
|
Residual likelihood |
Score 1–5 after controls |
|
Residual impact |
Score 1–5 after controls |
|
Residual risk rating |
Likelihood × Impact after controls |
|
Risk owner |
Named individual accountable for managing this risk |
|
Action required |
Any further mitigation planned |
|
Due date |
For outstanding actions |
|
Date last reviewed |
When was this risk last assessed? |
|
Status |
Open / Closed / Escalated |
Most UK boards use a 5x5 risk matrix. Likelihood and impact are each scored 1 to 5.
Risk rating equals Likelihood multiplied by Impact. Scores 15 to 25 are high (red), 8 to 14 are medium (amber), 1 to 7 are low (green). The board should focus attention on red-rated risks and any risks that have increased in rating since last review.
The full risk register can run to many rows. What goes in the board pack is a summary report, not the entire register. A good board risk report includes:
This summary format keeps the board focused on what matters without drowning them in the full detail.
The same discipline runs through good CEO reporting generally.
For UK charities, the Charity Commission expects risk management to be integrated into governance, not treated as a compliance exercise.
Specific considerations:
Fix: every risk needs a named individual, not a team or a department. The owner updates the register and reports to the board.
Fix: build risk review into the quarterly cycle. The board shouldn't be seeing risks for the first time in the board pack.
Fix: “Being managed” is not a control. Specify what is actually in place, insurance policy, contractual protection, redundant supplier, and so on.
Fix: a strategic risk register with 80 items is a register no one reads. Limit to 20 to 35 strategic risks. Operational risks belong in a separate document.
Fix: define when a risk gets escalated from operational to board level. New high-rated risks shouldn't wait for the quarterly review.
BoardPro's free Excel risk register template includes:
Free to download, in Excel format, with the 5x5 matrix and board summary dashboard built in.
Download the free risk register template →
Excel templates work for small organisations getting started. They become a liability as the organisation grows:
BoardPro's built-in risk management module connects risk directly to board governance. Risks are visible in the board pack, owners receive notifications, and the board has a live view, not a quarterly snapshot.
A board-level risk register is a governance tool, not a project management spreadsheet. It should cover strategic risks, score them consistently, assign clear ownership, and feed a summary report into each board pack. For UK charities, it's also a regulatory requirement. The template above gives you everything you need to start, or to improve what you already have.
See BoardPro's risk features
Explore how BoardPro connects risk management directly to your board pack and governance cycle.