Risk Register Template » History » Version 1
Redmine Admin, 12/26/2025 04:54 PM
| 1 | 1 | Redmine Admin | h1. Risk Register – Entry Template |
|---|---|---|---|
| 2 | |||
| 3 | *Purpose:* Capture, track, and manage risks in a consistent and auditable manner |
||
| 4 | *Scope:* Product, Technical, Operational, Compliance, and Business risks |
||
| 5 | |||
| 6 | {{toc}} |
||
| 7 | |||
| 8 | --- |
||
| 9 | |||
| 10 | h2. 1. Risk Identification |
||
| 11 | |||
| 12 | |_. Field |_. Value | |
||
| 13 | | Risk ID | RISK-YYYY-NN | |
||
| 14 | | Risk Title | Short, descriptive name | |
||
| 15 | | Risk Category | Product / Technical / Operational / Security / Compliance / Business | |
||
| 16 | | Affected Area | Product / Service / Team / Customer / Platform | |
||
| 17 | | Identified By | Name / Role | |
||
| 18 | | Identified Date | YYYY-MM-DD | |
||
| 19 | |||
| 20 | Guidelines: |
||
| 21 | * One risk per entry |
||
| 22 | * Title should clearly state the risk, not the symptom |
||
| 23 | |||
| 24 | Example: |
||
| 25 | *bq.* Inadequate audit logging may lead to HIPAA non-compliance. |
||
| 26 | |||
| 27 | --- |
||
| 28 | |||
| 29 | h2. 2. Risk Description |
||
| 30 | |||
| 31 | Describe the risk clearly and concisely. |
||
| 32 | |||
| 33 | Include: |
||
| 34 | * What could go wrong |
||
| 35 | * Why it matters |
||
| 36 | * Who or what is impacted |
||
| 37 | |||
| 38 | Avoid: |
||
| 39 | * Solutions |
||
| 40 | * Long narratives |
||
| 41 | * Speculation |
||
| 42 | |||
| 43 | --- |
||
| 44 | |||
| 45 | h2. 3. Risk Impact & Likelihood |
||
| 46 | |||
| 47 | |_. Attribute |_. Level | |
||
| 48 | | Impact | Low / Medium / High / Critical | |
||
| 49 | | Likelihood | Rare / Possible / Likely / Almost Certain | |
||
| 50 | | Overall Risk Level | Low / Medium / High | |
||
| 51 | |||
| 52 | Guidelines: |
||
| 53 | * Impact = severity of damage |
||
| 54 | * Likelihood = probability of occurrence |
||
| 55 | * Overall risk should reflect combined judgment |
||
| 56 | |||
| 57 | --- |
||
| 58 | |||
| 59 | h2. 4. Risk Consequences |
||
| 60 | |||
| 61 | Describe potential consequences if the risk materializes. |
||
| 62 | |||
| 63 | Examples: |
||
| 64 | * Regulatory penalties |
||
| 65 | * Customer trust erosion |
||
| 66 | * Service downtime |
||
| 67 | * Delivery delays |
||
| 68 | |||
| 69 | This section helps leadership understand *why the risk matters*. |
||
| 70 | |||
| 71 | --- |
||
| 72 | |||
| 73 | h2. 5. Mitigation Strategy |
||
| 74 | |||
| 75 | Describe how the risk is being managed. |
||
| 76 | |||
| 77 | |_. Field |_. Value | |
||
| 78 | | Mitigation Type | Avoid / Reduce / Transfer / Accept | |
||
| 79 | | Mitigation Summary | Short description | |
||
| 80 | | Owner | Role / Name | |
||
| 81 | | Target Date | YYYY-MM-DD | |
||
| 82 | |||
| 83 | Guidelines: |
||
| 84 | * Mitigation must be realistic |
||
| 85 | * One clear owner is mandatory |
||
| 86 | * “Monitor only” is acceptable if justified |
||
| 87 | |||
| 88 | --- |
||
| 89 | |||
| 90 | h2. 6. Current Status |
||
| 91 | |||
| 92 | |_. Field |_. Value | |
||
| 93 | | Status | Open / Mitigating / Monitoring / Closed | |
||
| 94 | | Last Reviewed On | YYYY-MM-DD | |
||
| 95 | | Next Review Due | YYYY-MM-DD | |
||
| 96 | |||
| 97 | Rules: |
||
| 98 | * Risks must be reviewed periodically |
||
| 99 | * Stale risks must be escalated or closed |
||
| 100 | |||
| 101 | --- |
||
| 102 | |||
| 103 | h2. 7. Related References |
||
| 104 | |||
| 105 | Link to relevant items for traceability. |
||
| 106 | |||
| 107 | Examples: |
||
| 108 | * Related Epics / Stories |
||
| 109 | * Compliance requirements |
||
| 110 | * Sprint(s) impacted |
||
| 111 | * Decision Records |
||
| 112 | * External regulations or policies |
||
| 113 | |||
| 114 | Use Redmine links where possible. |
||
| 115 | |||
| 116 | --- |
||
| 117 | |||
| 118 | h2. 8. Closure (If Applicable) |
||
| 119 | |||
| 120 | Complete this section only when closing a risk. |
||
| 121 | |||
| 122 | |_. Field |_. Value | |
||
| 123 | | Closure Date | YYYY-MM-DD | |
||
| 124 | | Closure Reason | Mitigated / No Longer Relevant / Accepted | |
||
| 125 | | Closure Notes | Short explanation | |
||
| 126 | |||
| 127 | *bq.* Closed risks must not be deleted — history must be preserved. |
||
| 128 | |||
| 129 | --- |
||
| 130 | |||
| 131 | h2. 9. Governance Rules |
||
| 132 | |||
| 133 | * Every active risk must have an owner |
||
| 134 | * High and Critical risks must be reviewed regularly |
||
| 135 | * Risks must not be hidden inside issues or comments |
||
| 136 | * This register is for *risks*, not *bugs or tasks* |
||
| 137 | |||
| 138 | --- |
||
| 139 | |||
| 140 | h2. 10. Final Statement |
||
| 141 | |||
| 142 | *bq.* Risks that are not written down are unmanaged risks. |
||
| 143 | |||
| 144 | This template ensures risks are visible, owned, and reviewed — |
||
| 145 | before they become incidents. |