Free resource

Risk Log Template (ISO 31000)

A free, ISO 31000-aligned risk register template — Excel and CSV. Ships with a 5×5 severity matrix, inherent vs residual scoring, and a treatment column. Open it in Excel, Google Sheets, or Numbers and start logging risks in under a minute.

No email required. Free to use, share, and adapt.

What's inside

  • 22 pre-labeled columns covering identification, analysis, treatment and monitoring
  • 5×5 severity matrix legend with Low / Medium / High / Extreme bands
  • Inherent and residual scoring side by side, so controls prove their worth
  • Sample row you can delete once you understand the layout
  • How-to-use sheet with the ISO 31000 five-step loop

How to keep a risk log

The template follows the ISO 31000 loop. Work each risk through these five steps — and revisit the loop on a schedule.

  1. Identify

    Add one row per risk. Give it a stable ID (R-001, R-002…), an owner, and a date. Describe the cause and the consequence separately — the register is only useful if a stranger can read the row and understand what could go wrong.

  2. Analyze

    Score inherent likelihood and inherent impact on the 5×5 matrix (1–5 each), before your controls are considered. The template computes severity for you.

  3. Evaluate

    Compare inherent severity to your organization's risk appetite. High and Extreme risks need a treatment; Low risks may just need monitoring.

  4. Treat

    Pick a strategy — Avoid, Reduce, Transfer, or Accept — and log the concrete actions, owners and deadlines. This is where a register proves its value.

  5. Monitor

    Once controls are in place, re-score for residual likelihood and impact. Set a next-review date. Update the status when reality changes.

When a spreadsheet stops working

A CSV is a great start — but once more than one person maintains it, or you need an audit trail of who changed what and when, or review reminders, it becomes fragile. EasyRisk.io keeps the same columns as this template and adds immutable change tracking, a live 5×5 matrix, and scheduled review reminders. Free forever for small teams.

FAQ

What is a risk log?

A risk log (or risk register) is the single source of truth for every operational risk your organization is tracking. Each entry records what could go wrong, how likely it is, how bad the impact would be, who owns it, and what you're doing about it. ISO 31000 treats the register as the living record of the identify → analyze → evaluate → treat → monitor loop.

What columns should a risk log contain?

At minimum: ID, title, category, owner, date identified, description, cause, consequence, inherent likelihood and impact (1–5), inherent severity, existing controls, treatment strategy (avoid / reduce / transfer / accept), treatment actions, residual likelihood and impact, residual severity, status, and next review date. The downloadable template above ships with all of these plus a 5×5 severity matrix legend.

What's the difference between inherent and residual risk?

Inherent risk is the risk before any controls are applied. Residual risk is what's left after your controls and treatments are working. Scoring both is what makes a register defensible — it shows the risk was real and the controls actually moved the number.

When should I move from a spreadsheet to a tool?

Spreadsheets stop working once more than one person maintains them, once you need an audit trail of who changed what, or once you need review reminders and matrix views. That's exactly what EasyRisk.io adds — you can start free and import the same columns from the template.