How is the risk score calculated?

The risk score is probability multiplied by impact, each rated 1 to 5. This produces a score from 1 to 25, which the tool maps to bands: 1-4 Low, 5-9 Medium, 10-14 High, 15-25 Critical.

What is the difference between probability and impact?

Probability is how likely the risk is to occur, while impact is how severe the consequences would be if it did. A rare but catastrophic risk and a common but minor one can have the same score, so both dimensions matter.

Who should own a risk?

The risk owner is the single person accountable for monitoring the risk and triggering the mitigation plan. It is usually the team member with the most control over the risk area, not necessarily the project manager.

Do I need to mitigate every risk?

No. Common responses are avoid, transfer, mitigate, or accept. Low-score risks are often simply accepted and monitored, while high and critical risks always need an active mitigation strategy.

Is my data saved anywhere?

No. The entire register is built in your browser and nothing is sent to a server. Closing the tab clears it, so copy the Markdown export to keep your work.

Risk Register Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

A risk register is the backbone of project risk management: a living list of everything that could go wrong, scored so the team knows where to focus. This builder lets you capture each risk, score it, plan a response, and export a clean table you can paste into a project plan, wiki, or report.

How it works

Each risk is scored on two independent five-point scales. Probability answers “how likely is this to happen?” and impact answers “how bad would it be if it did?” The two are multiplied to give a risk score between 1 and 25. The score is then mapped to a rating band so the most dangerous risks rise to the top:

score = probability (1-5) × impact (1-5)

1-4   → Low
5-9   → Medium
10-14 → High
15-25 → Critical

This probability-times-impact model is the standard approach used in PMBOK, PRINCE2, and most ISO 31000-aligned frameworks. Multiplying the two scales means a risk only reaches Critical when it is both reasonably likely and seriously damaging.

Tips and example

A well-formed risk reads as a cause-and-effect statement. Instead of writing “server problems,” write “the payment provider may rate-limit us during a launch spike, blocking checkouts.” That clarity makes the mitigation obvious: pre-warm capacity and add a fallback provider.

Keep your register short and current. Five well-managed risks beat forty stale ones. Review scores at each milestone, retire risks that have passed, and add new ones as the project evolves. Assign every risk an owner so accountability never falls through the cracks.