BuildCopilot

How to Build a Construction Risk Register: Free Template and Step-by-Step Guide

A construction risk register is a living document that logs every project risk, scores it, and assigns an owner and a response. This guide shows what to include, how to score risk, a worked UK example, and how to build one fast with AI.

Intermediate11 min read

A construction risk register is a living document that records every risk that could affect a project, scores each one by likelihood and impact, and assigns an owner and a planned response. It is the central tool for managing risk across the whole job, from tender through to handover. A good register turns vague worries ("the ground might be bad", "the steel might be late") into a ranked, owned, actionable list that the team reviews and updates throughout the project.

This guide explains exactly what to put in a risk register, how to score and prioritise risks, gives you a worked UK example and a free risk register template, and shows how to build and maintain one in minutes with AI rather than hours in a spreadsheet.

Why every construction project needs a risk register

Construction is one of the highest-risk industries there is. Projects fail on cost, programme, and safety far more often than they should, and almost every failure traces back to a risk that was either never identified or never properly managed. The risk register is the single document that forces the team to think ahead instead of firefighting.

It serves several purposes at once:

  • Prioritisation. Not all risks are equal. Scoring them lets you focus management effort where it actually matters rather than spreading attention evenly across trivial and serious risks alike.
  • Accountability. Every risk has a named owner. A risk with no owner is a risk that no one is managing.
  • Communication. The register gives the client, the board, and the project team a shared, honest view of where the project is exposed.
  • Evidence and governance. Under CDM 2015 the principal designer and principal contractor must manage health and safety risk, and a documented register is strong evidence that risk was considered and controlled. For commercial risk, RICS guidance on risk management expects a structured, reviewed approach.
  • Contingency justification. A scored register is the basis for setting a sensible risk allowance or contingency rather than picking a round percentage out of the air.

What to include in a construction risk register

A risk register is a table where each row is one risk. The columns are what make it useful. Include at least the following:

  • Risk ID. A simple unique reference (R-001, R-002) so risks can be tracked and discussed without ambiguity.
  • Risk description. A clear cause-and-effect statement. Good practice is the "if, then" form: "If the existing ground is more contaminated than the survey suggests, then remediation will add cost and delay the substructure."
  • Category. Design, ground conditions, procurement, weather, health and safety, commercial, statutory, third party, and so on. Categories help you spot clusters.
  • Likelihood. How probable the risk is, usually scored 1 to 5.
  • Impact. How bad the consequence would be, also scored 1 to 5, ideally against cost, time, and safety.
  • Risk score. Likelihood multiplied by impact, giving a number from 1 to 25 that drives prioritisation.
  • Risk owner. The named individual responsible for managing that risk, not a department.
  • Response strategy. Avoid, reduce, transfer, or accept.
  • Mitigation actions. The specific things being done to reduce likelihood or impact, with dates.
  • Residual score. The score after mitigation, showing whether the actions actually move the needle.
  • Status. Open, in progress, closed, or occurred.
  • Review date. When the risk was last reviewed and when it is next due.

The cause-and-effect discipline matters. "Bad weather" is not a risk, it is a hazard. "If sustained heavy rain occurs during the groundworks phase, then the dig will flood and the slab pour will slip" is a risk you can actually score, own, and mitigate.

How to score and prioritise risk

The standard approach is a 5x5 risk matrix. You score likelihood from 1 (rare) to 5 (almost certain) and impact from 1 (negligible) to 5 (severe), then multiply them. The product places each risk in a band that tells you how to treat it.

Risk score (L x I)RatingWhat it meansAction
1 to 4LowTolerable, minimal managementMonitor, review periodically
5 to 9MediumNeeds active managementAssign owner, plan mitigation
10 to 15HighSignificant threat to projectMitigate actively, report to client
16 to 25Very high / criticalCould derail the projectEscalate now, board-level attention

The point of scoring is not precision, it is relative ranking. Two people will rarely agree that a risk is exactly a 12 rather than a 15, but they will almost always agree it is more serious than a 4. The register sorts the noise so the high and very high risks rise to the top and get the attention they deserve.

Once scored, every risk gets a response strategy:

  • Avoid. Change the plan so the risk cannot occur (redesign to remove the deep excavation entirely).
  • Reduce. Lower the likelihood or impact (intrusive ground investigation before committing the substructure design).
  • Transfer. Move the risk to a party better able to carry it (insurance, or a contractual mechanism that allocates it to the subcontractor).
  • Accept. Acknowledge it, set aside contingency, and monitor (a small risk that is not worth the cost of mitigating).

Risk register vs risk assessment vs issue log

These three terms get mixed up constantly, so here is how they differ.

DocumentScopeTime focusPrimary concern
Risk registerWhole projectFuture, what might happenCost, time, safety, commercial risk
Risk assessmentA specific task or activityPresent, how to do it safelyHealth and safety hazards
Issue logWhole projectNow, what has already happenedProblems that have already occurred

A risk assessment is a health and safety document focused on a particular activity, such as working at height or operating a particular piece of plant, and it underpins your RAMS. The risk register is broader and forward-looking, covering commercial, programme, design, and statutory risk as well as safety. An issue log records risks that have already materialised and become live problems. You can read more on the safety side in our AI risk assessment for construction guide.

A worked UK risk register example

Here is a short extract from the register for a realistic project: a four-storey residential block on a brownfield site in Leeds, JCT Design and Build, 14-month programme.

R-007 | Ground conditions Description: If the ground is more contaminated than the Phase 1 desk study indicates, then additional remediation and muck-away will add cost and delay the substructure. Likelihood 4, Impact 4, Score 16 (very high). Owner: Project Manager. Response: Reduce. Commission an intrusive Phase 2 ground investigation before finalising the substructure design and price. Hold a remediation provisional sum. Residual score after mitigation: Likelihood 2, Impact 4, Score 8 (medium). Status: In progress. Review date: next month.

R-012 | Procurement Description: If the structural steel package is not let by week 6, then fabrication lead time pushes the frame erection past the programme date and delays the whole job. Likelihood 3, Impact 5, Score 15 (high). Owner: Commercial Manager. Response: Reduce. Prioritise the steel tender, pre-qualify two fabricators now, and place an early advance order on key sections. Residual score: Likelihood 2, Impact 5, Score 10 (high). Status: Open. Review date: this week.

R-021 | Weather Description: If sustained heavy rain occurs during the groundworks phase (Q1), then the excavation will flood and the slab pour will slip, with knock-on programme delay. Likelihood 4, Impact 3, Score 12 (high). Owner: Site Manager. Response: Reduce and accept. Programme groundworks to allow weather float, keep pumps on standby, and hold programme contingency. Residual score: Likelihood 4, Impact 2, Score 8 (medium). Status: Open. Review date: next month.

Notice how the residual score shows whether mitigation is actually working. R-007 drops from 16 to 8 because the ground investigation genuinely reduces uncertainty. R-012 only drops from 15 to 10 because the lead-time impact cannot be removed entirely, just managed, which tells you it still needs close attention.

How to build a risk register in minutes with AI

A blank risk register is daunting, and the slow part is the first draft: thinking of every plausible risk, writing it up in proper cause-and-effect form, categorising it, and suggesting sensible mitigations. This is exactly the kind of structured drafting AI does well.

The workflow is straightforward:

  1. Describe the project. Give the AI the project type, location, contract form, programme, and any known constraints (brownfield site, tight access, fixed completion date).
  2. Ask for a starter register. Prompt it to generate a risk register covering the standard categories, each risk in cause-and-effect form, with a suggested likelihood, impact, owner role, response strategy, and mitigation.
  3. Review and challenge. This is the critical step. The AI gives you a thorough first draft, but you apply project knowledge: delete what does not apply, add the site-specific risks only you know about, and adjust the scores to reflect reality.
  4. Maintain it. Each review cycle, paste in what has changed and have the AI update statuses, residual scores, and review dates.

The AI does the heavy lifting of breadth and structure so you do not stare at an empty spreadsheet, and you provide the judgement that makes the register accurate. A first draft that took half a day now takes twenty minutes. Our generate project risk register workflow gives you the exact prompt, and the full set of construction prompts is in the BuildCopilot Prompt Pack. Project managers will also find the wider AI for project management collection useful for the rest of the PM workflow.

Common risk register mistakes

  • Writing it once and filing it. A register that is not reviewed is worthless. The risk profile changes constantly as the project moves through its phases. Review it at every project meeting.
  • Vague risk descriptions. "Design risk" is not a risk. Use the if-then form so the risk can be scored and managed.
  • No named owner. "The team" does not own anything. One named person per risk.
  • Mitigations with no dates. An action without a date is a hope, not a plan.
  • Ignoring residual risk. If your mitigation does not move the score, it is not mitigation. Track the residual score to prove the actions work.
  • Scoring inflation or deflation. Be honest. Talking yourself out of a high score to make the project look better is how projects fail.

Free risk register template

Use our free construction risk register template to set up a properly structured register with scoring, ownership, and residual risk built in. Pair it with the AI workflow above and you get a thorough, well-structured register without the hours of spreadsheet work, plus a maintenance routine that keeps it alive through the whole project.

Frequently asked questions

What is a construction risk register?

A construction risk register is a living document that lists every risk that could affect a project, scores each one by likelihood and impact, and records an owner, a response strategy, and mitigation actions. It is the central tool for identifying, prioritising, and managing project risk from tender through to completion.

What should be included in a risk register?

Each risk should have a unique ID, a clear cause-and-effect description, a category, a likelihood score, an impact score, a combined risk score, a named owner, a response strategy (avoid, reduce, transfer, or accept), mitigation actions with dates, a residual score after mitigation, a status, and a review date.

How do you score risk in construction?

The standard method is a 5x5 matrix. You rate likelihood from 1 (rare) to 5 (almost certain) and impact from 1 (negligible) to 5 (severe), then multiply them for a score from 1 to 25. Scores group into low (1 to 4), medium (5 to 9), high (10 to 15), and very high (16 to 25), which determines how much management attention each risk needs.

What is the difference between a risk register and a risk assessment?

A risk assessment is a health and safety document focused on the hazards of a specific task, such as working at height, and it underpins your RAMS. A risk register is broader and forward-looking, covering commercial, programme, design, statutory, and safety risk across the whole project. The assessment manages how to do a task safely now; the register manages what might go wrong later.

Who owns the construction risk register?

The project manager typically owns the register as a whole and is responsible for keeping it reviewed and up to date, but each individual risk has its own named owner who manages that specific risk. Under CDM 2015 the principal designer and principal contractor have specific duties to manage health and safety risk.

How often should a risk register be reviewed?

Review the register at every project or progress meeting, at minimum monthly, and whenever a major change occurs such as a new phase starting, a significant variation, or a risk materialising. A register that is not reviewed regularly quickly becomes out of date and stops reflecting the project's real risk profile.

Want more templates like this?

Get new AI workflows and construction templates delivered weekly. Free.

Subscribe Free

No spam ever.

Related resources

Free Weekly Newsletter

Get Construction AI Tips in Your Inbox

New workflows, prompts, and templates delivered weekly. Join construction professionals already saving hours with AI.

No spam. Unsubscribe anytime.