A risk register is a controlled record of delivery threats, their likelihood and impact, planned mitigation, contingency actions, owners and review status.
Detailed explanation
A useful register goes beyond listing generic risks. It describes the cause and consequence, assigns an accountable owner, identifies preventive controls, sets trigger points and records what will happen if the risk materialises.
In tender responses, the register demonstrates that the supplier understands the specific contract environment. Risks might include resident access, mobilisation delay, labour shortages, data migration, supply-chain failure, asbestos, weather, approvals or performance dependencies.
The document should become a live contract-management tool after award. Risks must be reviewed, escalated and closed with evidence rather than filed away after submission.
Why it matters
It demonstrates that delivery threats have been considered and will be actively managed.
How buyers use it
The buyer reviews risk information to assess delivery maturity, contract understanding and whether proposed controls reduce exposure to an acceptable level.
What suppliers should do
- Identify contract-specific causes and consequences.
- Score likelihood and impact consistently.
- Assign named owners and review dates.
- Define mitigation, triggers and contingency actions.
- Link key risks to mobilisation and governance.
Where it fits in the process
- 1Risk identified
- 2Likelihood and impact assessed
- 3Owner and mitigation assigned
- 4Triggers monitored
- 5Risk reviewed, escalated or closed
Frequently asked questions
How many risks should we include?
Include the material risks needed to demonstrate understanding; relevance matters more than volume.
What is the difference between mitigation and contingency?
Mitigation reduces likelihood or impact before the event; contingency describes the response if it occurs.
Should opportunities be included?
Some organisations maintain combined risk and opportunity registers, but follow the tender requirement.
Who should own a risk?
A named role with authority and responsibility to manage it, not a generic department.
Does the register need updating after award?
Yes. It should support mobilisation, governance and ongoing contract management.
Thank you — your feedback has been recorded on this device.
