WPP PROCUREMENT DICTIONARY™

Risk Register

A controlled record of identified risks, likelihood, impact, mitigation, owner and review status.

Tender PreparationBeginner2 min readReviewed July 2026
30-second answer

A risk register is a controlled record of delivery threats, their likelihood and impact, planned mitigation, contingency actions, owners and review status.

Detailed explanation

A useful register goes beyond listing generic risks. It describes the cause and consequence, assigns an accountable owner, identifies preventive controls, sets trigger points and records what will happen if the risk materialises.

In tender responses, the register demonstrates that the supplier understands the specific contract environment. Risks might include resident access, mobilisation delay, labour shortages, data migration, supply-chain failure, asbestos, weather, approvals or performance dependencies.

The document should become a live contract-management tool after award. Risks must be reviewed, escalated and closed with evidence rather than filed away after submission.

Why it matters

It demonstrates that delivery threats have been considered and will be actively managed.

How buyers use it

The buyer reviews risk information to assess delivery maturity, contract understanding and whether proposed controls reduce exposure to an acceptable level.

What suppliers should do

  1. Identify contract-specific causes and consequences.
  2. Score likelihood and impact consistently.
  3. Assign named owners and review dates.
  4. Define mitigation, triggers and contingency actions.
  5. Link key risks to mobilisation and governance.

Where it fits in the process

  1. 1Risk identified
  2. 2Likelihood and impact assessed
  3. 3Owner and mitigation assigned
  4. 4Triggers monitored
  5. 5Risk reviewed, escalated or closed

Frequently asked questions

How many risks should we include?

Include the material risks needed to demonstrate understanding; relevance matters more than volume.

What is the difference between mitigation and contingency?

Mitigation reduces likelihood or impact before the event; contingency describes the response if it occurs.

Should opportunities be included?

Some organisations maintain combined risk and opportunity registers, but follow the tender requirement.

Who should own a risk?

A named role with authority and responsibility to manage it, not a generic department.

Does the register need updating after award?

Yes. It should support mobilisation, governance and ongoing contract management.

Did this explanation help?Your feedback helps us improve the dictionary.
EmailShare on LinkedIn