A TSA risk register template is worthless as a static list and powerful as a living control. The buyer needs a register that scores each risk, names an owner, tracks a mitigation, and changes every time the committee meets. A working risk register is one of the clearest signals that a buyer is in real control of day one readiness rather than hoping for the best.
A useful risk register has a small, fixed set of fields. A description that states the risk as a cause and an effect, not just a topic. A likelihood and an impact score. A combined severity that drives prioritization. A single named owner. A mitigation action with a due date. A status that shows whether the risk is growing, stable, or receding. Anything beyond these fields tends to add bureaucracy without adding control.
Write each risk as a sentence with a cause and a consequence. A register line that says data migration is not a risk, it is a topic. A line that says the seller may not deliver the full data extract on time, which would delay migration and push the exit date, is a risk, because it states what could happen and why it matters. The discipline of writing risks as cause and effect forces clarity about what is actually being managed.
Score likelihood and impact on a simple scale, three or five points, and combine them into a severity that ranks the register. The scoring is not science, and precision is false comfort. Its value is forcing a consistent comparison so the committee spends its attention on the few high severity risks rather than the many low ones. A register that is not ranked by severity gets read top to bottom and the important risks get the same attention as the trivial.
Resist the urge to over engineer the scoring. A three by three or five by five matrix of likelihood and impact is enough. The goal is a defensible ranking, not a precise probability, and a register that claims a risk is 37 percent likely invites argument about the number rather than action on the risk. Coarse scoring that everyone understands beats fine scoring that no one trusts.
Score impact in the terms leadership cares about: effect on the exit date, effect on cost, and effect on service continuity. A risk that could push the exit date by a month scores high on schedule impact, which is the impact the deal model is most sensitive to. Scoring against the dimensions that matter to the investor keeps the register aligned with the decisions it is meant to inform.
Re score risks as they evolve rather than freezing the score at first entry. A risk whose mitigation is working should see its likelihood fall over successive reviews, and that falling score is the evidence the mitigation is effective. A risk whose score never moves is either not being worked or not being re assessed, and either way it signals a register that has gone stale.
Every risk has one owner, and the owner is accountable for the mitigation, not just for watching the risk. A risk with no owner is a risk nobody is managing, and a register full of unowned risks is a list of things the program is worried about rather than a control. The act of assigning an owner to every risk surfaces the risks that nobody wants, which are often the most dangerous.
The mitigation is a specific action with a due date, not a vague intention. Monitor the situation is not a mitigation. Obtain written confirmation from the seller of the data extract delivery date by the end of the week is a mitigation, because it is an action someone can do and the committee can check. The register tracks the mitigation to its due date and escalates if it slips, which is how a risk gets actively retired rather than passively watched.
Distinguish risks from issues. A risk is something that might happen; an issue is something that has happened. When a risk materializes, it moves out of the register and into the issue log with an owner and a resolution path, handled through the escalation playbook. Keeping the two separate stops the register filling with realized problems and losing its forward looking purpose.
Review the register at every steering committee meeting, and judge the review by whether the register changed. New risks added, scores updated, mitigations advanced, risks closed with a note explaining why. A risk register that looks identical between two meetings is a register that is not being used, and that is one of the clearest warning signs a program office can watch for.
Close risks deliberately, with a reason. A risk recedes because its mitigation worked, because the underlying condition changed, or because the window for it to occur has passed. Recording why a risk was closed builds the institutional memory and prevents the closed risk being quietly forgotten when it could still recur. A closed risk with a documented reason is a risk genuinely retired.
Keep the active register to the top fifteen or so risks that actually matter. A register of a hundred risks is a register nobody reads, and the important risks drown in the noise. Lower severity risks can be parked in a watch list and promoted to the active register if their severity rises. The discipline of a short, ranked active register is what keeps the committee focused on the risks that could move the exit.
The register exists to drive decisions, and the highest severity risks should each carry a clear ask to the committee: the decision needed, the resource required, or the escalation requested. A high severity risk that arrives at the committee with no ask wastes the committee's time, and a register that never produces asks is a register being maintained for its own sake rather than to control the program.
Tie the register to the milestones and the cost view. The risks that matter most are usually those threatening a critical path milestone or a planned takeout, and showing that link lets the committee see not just that a risk is severe but what it threatens. A risk to a milestone that gates a TSA charge ending is a risk to the savings, and connecting the two makes the consequence concrete.
Carry the register through to program close and use it as a learning asset. The risks that materialized, how they were caught, and how they were resolved are the most valuable lessons the program produces. Feeding that record into the lessons learned process means the next carve-out in the portfolio starts its register pre populated with the risks this exit actually encountered, which is how a portfolio gets better at exits over time.
A cause and effect description, likelihood and impact scores, a combined severity, a single named owner, a mitigation action with a due date, and a status showing whether the risk is growing, stable, or receding. More fields add bureaucracy without adding control.
On a coarse three by three or five by five matrix of likelihood and impact, scored against the dimensions leadership cares about: exit date, cost, and service continuity. The aim is a defensible ranking, not false precision that invites argument about the number.
A risk might happen; an issue has happened. When a risk materializes it moves from the register into the issue log with an owner and a resolution path, handled through the escalation process. Keeping them separate preserves the register's forward looking purpose.
It changes between meetings. New risks added, scores updated, mitigations advanced, and risks closed with a documented reason. A register that looks identical from one committee meeting to the next is not being used.
How a materialized risk becomes an issue that moves to resolution on a clock.
Read the article →The milestones that risks most often threaten, tracked on evidence.
Read the article →The view that surfaces open risk and aging to leadership at a glance.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →