When to use this
Use this template to record each trans-inclusion risk on your organisational risk register — legal, reputational, operational, and data-protection risks alike. A risk that is not on the register, with no named owner, is a risk that will quietly mature. A named owner per risk is non-negotiable: without an owner, no one is accountable for the mitigations, the review, or the escalation.
How to use this template
Copy the field set for each risk. Score likelihood and impact on a 1–5 scale and record the reasoning behind the score — the number alone is not defensible. Review the register on a schedule, not only when something goes wrong.
Entry fields
Risk ID: Risk title: Category: (legal / reputational / operational / data-protection) Description: Root cause: Likelihood (1–5): Likelihood rationale: Impact (1–5): Impact rationale: Inherent risk score: (likelihood × impact) Current controls: Mitigating actions: Action owner: Target / residual risk: (after mitigations) Due date: Review date: Status: (open / monitoring / closed)
Illustrative example entries
The entries below are examples only — written to show the shape of a well-formed entry. Replace them with your own.
Example 1
Risk title: Blanket exclusion challenge Category: Legal Description: The organisation applies a blanket exclusion of trans people from a service without a case-by-case proportionality assessment. Root cause: Policy written as a blanket rule, not as a case-by-case exception. Likelihood: 3 — a complaint or challenge is reasonably foreseeable. Impact: 4 — a successful challenge could require policy change and carry reputational cost. Inherent risk score: 12 Current controls: None — policy is unexamined. Mitigating actions: Rewrite policy as a case-by-case process; complete an EqIA; train staff. Action owner: Head of Services Target / residual risk: 6 Review date: [set]
Example 2
Risk title: Inconsistent facilities decision across sites Category: Operational Description: Different sites apply different rules for trans-inclusive facilities, creating inconsistency and perceived unfairness. Root cause: No central guidance; each site manager decides locally. Likelihood: 4 — already happening. Impact: 3 — inconsistency undermines trust and invites complaint. Inherent risk score: 12 Current controls: None. Mitigating actions: Issue a single organisation-wide policy; brief all site managers. Action owner: Operations Director Target / residual risk: 4 Review date: [set]
Example 3
Risk title: Gender-history data over-collected Category: Data-protection Description: Forms collect gender-history fields that are not needed for any defined purpose. Root cause: Form copied from another context without a data-protection review. Likelihood: 3 — likely to be flagged on review. Impact: 4 — special-category data held without a lawful basis is a serious breach. Inherent risk score: 12 Current controls: None. Mitigating actions: Remove unnecessary fields; complete a DPIA; re-baseline the form against a defined purpose. Action owner: Data Protection Officer Target / residual risk: 4 Review date: [set]
Review
Register review schedule: Register owner: Next review date:
This template provides general information and does not constitute legal advice. It is a scaffold to support your own documented, proportionate decision-making. Adapt it to your context and take specialist advice where your decision warrants it.