RAID Logs: The PM Tool Nobody Uses Right (And How to Fix It)
I have a confession. For the first three years I managed programs, my RAID log was a spreadsheet I updated the night before steering committee meetings. I'd scan my notes, add a few risks, mark some items resolved, and call it current. It was a compliance exercise, not a management tool.
Then a dependency I hadn't tracked properly slipped by four weeks and blew a release date at an aerospace company. The information was in my head. It was in Slack threads. It was in meeting notes. It was not in the RAID log. And when leadership asked why it wasn't flagged earlier, "I knew about it but didn't log it" was not an acceptable answer.
That was the moment my RAID log stopped being a checkbox and started being the operating system for how I ran programs.
What RAID actually stands for (and what each piece does)
R — Risks
Things that might happen and would hurt the program if they did. Each risk needs a probability, impact, owner, and mitigation plan. Not a vague worry. A specific scenario with a response.
A — Actions
Tasks that need to happen outside the normal workstream. The action item from the meeting that doesn't belong in Jira. The follow-up that falls between teams. The thing that gets lost without a tracking mechanism.
I — Issues
Risks that materialized. Problems that are happening now and need resolution. Every issue needs an owner, a target resolution date, and a clear description of impact. Issues without owners are just complaints.
D — Dependencies
Things outside your direct control that your program relies on. Another team's deliverable, a vendor timeline, a leadership decision. Each dependency needs an expected date, a status, and a contingency if it slips.
Most PMs know what the letters stand for. The problem isn't knowledge. It's practice.
Why most RAID logs become graveyards
I've reviewed hundreds of RAID logs across three companies. The failure patterns are remarkably consistent:
- Batch updating. The log only gets touched before a governance meeting. By then, half the items are stale, and the PM is reconstructing history instead of tracking reality. A RAID log updated once a week is a reporting artifact. A RAID log updated as things happen is a management tool.
- No owner discipline. Every item should have exactly one human name next to it. Not a team name. Not "TBD." A person who is accountable for either mitigating the risk, completing the action, resolving the issue, or monitoring the dependency. No owner means no accountability, which means no progress.
- Items that never close. I've seen RAID logs where risks logged in month two were still "open" in month nine with no update. If a risk hasn't changed status in 30 days, it's either been accepted (close it and note why) or the mitigation isn't working (escalate it). Stale items erode trust in the entire log.
- Wrong level of detail. A risk described as "timeline risk" is useless. A risk described as "API integration with Partner X may miss the March 15 milestone if their v2 endpoint isn't available by February 28, impacting our beta launch" is actionable. Specificity is what makes a RAID log useful.
- No connection to decisions. The log tracks items. But if those items never make it into the status report, never get discussed in standups, and never influence actual decisions, the log is just a place where information goes to die.
A RAID log that's built to stay alive
The RAID Log template comes in two versions: an Excel workbook for structured tracking with built-in aging and status fields, and an interactive HTML dashboard with filtering, sorting, and visual status indicators. Both are designed around the review cadence that keeps RAID logs from becoming graveyards.
Get the RAID Log Template — $29How to keep your RAID log alive
The tool matters less than the discipline around it. Here's the operating rhythm I've used since that aerospace dependency nearly cost me a release:
The daily scan (5 minutes)
At the end of every day, I spend five minutes scanning three things: did any new risk surface today? Did any dependency status change? Are there action items from today's meetings that need to be captured? This isn't a formal review. It's muscle memory. The same way you check your email before you leave, you scan your RAID log.
The weekly review (15 minutes)
Once a week, do a proper pass through every open item. Ask three questions for each one:
- Has the status changed? Update it.
- Is this still relevant? If not, close it with a note.
- Does this need to surface in the status report? Flag it.
This is also when I check for aging. If an action item has been open for more than two weeks with no progress, something is wrong—either the owner is blocked, the item isn't actually important, or it needs to be escalated.
The bi-weekly stakeholder review (30 minutes)
Every two weeks, pull the top risks and open issues into your steering committee or leadership check-in. Don't read the log line by line—nobody wants that. Surface the 3-5 items that need visibility or decisions. This is where the RAID log earns its keep. When a VP asks "what could go wrong with this program?" and you can immediately pull up a current, specific, well-maintained risk register, you've demonstrated exactly the kind of operational rigor that builds trust.
The monthly cleanup (20 minutes)
Once a month, archive resolved items, review closed risks to see if any are recurring patterns, and check that dependency dates still align with the program plan. This is also a good time to cross-reference your RAID log with your prioritization matrix—if high-priority items have unmitigated risks attached to them, that's a conversation worth having.
The RAID log as early warning system
Here's the shift that changed how I think about RAID logs: they're not a record of what happened. They're a forward-looking radar system.
At a global retailer, I managed a program with 40+ integration dependencies across internal teams and external vendors. The RAID log became the primary tool for predicting problems before they hit. When I saw three dependencies from the same team trending yellow at the same time, I didn't wait for the slip. I escalated the pattern, and we shifted resources before any of them went red.
That's the power of a well-maintained RAID log. Not the individual items—the patterns across items. Dependencies clustering around one team. Risks in one category multiplying. Action items stalling for the same reason. The log tells you where the system is stressed if you're paying attention.
Starting from scratch vs. reviving a dead one
If your RAID log is currently a graveyard, don't try to update everything at once. You'll spend hours and still end up with stale data. Instead:
- Close everything. Mark all existing items as "archived - legacy." Clean slate.
- Rebuild from current state. Spend 30 minutes listing only the risks, actions, issues, and dependencies that are real right now. Not the ones from three months ago.
- Set the cadence. Put a 5-minute daily scan and a 15-minute weekly review on your calendar. Not as optional. As standing blocks.
- Connect it to your reporting. Pull the top 3-5 items into your next status report. When leadership sees the RAID log driving the conversation, you've created the accountability loop that keeps it alive.
The tool doesn't keep itself current. You do. But having the right structure makes that discipline dramatically easier.
Two formats, one system
The RAID Log comes in both Excel and interactive HTML versions. The Excel version gives you structured tracking with formulas for aging, status rollup, and clean reporting output. The interactive version gives you instant filtering, sorting, and a dashboard view for stakeholder conversations. Use whichever fits your workflow—or both.
Get the RAID Log Template — $29