ELI5: What is a Risk Register?
It’s a master list of every danger the company knows about — who’s in charge of watching it, what’s being done about it, and how serious it still is. Think of it like a to-do list for safety that never gets thrown away; it just gets updated.
Definition
A risk register is a living document (typically maintained as a spreadsheet, database, or GRC platform record) that catalogs all identified risks facing the organization, along with their likelihood and impact ratings, assigned risk owners, planned or implemented responses, current status, and residual risk ratings. It serves as the central record of the organization’s risk posture and is reviewed regularly by the security team, governance committees, and management.
Key Details
- Key fields: risk description, category, likelihood, impact, risk score (derived from likelihood and impact), risk owner, treatment strategy, controls in place, residual risk (the rating that remains after controls), status, review date
- Risk treatment strategies recorded in the register: mitigate, transfer, avoid, or accept
- The risk register is a living document — new risks are added, existing risks are updated, and resolved risks are archived
- Findings from audits, security assessments, and vulnerability scans should be tracked in the risk register
- Exam tip: the risk register is the authoritative source of truth for an organization’s risk posture; it connects risk identification, assessment, and treatment into a single artifact
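As an added illustration that is not part of the original page, the following Python model turns the fields listed above into a small register and runs the checks a reviewer would want at each review cycle: inherent versus residual scoring, overdue reviews, accepted risks that still sit above the risk appetite, and archiving of resolved entries. The 1-5 rating scale, the likelihood x impact score, the rating band thresholds, the appetite value, and the sample entries are all assumptions constructed for the example; substitute the organization's own scale and heat-map bands.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Treatment strategies the page lists; anything else is rejected on entry.
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: int                    # inherent likelihood, 1-5 (scale assumed)
    impact: int                        # inherent impact, 1-5 (scale assumed)
    owner: str
    treatment: str                     # one of TREATMENTS
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # re-rated after controls
    residual_impact: Optional[int] = None
    review_date: Optional[date] = None
    status: str = "open"               # open | resolved | archived

    def __post_init__(self) -> None:
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            v = getattr(self, name)
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1-5, got {v}")

    @property
    def inherent_score(self) -> int:
        # Score = likelihood x impact (common convention, assumed here).
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Until a residual rating is recorded the risk is untreated: residual
        # equals inherent rather than silently reading as zero.
        lk = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        im = self.residual_impact if self.residual_impact is not None else self.impact
        return lk * im


def rating(score: int) -> str:
    # Band thresholds are assumed; align them with the organization's heat map.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def overdue_reviews(register: List[Risk], today: date) -> List[str]:
    # Open risks whose scheduled review date has already passed.
    return sorted(r.risk_id for r in register
                  if r.status == "open" and r.review_date is not None and r.review_date < today)


def accepted_over_appetite(register: List[Risk], appetite: int) -> List[str]:
    # "Accept" is only valid below the appetite; flag accepted risks still above it.
    return sorted(r.risk_id for r in register
                  if r.status == "open" and r.treatment == "accept" and r.residual_score > appetite)


def ranked(register: List[Risk]) -> List[Tuple[str, int, str]]:
    # Open risks by residual score, highest first, for the review meeting.
    open_risks = sorted((r for r in register if r.status == "open"),
                        key=lambda r: r.residual_score, reverse=True)
    return [(r.risk_id, r.residual_score, rating(r.residual_score)) for r in open_risks]


def archive_resolved(register: List[Risk]) -> List[str]:
    # Resolved risks are archived, never deleted: the register keeps its history.
    archived = []
    for r in register:
        if r.status == "resolved":
            r.status = "archived"
            archived.append(r.risk_id)
    return archived


# Constructed sample register and review date (not real findings).
TODAY = date(2024, 7, 1)


def build_sample_register() -> List[Risk]:
    return [
        Risk("R-001", "Unpatched internet-facing VPN appliance", "Infrastructure", 4, 5,
             "Head of Infrastructure", "mitigate", ["vendor patch applied", "MFA enforced"],
             residual_likelihood=2, residual_impact=5, review_date=date(2024, 3, 1)),
        Risk("R-002", "Phishing of finance staff leading to fraudulent payment", "People", 4, 3,
             "CFO", "transfer", ["cyber insurance policy", "awareness training"],
             residual_likelihood=3, residual_impact=2, review_date=date(2024, 9, 1)),
        Risk("R-003", "Legacy application with no vendor support", "Application", 3, 4,
             "Head of Engineering", "accept", review_date=date(2024, 6, 15)),
        Risk("R-004", "Anonymous FTP server exposed to the internet", "Infrastructure", 2, 2,
             "Head of Infrastructure", "avoid", ["server decommissioned"],
             residual_likelihood=1, residual_impact=1, status="resolved"),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    print("ranked:", ranked(reg))
    print("overdue:", overdue_reviews(reg, TODAY))
    print("accepted over appetite:", accepted_over_appetite(reg, 8))
    print("archived:", archive_resolved(reg))
```

R-003 shows why residual defaults to inherent: with no controls and no residual rating, it stays at its full score and is caught by the appetite check, whereas a register that left residual blank would let an unreviewed acceptance disappear from the ranking.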
Connections
- Parent: risk-management — the risk register is the central artifact of the risk management program
- See also: risk-matrix-heat-map
- See also: findings-and-remediation