What is a Risk Register?

A risk register is a centralized document or tool that records identified risks, their assessment (likelihood and impact), assigned treatments, owners, and current status. It serves as the foundation of an organization's risk management program and is a key artifact required by frameworks including ISO 27001, SOC 2, and NIST CSF.

What a risk register contains

A well-structured risk register typically includes the following fields for each risk:

  • Risk ID — a unique identifier for tracking
  • Risk description — a clear statement of the risk, typically describing the threat, vulnerability, and potential impact
  • Risk category — classification such as operational, technical, compliance, strategic, or third-party
  • Likelihood — the probability of the risk materializing (often rated on a scale such as 1-5 or low/medium/high)
  • Impact — the potential consequence if the risk materializes (rated similarly)
  • Risk score — calculated from likelihood and impact (e.g., likelihood x impact)
  • Risk owner — the person accountable for managing the risk
  • Treatment option — mitigate, accept, transfer, or avoid
  • Controls — the specific controls implemented to address the risk
  • Residual risk — the remaining risk level after treatment is applied
  • Status — current state (open, in treatment, accepted, closed)
  • Review date — when the risk was last reviewed or when the next review is due

Building a risk register

Creating a risk register follows a systematic process:

  1. Identify risks — gather risks through workshops, interviews, threat modeling, vulnerability assessments, incident reviews, and industry threat intelligence
  2. Assess each risk — evaluate the likelihood and impact of each risk to determine its severity
  3. Prioritize — rank risks by their risk score to focus attention and resources on the most significant threats
  4. Assign ownership — designate a responsible owner for each risk
  5. Determine treatment — decide how each risk will be handled
  6. Document controls — record the specific controls that address each risk
  7. Calculate residual risk — assess the remaining risk after controls are applied
  8. Review and approve — have management review and approve the register
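The fields listed above and steps 2, 3 and 7 of this process amount to a small data model plus a scoring rule, so they are worth seeing in code. The following is an added example written for this page, not code from episki or from any of the frameworks named below. It assumes a 1-5 scale for likelihood and impact, a 90-day review interval, and qualitative rating bands (low/medium/high/critical) chosen for illustration; the three sample risks are constructed. Besides the likelihood x impact score it also shows prioritization, residual-risk comparison against a risk appetite threshold, and detection of overdue reviews, which is where a register becomes a management tool rather than a list.

```python
"""Minimal risk register: fields, scoring, prioritization, residual risk, review tracking.

Illustrative example. The 1-5 scale, rating bands and 90-day review interval
are assumptions for this example, not values taken from any standard.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Treatment(Enum):
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"


class Status(Enum):
    OPEN = "open"
    IN_TREATMENT = "in treatment"
    ACCEPTED = "accepted"
    CLOSED = "closed"


SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale for likelihood and impact


def rating(score: int) -> str:
    """Map a likelihood x impact score (1-25) to a qualitative band (assumed boundaries)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: int
    impact: int
    owner: str
    treatment: Treatment
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # recorded once controls are in place
    residual_impact: Optional[int] = None
    status: Status = Status.OPEN
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so scores stay comparable across the register.
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value is not None and not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be within {SCALE_MIN}-{SCALE_MAX}, got {value}")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Remaining risk after treatment; equals the inherent score until residual ratings exist."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_score
        return self.residual_likelihood * self.residual_impact


class RiskRegister:
    def __init__(self) -> None:
        self._risks: dict = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def prioritized(self) -> list:
        """Highest inherent score first; ties broken by id so the ordering is stable."""
        return sorted(self._risks.values(), key=lambda r: (-r.inherent_score, r.risk_id))

    def overdue_reviews(self, as_of: date, interval: timedelta = timedelta(days=90)) -> list:
        """Ids of non-closed risks never reviewed, or not reviewed within `interval`."""
        return [r.risk_id for r in self._risks.values()
                if r.status is not Status.CLOSED
                and (r.last_reviewed is None or as_of - r.last_reviewed > interval)]

    def above_appetite(self, max_residual: int) -> list:
        """Risks whose residual score exceeds the appetite and have not been formally accepted."""
        return [r.risk_id for r in self._risks.values()
                if r.residual_score > max_residual and r.status is not Status.ACCEPTED]


def build_sample_register() -> RiskRegister:
    """Constructed sample data for the example; not from any real organization."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "Unpatched internet-facing servers exploited via known vulnerabilities",
                 "technical", likelihood=4, impact=5, owner="Head of Infrastructure",
                 treatment=Treatment.MITIGATE, controls=["monthly patch cycle", "external scanning"],
                 residual_likelihood=2, residual_impact=5, status=Status.IN_TREATMENT,
                 last_reviewed=date(2024, 1, 15)))
    reg.add(Risk("R-002", "Critical SaaS vendor outage disrupts operations",
                 "third-party", likelihood=3, impact=3, owner="COO",
                 treatment=Treatment.TRANSFER, controls=["contractual SLA", "manual fallback procedure"],
                 residual_likelihood=3, residual_impact=2, status=Status.ACCEPTED,
                 last_reviewed=date(2024, 3, 1)))
    reg.add(Risk("R-003", "Staff phished, leading to credential compromise",
                 "operational", likelihood=5, impact=4, owner="CISO",
                 treatment=Treatment.MITIGATE, controls=["phishing-resistant MFA", "awareness training"],
                 status=Status.OPEN))  # no residual rating yet and never reviewed
    return reg
```

Two details matter in practice: `residual_score` falls back to the inherent score until residual ratings are actually recorded, so an untreated risk is never silently reported as reduced, and `above_appetite` excludes only risks with status `ACCEPTED`, so a high residual score with no acceptance decision on file still surfaces for management attention.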

Maintaining the risk register

A risk register is only valuable if it is kept current. Regular maintenance includes:

  • Periodic reviews — review the full register at least quarterly, with management review at least annually
  • Triggered updates — update the register when significant changes occur (new systems, new services, organizational changes, incidents)
  • New risk identification — continuously identify and add new risks as the threat landscape evolves
  • Treatment progress tracking — monitor and update the status of risk treatment activities
  • Residual risk reassessment — re-evaluate residual risk as controls are implemented or change

Risk register in compliance frameworks

Different frameworks require or recommend risk registers:

  • ISO 27001 — clause 6.1.2 requires a risk assessment process, and the risk register is the standard artifact for documenting results
  • SOC 2 — the Common Criteria CC3 series (risk assessment) expects organizations to identify, assess, and manage risks
  • NIST CSF — the Identify function (ID.RA) addresses risk assessment activities that feed into a risk register

Common pitfalls

Organizations often struggle with risk registers due to:

  • Making the register too complex or too simple
  • Failing to review and update regularly
  • Not assigning clear ownership
  • Rating all risks as "high" without meaningful differentiation
  • Treating the register as a compliance checkbox rather than a management tool

How episki helps

episki provides a built-in risk register with configurable likelihood and impact scales, automatic risk scoring, owner assignment, treatment tracking, and review scheduling. The platform links risks to controls and evidence, creating a complete chain from risk identification through treatment. Learn more on our compliance platform.
