Building a Risk Register That Actually Works
April 18, 2026
The risk register is the workhorse artefact of any risk program. Done well, it is the single source of truth that drives treatment decisions and board reporting. Done badly, it is a spreadsheet created for an audit and never opened again. The difference comes down to what you capture, when you update it, and whether anyone makes decisions from it.
When to start populating it
A frequent exam point: you begin populating the risk register during the risk identification phase, not after analysis or treatment. The register is a living record that grows as you learn — entries start as identified risks and are enriched with analysis, ownership and treatment over time. Waiting until everything is analysed defeats the purpose.
What a useful entry contains
- Risk description — written as a scenario (threat exploits vulnerability, leading to impact), not a vague label like "cyber risk."
- Risk owner — a named, accountable individual with the authority to make treatment decisions. A register full of unowned risks is a register of orphans.
- Inherent assessment — likelihood and impact before controls.
- Existing controls and their assessed effectiveness.
- Residual assessment — likelihood and impact after controls. This is what management actually decides on.
- Treatment decision — avoid, mitigate, transfer or accept, with the rationale.
- Status, dates and review date — so the register stays current.
The residual-risk decision
The entire point of the register is to surface residual risk — what remains after controls — and put it in front of the person with authority to accept it. Effective risk management is not "every risk has a control"; it is "residual risk is within the organisation's risk appetite," formally accepted by the right owner. Risks above appetite cannot be quietly accepted; they must be escalated, treated further, or trigger a deliberate change in appetite.
Keeping it alive
A register is updated as a matter of routine, not as an annual event. Update it when a vulnerability is identified, when a control is closed, when a business process change alters exposure, and after any significant risk decision. The trigger phrase on exams — and in good practice — is that documenting the decision and its rationale is the near-universal correct action after any significant risk event. That documentation is also your strongest defence in a subsequent legal or regulatory review.
Signs yours is working
You know your register is healthy when leadership references it in decisions, when every entry has an owner and a review date, when residual risk is explicitly compared against appetite, and when it changes between audits because the business changed. If none of those are true, you have a compliance document, not a risk tool.
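A minimal register model that encodes the entry fields listed above, the residual-versus-appetite rule, and the health signals in this section, as an added example (my own code, not from the original post). The three-level scale, the appetite threshold and the two sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed ordinal scale
APPETITE = 3  # assumed: highest residual score (likelihood x impact) an owner may accept


@dataclass
class Assessment:
    likelihood: str  # "low" | "medium" | "high"
    impact: str

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]


@dataclass
class RiskEntry:
    description: str            # scenario: threat exploits vulnerability, leading to impact
    owner: Optional[str]        # named, accountable individual
    inherent: Assessment        # before controls
    controls: List[str]         # existing controls
    residual: Assessment        # after controls; what management decides on
    treatment: Optional[str]    # avoid | mitigate | transfer | accept
    review_date: Optional[date]


def check_entry(entry: RiskEntry, today: date) -> List[str]:
    """Findings that make an entry an orphan, stale, or an impermissible acceptance."""
    findings = []
    if not entry.owner:
        findings.append("no owner")
    if entry.review_date is None or entry.review_date < today:
        findings.append("review date missing or overdue")
    if entry.residual.score() > entry.inherent.score():
        findings.append("residual exceeds inherent: control assessment is inconsistent")
    if entry.residual.score() > APPETITE:   # above appetite: cannot be quietly accepted
        if entry.treatment == "accept":
            findings.append("above appetite but accepted: escalate")
        elif entry.treatment is None:
            findings.append("above appetite with no treatment decision")
    return findings


def register_findings(entries: List[RiskEntry], today: date) -> Dict[str, List[str]]:
    """Map each problematic entry to its findings; an empty result means the register is healthy."""
    result = {}
    for e in entries:
        f = check_entry(e, today)
        if f:
            result[e.description] = f
    return result


SAMPLE = [  # constructed sample register
    RiskEntry("Phishing credential theft leads to mailbox compromise", "CISO",
              Assessment("high", "high"), ["MFA", "awareness training"],
              Assessment("low", "high"), "mitigate", date(2026, 10, 1)),
    RiskEntry("Unpatched public web server compromised, leading to data exposure", None,
              Assessment("high", "high"), [],
              Assessment("high", "high"), "accept", date(2025, 12, 31)),
]
```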