Risk Register

Documenting, Tracking, and Managing Organizational Risks


What is a Risk Register?

A risk register (or risk log) is a centralized document that tracks all identified risks facing an organization. It serves as the single source of truth for risk management, enabling consistent tracking from identification through resolution.

Purpose

  • Visibility: Executives and teams can see all active risks
  • Accountability: Each risk has an assigned owner
  • Prioritization: Risks are ranked by severity for resource allocation
  • Compliance: Demonstrates due diligence to auditors and regulators
  • Trending: Track how risk posture changes over time

Sample Risk Register

| ID    | Risk Description                                    | Category       | Severity | Owner       | Status     | Due Date   |
|-------|-----------------------------------------------------|----------------|----------|-------------|------------|------------|
| R-001 | Unpatched Exchange servers vulnerable to ProxyLogon | Vulnerability  | Critical | J. Smith    | Mitigating | 2026-01-10 |
| R-002 | Third-party vendor lacks SOC 2 certification        | Compliance     | High     | M. Johnson  | Open       | 2026-02-15 |
| R-003 | Phishing success rate above threshold (15%)         | Human          | Medium   | A. Williams | Mitigating | 2026-01-31 |
| R-004 | Legacy system EOL with no migration plan            | Operational    | High     | T. Brown    | Open       | 2026-03-01 |
| R-005 | Weak password policy on admin accounts              | Access Control | Low      | J. Smith    | Closed     | 2025-12-15 |

Essential Risk Register Fields

While organizations customize their registers, these fields are commonly included:

Risk ID

Unique identifier for tracking (e.g., R-001, RISK-2026-042)

Description

Clear, concise statement of what the risk is

Category

Classification (Technical, Compliance, Operational, Human, Financial)

Likelihood

Probability the risk will materialize (1-5 scale)

Impact

Severity if risk occurs (1-5 scale)

Risk Score

Calculated: Likelihood × Impact

Risk Owner

Person accountable for managing this risk

Mitigation Plan

Actions to reduce likelihood or impact

Status

Current state (Open, Mitigating, Closed, Accepted)

Residual Risk

Risk remaining after controls are applied

Target Date

Deadline for mitigation completion

Last Review

When risk was last assessed/updated
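As an added example (not code from this page), a small Python model of a register entry built from the fields above: it validates the 1-5 scales and the four statuses, computes Risk Score = Likelihood × Impact and the residual score, orders active risks for prioritization, and flags entries past their target date. The severity bands, the residual_likelihood field and the likelihood/impact values given to the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

STATUSES = {"Open", "Mitigating", "Closed", "Accepted"}  # the statuses named on this page

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str
    likelihood: int                            # 1-5 scale
    impact: int                                # 1-5 scale
    owner: str
    status: str
    target_date: date
    residual_likelihood: Optional[int] = None  # assumed: likelihood re-rated once controls apply

    def __post_init__(self) -> None:
        scales = (self.likelihood, self.impact, self.residual_likelihood)
        if self.status not in STATUSES or any(v is not None and not 1 <= v <= 5 for v in scales):
            raise ValueError(f"{self.risk_id}: status must be one of {sorted(STATUSES)}, scales 1-5")

    @property
    def score(self) -> int:                    # Risk Score = Likelihood x Impact
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:           # risk remaining after controls are applied
        return (self.residual_likelihood or self.likelihood) * self.impact

def severity(score: int) -> str:
    # Assumed bands over the 1-25 score range; set the cut-offs to your own risk appetite
    return "Critical" if score >= 15 else "High" if score >= 10 else "Medium" if score >= 5 else "Low"

def prioritized(register: list) -> list:
    # Active risks ordered for resource allocation: highest score first, then earliest due date
    return sorted((r for r in register if r.status in ("Open", "Mitigating")), key=lambda r: (-r.score, r.target_date))

def overdue(register: list, today: date) -> list:
    # IDs of risks still Open/Mitigating whose target date has passed: flag them at the next review
    return [r.risk_id for r in register if r.status in ("Open", "Mitigating") and r.target_date < today]

SAMPLE = [  # constructed rows mirroring the page's sample register; likelihood/impact are assumed
    RiskEntry("R-001", "Unpatched Exchange servers vulnerable to ProxyLogon", "Vulnerability", 5, 5, "J. Smith", "Mitigating", date(2026, 1, 10), residual_likelihood=1),
    RiskEntry("R-002", "Third-party vendor lacks SOC 2 certification", "Compliance", 3, 4, "M. Johnson", "Open", date(2026, 2, 15)),
    RiskEntry("R-003", "Phishing success rate above threshold (15%)", "Human", 3, 3, "A. Williams", "Mitigating", date(2026, 1, 31)),
    RiskEntry("R-004", "Legacy system EOL with no migration plan", "Operational", 3, 4, "T. Brown", "Open", date(2026, 3, 1)),
    RiskEntry("R-005", "Weak password policy on admin accounts", "Access Control", 1, 2, "J. Smith", "Closed", date(2025, 12, 15)),
]
```

Running `prioritized(SAMPLE)` puts R-001 first and R-003 last; with a review date of 2026-02-15, `overdue` returns R-001 and R-003, the two active entries whose due dates have passed.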

Risk Register Entry Builder

Practice creating a risk register entry. Fill in the fields to see your entry formatted.


Risk Register Quiz

Test your understanding. You need 80% (4/5) to pass.

Q1. What is the PRIMARY purpose of a risk register?
  • To replace vulnerability scanners
  • To centrally track and manage identified risks
  • To store security policies
  • To log security incidents

Q2. Who is the "Risk Owner" in a risk register entry?
  • The person who discovered the risk
  • The CISO or security manager only
  • The person accountable for managing and mitigating the risk
  • The CEO

Q3. What does "Residual Risk" refer to?
  • Risk remaining after controls are applied
  • Risks that have been closed
  • The original risk before any mitigation
  • Risks transferred to insurance

Q4. Which is NOT a typical risk register status?
  • Open
  • Mitigating
  • Accepted
  • Escalated

Q5. A risk has Likelihood=4 and Impact=5. What is the risk score?
  • 9
  • 20
  • 45
  • 1
