Bringing it together (risk register)

Duration: 60 minutes

Materials: All previous cards and materials, template or spreadsheet

The exercise

Consolidate your work into a usable risk register that becomes a living document.

Step 1: Create your register structure (10 minutes)

A simple, fixed set of columns works best:

Risk ID

Asset

Vulnerability

Likelihood

Impact

Risk Level

Treatment

Owner

Status

Review Date

Add columns relevant to your context (compliance refs, costs, etc.).

Step 2: Document each risk (30 minutes)

Transfer risks from your risk matrix systematically, in priority order:

  1. Start with Critical and High risks

  2. For each risk, capture:

    • Clear description (asset + vulnerability + potential impact)

    • Current likelihood and impact ratings

    • Calculated risk level (derived from the likelihood and impact ratings using your matrix)

    • Chosen treatment approach

    • Specific actions to implement

    • Owner (person responsible)

    • Target completion date

    • Current status

  3. Don’t lose the context: include notes on the reasoning behind the ratings, dependencies on other work, and the assumptions the rating rests on

Step 3: Add metadata (10 minutes)

For each risk:

  • Link to relevant policies or standards (ISO 27001 controls, NIS2 requirements)

  • Note any compliance obligations

  • Flag any risks linked to incidents or near-misses

  • Add references to related risks

Step 4: Set review schedule (10 minutes)

Risks change. Build in regular reviews:

  • Critical risks: Monthly review

  • High risks: Quarterly review

  • Medium risks: Semi-annual review

  • Low risks: Annual review or as needed

Assign a review owner to each risk and put the review dates on a shared calendar.
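As an added example (not part of the exercise materials), the four steps above expressed as a small Python register: the Step 1 columns, a risk level derived from likelihood and impact, the Step 4 review cadence, and a hygiene check for the "no one owns it" and "set and forget" pitfalls. The exercise does not fix a scoring scheme, so the 1–5 scales, the score = likelihood × impact rule and the Critical/High/Medium/Low thresholds are assumptions to replace with your own matrix; the sample register rows are constructed, not real findings.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# ASSUMPTION: the exercise does not define a scoring scheme. This example uses
# 1-5 likelihood and impact ratings, score = likelihood x impact, and the bands
# below (score >= floor). Replace them with the bands from your own risk matrix.
LEVEL_BANDS = ((15, "Critical"), (10, "High"), (5, "Medium"), (0, "Low"))

# Review cadence from Step 4, approximated in days:
# monthly, quarterly, semi-annual, annual.
REVIEW_INTERVAL_DAYS = {"Critical": 30, "High": 91, "Medium": 182, "Low": 365}

# Column order from Step 1.
COLUMNS = ["Risk ID", "Asset", "Vulnerability", "Likelihood", "Impact",
           "Risk Level", "Treatment", "Owner", "Status", "Review Date"]


def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood and impact ratings to a risk level band."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("ratings must be on the assumed 1-5 scale")
    score = likelihood * impact
    for floor, level in LEVEL_BANDS:
        if score >= floor:
            return level
    return "Low"  # not reached: the 0 floor catches every score


@dataclass
class Risk:
    risk_id: str
    asset: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str
    owner: Optional[str]
    status: str
    last_review: date
    notes: str = ""  # reasoning, dependencies, assumptions (Step 2, item 3)
    references: List[str] = field(default_factory=list)  # Step 3 metadata

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def next_review(self) -> date:
        """Next review date, driven by the level's cadence from Step 4."""
        return self.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[self.level])


def register_findings(register: List[Risk], today: date) -> List[Tuple[str, str]]:
    """Hygiene checks for the common pitfalls: duplicate IDs, missing owners,
    overdue reviews. Returns (risk_id, problem) pairs in register order."""
    findings = []
    seen = set()
    for r in register:
        if r.risk_id in seen:
            findings.append((r.risk_id, "duplicate risk ID"))
        seen.add(r.risk_id)
        if not r.owner:
            findings.append((r.risk_id, "no owner assigned"))
        if r.next_review < today:
            findings.append((r.risk_id, f"review overdue (due {r.next_review.isoformat()})"))
    return findings


def to_rows(register: List[Risk]) -> List[list]:
    """Header plus one row per risk, highest score first (Step 2, item 1)."""
    rows = [list(COLUMNS)]
    for r in sorted(register, key=lambda x: -(x.likelihood * x.impact)):
        rows.append([r.risk_id, r.asset, r.vulnerability, r.likelihood, r.impact,
                     r.level, r.treatment, r.owner or "", r.status,
                     r.next_review.isoformat()])
    return rows


def to_csv(register: List[Risk]) -> str:
    """Render the register as CSV for a spreadsheet (the 'start simple' tool)."""
    buf = io.StringIO()
    csv.writer(buf).writerows(to_rows(register))
    return buf.getvalue()


# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER = [
    Risk("R-001", "Customer database", "Unpatched DBMS reachable from office network",
         4, 5, "Mitigate", "Head of IT", "In progress", date(2024, 1, 15),
         notes="Patch window depends on vendor release", references=["ISO 27001 A.8.8"]),
    Risk("R-002", "Backup tapes", "Stored unencrypted at off-site facility",
         2, 4, "Mitigate", None, "Open", date(2024, 2, 20)),
    Risk("R-003", "Staff laptops", "Full-disk encryption not enforced",
         3, 3, "Mitigate", "IT Ops", "Planned", date(2024, 2, 1)),
]
AS_OF = date(2024, 3, 1)  # constructed 'today' for the sample run

if __name__ == "__main__":
    print(to_csv(SAMPLE_REGISTER))
    for risk_id, problem in register_findings(SAMPLE_REGISTER, AS_OF):
        print(f"{risk_id}: {problem}")
```

Run as a script it prints the CSV in the Step 1 column order and then flags R-001 (Critical, last reviewed 2024-01-15, so the monthly review was due 2024-02-14) and R-002 (no owner). Running the findings check on a schedule is one concrete way to keep the register a living document rather than a one-off deliverable.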

Output

  • Complete risk register with all priority risks documented

  • Clear ownership and timelines

  • Review schedule established

  • Living document ready for operational use

Templates and tools

Start simple:

  • Spreadsheet (Excel, Google Sheets)

  • Shared document with tables

  • Project management tool (if you already use one)

Add sophistication later:

  • GRC platforms (Archer, ServiceNow, etc.)

  • Risk management software

  • Integration with ISMS tools

Don’t let tools delay action. Start with what you have.

Common pitfalls

“Too detailed to maintain” → Keep it lean. Update entries when a risk actually changes, not on a continuous basis

“No one owns it” → Assign a risk register owner (often CISO, compliance, or risk manager)

“Set and forget” → Schedule reviews and actually do them

“Disconnected from reality” → Link to actual incidents, audit findings, control testing