Risk Register: How to Build One + Things to Keep in Mind

Find out what a risk register is, things to consider, and how to create one to help you get ahead of potential threats.

by Richard Stevenson

September 30, 2022

In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Many organizations know they need to take risk seriously, but they may not know which threats they are most likely to face or how to handle one when it arrives.

In this post, we’ll cover what a risk register is, and how to create and use one to help you get ahead of potential threats.

What is a Risk Register?

A risk register is a list of every risk you have identified, together with your organization's plan to respond to each one. Its purpose is to give you a complete picture of your threat landscape and to ensure that risk management processes are in place.

Why Do You Need a Risk Register?

A risk register is a documented way to understand risks, their likelihood and impact, and the actions you intend to take to address those risks. It’s an essential tool for leaders and stakeholders to track and communicate security concerns before problems arise. 

Simply put, it benefits your company by making it easier to: 

  • Identify and track risks that might derail your organization.

  • Decide which risks are worth acting on (and which ones aren’t).

  • Determine how to react if something goes wrong—whether it’s the best way to recover from an unexpected delay or ensuring that a critical change doesn’t wreak havoc.

Who Manages a Risk Register?

Leaders and cybersecurity professionals within your organization will typically use the risk register as a reference to make sense of cybersecurity threats and make moves towards proactive security. A well-managed risk register can also be used as part of an audit trail within your organization if you are required to keep records of risk management activities.

Before Starting Your Risk Register: Key Considerations

The most important thing about creating a risk register is setting aside time to do it. If you’re working with a team, make sure everyone agrees on who will be responsible for making sure things get done.

The next step is deciding how detailed to get on your list. The more details you include, the better equipped you’ll be when something goes wrong. However, as your list gets more complex, it becomes even more important to keep things organized and consider automation.

What Do You Include in a Risk Register?

A risk register should include a description of each risk and the probability and impact it could have. It should also include responses to risks or plans for how you will deal with them. 

Including responses in your register will help you demonstrate an awareness of not just the threats themselves, but that you’ve put thought into how you can manage them. Failing to include them can be seen as “risk blindness,” since there was no real consideration given towards how those threats might happen or what would be done if they did occur.

How to Create a Risk Register

When you're ready to try out this process for yourself and create a risk register for your organization, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a good guideline.

You can put the NIST Cybersecurity Framework to work in your business in these five areas: 

  • Identify

  • Protect

  • Detect

  • Respond

  • Recover

Here’s what that looks like in the context of a risk register. 

First, do some digging to think about all of your potential risks. This may include problems that your organization has dealt with in the past, upcoming threats, or risks that are most common in your particular industry. What actions can you take to protect your organization from risks right now? 

Next, ask yourself how serious each risk is. At this stage you'll want to create a risk rating, typically based on two factors: how likely the risk is to materialize and how severe its impact would be. From there, you can rank the risks by how serious they are to you.

Then you’ll start taking a closer look at the impact. How will the risks on your list influence operations if they become an issue? What can you do to lessen that impact and respond to the threat? This is one of the most critical parts of your risk register—it’s the starting point for your plan of action.

Finally, what will you do after an attack? How will you recover in the event that information does get compromised? You’ll also have to think through ways to keep everyone informed both internally and externally.
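The five steps above map naturally onto a small data model: each entry carries a description, a likelihood, an impact, a documented response and an owner, and the register can be ranked and reviewed from those fields. The following Python is an added example written for this post, not Drata's code or a NIST artifact. The 1-5 ordinal scales, the likelihood × impact score, the low/medium/high thresholds, the 90-day review window and the four sample risks are all assumptions chosen to illustrate the method.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Assumed 1-5 ordinal scales; the post names likelihood and impact as the
# rating factors but does not prescribe a scale.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int        # 1-5, see LIKELIHOOD_SCALE
    impact: int            # 1-5, see IMPACT_SCALE
    response: str          # planned treatment (accept / mitigate / transfer / avoid + detail)
    owner: str
    last_reviewed: date

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")
        # An entry with no response is the "risk blindness" the post warns about,
        # so the register refuses to hold one.
        if not self.response.strip():
            raise ValueError(f"{self.risk_id}: every risk needs a documented response")

    @property
    def score(self) -> int:
        """Assumed scoring rule: likelihood multiplied by impact (1-25)."""
        return self.likelihood * self.impact

    def rating(self) -> str:
        """Assumed thresholds: 15+ high, 8-14 medium, below 8 low."""
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def rank(register: List[Risk]) -> List[Risk]:
    """Most serious first; ties broken by id so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def needs_action(register: List[Risk], tolerance: int = 8) -> List[str]:
    """Ids of risks at or above the organization's (assumed) risk tolerance."""
    return [r.risk_id for r in rank(register) if r.score >= tolerance]


def stale(register: List[Risk], today: date, max_age_days: int = 90) -> List[str]:
    """Ids of entries not reviewed within the window: the 'set and forget' check."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.risk_id for r in register if r.last_reviewed < cutoff]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries for demonstration only."""
    return [
        Risk("R-001", "Phishing leading to credential compromise", 4, 4,
             "mitigate: phishing-resistant MFA, awareness training", "IT Security", date(2022, 9, 1)),
        Risk("R-002", "Unpatched internet-facing server", 3, 5,
             "mitigate: 14-day patch SLA, external vulnerability scanning", "Infrastructure", date(2022, 5, 1)),
        Risk("R-003", "Laptop theft with unencrypted disk", 2, 3,
             "mitigate: enforce full-disk encryption via MDM", "IT Operations", date(2022, 8, 15)),
        Risk("R-004", "Third-party SaaS outage", 4, 2,
             "accept: within tolerance; documented manual fallback", "Operations", date(2022, 3, 10)),
    ]


def as_table(register: List[Risk]) -> str:
    """Plain-text view suitable for pasting into the spreadsheet the post suggests."""
    header = f"{'ID':<6} {'Score':>5} {'Rating':<7} {'Owner':<15} Description"
    rows = [f"{r.risk_id:<6} {r.score:>5} {r.rating():<7} {r.owner:<15} {r.description}"
            for r in rank(register)]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    reg = build_sample_register()
    print(as_table(reg))
    print("Needs action:", needs_action(reg))
    print("Overdue for review:", stale(reg, date(2022, 9, 30)))
```

Ranking and the overdue-review check are the two outputs a practitioner actually consults: the first tells leadership where to spend mitigation effort, the second catches register entries that have quietly gone out of date.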

Where Does Your Risk Register Go?

Once you put in the work to create your risk register, you need to have it in a place that’s accessible for review. The right choice here will depend on your team. You can use a spreadsheet, a project management system, or an internal database.

No matter what you decide, be sure to review this information regularly. This isn’t something you should set and forget. Instead, you’ll need to make updates and changes as risks continue to evolve. 

Bottom Line

A risk register plays a key role in ensuring security and mitigating potentially catastrophic consequences for your organization. If you want help implementing automated processes that monitor both risk and compliance, Drata can help. Schedule a demo here.

Richard Stevenson
Richard Stevenson is Manager of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs and security policies that meet security compliance requirements. Richard is an AWS Certified Cloud Practitioner, CompTIA CySA+, and Shared Assessment Certified Third-Party Risk Assessor specializing in SOC 2, ISO 27001, NIST 800-53, NIST 800-171, SOX, HIPAA, third-party risk management, and enterprise risk management.