What is a risk register?

A risk register is a structured list of all identified risks in an organisation or project, along with assessment, ownership, actions, and status. It's operational, it should be read, updated, and reviewed regularly.

The register is not a risk report. The report is a snapshot (PDF to board) drawn from the register. The register is the living data.

In ISO 27001 the risk register is a mandatory part of the ISMS (clauses 6.1.2 and 8.2). In ISO 31000 it's the standard output of the process. In NIS2 Art. 21 it's the prerequisite for risk-based cybersecurity.

A complete risk register typically has these fields per risk:

• ID

  Unique number or code (R-001, R-002...). Makes it possible to reference the risk without writing the whole description.

• Description

  What is the risk? Write 1–2 sentences. Avoid vague phrasing (“risk of IT problems”), be specific (“downtime in the invoicing system over 4 hours”).

• Category/domain

  Operational, financial, strategic, compliance, cyber, project. Makes filtering and reporting easy.

• Likelihood (1–5)

  How probable it is that the risk occurs. Use a defined scale.

• Consequence (1–5)

  How serious it is if the risk occurs. Can be assessed separately for financial, operational, reputational, compliance.

• Score / severity

  L × C = 1–25. Translates to low/medium/high/critical.

• Owner

  Named person accountable for the risk. Without an owner nothing gets done.

• Action

  What's being done about the risk? Accept, reduce, transfer, or avoid. Concrete action plan if reducing.

• Status

  Open, in treatment, treated, closed. Changes over time.

• Dates

  When was the risk identified? When last reviewed? When next?

• Residual risk

  Likelihood and consequence after treatment. Shows whether the action is enough.

For an SME (15–50 people): **10–30 risks** is typical. Fewer and you likely miss important things. More and the register becomes hard to manage.

For a mid-sized organisation (100–500 people): **30–80 risks** across domains.

For large organisations: **100+ risks**, often split by business area or domain.

A project: **10–20 risks**, updated per sprint or steering meeting.

• The register is never updated

  Created for ISO certification, then sits still. Value lost within 6 months.

• No owner per risk

  Without an owner the risk is theoretical. Named person with mandate.

• Risks with no action

  Documenting a risk with no plan is documenting failure. Every risk should have a chosen response (accept/reduce/transfer/avoid).

• Too abstract phrasing

  “Risk of IT incidents” is not a risk. “Ransomware attack that makes the invoicing system unavailable for over 4 hours” is a risk.

• Nobody in management reads it

  If nobody in management actively uses the register, the process hasn't been anchored. Fix that first, not the format.

Excel works for small registers (under ~15 risks) but quickly becomes problematic: version drift, broken formulas, no audit trail, hard to share with control, no role-based access.

A dedicated tool like RiskNote gives you version history per risk, sharing via link with roles, AI suggestions for identification, and PDF export directly from data, rather than manual report assembly.

See our guide to [Excel alternatives for risk registers](/en/alternativ-till-excel-riskregister).