Adversarial Risk Group
Glossary: Risk Management and Compliance

What is a risk register?

A risk register is a structured document that records identified risks, their severity, ownership, and treatment status.

Key takeaways

  • The risk register is the operational hub of a security program. Findings flow in; treatment decisions flow out; the document is the program's memory.
  • A useful risk register has ten to fifteen fields per entry, not three. Too few fields and the register lacks action; too many and it becomes paperwork.
  • Most risk registers fail by going stale, not by being wrong. The discipline of regular review is what makes the register useful.
  • For mid-market manufacturers, qualitative scoring (high/medium/low) usually works better than quantitative scoring (dollar values) because the inputs to dollar values are themselves estimates.
  • ARG delivers risk-register-ready findings from each engagement so the client's register stays current as a byproduct of the program.

What fields make up a useful risk register?

A risk register entry that actually drives action has approximately twelve fields. Fewer and the entry lacks the structure to be acted on; more and the register becomes maintenance work that gets skipped.

The minimum useful fields:

  1. ID. A unique identifier for the entry. Sequential numbers are fine. The ID is what other documents reference.
  2. Title. A short, descriptive name. "Vendor-mailbox BEC exposure in AP" rather than "Email risk".
  3. Description. A paragraph explaining the risk: what could happen, how, why it matters. Written for someone reading the register a year from now.
  4. Category. A taxonomy reference: which CSF function, which CIS Control, which Annex A clause, which 800-171 family. The category supports cross-framework reporting.
  5. Likelihood. How likely the risk is to materialize in a defined time frame (typically twelve months). High, medium, or low; or a 1-5 scale.
  6. Impact. What happens if the risk materializes. Severity and (where measurable) approximate dollar impact.
  7. Current risk score. Likelihood times impact, in whichever scoring approach the organization uses.
  8. Treatment decision. Accept, mitigate, transfer, avoid. The decision is explicit, not implicit.
  9. Treatment description. What is being done. The specific controls, projects, or changes that address the risk.
  10. Owner. Named individual responsible for the risk. Not a role; a person.
  11. Target date. When the risk treatment should be complete (for mitigate decisions) or the next review date (for accept decisions).
  12. Status. Open, in progress, treated, accepted, closed. Last updated date.

Optional but useful additions:

  • Residual risk score. After treatment, what the score becomes. The delta is the value of the treatment.
  • Related findings. Specific audit findings or engagement evidence that support this entry.
  • Insurance relevance. Whether the risk maps to insurance policy questions or premium drivers.

The fields above produce a register that supports both day-to-day management and the structured reporting that audits, insurance renewals, and customer reviews expect.

Qualitative vs quantitative risk scoring: which is right for mid-market?

Two scoring approaches dominate. Each has trade-offs.

Qualitative. High/medium/low for likelihood and impact. Risk score is the combination (high × high = high; high × medium = medium; etc.) on a 3×3 or 5×5 matrix. Simple to understand, easy to maintain, defensible in conversation.

Quantitative. Dollar values for impact, probability percentages for likelihood, expected annual loss as the product. More precise on paper; requires inputs (probability, loss amount) that are themselves estimates.

For most mid-market manufacturers, qualitative scoring works better. The reasons:

  1. Inputs are estimates. The probability of a specific BEC event and the loss amount if it occurs are both rough estimates. Quantitative scoring produces precise numbers built on imprecise inputs, which can mislead.
  2. Executive consumption. Owners and CTOs at mid-market manufacturers respond to "this is high risk because [specific reason]" better than to "this risk has an expected annual loss of $187,234". The former drives action; the latter invites debate about the inputs.
  3. Comparison across categories. Qualitative scoring compares cleanly across risk types (cyber, operational, financial, regulatory). Quantitative scoring requires the same input rigor across categories, which is rarely available.

Quantitative scoring is right when:

  • The organization has insurance-quality loss data on specific risk categories.
  • A specific decision (e.g., whether to invest $200k in a control) needs dollar-denominated framing.
  • The organization is mature enough that the scoring rigor is sustainable.

A common pattern: qualitative scoring for the register, with quantitative analysis on specific high-priority risks where decision support requires it.
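As an added example of the twelve fields and the qualitative matrix described above (example code, not the page's or ARG's own): an entry type carrying the minimum fields plus the optional residual score, and a 3×3 lookup that fixes the two cells the text states. The remaining matrix cells, the owner name, the dates and the residual ratings are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
# 3x3 matrix keyed by (likelihood, impact); the two cells the text states are fixed,
# the remaining cells are an assumed common convention, not the page's own.
MATRIX = {
    ("High", "High"): "High", ("High", "Medium"): "Medium", ("High", "Low"): "Medium",
    ("Medium", "High"): "Medium", ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium", ("Low", "Medium"): "Low", ("Low", "Low"): "Low",
}
RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class RiskEntry:                 # the twelve minimum fields plus the optional residual inputs
    id: int
    title: str
    description: str
    category: List[str]          # cross-framework references
    likelihood: str              # High / Medium / Low
    impact: str                  # High / Medium / Low
    treatment: str               # Accept / Mitigate / Transfer / Avoid
    treatment_description: str
    owner: str                   # a named person, not a role
    target_date: date
    status: str                  # Open / In progress / Treated / Accepted / Closed
    last_updated: date
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def current_score(self) -> str:
        return MATRIX[(self.likelihood, self.impact)]
    def residual_score(self) -> Optional[str]:
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return MATRIX[(self.residual_likelihood, self.residual_impact)]
    def treatment_delta(self) -> int:
        """Levels removed by the treatment: the delta is the value of the treatment."""
        residual = self.residual_score()
        return 0 if residual is None else RANK[self.current_score()] - RANK[residual]

# Constructed entry modelled on the page's "Vendor invoice fraud in AP" example;
# owner name, dates and residual ratings are assumptions.
BEC = RiskEntry(
    id=1, title="Vendor invoice fraud in AP", owner="J. Doe (Controller)",
    description="Vendor banking change accepted without out-of-band verification.",
    category=["NIST CSF ID.RA-04", "CIS Control 6", "800-171 3.5.x"],
    likelihood="High", impact="High", treatment="Mitigate", status="In progress",
    treatment_description="Two-person out-of-band approval; callback verification.",
    target_date=date(2026, 9, 30), last_updated=date(2026, 5, 18),
    residual_likelihood="Low", residual_impact="High",
)
```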

Why most risk registers go stale within six months

Risk registers fail predictably. The failure modes:

  1. Created during an audit, never maintained. The audit produces a register; the register sits. By month six, the entries reflect the environment of six months ago. The register fails as a working document.
  2. Owner unclear. No named owner means nobody maintains it. The register accumulates errors until it loses credibility.
  3. No review cadence. Without scheduled review, no one notices the register is stale until an external event (audit, breach, insurance renewal) surfaces the gap.
  4. Too many fields. A register with 40 fields per entry requires more work to maintain than the team can sustain. The fields stop getting filled; the register decays.
  5. No flow path for new findings. A new finding from an engagement, a vulnerability scan, or an incident has no documented path into the register. Findings accumulate elsewhere; the register lags.
  6. Closed-loop treatment not tracked. Risks marked "in progress" stay in progress forever. The treatment never closes; the register never gets clean.
  7. Disconnected from operational rhythm. The register lives in a folder no one opens. Decisions get made without reference to the register; the register documents nothing useful.

Each failure is preventable. The discipline required is small but sustained. A register that runs through a quarterly review with a named owner and clear flow paths stays useful for years.

Examples of risk-register entries from manufacturing engagements

Three representative examples of what real entries look like at mid-market manufacturers:

Entry: Vendor invoice fraud in AP

  • Category: NIST CSF Identify (ID.RA-04), CIS Control 6, 800-171 3.5.x
  • Likelihood: High
  • Impact: High (~$300k potential per event based on average vendor wire size)
  • Treatment: Mitigate. Implement two-person, out-of-band approval for new vendor banking; callback verification to ERP-sourced vendor contact; quarterly vendor-master audit.
  • Owner: Controller
  • Target date: Q3 2026
  • Status: In progress (50% complete)
  • Insurance relevance: SEF endorsement compliance

Entry: Engineering workstation as IT-to-OT pivot

  • Category: NIST CSF Protect (PR.AA, PR.AC), CIS Control 4, 800-171 3.1.x and 3.13.x
  • Likelihood: Medium
  • Impact: Very High (production stoppage potential ~$50k-$200k per day)
  • Treatment: Mitigate. Application allowlisting on engineering workstations; restricted network access; EDR where vendor-supported; physical security on engineering rooms.
  • Owner: IT Lead
  • Target date: Q2 2026
  • Status: In progress (30% complete)
  • Insurance relevance: Cyber renewal questionnaire

Entry: Push-based MFA susceptible to fatigue attacks

  • Category: NIST CSF Protect (PR.AA-03), CIS Control 6, 800-171 3.5.3
  • Likelihood: Medium
  • Impact: Medium (account compromise -> ransomware staging or BEC)
  • Treatment: Mitigate. Enable number matching on Microsoft Authenticator; pilot FIDO2 hardware keys for executives and finance; migrate to passkeys company-wide over 9 months.
  • Owner: IT Lead
  • Target date: Q1 2027
  • Status: Started (planning complete)
  • Insurance relevance: Material premium driver

Each entry has a specific category mapping, a specific treatment, a named owner, and a date. The register reads as a working document, not a compliance artifact.

How to maintain a risk register without burning analyst time

For a mid-market manufacturer without dedicated risk-management headcount, the maintenance discipline matters more than the tool sophistication.

  1. Single named owner. One person responsible for the register's structure and the flow of entries through their lifecycle. The owner does not own every risk; the owner owns the register.
  2. Quarterly review cadence. A scheduled meeting (60 to 90 minutes per quarter) where the owner walks through the register with the executive sponsor. Open items reviewed for status; closed items archived; new items added.
  3. Capture findings at the source. Engagement findings, vulnerability scan results, incident lessons, audit observations all flow into the register through a documented path. The path can be email-to-owner; the existence of the path is what matters.
  4. Defined lifecycle. Each entry has states: identified, assessed, in treatment, treated, accepted, closed. Movement between states is documented; the lifecycle is the audit trail.
  5. Tooling matched to scale. Excel or Google Sheets with disciplined formatting works for organizations with under 100 active entries. GRC tools (Vanta, Drata, OneTrust, AuditBoard) start paying back at larger scale or for organizations needing automated evidence collection.
  6. Quarterly archive. A snapshot of the register at quarter-end goes into version control. Audit trails matter for insurance and compliance.
  7. Executive surface metric. Two or three numbers from the register go to the executive team monthly: high-risk count, time-to-treatment for the highest-priority items, treatment-on-schedule percentage. The numbers drive the conversation; the register holds the detail.

Best practices for surfacing risk-register data to executives

The register is a working document; executive consumption requires a different surface.

  1. Heat map summary. A two-by-two or three-by-three heat map with risk count per cell. Executives see the distribution at a glance.
  2. Top ten list. The ten highest-priority entries, with title, current status, owner, and target date. Updated monthly.
  3. Movement narrative. What moved up, what moved down, what closed, what was newly added. The narrative is more decision-useful than the absolute state.
  4. Outliers and trends. Risks that have been open longer than expected, treatments that are slipping, new risks emerging in specific categories.
  5. Map to executive priorities. Strategic objectives (a new market, an acquisition, a product launch) have associated risks. The mapping connects the register to the business conversation.
  6. Avoid risk theatre. A register that reports "all risks in good standing" is not credible. Executives respond to honest assessment, including risks where treatment is behind.
  7. Frequency matches consequence. Monthly reporting is appropriate for an active program; quarterly works for a stable one. Weekly is over-cadence for most mid-market manufacturers.
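As an added example (not ARG's own tooling) of items 1 to 4 above, computed by comparing today's register against the quarter-end snapshot that the maintenance list recommends archiving: heat-map counts per cell, the top-N list, overdue and stale entries, the on-schedule percentage, and the movement narrative. The two snapshots, the as-of date and the 90-day staleness threshold are assumptions; rows are modelled on the page's example entries with shortened titles.

```python
from collections import Counter
from datetime import date

RANK = {"Low": 1, "Medium": 2, "High": 3}
LIVE = ("Open", "In progress", "Treated")   # still being worked; Accepted and Closed are not

def row(rid, title, likelihood, impact, score, status, target, updated):
    """One register row, as a spreadsheet export presents it (score already computed)."""
    return dict(id=rid, title=title, likelihood=likelihood, impact=impact, score=score,
                status=status, target_date=target, last_updated=updated)

def executive_surface(current, previous, as_of, review_days=90, top_n=10):
    """Heat map, top-N, outliers and movement narrative from this and last quarter's register."""
    live = [r for r in current if r["status"] in LIVE]
    prev = {r["id"]: r for r in previous}
    overdue = [r["id"] for r in live if r["target_date"] < as_of]
    carried = [r for r in current if r["id"] in prev]     # entries present in both snapshots
    return {
        "heat_map": dict(Counter((r["likelihood"], r["impact"]) for r in live)),
        "high_risk_count": sum(1 for r in live if r["score"] == "High"),
        "top": [r["id"] for r in sorted(live, key=lambda r: (-RANK[r["score"]], r["target_date"]))][:top_n],
        "overdue": overdue,                       # target date passed, still live
        "stale": [r["id"] for r in current if (as_of - r["last_updated"]).days > review_days],
        "on_schedule_pct": round(100 * (len(live) - len(overdue)) / len(live)) if live else 100,
        "moved_up": [r["id"] for r in carried if RANK[r["score"]] > RANK[prev[r["id"]]["score"]]],
        "moved_down": [r["id"] for r in carried if RANK[r["score"]] < RANK[prev[r["id"]]["score"]]],
        "closed": [r["id"] for r in carried if r["status"] == "Closed" and prev[r["id"]]["status"] != "Closed"],
        "new": [r["id"] for r in current if r["id"] not in prev],
    }

# Constructed snapshots: PREVIOUS is the archived quarter-end copy, CURRENT is today's
# register. Rows are modelled on the page's example entries; titles shortened, dates assumed.
PREVIOUS = [  # archived 2026-03-31
    row(1, "Vendor invoice fraud in AP", "High", "High", "High", "In progress", date(2026, 9, 30), date(2026, 3, 20)),
    row(2, "Workstation IT-to-OT pivot", "Medium", "High", "Medium", "Open", date(2026, 6, 30), date(2026, 3, 20)),
    row(3, "Push MFA fatigue", "Medium", "Medium", "Medium", "Open", date(2027, 3, 31), date(2026, 3, 20)),
    row(4, "Vendor-master audit overdue", "Medium", "Low", "Low", "Open", date(2026, 6, 30), date(2026, 3, 20)),
]
CURRENT = [
    row(1, "Vendor invoice fraud in AP", "High", "High", "High", "In progress", date(2026, 9, 30), date(2026, 6, 20)),
    row(2, "Workstation IT-to-OT pivot", "High", "High", "High", "In progress", date(2026, 6, 30), date(2026, 4, 2)),
    row(3, "Push MFA fatigue", "Medium", "Medium", "Medium", "Open", date(2027, 3, 31), date(2026, 7, 1)),
    row(4, "Vendor-master audit overdue", "Medium", "Low", "Low", "Closed", date(2026, 6, 30), date(2026, 6, 15)),
    row(5, "Engineering-room physical access", "Low", "Medium", "Low", "Open", date(2026, 12, 31), date(2026, 7, 10)),
]
AS_OF = date(2026, 7, 15)

if __name__ == "__main__":
    for key, value in executive_surface(CURRENT, PREVIOUS, AS_OF).items():
        print(f"{key}: {value}")
```

Entry 2 shows up in three places at once (moved up, overdue, stale), which is exactly the kind of outlier the narrative should lead with.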

Risk register FAQs

Is a risk register required for compliance?

Yes, explicitly or implicitly, in most frameworks. NIST CSF 2.0, ISO 27001, NIST SP 800-171, and CMMC all require risk assessment with documented results. The risk register is the standard form of those results. The exact format varies; the existence of the document is what matters.

What is the difference between a risk register and a risk treatment plan?

A risk register identifies and tracks risks; a risk treatment plan describes what the organization will do about each risk (accept, mitigate, transfer, avoid). The risk register usually includes the treatment decision as a field; the risk treatment plan is the detailed implementation document for the chosen treatment.

Should the risk register live in Excel or a GRC tool?

For a 50 to 500 person manufacturer with fewer than 100 active risks, Excel or Google Sheets works well if maintained. Above that size, a GRC tool starts adding workflow value. The tool does not matter as much as the discipline; an unmaintained risk register in a sophisticated GRC tool is worse than a maintained spreadsheet.

Who owns the risk register?

Usually the IT lead or a designated security owner, with executive sponsorship. Individual risks have individual owners (the operations lead owns operational risks, the IT lead owns IT risks). The register as a whole has a single named owner responsible for maintaining structure and ensuring entries flow through the lifecycle.

How ARG delivers risk-register-ready findings from each audit

Every ARG engagement produces findings in a format that drops directly into the client's risk register. The mapping is part of the report structure, not an after-the-fact translation.

The output is led by David Ashby, drawing on a quality, safety, and compliance background at Quality Electrical Systems that included ISO 9001-mapped audit work and structured nonconformity processing. The discipline transfers: nonconformity reports in quality work and risk-register entries in security work follow the same fundamental structure.

Each ARG finding includes:

  • Title and description. Suitable for direct entry into the client's register.
  • Category mapping. NIST CSF 2.0, CIS Controls, and (where applicable) NIST SP 800-171, CMMC, and ISO 27001 Annex A references.
  • Likelihood and impact assessment. With qualitative scoring and (where data supports it) approximate dollar impact.
  • Recommended treatment. Specific actions, sequenced, with estimated effort.
  • Suggested owner. The role most likely to be appropriate; client decides the named individual.
  • Suggested target date. Based on remediation effort and risk priority.
  • Insurance relevance. Where the finding maps to renewal questionnaires or premium drivers, the mapping is noted explicitly.

The client receives a register-ready document at the end of each engagement. New findings from the continuous adversarial simulation layer flow into the same format on a monthly cadence. Re-tests of closed entries either confirm closure or surface drift; the register stays current as a byproduct of the program.

For founding clients, the engagement explicitly supports register maintenance, with quarterly review participation by ARG if the client wants the external perspective. The discipline is the client's; ARG provides the evidence and the structure.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: David Ashby. Updated 2026-05-18. Adversarial Risk Group.