Overview

Risk registers are the primary containers for organizing and managing your information security risks. Each register holds a collection of risks that can be assessed, treated, and tracked over time. You can create multiple registers to separate risks by business unit, project, compliance framework, or any other organizational boundary.

Managing Risk Registers

Viewing Registers

Navigate to Risk > Risk Register to see all registers in your organization. The list view shows:
| Column      | Description                                          |
|-------------|------------------------------------------------------|
| Name        | Register name                                        |
| Description | Purpose of the register                              |
| Default     | Whether this is a system-created default register    |
| Risk Count  | Number of risks contained in the register            |
| Created     | When the register was created                        |

Creating a Register

1. Open the Register List
   Navigate to Risk > Risk Register and click the New Register button.
2. Provide Details
   Enter a name and description for the register. The name should clearly identify the scope (e.g., “Corporate Risk Register”, “Product Engineering Risks”, “HIPAA Risk Register”).
3. Save
   Save the register. It appears in the register list and is ready to receive risks.

Most organizations start with a single default risk register. Create additional registers when you need to separate risks for different compliance programs, business units, or regulatory requirements.

Editing and Archiving

  • Edit — update the register name and description at any time
  • Archive — move a register to archived status when it is no longer active. Archived registers and their risks are preserved for historical reference but hidden from the active view.
  • Delete — permanently remove a register. This action cannot be undone and removes all associated risks.

Deleting a risk register permanently removes all risks within it. Archive registers instead of deleting them to maintain your audit trail.

Managing Risks

Click on a register to open its detail page and see all risks within it.

Creating a Risk

1. Open the Register
   Navigate to the risk register detail page.
2. Click Add Risk
   Click Add Risk to open the risk creation drawer.
3. Fill in Risk Details
   Complete the following fields:

Core Information

| Field        | Required | Description                                                |
|--------------|----------|------------------------------------------------------------|
| Title        | Yes      | Concise name for the risk                                  |
| Description  | Yes      | Detailed explanation of the risk scenario                  |
| Category     | Yes      | Risk category (see Risk Overview for categories)           |
| CIA Category | No       | Confidentiality, Integrity, or Availability classification |
| Owner        | Yes      | Person or security role responsible for managing this risk |
| Status       | Yes      | Current workflow status                                    |

Inherent Risk Scoring

| Field               | Description                                |
|---------------------|--------------------------------------------|
| Inherent Likelihood | 1-5 scale of probability before controls   |
| Inherent Impact     | 1-5 scale of severity before controls      |

Residual Risk Scoring

| Field               | Description                                |
|---------------------|--------------------------------------------|
| Residual Likelihood | 1-5 scale of probability after controls    |
| Residual Impact     | 1-5 scale of severity after controls       |

Treatment

| Field            | Description                                       |
|------------------|---------------------------------------------------|
| Treatment        | Mitigate, Accept, Transfer, or Avoid              |
| Treatment Notes  | Explanation of the treatment strategy             |
| Treatment Reason | Business justification for the chosen treatment   |

Associations

| Field           | Description                         |
|-----------------|-------------------------------------|
| Linked Controls | Controls that mitigate this risk    |
| Linked Vendors  | Vendors associated with this risk   |

4. Save
   Save the risk. It appears in the register with calculated inherent and residual risk scores.

Risk Score Display

Each risk shows two calculated scores:
  • Inherent Risk Score = Inherent Likelihood x Inherent Impact (1-25)
  • Residual Risk Score = Residual Likelihood x Residual Impact (1-25)

Both scores map to a risk level badge (Critical, High, Medium, Low) using the standard risk matrix.

Risk Heat Map

The register detail page includes a visual risk heat map that plots all risks on a likelihood-impact matrix. Each cell shows the count of risks at that intersection, color-coded by severity. The heat map provides an at-a-glance view of where your risk concentration lies.

Risk Detail View

Click on any risk to open its full detail view, which includes:
  • Title, description, category, CIA classification, risk ID, and current status, with both inherent and residual risk scores and visual indicators.
  • Full breakdown of likelihood and impact values for both inherent and residual assessments, with a visual comparison of before and after control effectiveness.
  • Selected treatment strategy (mitigate, accept, transfer, avoid) with notes and business justification. For mitigated risks, links to the controls providing mitigation.
  • Controls from your compliance frameworks that are linked to this risk, showing control ID, title, framework, and implementation status.
  • Vendors associated with this risk. Vendor risks can be traced back to the vendor’s own risk assessment and compliance status.
  • Equipment needed, estimated cost, risk source (library or custom), identification date, and trend direction (increasing, stable, or decreasing).

Linking Risks to Controls

Linking risks to controls establishes a traceable relationship between identified risks and the measures implemented to mitigate them. This mapping is essential for:
  • Demonstrating control effectiveness to auditors
  • Identifying gaps where risks lack adequate controls
  • Prioritizing control implementation based on risk severity
When adding a mitigate treatment, always link at least one control. Auditors expect to see a clear connection between identified risks and the controls that address them.
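As an added illustration (not the product's own code), the scoring, badge mapping, heat-map aggregation and control-linkage check described above, in Python. The Critical/High/Medium/Low cut-offs are assumed, since the page only refers to a standard risk matrix, and the register contents are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed badge thresholds for the 1-25 score (illustrative; the page does
# not state the matrix cut-offs). Evaluated top-down: first floor reached wins.
LEVELS = ((20, "Critical"), (10, "High"), (5, "Medium"), (0, "Low"))

@dataclass
class Risk:
    title: str
    treatment: str                  # Mitigate, Accept, Transfer, or Avoid
    inherent_likelihood: int        # 1-5, before controls
    inherent_impact: int            # 1-5, before controls
    residual_likelihood: int        # 1-5, after controls
    residual_impact: int            # 1-5, after controls
    linked_controls: list = field(default_factory=list)

def score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact on the 1-5 scales, giving a 1-25 risk score."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact

def level(risk_score: int) -> str:
    """Map a 1-25 score to a risk level badge using the assumed thresholds."""
    return next(name for floor, name in LEVELS if risk_score >= floor)

def heat_map(risks, residual=False):
    """Count risks per (likelihood, impact) cell, as the heat map plots them."""
    cells = Counter()
    for r in risks:
        if residual:
            cells[(r.residual_likelihood, r.residual_impact)] += 1
        else:
            cells[(r.inherent_likelihood, r.inherent_impact)] += 1
    return cells

def unmitigated(risks):
    """Mitigate-treated risks with no linked control: a traceability gap."""
    return [r.title for r in risks
            if r.treatment == "Mitigate" and not r.linked_controls]

# Constructed sample register; control IDs are placeholders, not a framework's.
REGISTER = [
    Risk("Unpatched web app exposes customer PII", "Mitigate", 4, 5, 2, 5, ["CTRL-001"]),
    Risk("Vendor outage halts order processing", "Transfer", 3, 4, 3, 2),
    Risk("Stale contractor accounts retain access", "Mitigate", 4, 3, 4, 3),
    Risk("Lost laptop without disk encryption", "Mitigate", 3, 4, 1, 4, ["CTRL-002"]),
]
```

Running `unmitigated(REGISTER)` flags the contractor-accounts risk, which is marked Mitigate but links no control; `heat_map(REGISTER)` shows two risks sharing the (3, 4) inherent cell.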

Linking Risks to Vendors

Risks can be associated with one or more vendors, enabling vendor-specific risk tracking. This is particularly useful for:
  • Tracking risks introduced by third-party dependencies
  • Connecting vendor risk assessments to your internal risk register
  • Reporting on vendor-related risk exposure

Searching and Filtering

The risk register detail view supports:
  • Text search — search by risk title or description
  • Status filter — filter by workflow status (Draft, Needs Review, Approved, etc.)
  • Category filter — filter by risk category
  • Risk level filter — filter by inherent or residual risk level

Exporting Risks

Export the risk register to CSV for reporting, executive briefings, or audit submissions. The export includes all risk fields, scores, and treatment details.

Snapshots from Registers

You can create a point-in-time snapshot directly from a risk register. This captures the current state of all risks in the register, including scores, statuses, and treatment plans. See Risk Snapshots for more details.

Best Practices

  • Assign clear owners to every risk — ownership drives accountability and timely treatment
  • Review risks quarterly at minimum, updating scores based on new information or control changes
  • Use the “Needs Review” status to flag risks that require attention at your next risk committee meeting
  • Link every mitigated risk to at least one control to demonstrate a clear mitigation path
  • Keep risk descriptions specific — “Data breach” is too vague; “Unauthorized access to customer PII via unpatched web application” is actionable
  • Create separate registers for distinct compliance programs when their risk scopes differ significantly
  • Take snapshots before major changes (quarterly reviews, control implementations, incident responses) to track the impact