
Building Your First Risk Register: A Step-by-Step Guide

5 June 2026·8 min read·Cyber Horizon Team

A risk register is the backbone of any security programme — and the first thing an ISO 27001 or SOC 2 auditor asks to see. Yet most first attempts are a sprawling spreadsheet that nobody updates after week two. Here is how to build one that is genuinely useful and stays that way.

What a risk register is for

A risk register is a living inventory of the things that could go wrong, how bad they would be, what you are doing about them, and who owns each one. Its job is not to look impressive in an audit — it is to drive decisions about where to spend limited time and money.

What each entry should capture

Risk description: A clear cause-and-effect statement, not just a one-word label.
Owner: A named person accountable for managing the risk.
Inherent risk: How bad it is before any controls — likelihood × impact.
Controls: What you already have in place to reduce it.
Residual risk: How bad it remains after those controls.
Treatment & status: The plan (mitigate, accept, transfer, avoid) and where it stands.

Write risks as cause and effect: not “phishing,” but “an employee is tricked by a phishing email, leading to credential theft and unauthorised access to customer data.” The second version tells you what to measure and what to fix.

How to find your risks

Two complementary approaches work well together. Asset-based: list your important assets — systems, data, people, suppliers — and ask what threatens each. Scenario-based: brainstorm plausible bad days (ransomware, a key vendor outage, an insider, a lost laptop) and work backwards. Run a workshop with people from across the business; risk is rarely visible from one desk.

Scoring without over-engineering

Start simple: rate likelihood and impact on a small scale, multiply for a score, and rank. Capture both inherent and residual risk so you can see what your controls are actually buying you. As you mature, move from colour-coded scores towards financial quantification — expressing exposure in money makes prioritisation and budget conversations far easier. Our risk quantification guide covers that next step.

The four treatment options

Mitigate: Add or strengthen controls to reduce likelihood or impact.
Transfer: Shift the risk to a third party, e.g. via insurance or contracts.
Accept: Consciously tolerate a risk within appetite — and record why.
Avoid: Stop doing the activity that creates the risk altogether.

“Accept” is a valid, common choice — but only when made deliberately by the risk owner and documented. An accepted risk with a rationale is governance; an ignored risk is negligence.

Keeping it alive

The register only earns its keep if it is reviewed on a cadence — monthly for top risks, at least quarterly overall — and whenever something material changes. Assign owners, set review dates, and make it part of a regular risk meeting. A register that is touched once a year is theatre.
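To make the entry fields, the likelihood × impact scoring, the rule that an accepted risk needs a recorded rationale, and the review-date cadence concrete, here is a small Python model of a register. It is an added example, not code from the post or from the Cyber Horizon product; the 1-5 scale, the field names and the three sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
SCALE = range(1, 6)  # likelihood and impact are each rated 1 (low) to 5 (high)
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}

def score(pair):  # likelihood x impact for a (likelihood, impact) pair
    return pair[0] * pair[1]

@dataclass
class Risk:
    id: str
    description: str     # cause-and-effect statement, not a one-word label
    owner: str           # named person accountable for the risk
    inherent: tuple      # (likelihood, impact) before any controls
    controls: list       # what is already in place to reduce it
    residual: tuple      # (likelihood, impact) after those controls
    treatment: str       # mitigate | transfer | accept | avoid
    next_review: date    # when the owner must next review the entry
    rationale: str = ""  # must be recorded when the treatment is "accept"

def validate(risk):
    """Return governance problems with one entry; an empty list means it is sound."""
    problems = []
    if any(v not in SCALE for v in risk.inherent + risk.residual):
        problems.append("likelihood or impact outside the 1-5 scale")
    if risk.treatment not in TREATMENTS:
        problems.append(f"unknown treatment {risk.treatment!r}")
    if risk.treatment == "accept" and not risk.rationale.strip():
        problems.append("accepted risk has no recorded rationale")
    if score(risk.residual) > score(risk.inherent):
        problems.append("residual score exceeds inherent score")
    return problems

def ranked(register):  # highest residual exposure first, ties broken by inherent score
    return sorted(register, key=lambda r: (-score(r.residual), -score(r.inherent)))

def overdue(register, today):  # IDs of entries whose review date has already passed
    return [r.id for r in register if r.next_review < today]

# Constructed sample entries for illustration, not taken from any real register.
REGISTER = [
    Risk("R1", "An employee is tricked by a phishing email, leading to credential theft "
         "and unauthorised access to customer data", "Head of IT", (4, 5),
         ["MFA", "mail filtering", "awareness training"], (2, 4), "mitigate", date(2026, 7, 1)),
    Risk("R2", "A key SaaS vendor suffers an outage, leading to loss of order processing",
         "COO", (3, 4), ["contractual SLA"], (3, 3), "transfer", date(2026, 5, 1)),
    Risk("R3", "An unencrypted laptop is lost, leading to disclosure of internal documents",
         "IT Manager", (2, 3), [], (2, 3), "accept", date(2026, 9, 1)),
]
```

Running `validate` over every entry before each risk meeting surfaces the "accepted but undocumented" case (R3 above), while `ranked` and `overdue` give the meeting its agenda.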
