How to Build a Risk Register You'll Actually Use
Most risk registers die in the spreadsheet they were born in. Here's how to build one that survives contact with real operations — and actually drives decisions.
Risk registers are the most neglected artifact in compliance. Every auditor asks for one. Almost nobody uses theirs after the audit ends. The fix isn't making them more thorough — it's making them operational.
Start with a 5×5 heat map, not a spreadsheet
The foundation is likelihood (1–5) × impact (1–5), producing a 1–25 risk score. The heat map is the artifact your team actually looks at. The underlying spreadsheet is the artifact your auditor looks at. Both matter. The heat map drives decisions.
Link every risk to at least one control
This is the difference between a risk register that matters and one that gathers dust. For each risk, name the specific controls that mitigate it. When a control fails or goes stale, you can instantly see which risks are now unmitigated and pick them up in the next review.
This linkage also satisfies SOC 2 CC3.2 ("the entity identifies risks to the achievement of its objectives") and ISO 27001 Clause 6.1 in a way that auditors immediately recognize.
Every risk needs treatment
For each risk, pick one: Accept (document why), Mitigate (link the controls that reduce it), Transfer (insurance, vendor contract), or Avoid (stop doing the thing that causes the risk). "Unaddressed" is not an option. If a risk has been open for 6 months with no treatment, either treat it or accept it explicitly.
Set a review cadence that matches the risk
Critical risks (top-right of the heat map): reviewed monthly. High: quarterly. Medium: semi-annually. Low: annually. Bake the cadence into the register itself, with last-reviewed and next-due dates. Calendar the reviews.
Common mistakes
- Too many risks. If you have 200 risks, you have zero. Aim for 20–50 for an early-stage company.
- Too-fine granularity. "SQL injection in signup form" is not a risk; "Unpatched web application vulnerabilities" is.
- No ownership. Every risk needs a named human accountable for its treatment.
- Scoring theater. If every risk is scored 15 (moderate), your scoring isn't working. Force a distribution.
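The rules above (1–25 score from likelihood × impact, tier-based review cadence, control linkage, mandatory treatment, named ownership and the scoring-theater check) as a small executable model; this is an added example, not code from the article or from Simpra's product. The numeric tier cutoffs on the score, the one-year control staleness window and the sample risks are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Tier cutoffs on the 1-25 score are an assumption (the page names tiers, not boundaries);
# the review cadence per tier (monthly/quarterly/semi-annual/annual) is the page's own.
TIER_BOUNDS = [(20, "critical"), (12, "high"), (6, "medium"), (1, "low")]
REVIEW_DAYS = {"critical": 30, "high": 90, "medium": 182, "low": 365}
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}

@dataclass
class Control:
    name: str
    tested_on: date
    stale_after_days: int = 365  # assumption: a control not re-tested in a year is stale
    def is_stale(self, today: date) -> bool:
        return (today - self.tested_on).days > self.stale_after_days

@dataclass
class Risk:
    title: str
    owner: Optional[str]
    likelihood: int           # 1-5
    impact: int               # 1-5
    treatment: Optional[str]  # accept / mitigate / transfer / avoid, or None if unaddressed
    controls: list = field(default_factory=list)
    last_reviewed: Optional[date] = None
    def score(self) -> int:
        return self.likelihood * self.impact  # 1-25 heat-map score
    def tier(self) -> str:
        return next(t for floor, t in TIER_BOUNDS if self.score() >= floor)
    def review_overdue(self, today: date) -> bool:
        if self.last_reviewed is None:
            return True
        return today > self.last_reviewed + timedelta(days=REVIEW_DAYS[self.tier()])

def findings(register: list, today: date) -> list:
    out = []  # one line per problem the article warns about; empty means a clean register
    for r in register:
        if r.owner is None:
            out.append(f"{r.title}: no owner")
        if r.treatment not in TREATMENTS:
            out.append(f"{r.title}: no treatment")
        elif r.treatment == "mitigate" and all(c.is_stale(today) for c in r.controls):
            out.append(f"{r.title}: unmitigated, every linked control is stale or missing")
        if r.review_overdue(today):
            out.append(f"{r.title}: {r.tier()} review overdue")
    if len(register) > 1 and len({r.score() for r in register}) == 1:
        out.append("scoring theater: every risk has the same score")
    return out
```

Run `findings(register, date.today())` on a scheduled basis and treat a non-empty result as the agenda for the next review meeting.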
A good risk register changes what your team actually works on. A bad one is a document you update the week before the audit.
Stop managing compliance in spreadsheets.
Simpra is the AI-native platform that turns policies, controls, evidence, and risk into one live system of record.