How to Build a Risk Register from Scratch: A Practical Guide for 2026
Learn how to build a risk register from scratch with this step-by-step guide. Covers risk identification, scoring methodology, ownership, treatment decisions, and how to move beyond spreadsheets to a living risk management tool.
Every risk management program starts with the same artifact: a risk register. Whether you're a startup preparing for SOC 2, a mid-size company formalizing operations, or an enterprise consolidating scattered risk data, the risk register is where it all lives.
The problem is that most organizations build their first risk register wrong — they either make it too complex to maintain or too simple to be useful.
What a Risk Register Actually Is
A risk register is a structured record of identified risks, their assessed severity, who owns them, and what's being done about them. It's the single source of truth for your risk posture.
At minimum, each entry captures:
- What the risk is (title and description)
- How bad it could be (likelihood and impact scores)
- Who is responsible (owner)
- What you're doing about it (treatment decision)
- When it gets reviewed next
That's it. Everything else — categories, controls, KRIs, residual scoring — is layered on as your program matures.
Step 1: Define Your Risk Categories and Scoring
Before you identify a single risk, establish two things: how you'll categorize risks and how you'll score them.
Risk Categories
Categories group risks by domain. A practical starting set:
| Category | What It Covers |
|---|---|
| Cybersecurity | Data breaches, ransomware, access control failures |
| Operational | Process failures, system outages, human error |
| Financial | Revenue loss, cost overruns, fraud |
| Compliance | Regulatory violations, audit failures, contractual breaches |
| Reputational | Brand damage, customer trust erosion, public incidents |
| Strategic | Market changes, competitive threats, failed initiatives |
You can always add categories later. Don't overthink this — 5-8 categories cover most organizations.
Scoring Methodology
The 5x5 likelihood-by-impact matrix is the industry default for good reason: it's simple enough for non-specialists to use but granular enough for meaningful differentiation.
Likelihood Scale:
| Score | Label | Definition |
|---|---|---|
| 1 | Rare | Less than 5% chance in 12 months |
| 2 | Unlikely | 5-20% chance in 12 months |
| 3 | Possible | 20-50% chance in 12 months |
| 4 | Likely | 50-80% chance in 12 months |
| 5 | Almost Certain | Greater than 80% chance in 12 months |
Impact Scale:
| Score | Label | Definition |
|---|---|---|
| 1 | Negligible | Minimal disruption, less than $10K loss |
| 2 | Minor | Limited disruption, $10K-$100K loss |
| 3 | Moderate | Significant disruption, $100K-$500K loss |
| 4 | Major | Severe disruption, $500K-$2M loss |
| 5 | Catastrophic | Existential threat, greater than $2M loss |
The risk score is simply Likelihood × Impact, producing a range of 1-25. Map these to levels:
- 1-5: Low (green)
- 6-12: Medium (yellow)
- 15-20: High (orange)
- 21-25: Critical (red)
Customize the definitions to fit your organization's context. A $10K loss might be negligible for a large enterprise but significant for a startup.
Step 2: Identify Your Risks
This is where most teams stall. They either try to boil the ocean or sit in a conference room guessing. Use multiple identification methods:
Workshop Approach
Bring together 5-8 people across departments. For each category, ask:
- "What could go wrong that would significantly affect our objectives?"
- "What has gone wrong in the past 2 years?"
- "What keeps you up at night?"
Timebox each category to 15 minutes. Capture everything, then consolidate duplicates.
Document Review
Pull from existing sources:
- Past incident reports and post-mortems
- Audit findings (internal and external)
- Compliance gap analyses
- Insurance claims
- Customer complaints
Industry Intelligence
Use industry-specific risk libraries as a checklist. Frameworks like NIST CSF, ISO 27001 Annex A, and COSO ERM provide structured risk catalogs you can filter for relevance.
Writing Good Risk Descriptions
A well-written risk has three parts: cause, event, and consequence.
Bad: "Cybersecurity risk"
Good: "Due to insufficient access controls on cloud infrastructure, an unauthorized party could access customer data, resulting in regulatory fines, breach notification costs, and customer churn."
The formula: "Due to [cause/vulnerability], [threat event] could occur, resulting in [business impact]."
Step 3: Score Each Risk and Assign Owners
With risks identified, assess each one:
- Rate likelihood — how probable is this in the next 12 months?
- Rate impact — if it happens, how severe is the consequence?
- Calculate the inherent risk score — Likelihood × Impact
- Assign an owner — who is accountable for this risk?
On Risk Ownership
Every risk must have exactly one owner. This is the person who:
- Monitors the risk and its indicators
- Ensures treatment plans are progressing
- Reports on the risk at review meetings
- Escalates when the risk exceeds tolerance
Risk owners are typically department heads or senior managers with the authority to allocate resources. Assigning risk ownership to someone without decision-making power guarantees the risk will be neglected.
Step 4: Define Treatment Decisions
For each risk, choose a treatment strategy:
| Treatment | When to Use | Example |
|---|---|---|
| Mitigate | You can reduce likelihood or impact through controls | Implement MFA to reduce unauthorized access risk |
| Accept | The risk is within appetite and the cost of treatment exceeds the benefit | Accept the risk of minor website downtime during maintenance |
| Transfer | Another party can absorb the risk more efficiently | Purchase cyber insurance, outsource to a specialist |
| Avoid | The risk is unacceptable and no treatment is sufficient | Discontinue a product line that creates regulatory exposure |
For mitigated risks, document the specific controls and actions:
- What controls are in place or planned?
- What actions need to be completed?
- Who is responsible for each action?
- What is the target completion date?
After controls are applied, score the residual risk — the remaining risk level after treatment. Residual risk should never exceed inherent risk. If it does, your controls aren't doing what you think.
Step 5: Set Review Schedules and Operationalize
A risk register that isn't reviewed regularly is just documentation theater. Set review cadences based on risk level:
- Critical risks: Monthly review
- High risks: Monthly review
- Medium risks: Quarterly review
- Low risks: Semi-annual review
Beyond individual risk reviews, schedule a quarterly risk committee meeting where owners present their top risks, treatment progress, and any emerging threats.
When to Move Beyond Spreadsheets
Spreadsheets work for the first iteration of a risk register. They stop working when:
- Multiple people need to update risks concurrently
- You need an audit trail of who changed what and when
- Risk scoring should calculate automatically based on your methodology
- Review reminders need to fire without someone manually checking dates
- Leadership expects real-time dashboards instead of quarterly slide decks
- You're mapping risks to controls and compliance frameworks
At that point, a GRC platform eliminates the manual overhead and provides the workflow, automation, and reporting that spreadsheets can't.
Common Risk Register Mistakes
Listing risks too vaguely. "Cybersecurity" is not a risk — it's a category. Risks need specificity to be actionable.
No ownership. If every risk is "owned by the risk team," no one is really accountable. Distribute ownership to the people closest to each risk.
Scoring without definitions. If your team doesn't share a common understanding of what "Likelihood 4" means, your scores will be inconsistent. Define each level clearly and reference the definitions during assessments.
Set and forget. The biggest failure mode is building a risk register for an audit and never looking at it again. A risk register is a living tool, not a compliance artifact.
Too many risks too soon. Starting with 100+ risks guarantees that most will be poorly defined and never reviewed. Start with 15-20, manage them well, and expand deliberately.
Getting Started Today
You don't need a perfect risk register to start managing risk effectively. You need a register that's good enough to use, owned by people who will maintain it, and reviewed on a regular cadence.
Start with your top 10-15 risks. Score them honestly. Assign real owners. Set review dates. Iterate.
The organizations that manage risk well aren't the ones with the longest risk registers — they're the ones that actually use them.
Frequently Asked Questions
- What is a risk register?
- A risk register is a structured record of all identified risks facing an organization. Each entry typically includes a risk title, description, category, likelihood and impact scores, an overall risk rating, the assigned owner, treatment decision (mitigate, accept, transfer, or avoid), linked controls or actions, and a next review date. It serves as the central artifact in any risk management program.
- What columns should a risk register have?
- A practical risk register includes: Risk ID, Title, Description, Category (e.g. operational, cyber, financial), Likelihood (1-5), Impact (1-5), Inherent Risk Score, Risk Level (critical/high/medium/low), Owner, Treatment (mitigate/accept/transfer/avoid), Residual Likelihood, Residual Impact, Residual Risk Score, Linked Controls, Status, and Next Review Date. Start simple and add columns as your program matures.
- How many risks should a risk register have?
- There is no fixed number. A small business might start with 10-20 risks. Mid-size organizations typically manage 30-80 risks. Large enterprises may have 200+ across business units. Quality matters more than quantity — 15 well-defined, actively managed risks provide more value than 200 stale entries that no one reviews.
- Should I use a spreadsheet or software for my risk register?
- Spreadsheets work for getting started (fewer than 15 risks, single contributor), but they break down quickly: no audit trail, no automated scoring, version conflicts, and no workflow for reviews or approvals. Once you have multiple risk owners, need to track treatment progress, or must report to leadership regularly, a purpose-built GRC platform saves significant time and reduces errors.
- How often should a risk register be reviewed?
- Review the full risk register quarterly at minimum. Individual high or critical risks should be reviewed monthly. Trigger ad-hoc reviews when significant changes occur: new regulations, security incidents, organizational restructuring, or M&A activity. Automate review reminders so risks don't go stale.