Risk Register
Track risk posture with ownership and evidence
Centralize risk scoring, mitigation plans, approvals, and residual risk monitoring in one register.
What it does
Connects findings, incidents, and control changes to risk records with clear accountability.
Who it is for
Risk managers, compliance officers, and security governance leads.
Key workflows
- Likelihood and impact scoring by asset class
- Mitigation planning and owner assignment
- Residual risk acceptance with reason logging
- Recurring review cadences with audit trails
Outcomes
Move from reactive firefighting to governed risk operations with auditable decisions.
Frequently asked questions
A risk register is a live record of identified privacy and compliance risks, each with an assessed likelihood and impact, a named owner, mitigating controls, and a residual risk rating after those controls are applied. It is the document that shows you knew about a risk and what you did about it.
Residual risk is what remains after your controls are in place. Inherent risk is the exposure before mitigation; residual is what you are actually carrying. Someone with authority has to formally accept the residual risk — and that acceptance should be recorded.
A data protection impact assessment is a structured evaluation of a processing activity's risk to individuals. Under GDPR it is required when processing is likely to result in high risk — large-scale profiling, systematic monitoring, or processing special-category data at scale.
The person who can actually do something about it — usually the business owner of the system or process, not the compliance team. Compliance tracks and escalates; ownership without authority to act produces a register that never changes.