What is a Risk Register?
A risk register is a structured overview of all identified risks within an organisation, including their assessment, impact, likelihood, controls and ownership.
It is a living document that helps you make risks visible, manageable and demonstrable — essential for ISO 27001, NIS2, GMP and IEC 62443, among others.
🎯 The aim of a risk register
- Gain insight into threats and vulnerabilities
- Assess impact and likelihood (risk scoring)
- Plan and track controls
- Support audits and compliance
- Provide a basis for continuous improvement and risk-driven working
📄 What goes in a risk register?
| Column | Description |
|---|---|
| Risk ID | Unique identifier (e.g. RISK-001) |
| Description | What is the risk or scenario? |
| Cause | What can lead to this risk? |
| Consequence | What is the impact (e.g. data leak, downtime, injury)? |
| Likelihood | How likely is it to occur? |
| Impact | How severe is the consequence? |
| Risk score | Likelihood × impact (e.g. 3 × 4 = 12) |
| Classification | High / medium / low / acceptable |
| Controls | Which controls or actions are planned or in place? |
| Owner | Who manages this risk? |
| Status / deadline | When will it be reviewed or resolved? |
🔐 Risk register in OT and IT
In industrial and hybrid environments, the register often contains risks such as:
- Failure of a PLC, SCADA or Historian
- Ransomware via remote access or the update process
- Unauthorised access to the production network
- Loss of batch data or Tracking and Tracing information
- Breaches of standards such as GMP, SIL or ISO 27001
📊 Risk matrix
A risk matrix (heatmap) is often used to classify risks:
| Likelihood ↓ / Impact → | Low (1) | Medium (2) | High (3) | Critical (4) |
|---|---|---|---|---|
| Very low (1) | 1 | 2 | 3 | 4 |
| Low (2) | 2 | 4 | 6 | 8 |
| Medium (3) | 3 | 6 | 9 | 12 |
| High (4) | 4 | 8 | 12 | 16 |
The risk score determines whether action is required.
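As an added example (not part of the original page), a minimal Python register that reproduces the columns of the table and the likelihood × impact scoring of the 4×4 matrix above; the classification cut-offs (12 / 6 / 3) and the three sample entries are assumptions, since the page names the classes but gives no threshold values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SCALE = range(1, 5)  # likelihood and impact both use the 1-4 scale of the matrix above
# Assumed cut-offs: the page names high / medium / low / acceptable but gives no values.
THRESHOLDS = [(12, "high"), (6, "medium"), (3, "low")]

def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact, exactly as in the 4x4 matrix (e.g. 3 x 4 = 12)."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..4")
    return likelihood * impact

def classify(score: int) -> str:
    # First cut-off the score reaches wins; anything below 3 is acceptable.
    return next((label for floor, label in THRESHOLDS if score >= floor), "acceptable")

@dataclass
class Risk:  # one row of the register, mirroring the columns in the table above
    risk_id: str
    description: str
    cause: str
    consequence: str
    likelihood: int
    impact: int
    controls: str
    owner: str
    review_by: Optional[date] = None  # status / deadline column

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)
    @property
    def classification(self) -> str:
        return classify(self.score)

def prioritised(register: list) -> list:
    """Highest score first; ties broken on impact so severe outcomes surface."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)

# Constructed sample entries, based on the OT/IT scenarios listed on this page.
REGISTER = [
    Risk("RISK-001", "Ransomware via remote access", "Remote access without MFA",
         "Production downtime", 3, 4, "MFA and patching on the remote gateway",
         "OT security lead", date(2025, 12, 31)),
    Risk("RISK-002", "Loss of batch data", "Historian disk failure", "GMP deviation",
         2, 3, "Nightly backups with restore tests", "Plant IT"),
    Risk("RISK-003", "PLC failure", "Hardware ageing", "Line stop", 2, 2, "Spare PLCs on site", "Maintenance"),
]
```

Running `prioritised(REGISTER)` gives the review order for the next risk meeting, with each entry's `classification` ready to be written into the register.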
✅ Benefits of a risk register
- Transparency about where risks are
- Measurable and repeatable risk assessment
- Controls are traceable and verifiable
- Helps with decision-making and prioritisation
- Required or recommended in ISMS, GxP, ISO 9001 and ISO 27001
🛠 Tools and formats
- Excel/Sheets (simple and quick)
- GRC platforms (ServiceNow, Riskonnect, LogicGate)
- ISMS tools with automatic risk logic
- OT tools such as Tenable.ot or Claroty can feed risks in automatically
📌 In summary
A risk register maps threats, vulnerabilities and their consequences — and helps to systematically manage risks within your IT/OT environment.
