Many organizations invest significant effort in creating a risk register, only to let it become stale within months. When risks change faster than the register is updated, the disconnect erodes trust and the register becomes a checkbox exercise rather than a decision-making tool.

What You'll Achieve

By the end of this tutorial, you will have established review cycles for your risk register, conducted a structured review of at least one risk, and documented the process for ongoing maintenance.

Step 1: Establish Review Cycles

Not all risks need the same review frequency. Base your cycle on risk level and volatility.

Recommended Review Frequencies

Risk Level          Review Frequency         Rationale
Critical (17-25)    Monthly or more often    High potential impact requires close monitoring
High (10-16)        Monthly                  Active management needed
Medium (5-9)        Quarterly                Regular monitoring without excessive overhead
Low (1-4)           Annually                 Ensure they haven't changed significantly

Trigger-Based Reviews

Beyond scheduled reviews, certain events should trigger immediate risk register updates:

  • Major organizational changes (M&A, restructuring, leadership change)
  • Significant external events (regulatory changes, market disruptions)
  • Risk materializations or near-misses
  • New projects or initiatives
  • Audit findings related to risk management

Step 2: Prepare for Review

Effective reviews require preparation. Rushing into a review meeting without context wastes everyone's time.

Pre-Review Checklist

  • Pull current risk data: Latest scores, controls, action items
  • Gather updates: Any incidents, changes, or new information since last review
  • Check action status: Which treatment actions are complete, in progress, or overdue?
  • Note external changes: Industry trends, regulatory updates, market conditions
  • Identify attendees: Risk owners and subject matter experts should participate

Send Pre-Read Materials

Distribute the risk report to participants 2-3 days before the review. This lets them come prepared with updates rather than discovering issues during the meeting.

Step 3: Validate Risk Status

For each risk under review, start by confirming its current status.

Questions to Ask

  • Is this risk still relevant? Has the underlying activity, process, or exposure changed?
  • Is the description still accurate? Do the cause, event, and consequence still apply?
  • Has anything materialized? Did part or all of this risk actually occur?
  • Should this be closed? Some risks are no longer applicable and should be archived.

Status Options

  • Open: Risk is active and being monitored
  • In Treatment: Active mitigation underway
  • Accepted: Risk accepted within tolerance
  • Closed: No longer relevant (document why)
  • Materialized: Risk event occurred (link to incident)

Step 4: Reassess Likelihood and Impact

Conditions change, and so should risk scores. Consider what's happened since the last assessment.

Likelihood Reassessment

Ask: Has the probability of this risk changed?

  • New controls implemented that reduce likelihood?
  • External factors that increase probability?
  • Near-misses that suggest higher likelihood than assumed?
  • Industry incidents that indicate increased threat?

Impact Reassessment

Ask: Would the consequences be different now?

  • Has the organization's risk tolerance changed?
  • Are there new dependencies or exposures?
  • Would regulatory response be different?
  • Has business criticality of affected areas changed?

Example: Score Change During Review

Risk: Cybersecurity breach exposing customer data

Previous Score: L3 × I4 = 12 (High)

Update: New MFA and encryption controls implemented

Revised Score: L2 × I4 = 8 (Medium)

Rationale: Controls reduced likelihood; impact unchanged because breach consequences remain severe regardless of controls.

Step 5: Review Controls and Actions

Controls and treatment actions are what actually manage your risks. Verify they're working.

Control Effectiveness

For each control mapped to the risk:

  • Is the control still in place?
  • Is it operating as designed?
  • Has its effectiveness been tested recently?
  • Are there gaps or weaknesses identified?

Action Item Status

For treatment actions:

  • Completed: Document completion and verify effectiveness
  • In progress: Confirm on track; escalate if delayed
  • Overdue: Understand why; reset timeline or escalate
  • Not started: Confirm still relevant; assign resources

The gap between inherent and residual risk reflects your control effectiveness. If residual risk is only slightly lower than inherent, your controls may not be as effective as assumed.

Step 6: Identify New Risks

Reviews aren't just about existing risks—they're an opportunity to capture emerging ones.

Sources of New Risks

  • Business changes: New products, markets, systems, or processes
  • External environment: Regulatory changes, competitor actions, market shifts
  • Incidents: Near-misses or actual events that reveal previously unknown risks
  • Stakeholder feedback: Concerns raised by employees, customers, or partners
  • Audit findings: Issues identified by internal or external auditors

New Risk Assessment

For each new risk identified:

  1. Write a clear description (cause, event, consequence)
  2. Assign to appropriate category
  3. Score likelihood and impact
  4. Identify existing controls
  5. Assign an owner
  6. Determine if treatment is needed

Step 7: Document and Communicate

Changes are only valuable if they're recorded and shared.

What to Document

  • Date of review and participants
  • Changes to risk descriptions, scores, or status
  • Rationale for significant changes
  • New risks added
  • Risks closed and why
  • Action item updates and new assignments

Communication

  • Risk owners: Notify of any changes to their risks
  • Leadership: Report significant changes, new critical risks, or emerging trends
  • Audit/Compliance: Ensure they have access to current information

Maintain an Audit Trail

Keep a history of changes. When auditors or stakeholders ask why a risk was rated a certain way, you should be able to show the assessment history and rationale.
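The following is an added illustration of Steps 1, 4, 5 and 7 in code, not something from the tutorial's author: a minimal register model that maps a likelihood × impact score to its band and review cadence, refuses a reassessment that lacks a rationale, keeps every assessment as an audit trail, flags overdue treatment actions, and pulls all open risks into review when a trigger event occurs. The 1-5 scales and the band thresholds come from the table above; the interval lengths in days (30/90/365, with "monthly or more often" for Critical treated as 30), the field names, the risk id R-007 and the dates are constructed assumptions. The sample scenario reproduces the tutorial's worked score change (L3 × I4 = 12 falling to L2 × I4 = 8 after MFA and encryption).

```python
"""Minimal risk-register model: score bands, review cadence, audit trail, action tracking.

Added example for this tutorial, not the author's code. Scales and bands follow the
tutorial's table; interval days, field names, ids and dates are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# (lower bound, upper bound, band name, review interval in days). Critical is
# "monthly or more often" in the tutorial; 30 days is the assumed floor here.
SCORE_BANDS = (
    (17, 25, "Critical", 30),
    (10, 16, "High", 30),
    (5, 9, "Medium", 90),
    (1, 4, "Low", 365),
)


def band_for(score: int) -> tuple[str, int]:
    """Map a likelihood x impact score to (band name, review interval in days)."""
    for low, high, name, days in SCORE_BANDS:
        if low <= score <= high:
            return name, days
    raise ValueError(f"score {score} is outside the 1-25 range of a 5x5 matrix")


@dataclass
class Assessment:
    reviewed_on: date
    likelihood: int                 # 1-5
    impact: int                     # 1-5
    rationale: str                  # required: unexplained scores become arbitrary
    participants: tuple[str, ...]

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Action:
    description: str
    due: date
    status: str = "Not started"     # Not started / In progress / Completed


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str
    status: str = "Open"            # Open / In Treatment / Accepted / Closed / Materialized
    history: list[Assessment] = field(default_factory=list)   # the audit trail
    actions: list[Action] = field(default_factory=list)

    @property
    def current(self) -> Assessment:
        return self.history[-1]

    def band(self) -> str:
        return band_for(self.current.score)[0]

    def next_review_due(self) -> date:
        return self.current.reviewed_on + timedelta(days=band_for(self.current.score)[1])

    def reassess(self, reviewed_on, likelihood, impact, rationale, participants) -> Assessment:
        """Append a new assessment; reject out-of-scale values and missing rationale."""
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        if not rationale.strip():
            raise ValueError("a rationale is required for every score change")
        assessment = Assessment(reviewed_on, likelihood, impact, rationale, tuple(participants))
        self.history.append(assessment)
        return assessment

    def overdue_actions(self, today: date) -> list[Action]:
        return [a for a in self.actions if a.status != "Completed" and a.due < today]


def risks_due_for_review(register, today, trigger_event=None):
    """Scheduled reviews by band cadence; a trigger event (M&A, incident, audit
    finding) pulls every non-closed risk into review regardless of schedule."""
    open_risks = [r for r in register if r.status != "Closed"]
    if trigger_event:
        return open_risks
    return [r for r in open_risks if r.next_review_due() <= today]


def build_example_register() -> list[Risk]:
    """Constructed sample data mirroring the tutorial's worked example."""
    risk = Risk("R-007", "Cybersecurity breach exposing customer data", "CISO")
    risk.reassess(date(2024, 1, 15), 3, 4, "Initial assessment", ["CISO", "Head of IT"])
    risk.actions.append(Action("Roll out MFA for all staff", date(2024, 3, 31)))
    risk.actions.append(Action("Encrypt customer database at rest", date(2024, 4, 30)))
    return [risk]


def run_example_review() -> dict:
    """Walk the sample risk through a review and return what a reviewer would record."""
    register = build_example_register()
    risk = register[0]
    today = date(2024, 5, 10)

    def snapshot():
        return {"score": risk.current.score, "band": risk.band(),
                "next_review": risk.next_review_due().isoformat(),
                "due_now": [r.risk_id for r in risks_due_for_review(register, today)],
                "overdue_actions": len(risk.overdue_actions(today))}

    before = snapshot()
    for a in risk.actions:          # both treatment actions verified complete in the review
        a.status = "Completed"
    risk.reassess(today, 2, 4, "MFA and encryption controls reduced likelihood; "
                  "breach impact unchanged", ["CISO", "Head of IT"])
    return {"before": before, "after": snapshot(),
            "trail": [(a.reviewed_on.isoformat(), a.score, a.rationale) for a in risk.history]}


if __name__ == "__main__":
    for key, value in run_example_review().items():
        print(key, value)
```

Running the block prints the before/after snapshots and the two-entry assessment history; the "before" snapshot shows the risk overdue for its monthly review and both actions past due, which is exactly what the pre-review checklist should surface before the meeting.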

Common Mistakes to Avoid

1. "No Change" Reviews

If every review results in no changes, you're either not looking closely enough or the risks are too static. Something has likely changed—find it.

2. Review Without Risk Owners

Centralized reviews without input from people closest to the risks miss important context. Involve risk owners.

3. Ignoring Near-Misses

Near-misses are valuable data. A risk that almost materialized deserves a likelihood reassessment.

4. Letting Actions Languish

Overdue action items indicate either unrealistic plans or lack of accountability. Address both.

5. Not Documenting Rationale

Scores without explanation become arbitrary over time. Document why ratings are what they are.

Key Takeaways

Summary

  • Set review frequencies based on risk level—critical risks monthly, low risks annually
  • Prepare before reviews by gathering current data and updates
  • Validate that each risk is still relevant and accurately described
  • Reassess likelihood and impact based on current conditions
  • Verify control effectiveness and action item progress
  • Capture new and emerging risks during each review
  • Document all changes with rationale and communicate to stakeholders

Outcome Checklist

Before completing your review, confirm:

  • Review frequency established for each risk level
  • Pre-review materials gathered and distributed
  • Each risk validated for continued relevance
  • Scores reassessed with documented rationale
  • Controls and actions reviewed for effectiveness
  • New risks identified and added to register
  • All changes documented with dates and participants
  • Stakeholders notified of significant changes