Risk Register: Living Document of What Keeps You Up at Night

📋 Risk Register: Living Document of What Keeps You Up at Night

"A risk register updated only for audits is just expensive fiction. Real risk registers change weekly."

🍎 The Golden Apple: Dead Registers vs. Living Documents (or: Compliance Theater vs. Actual Risk Management)

Most organizations have risk registers. They're created for ISO 27001 audits, filled with generic threats copy-pasted from templates, assigned arbitrary likelihood/impact scores that make executives feel comfortable, and forgotten until next year's audit. It's security kabuki. Performance art for auditors.

That's not risk management—that's compliance theater. FNORD. The risk register says "low risk of ransomware" while the CFO's laptop is already encrypted by REvil. Cognitive dissonance is a feature, not a bug.

A real risk register is a living document (emphasis on living, not zombie). Updated when new threats emerge (weekly, because attackers don't wait for quarterly reviews). Revised when vulnerabilities are discovered (daily, if you're doing it right). Referenced when making security investment decisions (not vendor pitches or FUD). A working tool, not audit decoration. The difference between a living risk register and a dead one is whether you'd bet your job on its accuracy. Would you? Are you sure? FNORD.

ILLUMINATION FOR PSYCHONAUTS: If your risk register hasn't been updated in six months, it's not tracking risks—it's documenting history (badly). Threats evolve faster than annual audit cycles. Zero-days don't wait for your quarterly review meeting. The conspiracy is real and it's moving faster than your documentation process. Welcome to Chapel Perilous. Update your risk register or the risk register updates you.

🛡️ The Five Elements of an Effective Risk Register

1. Identified Risks

What can go wrong?

Threat sources, vulnerabilities, attack scenarios. Specific, not generic. "Ransomware via phishing" > "cyber attack." Update when new threats emerge.

2. Risk Assessment

How bad is it?

Likelihood (how probable?). Impact (financial, operational, reputational). Risk score = Likelihood × Impact. Prioritizes treatment decisions.

3. Existing Controls

What already mitigates this?

Technical controls (MFA, EDR, backups). Process controls (change management, access reviews). Residual risk after controls applied.

4. Treatment Plans

What are you doing about it?

Accept (tolerate residual risk). Mitigate (add controls). Transfer (insurance). Avoid (eliminate risk source). Each decision requires owner and deadline.

5. Monitoring & Review

Is risk changing?

Track risk trends over time. Reassess quarterly or when threat landscape changes. Review treatment effectiveness. Update as controls implemented.

CHAOS ILLUMINATION: Risk assessment is prediction, not certainty. Assign likelihood/impact knowing they're educated guesses. Wrong numbers with right methodology beat no numbers with perfect methodology.

📋 Hack23's Risk Register Approach

Our risk register is public (sanitized version): ISMS-PUBLIC Repository | Risk Register

Continuous Updates: Risk register updated within 48 hours of new threat intelligence from CVE feeds, CISA alerts, industry reports
Threat Intelligence Integration: Automated feeds trigger risk reviews, not annual audit cycles
Quarterly Formal Reviews: Re-assess likelihood/impact scores every 3 months, validate existing controls, track treatment plan progress
Risk-Based Investment: Security budget prioritized by risk register scores (not vendor pitches or "best practices")
Transparent Communication: Executive summaries show top 10 risks, trend analysis (improving/worsening), treatment progress percentage
Documented Rationale: Every risk score includes evidence-based reasoning, not arbitrary assignment

META-ILLUMINATION: Publishing a sanitized risk register publicly (like we do) forces intellectual honesty. Can't bullshit when the world can see your risk assessments.

🎯 Risk Register Anti-Patterns (What Not To Do)

❌ Annual-Only Updates

The Problem: Threat landscape changes faster than audit cycles.

Reality: New zero-days, emerging attack techniques, industry breaches—all change risk profile continuously.

Fix: Quarterly reviews minimum, ad-hoc updates for major threats.

❌ Generic Risk Descriptions

The Problem: "Cyber attack" tells you nothing.

Reality: Ransomware via phishing vs. supply chain compromise vs. insider threat—different attacks, different mitigations.

Fix: Specific threat scenarios with attack paths.

❌ Arbitrary Scoring

The Problem: Likelihood/impact assigned without reasoning.

Reality: If you can't explain why ransomware is "High Likelihood," your assessment is fiction.

Fix: Document scoring rationale, cite evidence.

❌ Treatment Plans Without Owners

The Problem: "Implement MFA" without assigned owner or deadline.

Reality: Unowned tasks don't get done. No deadline means never.

Fix: Every treatment plan: owner, deadline, success criteria.

❌ Ignoring Residual Risk

The Problem: Assume controls eliminate risk completely.

Reality: MFA reduces phishing risk—doesn't eliminate it. Document what remains.

Fix: Calculate residual risk after controls, decide if acceptable.

🔍 The Five Questions for Risk Register Quality

When was it last updated? - >3 months = stale, >6 months = fiction, >12 months = audit prop
Are risks specific or generic? - "Ransomware via RDP" > "cyber attack"
Can you justify scores? - Explain likelihood/impact rationale or admit you're guessing
Do treatment plans have owners? - Unowned work doesn't happen
Does register drive decisions? - Security investment aligned with risk scores? If not, register is decoration

ULTIMATE ILLUMINATION: Risk registers reveal organizational priorities. If your register says ransomware is Critical but you haven't deployed EDR, your register is lies or your priorities are broken.

🎯 Risk Register vs. Risk Assessment

These are different things:

Risk Assessment Methodology - How you identify, analyze, and evaluate risks (process definition)
Risk Register - Catalog of identified risks, their scores, controls, and treatment plans (living data)

Risk assessment methodology is relatively static. Risk register changes constantly. Methodology defines process. Register documents results.

🎯 Conclusion: Keep Your Risk Register Alive

A risk register is only useful if it's current. Update continuously, review quarterly, use actively.

Identify specific threats. Score with evidence. Document existing controls. Plan treatments with owners and deadlines. Monitor trends over time.

A stale risk register is audit decoration. A living risk register drives security investment decisions.

Need expert guidance on risk management? Discover Hack23's consulting approach that treats security as an enabler, not a barrier.

All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question your risk scores—especially when they haven't changed in a year."
🍎 23 FNORD 5
— Hagbard Celine, Captain of the Leif Erikson