Module 18: Risk Register
If a risk isn't documented, it isn't governed.
The risk register operationalizes everything from Domain 1 and Domain 2:
- Risk scenarios
- Inherent risk
- Residual risk
- Ownership
- Response decisions
- Escalation
CRISC does not treat it as administrative paperwork.
It treats it as a governance instrument.
What the exam is really testing
When the term risk register appears in a question, CRISC is asking:
- Are risks documented consistently?
- Is ownership assigned?
- Is risk evaluated properly?
- Is status tracked?
- Is escalation triggered when required?
- Is aggregation possible?
If the register is incomplete, governance visibility fails.
What a risk register must include
CRISC does not mandate a specific template, but expects structured components.
At minimum, a mature risk register includes:
- Risk ID
- Risk description (complete scenario)
- Asset/process affected
- Threat source
- Vulnerability
- Inherent risk rating
- Control effectiveness
- Residual risk rating
- Risk owner
- Response strategy
- Status
- Review date
- Escalation flag (if applicable)
Missing ownership or residual risk is a major governance weakness.
Inherent vs residual in the register
This is commonly tested.
Inherent risk = before controls
Residual risk = after controls
If a register only shows one risk rating without distinction, maturity is low.
CRISC expects visibility into:
- Raw exposure
- Control-adjusted exposure
Ownership is not optional
Every risk must have a defined owner.
Ownership means:
- Accountability
- Decision authority
- Acceptance authority
- Escalation responsibility
If a register lists “IT” or “Security” generically without a named accountable party, governance clarity is weak.
CRISC prefers clear ownership.
Risk response tracking
The register must reflect the chosen strategy:
- Avoid
- Mitigate
- Transfer
- Accept
And the current status:
- Open
- In progress
- Accepted
- Closed
- Escalated
Without tracking, risk governance becomes static.
The most common exam mistakes
A lot of candidates treat the register like a filing cabinet: put something in, close the drawer, move on. But CRISC sees it differently. The register is not just for IT risks, documentation does not mean “done,” and having a control in place does not mean you stop tracking the risk. Aggregation also does not happen on its own — it requires consistent structure.
CRISC expects enterprise visibility, continuous review, formal acceptance documentation, and escalation when tolerance is exceeded.
Example scenario (walk through it)
Scenario:
A high-impact risk is identified and mitigation controls are implemented. The remaining exposure is within tolerance. The risk is removed from the register.
What governance weakness exists?
A. Lack of residual risk tracking
B. Poor mitigation
C. Failure to reassess inherent risk
D. Excessive risk appetite
Correct answer:
A. Lack of residual risk tracking
Even if residual risk is within tolerance, it should remain documented for monitoring and aggregation.
Escalation trigger
If residual risk exceeds tolerance:
- The risk register should reflect escalation
- Formal risk acceptance must be documented
- Leadership visibility is required
If the register does not capture escalation status, governance maturity is low.
Aggregation & reporting
The register supports:
- Risk profile development
- Trend analysis
- Enterprise aggregation
- Board reporting
If risk entries are inconsistent or incomplete, aggregation becomes unreliable.
CRISC favors structured standardization.
Advanced scenario
An organization tracks risks in multiple spreadsheets across departments with inconsistent formats and scoring methods.
What is the MOST significant governance issue?
A. Lack of centralized and standardized risk register
B. Weak threat modeling
C. Excessive risk tolerance
D. Poor asset inventory
Correct answer:
A. Lack of centralized and standardized risk register
Without standardization, enterprise aggregation and visibility fail.
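The following worked example is added to this module and is not part of the CRISC material. It turns the register components listed above, the ownership rule, the escalation trigger, the aggregation section and the "multiple spreadsheets with inconsistent scoring" scenario into a small set of consistency checks that run over a constructed register. The 1 to 5 rating scale, the tolerance threshold of 3, the field names, the list of "generic" owner labels and the four sample entries are all assumptions made for illustration, not anything CRISC prescribes.

```python
"""Risk register consistency checks (added example, not CRISC material).

Assumptions: ratings are on a 1..5 scale, residual ratings above TOLERANCE
exceed risk tolerance, and departmental rows may score risks as numbers or
as words, so they are normalised onto one scale before aggregation.
"""
from dataclasses import dataclass
from typing import Any, Optional

TOLERANCE = 3                                   # assumed threshold on the 1..5 scale
QUALITATIVE = {"low": 1, "medium": 3, "high": 4, "critical": 5}
GENERIC_OWNERS = {"", "it", "security", "tbd", "unassigned"}   # not a named accountable party
VALID_RESPONSES = {"avoid", "mitigate", "transfer", "accept"}
VALID_STATUSES = {"open", "in progress", "accepted", "closed", "escalated"}


def normalize_rating(value: Any) -> Optional[int]:
    """Map mixed scoring (numbers or words) onto the 1..5 scale.
    A blank stays None so a missing residual rating remains detectable."""
    if value is None or str(value).strip() == "":
        return None
    key = str(value).strip().lower()
    if key in QUALITATIVE:
        return QUALITATIVE[key]
    if key.isdigit() and 1 <= int(key) <= 5:
        return int(key)
    raise ValueError(f"unrecognised rating: {value!r}")


@dataclass
class RiskEntry:
    """One register row, carrying the components the module lists as a minimum."""
    risk_id: str
    description: str
    asset: str
    threat_source: str
    vulnerability: str
    inherent: Optional[int]
    control_effectiveness: str
    residual: Optional[int]
    owner: str
    response: str
    status: str
    review_date: str
    escalated: bool = False

    @classmethod
    def from_row(cls, row: dict) -> "RiskEntry":
        """Build an entry from a spreadsheet-style row, normalising both ratings."""
        return cls(
            risk_id=row["risk_id"], description=row["description"], asset=row["asset"],
            threat_source=row["threat_source"], vulnerability=row["vulnerability"],
            inherent=normalize_rating(row.get("inherent")),
            control_effectiveness=row.get("control_effectiveness", "unknown"),
            residual=normalize_rating(row.get("residual")),
            owner=row.get("owner", ""), response=row.get("response", "").lower(),
            status=row.get("status", "").lower(), review_date=row.get("review_date", ""),
            escalated=bool(row.get("escalated", False)),
        )


def check_entry(e: RiskEntry, tolerance: int = TOLERANCE) -> list[str]:
    """Return the governance weaknesses visible in a single entry (empty list = clean)."""
    findings = []
    if e.owner.strip().lower() in GENERIC_OWNERS:
        findings.append("no named accountable owner")
    if e.inherent is None:
        findings.append("inherent risk not recorded")
    if e.residual is None:
        findings.append("residual risk not recorded")      # only one rating = low maturity
    elif e.inherent is not None and e.residual > e.inherent:
        findings.append("residual rating exceeds inherent rating")
    if e.response not in VALID_RESPONSES:
        findings.append(f"unrecognised response strategy {e.response!r}")
    if e.status not in VALID_STATUSES:
        findings.append(f"unrecognised status {e.status!r}")
    over_tolerance = e.residual is not None and e.residual > tolerance
    if over_tolerance and not (e.escalated or e.status == "escalated"):
        findings.append("residual exceeds tolerance but escalation not reflected")
    if e.response == "accept" and e.status != "accepted":
        findings.append("acceptance chosen but not formally recorded")
    if not e.review_date:
        findings.append("no review date")
    return findings


def validate_register(register: list[RiskEntry]) -> dict[str, list[str]]:
    return {e.risk_id: check_entry(e) for e in register}


def aggregate(register: list[RiskEntry], tolerance: int = TOLERANCE) -> dict:
    """Enterprise view: counts, exposure over tolerance, worst residual per owner."""
    rated = [e for e in register if e.residual is not None]
    worst_by_owner: dict[str, int] = {}
    for e in rated:
        worst_by_owner[e.owner] = max(worst_by_owner.get(e.owner, 0), e.residual)
    return {
        "entries": len(register),
        "unrated_residual": len(register) - len(rated),
        "over_tolerance": sum(1 for e in rated if e.residual > tolerance),
        "escalated": sum(1 for e in register if e.escalated or e.status == "escalated"),
        "worst_residual_by_owner": worst_by_owner,
    }


# Constructed sample rows, as if merged from departmental spreadsheets with
# different scoring conventions (numbers in one, words in another).
SAMPLE_ROWS = [
    {"risk_id": "R-001", "description": "Loss of the payments file server to malware",
     "asset": "Payments file server", "threat_source": "External criminal group",
     "vulnerability": "Backups not regularly tested", "inherent": 5,
     "control_effectiveness": "effective", "residual": 2,
     "owner": "A. Example, Head of Payments", "response": "mitigate",
     "status": "open", "review_date": "2025-06-30"},
    {"risk_id": "R-002", "description": "Remote access gateway left unpatched",
     "asset": "Remote access gateway", "threat_source": "External attacker",
     "vulnerability": "Patch cycle exceeds policy", "inherent": "High",
     "control_effectiveness": "partial", "residual": "",
     "owner": "IT", "response": "mitigate", "status": "in progress",
     "review_date": "2025-03-31"},
    {"risk_id": "R-003", "description": "HR database backups stored unencrypted",
     "asset": "HR database", "threat_source": "Lost or stolen media",
     "vulnerability": "No encryption at rest on backups", "inherent": "Critical",
     "control_effectiveness": "none", "residual": "High",
     "owner": "B. Example, HR Director", "response": "mitigate",
     "status": "in progress", "review_date": "2025-04-15"},
    {"risk_id": "R-004", "description": "Legacy reporting system out of vendor support",
     "asset": "Reporting system", "threat_source": "Unsupported software defects",
     "vulnerability": "No vendor fixes available", "inherent": 4,
     "control_effectiveness": "partial", "residual": 4,
     "owner": "C. Example, CFO", "response": "accept", "status": "accepted",
     "review_date": "2025-05-01", "escalated": True},
]


def load_register(rows: list[dict] = SAMPLE_ROWS) -> list[RiskEntry]:
    return [RiskEntry.from_row(r) for r in rows]


if __name__ == "__main__":
    register = load_register()
    for risk_id, findings in validate_register(register).items():
        print(risk_id, findings or "clean")
    print(aggregate(register))
```

Running the block flags R-002 for a generic owner and a missing residual rating, and R-003 for a residual above tolerance with no escalation recorded, while R-001 and R-004 pass (R-004 is over tolerance but escalated and formally accepted, which is exactly the state the escalation section asks the register to show). The aggregate view only becomes meaningful because every row was normalised onto one scale first; the same four rows left as raw spreadsheet values could not be compared at all.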
Register vs log
The risk register is not:
- An incident log
- A vulnerability scan output
- A project task tracker
It documents exposure — not events that already occurred.
Incident logs record past events.
Risk registers document potential exposure.
CRISC expects you to distinguish this.
Quick knowledge check
1) What must be included in a mature risk register entry?
A. Only inherent risk
B. Only residual risk
C. Technical scan output
D. Assigned risk owner
Answer & reasoning
Correct: D
Ownership is mandatory for governance accountability.
2) Removing a risk from the register because it is “within tolerance” indicates:
A. Strong ERM
B. Excessive mitigation
C. Weak residual risk tracking
D. Asset misclassification
Answer & reasoning
Correct: C
Risks should remain documented even when within tolerance.
3) Why is standardization of risk register entries important?
A. Reduces documentation workload
B. Supports enterprise aggregation and comparison
C. Improves encryption
D. Lowers inherent risk
Answer & reasoning
Correct: B
Consistent structure enables aggregation and enterprise visibility.
Final takeaway
The risk register is:
- A governance tool
- A visibility mechanism
- A tracking system
- An escalation trigger
- A foundation for aggregation
If risks are not documented clearly, owned formally, and evaluated consistently, governance fails quietly.
Documentation is discipline, not bureaucracy. The exam consistently favors answers that treat the register as a living governance tool.