Risk Management

Risk register without theatre

Most risk registers are compliance props: generic entries, static scores, no owners. Here is what a register that actually drives decisions looks like.

By Kellwick Team · May 20, 2026 · 3 min read

Open most risk registers and you find the same thing. Twenty generic risks copied from a template, each scored a tidy "medium", no owner, no evidence that anyone has looked at them since the last audit. It satisfies a checkbox and changes nothing. A useful register is a management tool first and an audit artefact second.

The signs of a theatre register

You can spot a decorative register in under a minute:

  • Risks are abstract ("data breach", "insider threat") with no link to a specific asset, system or process.
  • Scores never move. The same likelihood and impact sit there quarter after quarter.
  • No named owner, or every risk is owned by "IT" or "the CISO".
  • Treatment is a single word like "mitigated" with nothing behind it.
  • The register only gets opened in the weeks before an assessment.

None of this helps anyone make a decision. It exists to be shown, not used.

What a real entry contains

A risk that drives action is specific and traceable. Each entry should carry:

  • A concrete scenario. Not "data loss" but "customer PII in the analytics database is exposed because access is not restricted by role."
  • The affected asset or process, so the risk connects to something real you can point at.
  • A named individual owner - a person, not a team. Someone accountable for the decision.
  • Likelihood and impact scored against a scale you have written down, so scores mean the same thing across the register.
  • A treatment decision: treat, tolerate, transfer or terminate, with a short rationale.
  • Actions with due dates and status, plus the residual score you expect once they land.

If you cannot describe the scenario in one clear sentence, it is not ready for the register.

Make scores mean something

Static scores are the clearest tell that no one is engaging. Two habits fix this. First, define your likelihood and impact scales in plain language, so that a "4" impact has an agreed meaning - financial, regulatory or customer-facing - and two assessors would score the same scenario the same way. Second, record inherent risk (before controls) and residual risk (after them) separately. The gap between them is where your controls earn their place, and residual should never exceed inherent; an entry where it does is a scoring error, not a finding. When a control changes, the residual score should change with it. A register where residual scores move over time as treatment progresses is a register people are actually using.
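The entry fields above and the scoring rules in this section are mechanical enough to lint. The script below is an added example, not Kellwick's tooling: it models a register entry with the fields listed under "What a real entry contains", encodes the scale and inherent-versus-residual rules, and flags the theatre signs (template scenarios, team owners, one-word treatments, residual above inherent, unreviewed or overdue entries, identical scores across the register). The 1-5 scale anchors, the review windows, the lists of template labels and team names, and the two sample entries are all constructed for the example.

```python
"""Lint a risk register against the criteria in the article (added example)."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Plain-language scale anchors (assumed here; yours belong in a written standard).
IMPACT_SCALE = {1: "negligible: absorbed by one team", 2: "minor: rework, no external notice",
                3: "moderate: customer-facing outage or regulator enquiry",
                4: "major: reportable breach or material financial loss",
                5: "severe: threatens a product line or the business"}
LIKELIHOOD_SCALE = {1: "rare: >5 years", 2: "unlikely: 2-5 years", 3: "possible: yearly",
                    4: "likely: quarterly", 5: "almost certain: monthly"}
TREATMENTS = {"treat", "tolerate", "transfer", "terminate"}
TEAM_OWNERS = {"it", "ciso", "the ciso", "security", "engineering", "tbd"}  # assumed list
ABSTRACT_SCENARIOS = {"data breach", "data loss", "insider threat", "ransomware"}  # assumed list
HIGH_THRESHOLD = 12   # inherent score at/above which the monthly review window applies (assumed)


@dataclass
class Action:
    description: str
    due: date
    status: str = "open"          # open | in progress | done


@dataclass
class Risk:
    risk_id: str
    scenario: str
    asset: str
    owner: str
    inherent: tuple               # (likelihood, impact) before controls
    residual: tuple               # (likelihood, impact) after controls
    treatment: str
    rationale: str = ""
    actions: list = field(default_factory=list)
    last_reviewed: Optional[date] = None
    status: str = "open"          # open | closed
    close_reason: str = ""


def score(pair):
    likelihood, impact = pair
    return likelihood * impact


def lint_risk(risk, today):
    """Return the list of theatre signs found on one entry (empty means clean)."""
    f = []
    if risk.scenario.strip().rstrip(".").lower() in ABSTRACT_SCENARIOS:
        f.append("scenario is a template label, not a concrete scenario")
    if len(re.split(r"[.!?]\s+", risk.scenario.strip())) > 1:
        f.append("scenario is more than one sentence")
    if not risk.asset.strip():
        f.append("no affected asset or process")
    owner = risk.owner.strip().lower()
    if not owner or owner in TEAM_OWNERS or len(owner.split()) < 2:
        f.append("owner is a team or blank, not a named individual")
    for label, (lik, imp) in (("inherent", risk.inherent), ("residual", risk.residual)):
        if lik not in LIKELIHOOD_SCALE or imp not in IMPACT_SCALE:
            f.append(f"{label} score is off the written scale")
    if score(risk.residual) > score(risk.inherent):
        f.append("residual score exceeds inherent score")
    if risk.treatment not in TREATMENTS:
        f.append("treatment is not one of treat/tolerate/transfer/terminate")
    if not risk.rationale.strip():
        f.append("treatment has no rationale")
    if risk.treatment == "treat" and not risk.actions:
        f.append("treat decision with no actions")
    f.extend(f"action overdue: {a.description}" for a in risk.actions
             if a.status != "done" and a.due < today)
    if risk.status == "closed" and not risk.close_reason.strip():
        f.append("closed without a reason")
    if risk.status == "open":   # monthly for high risks, quarterly for the rest
        window = 31 if score(risk.inherent) >= HIGH_THRESHOLD else 92
        if risk.last_reviewed is None or (today - risk.last_reviewed).days > window:
            f.append(f"not reviewed in the last {window} days")
    return f


def lint_register(risks, today):
    """Per-entry findings plus register-wide tells under the key '*register*'."""
    report = {r.risk_id: lint_risk(r, today) for r in risks}
    open_risks = [r for r in risks if r.status == "open"]
    wide = []
    if len(open_risks) > 1 and len({score(r.inherent) for r in open_risks}) == 1:
        wide.append("every open risk carries the same inherent score")
    if len(open_risks) > 1 and len({r.owner.strip().lower() for r in open_risks}) == 1:
        wide.append("every open risk has the same owner")
    if wide:
        report["*register*"] = wide
    return report


TODAY = date(2026, 5, 20)   # the article's publication date, used as "now"
# Constructed sample entries: one theatre entry and one that drives action.
SAMPLE = [
    Risk("R-01", "Data breach", "", "IT", (3, 3), (3, 3), "mitigated"),
    Risk("R-02", "Customer PII in the analytics database is exposed because access is not "
         "restricted by role.", "analytics database (customer PII)", "Priya Natarajan",
         (4, 4), (2, 4), "treat", "RBAC costs less than the exposure; residual accepted once it lands.",
         actions=[Action("Enforce role-based access on analytics DB", date(2026, 6, 30), "in progress")],
         last_reviewed=date(2026, 5, 6)),
]

if __name__ == "__main__":
    for rid, findings in lint_register(SAMPLE, TODAY).items():
        print(rid, "->", findings or "clean")
```

Run as-is, R-01 produces six findings (template scenario, no asset, team owner, one-word treatment, no rationale, never reviewed) and R-02 is clean. The register-wide checks only fire when the whole register looks the same, which is the "every risk is medium, owned by IT" pattern rather than any single bad entry.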

Keep it alive between audits

The register earns its keep through routine, not through a pre-audit scramble.

  • Review high risks monthly and the full register quarterly, with the date and attendees recorded.
  • Tie new risks to real triggers: incidents, failed access reviews, new subprocessors, product launches.
  • Close risks explicitly. A risk that is genuinely resolved should be marked closed with a reason, not quietly deleted.
  • Report the top risks to leadership in a format they will read. If the register never reaches the people who allocate budget, it is not doing its job.

This cadence is also what produces clean evidence. Dated reviews, changing scores and completed actions show an auditor a living process without any special preparation.

Bottom line

A risk register is worth having only if it changes what you do. Concrete scenarios, named owners, defined scales and visible treatment progress turn it from a prop into a decision tool - and the audit evidence follows naturally. If you are not sure whether your register would hold up under questioning or actually guide a budget conversation, a short readiness review can show you where it stands and what to tighten first.

Need a second pair of eyes before the auditor does?

A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.