SOC2-CC3-RISK-REGISTER
Risk Register Maintenance
What this control does
Maintained register of identified risks with assigned owners, treatment decisions, and tracked remediation status.
Implementation guidance
Maintain a risk register in your GRC platform. Each risk must have an owner, inherent score, treatment option (mitigate/accept/transfer/avoid), and target residual score. Review open risks quarterly; update scores after treatment actions are completed.
Requirements satisfied
Why it matters
A risk register that is actively maintained and reviewed is the only objective evidence that the organization has identified, assessed, and tracked remediation of material risks. Without a current, owned risk register, risks slip through cracks, duplicate mitigation efforts occur, and residual risk levels are unknown—exposing the organization to unexpected loss events and regulatory gaps. Auditors view a stale or incomplete risk register as a red flag that risk management is not operationalized.
Evidence to collect
- Risk register export (last 3 months) with columns: risk ID, description, owner name, inherent risk score, treatment decision, residual risk score, last review date
- Proof of quarterly risk review (calendar invite, meeting minutes, or GRC platform audit log showing review completion)
- Completed risk treatment plan for at least one remediated risk (showing original score, action taken, evidence of remediation, updated residual score)
- GRC platform configuration or policy document defining risk scoring methodology (e.g., CVSS, 5x5 matrix, numeric scale) and treatment options
Testing procedure
Retrieve the current risk register and verify that all open risks have a named owner, inherent and residual scores, and a documented treatment decision. Select a sample of 3–5 risks marked as remediated in the past 6 months and confirm that the remediation action was completed (e.g., patch installed, policy implemented, control tested) and the residual score was updated accordingly. Interview the risk owner for one active risk to confirm they understand their accountability and can describe the target remediation timeline. Verify the date of the most recent quarterly review falls within the last 90 days.
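An added example (not part of this control text or any GRC platform's own tooling) that automates the register checks from the testing procedure over a CSV export; the column names, the 5x5 scoring scale, and the sample rows are constructed assumptions:

```python
import csv
import io
from datetime import date, timedelta

TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}

# Constructed sample export, not real data; column names are assumptions and
# scores use an assumed 5x5 matrix (1-25).
SAMPLE_EXPORT = """risk_id,description,owner_name,inherent_score,treatment,residual_score,last_review_date,status
R-001,Unpatched internet-facing servers,J. Doe,20,mitigate,8,2024-05-10,open
R-002,Critical vendor outage,,15,transfer,6,2024-02-01,open
R-003,Lost or stolen laptop,A. Smith,12,accept,,2024-05-20,open
R-004,Credential phishing,B. Lee,16,mitigate,4,2024-04-30,remediated
"""


def check_register(csv_text, as_of, review_window_days=90):
    """Return {risk_id: [findings]} for every row; an empty list means the row passes."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=review_window_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not row["owner_name"].strip():
            issues.append("no named owner")
        if row["treatment"].strip().lower() not in TREATMENTS:
            issues.append("treatment decision missing or not mitigate/accept/transfer/avoid")
        try:
            inherent, residual = int(row["inherent_score"]), int(row["residual_score"])
        except ValueError:
            issues.append("inherent or residual score missing")
        else:
            if residual > inherent:
                issues.append("residual score exceeds inherent score")
            # A remediated risk whose residual still equals inherent was never re-scored.
            if row["status"] == "remediated" and residual == inherent:
                issues.append("remediated but residual score not updated")
        try:
            reviewed = date.fromisoformat(row["last_review_date"])
        except ValueError:
            issues.append("last review date missing or malformed")
        else:
            if reviewed < cutoff:
                issues.append("last review older than %d days" % review_window_days)
        findings[row["risk_id"]] = issues
    return findings


def failing_rows(csv_text, as_of):
    """Risk IDs that need auditor follow-up (any finding on the row)."""
    return sorted(rid for rid, issues in check_register(csv_text, as_of).items() if issues)
```

The sample-based interview and evidence-of-remediation steps remain manual; this only screens the export for the structural gaps the procedure names.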
Common gotchas
Organizations often populate the risk register during annual risk assessments but fail to maintain it throughout the year, leaving it stale and disconnected from actual incidents or control failures. Another common pitfall is assigning unrealistic residual risk scores post-remediation without evidence that the treatment action actually reduced the underlying risk (e.g., claiming "medium" risk is now "low" after a single compensating control).