Building and maintaining a strategic risk register

A strategic risk register sits at the top of the management system. It records the headline risks and opportunities that could affect the organisation as a whole, the ratings, what is being done about each, and the position after controls. Every ISO management system standard expects a register of this kind - ISO 9001, ISO 14001, ISO 45001, ISO 27001, ISO 22301, ISO 37001, ISO 22458 and ISO 42001 all require it under Clause 6.1 or its equivalent.

The register is simple to set up and easy to leave to drift. The most common audit finding in this area is a register that exists, was completed competently when the management system was set up, and has not been touched since. This article covers the practical work of building a register that does its job: what it is for, how it is structured, what good entries look like, and how to keep it live.

What a strategic risk register is for

The register has three primary purposes. First, it gives top management visibility of what could materially affect the business - threats and opportunities in one place. Second, it records the controls already in place and the residual position, so the organisation knows where action is still needed. Third, it provides the audit trail that an external auditor will look for to demonstrate risk-based thinking is happening in practice.

It is not a substitute for specialised assessment. Workplace hazards are recorded operationally with their own assessments. Information security risk uses asset, threat and vulnerability analysis. Business continuity uses business impact analysis. Environmental aspects are assessed for significance using a different methodology again. The strategic register sits above these, capturing the headline risks where they have business-wide implications - and keeping cross-references where a specialised risk has strategic significance.

The inputs that feed the register

A register that has been populated from a single workshop is incomplete. Five distinct sources should be feeding it on an ongoing basis.

Interested parties review. The needs and expectations of interested parties - customers, staff, regulators, suppliers, the community - are the primary external input. An expectation that the organisation cannot reliably meet is a risk. A need that is not yet served may be an opportunity.

SWOT and PESTLE. Internal and external factors as required by Clause 4.1. SWOT is the more common tool because it forces consideration of strengths and opportunities alongside weaknesses and threats - both halves matter. PESTLE complements it for the external factors specifically.

Audit results, incidents and complaints. Internal audit findings, customer complaints, supplier issues, near-misses and operational incidents all reveal risk that might otherwise stay hidden. The issues and actions register is where these typically surface, and a regular sweep of it should pick up patterns that warrant strategic-level entries.

Legal and regulatory change. New or pending legislation creates new risks and sometimes new opportunities. Changes to scope, new regulatory bodies, court decisions affecting interpretation of existing law - the legal register is the natural input here.

Business change. Changes the organisation makes to itself - new products, new contracts, restructures, new geographies, leadership change - each warrant a focused look at the register to surface the risks and opportunities they introduce.

None of these is one-off. The register is updated continuously as inputs arrive, with periodic formal reviews to look at the whole register as a coherent picture rather than entry-by-entry.

Structuring the register

A useful register has five core columns - sufficient detail to be meaningful, not so much detail that it becomes unwieldy.

  • Reference number - sequential, useful for cross-referencing from audit reports, the issues and actions register, and other documents.
  • Description and consequences - what the risk is, how it would manifest, and what the impact would be if it did.
  • Inherent rating - the likelihood and consequence rating before considering controls. Useful for understanding the underlying exposure.
  • Controls in place - what is currently being done to manage the risk. Real, specific, current controls only.
  • Residual rating - the rating after current controls have been applied. The position the organisation actually faces today.

Some registers add an Owner column (who is accountable for managing the entry), a Treatment Action column (what further action is planned where the residual rating is too high), and a Date Reviewed field. These are helpful but not essential - what matters is that ownership and action are tracked somewhere, even if not in the register itself.

For opportunities, the same structure works with the columns reframed: Opportunity Description, Opportunity Rating, Actions to Capture, Position After Action. Mixing risks and opportunities in a single table works well provided each entry is clearly labelled. Some organisations prefer separate sections; either is acceptable.

Writing entries that work

The single most common weakness in strategic risk registers is generic entries. "Cyber attack", "loss of key staff", "supply chain disruption" without further detail are categories rather than risks. They cannot be assessed meaningfully because the consequence depends on which attack, which staff, which supply chain. They cannot be controlled effectively because the controls depend on the specifics.

Compare:

  • Weak: "Cyber attack"
  • Better: "Ransomware attack via email phishing - encrypts customer data and operational systems, prevents service delivery for 24-72 hours, regulatory notification required if personal data affected, reputational damage with customers and prospects"

The longer entry identifies the specific scenario, the route in, the operational impact, the regulatory dimension and the reputational consequences. Each of those gives the assessor something concrete to score and the controls section something specific to address.

Where a category genuinely covers multiple risks, it is usually better to record them as separate entries than to lump them together. "Supply chain disruption" might split into lost suppliers, late deliveries, quality failures and pricing pressure. Each can then be scored and controlled on its own merits.

Documenting controls that can be evidenced

The controls column is where the register either earns its keep or quietly fails an audit. Good entries describe controls that are real, specific and currently in place. Weak entries describe aspirations.

"Process in place" without saying which process is not a control. "Anti-virus software, weekly backups to offsite storage, quarterly phishing training, multi-factor authentication on all admin accounts" is a control statement that can be checked - an auditor can ask to see each one.

Where a stated control is partial or aspirational, the residual rating should reflect that. A risk that says "covered by training" but the training is annual and was skipped this year should not be rated Tolerable on residual - the control is not currently effective.

Cross-references to other documents are useful. "See Information Security Policy section 4" or "Covered by the supplier appraisal procedure" tells the assessor and auditor where to look without rewriting everything in the register itself.

Recording opportunities, not just risks

The clause is "actions to address risks and opportunities" - both words matter. The most common imbalance at audit is a register listing 30 risks and one or two opportunities. This is rarely a true reflection of the organisation; there are usually more opportunities sitting unrecorded than there are unrecorded risks.

The fix is to ask the question explicitly. SWOT helps because the Strengths and Opportunities quadrants force opportunity thinking. Reviewing customer feedback for unmet needs, looking at process inefficiencies that could be improved, considering market or technology changes that could be turned to advantage - all surface opportunities that would otherwise be missed.

Opportunity entries should be assessed and tracked the same way as risks. Recording an opportunity in the register without rating it or assigning action to capture it is recording it in name only.

Keeping the register live

A strategic risk register that has not changed in a year has stopped working. The fix is not better forms, more frequent reviews, or more elaborate formatting. It is treating the register as a working document with a clear owner and a low barrier to updating it.

The practical pattern is:

  • Continuous capture - new entries added as risks and opportunities surface through audit findings, incidents, customer feedback, regulatory change, business change. Owned by someone with authority to add entries without needing approval each time.
  • Periodic review - existing entries reviewed at planned intervals, ratings reassessed, controls verified, closed risks marked as resolved. Quarterly or six-monthly is common, annually as a minimum.
  • Formal review at management review - a structured pass through the register as part of the annual management review, with effectiveness of risk and opportunity actions formally evaluated. This is a required input under Clause 9.3.
  • Triggered review - significant business change, major incident or regulatory change prompts a focused review of affected entries.

The Reviewed By and Date Reviewed fields, where the register has them, are the first thing many auditors look at. They tell the auditor whether the register is being maintained or only opened for the audit visit. Keeping them current costs nothing; not keeping them current is one of the easiest ways to invite a finding.
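As an added example, not code from the article or from alphaZ, here is a small Python register lint covering the five-column structure above and the keeping-live checks in this section: it scores a 3 by 3 matrix into bands and flags generic entries, residual ratings that drop with no controls listed, stale review dates, a risk/opportunity imbalance and a register with nothing left in the highest residual band. The band name "Substantial", the score cut-offs, the 183-day review interval and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
# Band names: the article uses "Tolerable" and "Moderate"; "Substantial" for the
# highest band and the score cut-offs are assumptions made for this example.
def rate(likelihood: int, consequence: int) -> str:
    """Score a 3 by 3 matrix (1-3 likelihood x 1-3 consequence) into a band."""
    if not (1 <= likelihood <= 3 and 1 <= consequence <= 3):
        raise ValueError("3 by 3 matrix takes scores of 1 to 3")
    score = likelihood * consequence
    return "Tolerable" if score <= 2 else "Moderate" if score <= 4 else "Substantial"

@dataclass
class Entry:
    ref: int            # sequential reference number
    kind: str           # "risk" or "opportunity"
    description: str    # scenario, route in, consequences
    inherent: tuple     # (likelihood, consequence) before controls
    controls: list      # real, specific, current controls only
    residual: tuple     # (likelihood, consequence) after controls
    date_reviewed: date

# Category labels the article calls out as too generic to score.
GENERIC = {"cyber attack", "loss of key staff", "supply chain disruption"}

def lint(entries, today, review_days=183):
    """Return (ref, finding) pairs; ref 0 marks a register-level finding."""
    findings = []
    for e in entries:
        if e.description.strip().lower() in GENERIC:
            findings.append((e.ref, "generic entry: a category, not a risk"))
        if rate(*e.residual) != rate(*e.inherent) and not any(c.strip() for c in e.controls):
            findings.append((e.ref, "residual differs from inherent but no controls listed"))
        if (today - e.date_reviewed).days > review_days:
            findings.append((e.ref, "stale: not reviewed within the review interval"))
    risks = [e for e in entries if e.kind == "risk"]
    opps = [e for e in entries if e.kind == "opportunity"]
    if len(risks) >= 5 and len(opps) * 5 < len(risks):
        findings.append((0, "imbalance: far more risks than opportunities recorded"))
    if risks and all(rate(*e.residual) != "Substantial" for e in risks):
        findings.append((0, "sense check: no risk left in the highest residual band"))
    return findings
# Constructed sample register and review date, not from the article or any real organisation.
TODAY = date(2024, 10, 1)
SAMPLE = [
    Entry(1, "risk", "Cyber attack", (3, 3), [], (1, 1), date(2024, 1, 10)),
    Entry(2, "risk", "Ransomware via email phishing - encrypts customer data, 24-72h outage",
          (3, 3), ["MFA on all admin accounts", "weekly offsite backups"], (2, 3), date(2024, 9, 1)),
    Entry(3, "opportunity", "Unmet customer need for out-of-hours support", (2, 2),
          ["Pilot with two key accounts"], (2, 3), date(2024, 9, 1)),
]
```

Running `lint(SAMPLE, TODAY)` reports three findings, all against entry 1, while entry 2 with its Substantial residual is left alone, which is the register doing its job.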

The first thing I do with a strategic risk register at audit is look at the dates. When was it last reviewed? When were the most recent entries added? Are the dates spread across the year or all clustered at the start? That tells me whether the register is being used or just maintained for the audit visit.

The second thing is the controls column. I will pick three or four entries with higher ratings and ask to see evidence of the controls listed. Vague control statements with no evidence behind them undermine the whole register.

The biggest gap I see in strategic registers is between what the register claims and what is actually happening. The register might say a risk is rated Moderate because of certain controls, but the controls are partial, out of date or not really in place. Closing that gap takes more than tweaking the register. It usually takes some honest reassessment.

The other recurring issue is the residual rating. People are reluctant to leave a residual at the highest band because it implies more action is needed. So they soften the residual to make the register look tidier. That defeats the point. High residuals are not a failure of the register. They are the register doing its job, telling you where to focus.

A strategic risk register is one of the most useful documents in the management system if you treat it as a live register. It is one of the least useful if you fill it in once and put it on the shelf.

Practical Compliance Guidance

IMS1 Section 1.6 covers risk-based thinking and the family of risk registers at the management system level. It sets out which registers apply for which standards, who is responsible for each, and how they connect to the management review and the issues and actions register.

The alphaZ documents below are the working set around the strategic register - the inputs that feed it, the register itself, and the issues and actions register where treatment actions are tracked.

  • ISO 9001/14001/45001 IMS Toolkit - Integrated toolkit including IMS1 and F-IMS23 alongside the specialised registers used across multiple ISO standards.
  • ISO 9001 Management System Toolkit - Quality-only toolkit including IMS1, F-IMS23 and supporting documents. Suitable where ISO 9001 is the only standard in scope.
  • F-IMS23 Opportunities and Risks Register - The strategic register itself. Includes a SWOT analysis section, the 3 by 3 risk rating matrix, and the key risks register table with inherent rating, controls and residual rating columns.
  • F-IMS22 Interested Parties Register - Records interested parties and their needs and expectations. The primary input to the SWOT and the strategic register itself.
  • ER1 Issues and Actions Register - Where treatment actions arising from the strategic register are tracked through to closure, alongside other improvement actions.
  • F-Q3 Management Review - The management review form, which takes the strategic register as a structured input under Section 1.2 (Opportunities, Risks and Interested Parties).
  • F-IMS38 Climate Change Review - Climate change risk and opportunity review feeding into the strategic register where climate change is a relevant external factor.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

The strategic register is for risks affecting the business as a whole. Operational risks usually live on specialised registers - workplace hazards, information security, business continuity, consumer vulnerability. An operational risk that has strategic implications, such as a recurring incident type or a hazard that could threaten the business, can also be reflected on the strategic register so top management retains visibility.
Top management is accountable for risk management at the strategic level. Day-to-day ownership of the register usually sits with the quality manager, SHEQ manager or compliance lead - whoever has authority to add entries, request information from process owners and keep reviews on schedule.
Treated risks stay on the register with their controls listed and the residual rating reflecting the position after treatment. They do not need to be removed - keeping them shows the risk has been considered and is being managed. Risks that are no longer relevant (the underlying activity has stopped, the legal requirement no longer applies) can be closed or archived with a note explaining why.
The same matrix can be used with the levels reframed - likelihood becomes the chance of capturing the opportunity and consequence becomes the positive impact if captured. The rating bands reframe as low priority, worth pursuing and high priority. Some organisations prefer a simpler qualitative score for opportunities (high, medium, low). Either is acceptable provided opportunities are scored consistently.
It can mean the organisation has its risks well-controlled, or it can mean the register is being scored too generously. A register with nothing rated in the highest band on residual is worth a sense check - is everything genuinely well-controlled, or has the assessor avoided harder ratings to make the register look tidier. The point of the residual rating is to flag where further action is needed; if it never does that, it is not doing its job.

UK Legislation relevant to strategic risk registers

A strategic risk register is a contractual requirement of ISO certification rather than a legal one, but several pieces of UK legislation require organisations to identify and document specific categories of risk. The strategic register typically provides the high-level evidence for these obligations alongside specialised registers. Organisations outside the UK should identify the equivalent legislation in their jurisdiction.
