Risk Register and Risk Treatment
Key Takeaways
- A risk register tracks identified risks, owners, likelihood, impact, treatment decisions, status, and residual risk.
- Risk treatment options include mitigate, transfer, avoid, and accept.
- Risk ownership should be assigned to an accountable business or system owner, not left with a generic team.
- Residual risk is the remaining risk after controls or treatments are applied.
- Risk decisions should include evidence, review dates, and escalation when they exceed risk appetite.
Risk Register and Risk Treatment
A risk register is a structured record of risks the organization has identified and is tracking. It helps leaders see which risks exist, who owns them, how severe they are, what treatment was chosen, and whether the remaining risk is acceptable.
Risk Register Fields
| Field | Purpose |
|---|---|
| Risk ID | Unique tracking reference |
| Risk statement | Clear description of threat, vulnerability, asset, and impact |
| Owner | Accountable person or role |
| Likelihood | Estimated chance of occurrence |
| Impact | Estimated business harm |
| Inherent risk | Risk before treatment |
| Treatment | Mitigate, transfer, avoid, or accept |
| Control plan | Actions that reduce likelihood or impact |
| Residual risk | Risk remaining after treatment |
| Review date | When the decision must be revisited |
| Status | Open, in progress, accepted, closed, or overdue |
Risk Treatment Options
| Treatment | Meaning | Example |
|---|---|---|
| Mitigate | Reduce likelihood or impact with controls | Add MFA and conditional access to reduce account takeover risk |
| Transfer | Shift some financial or operational impact | Buy cyber insurance or outsource a managed service with contract terms |
| Avoid | Stop the activity that creates the risk | Cancel use of an unsupported internet-facing application |
| Accept | Formally acknowledge risk without further treatment for now | Business owner accepts low residual risk until system retirement |
Risk transfer does not eliminate responsibility. Insurance or outsourcing may reduce financial exposure, but the organization still needs governance, due diligence, and oversight.
Worked Risk Register Example
| Field | Entry |
|---|---|
| Risk ID | R-2026-041 |
| Risk statement | Customer portal uses an unsupported library that could allow unauthorized access to confidential profile data |
| Owner | Director of Digital Services |
| Likelihood | High |
| Impact | High |
| Inherent risk | Critical |
| Treatment | Mitigate |
| Control plan | Upgrade the library; deploy a compensating WAF rule until the upgrade is verified; increase monitoring on the portal |
| Residual risk | Medium until upgrade is complete, low after verification |
| Review date | 2026-05-15 |
| Status | In progress |
The register creates accountability. It is clear who owns the risk, why it matters, what treatment was selected, and when the decision will be reviewed.
Decision Rules
| Situation | Likely treatment |
|---|---|
| Vulnerable public system can be patched | Mitigate |
| Commodity service has strong vendor controls and contract protections | Transfer part of the risk |
| Legacy application creates high risk and no business value | Avoid by retiring it |
| Low risk remains after controls and is within risk appetite | Accept with owner approval |
| Risk exceeds risk appetite | Escalate instead of accepting locally |
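The field list and decision rules above can be enforced mechanically rather than by hand. The following is an added example (not code from this page or any vendor tool) that models a register entry, derives inherent risk from likelihood and impact, and flags the governance failures the page warns about: a generic or missing owner, an acceptance that exceeds risk appetite, an accepted risk with no review date, and an overdue review. The 3x3 rating matrix, the appetite level of "Medium", the list of placeholder owner names, and the second sample entry are all assumptions made for the example; the first sample entry mirrors the worked register row above.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Qualitative levels in ascending order of severity.
LEVELS = ("Low", "Medium", "High", "Critical")
RANK = {name: i for i, name in enumerate(LEVELS)}
TREATMENTS = {"Mitigate", "Transfer", "Avoid", "Accept"}

# Constructed list of owner values that are not an accountable person or role.
GENERIC_OWNERS = {"", "tbd", "unassigned", "security team", "it"}

# Assumed 3x3 qualitative matrix (likelihood, impact) -> inherent risk.
# The page names the levels but does not define the matrix; this one is illustrative.
MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
}


def inherent_risk(likelihood: str, impact: str) -> str:
    """Rate the risk before any treatment from likelihood and impact."""
    return MATRIX[(likelihood, impact)]


@dataclass
class Risk:
    risk_id: str
    statement: str
    owner: Optional[str]
    likelihood: str
    impact: str
    treatment: str            # Mitigate | Transfer | Avoid | Accept
    residual: str             # risk remaining after the chosen treatment
    review_date: Optional[date]
    status: str               # Open, In progress, Accepted, Closed, Overdue

    @property
    def inherent(self) -> str:
        return inherent_risk(self.likelihood, self.impact)


def review_risk(risk: Risk, appetite: str, today: date) -> List[str]:
    """Return governance findings for one register entry; an empty list means clean."""
    findings = []
    if (risk.owner or "").strip().lower() in GENERIC_OWNERS:
        findings.append("no accountable owner")
    if risk.treatment not in TREATMENTS:
        findings.append(f"unknown treatment {risk.treatment!r}")
    if RANK[risk.residual] > RANK[risk.inherent]:
        findings.append("residual risk rated above inherent risk")
    if risk.treatment == "Accept":
        # Local acceptance is only valid within appetite and with an expiry.
        if RANK[risk.residual] > RANK[appetite]:
            findings.append(f"residual {risk.residual} exceeds appetite {appetite}: escalate")
        if risk.review_date is None:
            findings.append("accepted risk has no review date")
    if risk.status != "Closed" and risk.review_date is not None and risk.review_date < today:
        findings.append(f"review overdue since {risk.review_date.isoformat()}")
    return findings


# Constructed sample register. R-2026-041 mirrors the worked example on this page;
# R-2026-042 is a deliberately bad entry that trips several checks.
SAMPLE_REGISTER = [
    Risk("R-2026-041",
         "Customer portal uses an unsupported library that could allow unauthorized access",
         "Director of Digital Services", "High", "High", "Mitigate", "Medium",
         date(2026, 5, 15), "In progress"),
    Risk("R-2026-042",
         "Legacy reporting job runs with a shared service account",
         "Security team", "Medium", "High", "Accept", "High", None, "Accepted"),
]


def audit(register: List[Risk], appetite: str = "Medium", today: date = date(2026, 4, 1)) -> dict:
    """Run review_risk over every entry and map risk ID -> findings."""
    return {r.risk_id: review_risk(r, appetite, today) for r in register}


if __name__ == "__main__":
    for rid, findings in audit(SAMPLE_REGISTER).items():
        print(rid, findings or "ok")
```

Running the audit on the constructed register reports R-2026-041 as clean and flags R-2026-042 three times (generic owner, acceptance above appetite, no review date). Moving `today` past 2026-05-15 without closing R-2026-041 adds an overdue finding, which is the trap of leaving a review date to lapse.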
Common Traps
- Recording risks without named owners.
- Confusing formal risk acceptance with informally doing nothing.
- Treating risk transfer as a way to remove all accountability.
- Leaving accepted risks without expiration or review dates.
- Tracking vulnerabilities as isolated tickets without connecting major items to the risk register.
Exam Focus
For SY0-701, know the four treatment choices: mitigate, transfer, avoid, accept. In scenarios, choose the treatment that matches the action. Patching and adding controls are mitigation. Insurance and contractual shifting are transfer. Stopping the risky activity is avoidance. Formal approval to live with residual risk is acceptance.
A company retires an unsupported public web application because it no longer has business value and cannot be secured. Which risk treatment is this?
What does residual risk mean?
Which fields belong in a useful risk register? Select three.