Risk Register and Risk Treatment
Key Takeaways
- A risk register tracks identified risks, owners, likelihood, impact, treatment decisions, status, and residual risk.
- The four risk treatment options are mitigate, transfer, avoid, and accept.
- Risk ownership should be assigned to an accountable business or system owner, not a generic team.
- Residual risk is what remains after controls; risk appetite and risk tolerance set the threshold for what is acceptable.
- Risk decisions should include evidence, review dates, KRIs, and escalation when they exceed risk appetite.
What a Risk Register Is
A risk register is a structured, living record of risks the organization has identified and is tracking. It lets leaders see which risks exist, who owns them, how severe they are, what treatment was chosen, and whether the residual risk is acceptable. On SY0-701 the register appears in scenario items that ask you to pick the right treatment, identify a missing field, or decide who is allowed to accept a risk.
The register is the bridge between technical findings and business decisions: a vulnerability scanner produces thousands of tickets, but only the items that rise to enterprise significance are promoted into the register, where they get an owner, a quantitative (dollar) or qualitative rating, and a tracked decision. This is also where inherent risk (before any control) is distinguished from residual risk (after controls), a distinction the exam tests directly.
Risk Register Fields
| Field | Purpose |
|---|---|
| Risk ID | Unique tracking reference |
| Risk statement | Threat + vulnerability + asset + impact in one sentence |
| Owner | Accountable person or role |
| Likelihood | Estimated chance of occurrence |
| Impact | Estimated business harm |
| Inherent risk | Risk before any treatment |
| Treatment | Mitigate, transfer, avoid, or accept |
| Control plan | Actions that reduce likelihood or impact |
| Residual risk | Risk remaining after treatment |
| KRI | Key Risk Indicator that signals the risk is rising |
| Review date | When the decision must be revisited |
| Status | Open, in progress, accepted, closed, or overdue |
The Four Risk Treatment Options
This is the single most-tested concept in the section. Memorize all four and the verb that signals each.
| Treatment | Meaning | Signal verb / example |
|---|---|---|
| Mitigate | Reduce likelihood or impact with controls | Patch, add MFA, deploy a WAF, segment the network |
| Transfer | Shift financial or operational impact to a third party | Buy cyber insurance; outsource under contract terms |
| Avoid | Stop the activity that creates the risk | Retire or never deploy an unsupported internet-facing app |
| Accept | Formally acknowledge residual risk without further treatment | An authorized owner signs off on low residual risk |
A fifth phrase you may see is risk exception or deterrence, but CompTIA's core four are mitigate, transfer, avoid, accept. Note that transfer does not remove accountability – insurance reduces financial exposure but the organization still owns due diligence, breach notification, and reputation.
Appetite, Tolerance, and Thresholds
Risk appetite is the broad amount and type of risk an organization is willing to accept in pursuit of its objectives (CompTIA describes it as expansionary, conservative, or neutral). Risk tolerance is the acceptable variation around a specific risk or objective – the band within which a measured risk can move before action is required. A Key Risk Indicator (KRI) is a metric that signals a risk is approaching or crossing tolerance, such as a climbing count of failed logins or unpatched critical findings.
When residual risk exceeds the defined appetite, the correct action is to escalate to leadership with authority to accept it, not to accept it locally. Appetite is set by senior leadership and the board; it is not something an operator or analyst is empowered to override, which is why the "who can accept" question is a recurring exam theme.
Worked Risk Register Entry
| Field | Entry |
|---|---|
| Risk ID | R-2026-041 |
| Risk statement | Customer portal uses an unsupported library that could allow unauthorized access to confidential profile data |
| Owner | Director of Digital Services |
| Likelihood | High |
| Impact | High |
| Inherent risk | Critical |
| Treatment | Mitigate |
| Plan | Upgrade library, add WAF rule during change window, raise monitoring |
| Residual risk | Medium until upgrade completes, low after verification |
| KRI | Count of failed auth attempts on the legacy endpoint |
| Review date | 2026-05-15 |
| Status | In progress |
The entry creates accountability: it is clear who owns the risk, why it matters, which treatment was selected, what indicator is being watched, and when the decision is reviewed.
Decision Rules
| Situation | Likely treatment |
|---|---|
| Vulnerable public system can be patched | Mitigate |
| Commodity service has strong vendor controls and contract protections | Transfer part of the risk |
| Legacy application creates high risk and no business value | Avoid by retiring it |
| Low risk remains after controls and is within appetite | Accept with owner approval |
| Risk exceeds appetite | Escalate, do not accept locally |
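The following Python model is an added example, not code from the page or from CompTIA. It encodes the register fields listed above, the worked entry R-2026-041, and the appetite rule from the decision table: it rates inherent risk from likelihood and impact, flags a residual risk above appetite for escalation rather than local acceptance, requires a signed approval before an entry can be Accepted, and checks the KRI and review date. The 3x3 rating matrix, the KRI threshold of 500, the as-of date, the second entry R-2026-042, and the list of "generic owner" names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

# Qualitative scale shared by inherent and residual risk; list order is severity order.
LEVELS = ["Low", "Medium", "High", "Critical"]


class Treatment(Enum):
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"
    AVOID = "Avoid"
    ACCEPT = "Accept"


# Assumed 3x3 likelihood x impact matrix (an example choice, not CompTIA's);
# High x High -> Critical matches the worked entry R-2026-041.
RATING = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "Critical",
}


def rate(likelihood: str, impact: str) -> str:
    """Inherent risk rating from likelihood and impact, i.e. before any control."""
    return RATING[(likelihood, impact)]


def exceeds(level: str, ceiling: str) -> bool:
    """True when a qualitative level is worse than the given ceiling (e.g. the appetite)."""
    return LEVELS.index(level) > LEVELS.index(ceiling)


@dataclass
class RiskEntry:
    """One row of the register; field names follow the table in the text."""
    risk_id: str
    statement: str
    owner: str
    likelihood: str
    impact: str
    treatment: Treatment
    control_plan: str
    residual_risk: str
    kri: str
    kri_threshold: int               # KRI value at which the risk is considered rising
    review_date: Optional[date]
    status: str = "Open"
    accepted_by: Optional[str] = None  # signed approval; required when treatment is Accept

    @property
    def inherent_risk(self) -> str:
        return rate(self.likelihood, self.impact)


# Assumed placeholder owner names that do not name an accountable person or role.
GENERIC_OWNERS = {"", "it", "team", "security team", "tbd"}


def review(entry: RiskEntry, appetite: str, kri_value: int, today: date) -> list[str]:
    """Apply the register rules to one entry and return the actions it requires."""
    actions = []
    if entry.owner.strip().lower() in GENERIC_OWNERS:
        actions.append("assign an accountable owner")
    if exceeds(entry.residual_risk, appetite):
        # Above appetite: escalate to leadership with authority, never accept locally.
        actions.append(f"escalate: residual {entry.residual_risk} exceeds appetite {appetite}")
    if entry.treatment is Treatment.ACCEPT and entry.accepted_by is None:
        actions.append("acceptance needs a signed owner approval")
    if entry.review_date is None:
        actions.append("set a review date")
    elif entry.review_date < today and entry.status != "Closed":
        actions.append("review overdue")
    if kri_value >= entry.kri_threshold:
        actions.append(f"KRI '{entry.kri}' at {kri_value} crossed threshold {entry.kri_threshold}")
    return actions


AS_OF = date(2026, 4, 1)  # constructed as-of date for the checks below

# The worked entry from the text (KRI threshold of 500 is a constructed value).
R_2026_041 = RiskEntry(
    risk_id="R-2026-041",
    statement="Customer portal uses an unsupported library that could allow "
              "unauthorized access to confidential profile data",
    owner="Director of Digital Services",
    likelihood="High", impact="High",
    treatment=Treatment.MITIGATE,
    control_plan="Upgrade library, add WAF rule during change window, raise monitoring",
    residual_risk="Medium",
    kri="failed auth attempts on legacy endpoint",
    kri_threshold=500,
    review_date=date(2026, 5, 15),
    status="In progress",
)

# Constructed second entry showing two of the common traps: an "accepted" low risk
# with no signed approval and a review date that has already passed.
R_2026_042 = RiskEntry(
    risk_id="R-2026-042", statement="Internal wiki exposes build timestamps",
    owner="Platform Engineering Manager", likelihood="Low", impact="Low",
    treatment=Treatment.ACCEPT, control_plan="None", residual_risk="Low",
    kri="n/a", kri_threshold=1, review_date=date(2026, 3, 1), status="Accepted",
)

if __name__ == "__main__":
    for entry in (R_2026_041, R_2026_042):
        print(entry.risk_id, "inherent:", entry.inherent_risk)
        for action in review(entry, appetite="Low", kri_value=120, today=AS_OF):
            print("  -", action)
```

With appetite set to Low, R-2026-041 is reported for escalation because its residual risk is still Medium; once the upgrade is verified and the residual drops to Low, the same entry returns no actions. The KRI comparison is deliberately a simple threshold so that the register, not the monitoring tool, records what "rising" means for each risk.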
Common Traps
- Recording risks without named owners.
- Confusing formal risk acceptance with informally doing nothing.
- Treating transfer as a way to erase all accountability.
- Leaving accepted risks with no expiration or review date.
- Logging vulnerabilities as isolated tickets without linking major items to the register.
Exam Focus
Lock in the four treatments: mitigate, transfer, avoid, accept. In a scenario, match the action to the verb – patching/controls equals mitigate, insurance/contracts equals transfer, stopping the activity equals avoid, signed sign-off equals accept. If a question says the residual risk is above the organization's risk appetite, the best answer is to escalate rather than to accept it at the team level.
A company retires an unsupported public web application because it no longer has business value and cannot be secured. Which risk treatment is this?
An organization buys cyber-liability insurance to cover potential breach costs. Which statement is most accurate?
Residual risk for a system is calculated as Medium, which is above the organization's stated risk appetite. What is the most appropriate next step?
Which fields belong in a useful risk register? Select three.