
Build a simple Risk Register in just Five Steps

If you’re a small or medium-sized business, you’ve probably heard phrases like “risk register”, “risk assessment” and “risk management framework”. They can sound like something only big corporates with large compliance teams would bother with.

In reality, a simple risk register is one of the most useful tools an SME can have because it turns vague worries like “we’d be in trouble if our systems went down” into a clear, prioritised list of what could hurt your business and what you’re doing about it. Recent UK government surveys show that around 43% of businesses report a cyber breach or attack, yet only about a third have carried out any kind of risk assessment. You don’t need complex software or a lengthy policy. A basic spreadsheet and five clear steps are enough to get started. If you can use a spreadsheet, you can build a risk register.

Step 1: List what you’re trying to protect

Start with a simple question: “What are the things we really care about?” In the jargon, these are known as assets.

For most SMEs this includes:

  • Key software, e.g. Microsoft 365, finance and payroll software, appointment systems, telephony.
  • Information, e.g. customer and employee data, financial records, key contracts, intellectual property.
  • People: who are the key people in the business?
  • Processes: what are the key processes the business needs in order to operate?
  • Machines: are there devices that are essential for normal operations, e.g. an air compressor for a tyre fitter, a commercial oven for a bakery?
  • Third parties: key suppliers and cloud services.

Create a basic table (a spreadsheet is ideal) and give each asset a row:

  • Asset name
  • What it’s used for (and why it matters)
  • Where it lives (in the office, in the cloud, with a supplier, etc.)
  • Business Value (e.g. High / Medium / Low importance for your business)

The key thing is not to try to make it perfect on day one. If you’re debating whether to include something, include it; you can refine the list later. The goal is to capture the big things that would genuinely hurt if they were unavailable, corrupted or broken.

Step 2: Identify what could go wrong

For each of the assets you have identified, ask a second question: “What could realistically go wrong with this?” Work through the assets in order of their importance to normal operations and keep it practical and business focused. Avoid vague risks like ‘cyber attack’ and be specific about what would happen to your systems, data or customers. Typical examples for SMEs include:

  • Ransomware or malware has encrypted business files
  • Cloud service outage (e.g. Microsoft 365 is down)
  • Internet connection failure (e.g. BT is down)
  • Unauthorised access (e.g. someone outside your users has got into a system)
  • Compromised user account via phishing (someone has clicked on a malicious email)
  • Weak or shared passwords
  • Ex-employee access not removed
  • Data loss or damage
  • Accidental deletion
  • System mis-configuration (e.g. M365 has many settings to consider)
  • Third party issue
  • Personal data sent to the wrong person

You don’t have to get the technical wording perfect. The aim is for a clear, business-friendly description of what could go wrong and why it matters for your business.

Add a column to your spreadsheet for “Risk description” and write a brief sentence tying together the asset, the problem you’ve identified and the consequence if it occurred. For example:

“Microsoft 365 compromised via phishing, leading to fraudulent invoices being sent to customers.”

“Appointment app unavailable for a day, don’t know which customers were due and future appointments can’t be taken.”

Keep it in plain English. If a non-technical director can read it and understand the concern, that’s spot on.

Step 3: Score Likelihood and Consequence (using a simple 1–5 scale)

Add three more columns to your spreadsheet: “Likelihood”, “Consequence” and “Risk Score”. Give each risk a rough score for:

Likelihood: how probable is it in the next 12–24 months?

Consequence: how bad would it be for the business if it happened?

You don’t need to overthink this. A simple 1–5 scale works well in most businesses.

Likelihood

1 – Very unlikely

2 – Unlikely

3 – Possible

4 – Likely

5 – Very likely / expected

Consequence

1 – Negligible (minor inconvenience, no real cost)

2 – Low (small cost, quickly resolved)

3 – Moderate (noticeable disruption, some financial / reputational impact)

4 – High (serious disruption, significant cost, potential regulatory issues)

5 – Critical (threatens business survival)

Then multiply the Likelihood by the Consequence to get the Risk Score. This is purely mechanical, so if you are comfortable with Excel it can be calculated by a formula.

Examples:

“Microsoft 365 compromised via phishing, leading to fraudulent invoices being sent to customers”

Likelihood: 4 (Likely because phishing remains the top cause of incidents for UK businesses)

Consequence: 4 (High because it may lead to fraud and reputational damage for the business)

Score: 16

“Appointment app unavailable for a day, don’t know which customers were due and future appointments can’t be taken.”

Likelihood: 3 (Possible)

Consequence: 2 (Low – work slows but can continue via mobile network)

Score: 6

It can also help to colour-code the Risk Score so the priorities stand out at a glance. A typical scale is:

15–25 = Red (Priority and need attention and action in the near term)

8–14 = Amber (Plan improvements and monitor)

1–7 = Green (Acceptable; keep under review and improve over time)

These can be added manually as cell fill colours or you could use the Conditional Formatting in Excel.

The point of the Risk Score isn’t to be 100% precise. It’s a prioritisation tool, a handy way to see which risks deserve attention first.

Step 4: Decide what you’ll do about each risk

Now for the fun part! How will you handle each risk? Add another column to the spreadsheet and label it “Risk Treatment” – jargon for the actions that need to be taken to reduce the risk.

For each one, pick a simple treatment approach:

Reduce – put controls in place to lower Likelihood or Consequence

Transfer – insure against the risk (e.g. cyber insurance)

Accept – consciously live with the risk because it’s low or mitigation is disproportionate

Avoid – stop doing the activity that creates the risk

The Risk Treatment column can be limited to these four values: Reduce, Transfer, Accept, Avoid.

Add the following columns to your register:

Controls (in this column, you will list the actions that need to be taken to reduce the risk)

Risk Owner (an individual within your business who is responsible for overseeing the risk)

Review date (when is the next review of the risk or action due)

Review Frequency (how often does the risk need reviewing, typically quarterly, bi-annually, annually)

Example 1

Risk: “Microsoft 365 compromised via phishing, leading to fraudulent invoices being sent to customers” (Risk Score 16)

Treatment: Reduce

Controls: Enable strong authentication on all accounts; deliver cyber security awareness training; and so on.

Owner: Operations Director

Review date: 1st December

Review Frequency: Quarterly

Example 2

Risk: “Appointment app unavailable for a day, don’t know which customers were due and future appointments can’t be taken” – Score 6

Treatment: Reduce

Controls: Print the next day’s appointments every day, record the contact details of customers wanting a future appointment

Owner: Office Manager

Review date: 1st April

Review Frequency: Annually

If a risk is Red, make sure there are clear actions with realistic dates and named owners. If no one owns it, it probably won’t get done.

Step 5: Make it a “living” document (not a one-off exercise)

A risk register only comes into its own if it’s actually looked at and used!

For SMEs, a light-touch approach is usually enough. Review the register regularly (e.g. quarterly) and build it into your management routine by making “top risks and actions” a standing item at board or management meetings.

When reviewing, check that the risks are still applicable and that the scores are still realistic. Confirm that owners are still correct and adjust review dates as actions are completed.

Review the register whenever there are significant changes such as:

  • A new location or offices
  • Adding new cloud systems or major suppliers
  • Launching a new product or service
  • An incident or near-miss

Make it a habit to add new risks onto the register as changes occur.

Over time, you’ll shift from keeping your fingers crossed to being in control of your top risks and knowing what you are doing about them. That’s a powerful message for customers, partners, regulators and insurers alike, and it directly supports good practice under frameworks such as ISO 27001 (Clause 6.1) and the NCSC’s cyber security guidance.
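The scoring, colour banding, treatment and review-date rules from Steps 3 to 5 are simple enough to check in code. The example below is added here and is not from the original post; it uses the post’s two worked examples as constructed rows (the review-date years are assumptions, since the post gives only day and month), applies the 1–5 Likelihood × Consequence score and the Red/Amber/Green bands, sorts the register by priority and lists the rows whose review date has passed.

```python
from dataclasses import dataclass
from datetime import date

TREATMENTS = {"Reduce", "Transfer", "Accept", "Avoid"}  # Step 4 options


@dataclass
class Risk:
    """One row of the register (columns from Steps 1 to 4)."""
    asset: str
    description: str
    likelihood: int      # 1-5 scale from Step 3
    consequence: int     # 1-5 scale from Step 3
    treatment: str       # Reduce / Transfer / Accept / Avoid
    owner: str           # named Risk Owner
    review_date: str     # ISO date, e.g. "2025-12-01"


def risk_score(likelihood: int, consequence: int) -> int:
    """Likelihood x Consequence; both values must be on the 1-5 scale."""
    for value in (likelihood, consequence):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and consequence must be between 1 and 5")
    return likelihood * consequence


def rag_band(score: int) -> str:
    """Colour band from Step 3: 15-25 Red, 8-14 Amber, 1-7 Green."""
    if score >= 15:
        return "Red"
    if score >= 8:
        return "Amber"
    return "Green"


def validate(risk: Risk) -> None:
    """Reject rows with an unknown treatment or no named owner (Step 4)."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment: {risk.treatment!r}")
    if not risk.owner.strip():
        raise ValueError(f"risk on {risk.asset!r} has no owner")


def prioritise(register: list[Risk]) -> list[Risk]:
    """Return the register highest score first, after validating every row."""
    for risk in register:
        validate(risk)
    return sorted(register, key=lambda r: risk_score(r.likelihood, r.consequence), reverse=True)


def reviews_due(register: list[Risk], today: str) -> list[Risk]:
    """Rows whose review date is on or before today (Step 5), as ISO strings."""
    cutoff = date.fromisoformat(today)
    return [r for r in register if date.fromisoformat(r.review_date) <= cutoff]


# Constructed sample rows mirroring the post's two examples; years are assumed.
SAMPLE_REGISTER = [
    Risk("Appointment app", "Unavailable for a day; appointments unknown", 3, 2, "Reduce", "Office Manager", "2026-04-01"),
    Risk("Microsoft 365", "Compromised via phishing; fraudulent invoices sent", 4, 4, "Reduce", "Operations Director", "2025-12-01"),
]
```

Running `prioritise(SAMPLE_REGISTER)` puts the Microsoft 365 row (score 16, Red) ahead of the appointment app row (score 6, Green), matching the post’s worked scores.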

Turning five steps into real-world resilience

A risk register doesn’t need to be complicated to be effective.

  1. List what matters
  2. Identify what could go wrong
  3. Score Likelihood and Consequence
  4. Decide and assign actions
  5. Review it regularly

If you are doing that then your business is already ahead of many organisations.

If you’d like help building or refreshing your risk register to comply with frameworks like IASME Cyber Assured or ISO 27001 – Cybersec Solutions can act as your virtual CISO, bringing structured risk management to your business in a way that fits your size, sector and budget.