I download a Risk Register Template from http://www.iso27001security.com/. This is again a blank template – an excel spreadsheet comprising four worksheets.
There is no explanation of what a Risk Register is in the file but judging by the empty columns a risk Register is clearly a list of risks. These risks are given a unique reference and they are assessed in terms of probability and severity both before and after controls have been put in place to mitigate them.
The ‘Controls’ – there’s that word again – are the physical or practical bits which mitigate the risks. The probability and severity of the potential impact of the risk are multiplied in order to give the risk a score and highlight the one (with the highest score) which deserves the highest priority – or which should be tackled first. The costs of mitigating the risks is also recorded. After the controls have been implemented, the probability times the severity of the risk is then recalculated and compared with what it was before the controls were introduced.
There’s also a traffic light scoring system based on the result of the probability x severity multiplier which indicates whether at the most serious extreme risks would lead to “operational failure” and be unacceptable, or at the other end of the scale be merely “issues which can be resolved quickly and easily at the other”.