A cyber risk register helps a business turn vague concern into visible decisions. It lists what could go wrong, how serious it would be, who owns it and what action comes next. If you are still putting basic controls in place, start with our small business cybersecurity checklist, then use this guide to decide what to prioritise.
The NCSC board toolkit on risk management explains that good cyber risk management supports better decisions and should be integrated with wider organisational risk, not treated as a separate IT exercise.
What is a cyber risk register?
A cyber risk register is a structured list of cyber-related risks. It does not need to be complex. For many small businesses, a spreadsheet is enough. The value is not the document itself; it is the conversation it creates about assets, threats, likelihood, impact, controls and accountability.
A good register helps you avoid two common mistakes: spending time on low-risk issues because they are visible, and ignoring high-impact issues because nobody owns them.
Step 1: define the scope
Start with a manageable scope. You might begin with the whole business at a high level, or focus on a specific area such as customer data, website operations, finance systems, AI tools or supplier access. A clear scope keeps the exercise practical.
- What systems are included?
- Which teams or processes are included?
- What data matters most?
- What decisions should the register support?
Step 2: list critical assets
Assets are the things you need to protect. They include systems, data, devices, accounts, suppliers and processes. Do not only list technology. A payment approval process, customer trust or key supplier portal can be an asset too.
| Asset | Why it matters |
|---|---|
| Email | Account recovery, customer communication, invoices |
| Website | Reputation, leads, publishing, forms |
| Accounting system | Payments, supplier records, financial reporting |
| Customer database | Personal data, service delivery, compliance |
| AI tools | Data processing, output quality, supplier exposure |
Step 3: identify realistic threats
A threat is something that could cause harm. Keep this realistic. Most small businesses should start with phishing, ransomware, lost devices, weak passwords, supplier compromise, website compromise, accidental deletion and unauthorised access by former staff.
If AI is now part of the business, include risks such as shadow AI, sensitive prompts and unreliable AI output. Our guide to AI security for UK businesses can help frame those risks.
Step 4: score likelihood and impact simply
Use low, medium and high at first. Likelihood asks how probable the risk is. Impact asks how damaging it would be. Do not pretend the scoring is scientific if it is based on judgement. The point is to compare risks clearly enough to make decisions.
A simple risk score that drives action is better than a complex score nobody trusts or updates.
Step 5: record existing controls
Controls are the things already reducing risk. Examples include MFA, backups, staff training, supplier contracts, endpoint protection, payment verification, admin access limits and incident plans. Recording existing controls helps avoid duplication and exposes false confidence.
Step 6: decide treatment actions
Risk treatment means deciding what to do. You may reduce the risk, accept it, transfer part of it through insurance or avoid the activity. Most cyber risks are reduced through practical actions.
- Enable MFA on a high-risk system.
- Test a restore of a critical data set from backup, not just that the backup job ran.
- Remove old supplier accounts.
- Document payment verification.
- Review AI tool settings.
- Create a first-hour incident plan.
Step 7: assign owners and dates
A risk without an owner is a note, not a managed risk. Assign a named person and a review date. The owner does not need to do all the work personally, but they are responsible for making sure the risk is understood and progressed.
Example risk register layout
| Field | Example |
|---|---|
| Risk | Supplier email compromise leads to fraudulent invoice |
| Asset | Payments process |
| Likelihood | Medium |
| Impact | High |
| Current controls | Manager approval required |
| Action | Verify bank detail changes by calling a phone number already on file, not one given in the email |
| Owner | Finance lead |
| Review date | Quarterly |
Common mistakes
- Creating too many risks and reviewing none of them.
- Scoring everything as high.
- Ignoring supplier and process risks.
- Treating cyber risk as only an IT issue.
- Failing to update the register after incidents or business changes.
Frequently asked questions
How many risks should a small business track?
Start with 10 to 15 meaningful risks. If the register becomes too large too quickly, it may stop being used.
How often should it be reviewed?
Quarterly is a practical rhythm for many small businesses. Review sooner after incidents, new systems, supplier changes or major AI adoption.
Next steps
Create a first register with your top ten risks. Then link it to practical controls: security habits, incident preparation, supplier checks and account protection. The value comes from action, not from having a spreadsheet.
If phishing and payment fraud are high on your register, use our guide to how phishing emails have changed to shape practical staff controls.
What a risk register is for
A cyber risk register is not paperwork for its own sake. It is a decision tool. It helps leaders see what could harm the organisation, how likely it is, how serious it would be and what action is being taken. Without a register, risks live in scattered conversations: someone worries about backups, someone else worries about phishing, and another person worries about suppliers. The register puts those concerns in one place.
The best register is simple enough to maintain. If it becomes too complex, people stop updating it. Start with a small number of columns and a monthly review. The goal is clarity: what matters, who owns it and what happens next.
A risk without an owner is usually just a worry with a spreadsheet row.
The fields to include
Use plain language. Avoid technical labels unless the team understands them. A useful register normally includes risk description, affected asset or process, likelihood, impact, current controls, owner, next action, due date and status. You can add scoring later, but do not let scoring delay the first version.
| Field | Example |
|---|---|
| Risk | Staff account takeover through phishing |
| Impact | Email compromise, customer fraud, data exposure |
| Current controls | MFA on email, staff reporting process |
| Next action | Review admin accounts and run phishing refresher |
| Owner | Operations manager |
How to score likelihood and impact
Keep scoring understandable. Use low, medium and high at first. Likelihood asks how plausible the risk is in your context. Impact asks how much damage it would cause. A common mistake is to score everything as high. That makes prioritisation impossible. Be honest about what would actually disrupt revenue, operations, customers, legal obligations or reputation.
- Low likelihood: possible but unusual for your organisation.
- Medium likelihood: realistic based on your systems, sector or recent incidents.
- High likelihood: already happening, frequently attempted or clearly exposed.
- Low impact: inconvenience with limited business effect.
- Medium impact: disruption, cost or customer concern.
- High impact: serious operational, financial, legal or reputational damage.
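The scoring and ownership rules above (Step 4, Step 7 and this section) are easy to apply inconsistently in a spreadsheet. As an added example, not code from the article or the NCSC toolkit, the Python script below encodes them: it maps low/medium/high to 1..3, scores each risk as likelihood x impact, sorts by priority, and flags the common mistakes the article lists (no owner, overdue review, no next action, everything scored high). It also keeps a dated history note when a rating changes. The band cut-offs, the sample risks, owners and dates are all constructed assumptions.

```python
"""Minimal cyber risk register: scoring, prioritisation and hygiene checks.

Added example, not part of the original article. All risks, owners and dates
below are constructed sample data; the band cut-offs are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# The article's three-level scale, mapped to 1..3 so risks can be compared.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    risk: str
    asset: str
    likelihood: str
    impact: str
    owner: Optional[str] = None
    action: str = ""
    review_date: Optional[date] = None
    controls: list = field(default_factory=list)
    history: list = field(default_factory=list)

    def __post_init__(self):
        # Normalise "High"/"HIGH" and reject anything outside the scale early.
        self.likelihood = self.likelihood.strip().lower()
        self.impact = self.impact.strip().lower()
        for value in (self.likelihood, self.impact):
            if value not in LEVELS:
                raise ValueError(f"{self.risk!r}: rating must be low/medium/high, got {value!r}")

    def score(self) -> int:
        """Priority score = likelihood x impact, so 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def band(self) -> str:
        """Collapse the 1..9 score to a band (assumed cut-offs: 6+ high, 3-4 medium, else low)."""
        s = self.score()
        return "high" if s >= 6 else "medium" if s >= 3 else "low"


def prioritise(register):
    """Highest score first. Python's sort is stable, so ties keep register order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def check_register(register, today):
    """Flag the 'common mistakes': no owner, overdue review, no action, everything high."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {
        "unowned": [r.risk for r in register if not r.owner],
        "overdue": [r.risk for r in register if r.review_date and r.review_date < today],
        "no_action": [r.risk for r in register if r.band() != "low" and not r.action],
        # If every risk lands in the top band the register cannot prioritise anything.
        "everything_high": bool(register) and all(r.band() == "high" for r in register),
    }


def rescore(risk, likelihood, impact, note, when):
    """Change a rating but keep the story: append a dated note rather than overwriting."""
    if isinstance(when, str):
        when = date.fromisoformat(when)
    likelihood, impact = likelihood.strip().lower(), impact.strip().lower()
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("rating must be low/medium/high")
    before = risk.band()
    risk.likelihood, risk.impact = likelihood, impact
    risk.history.append(f"{when.isoformat()}: {before} -> {risk.band()}: {note}")
    return risk.band()


def build_sample_register():
    """Constructed sample data echoing the article's examples (not real risks)."""
    return [
        Risk("Supplier email compromise leads to fraudulent invoice", "Payments process",
             "medium", "high", owner="Finance lead",
             action="Verify bank detail changes by calling a known number",
             review_date=date(2024, 6, 30), controls=["Manager approval required"]),
        Risk("Staff account takeover through phishing", "Email", "high", "high",
             owner="Operations manager", action="Review admin accounts; phishing refresher",
             review_date=date(2024, 9, 30), controls=["MFA on email", "Staff reporting process"]),
        Risk("Loss of an unencrypted laptop", "Devices", "medium", "medium",
             owner="Office manager", review_date=date(2024, 9, 30)),
        Risk("Website compromise via outdated plugin", "Website", "low", "high",
             action="Update plugins, restrict admin access"),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for r in prioritise(register):
        print(f"{r.score()} {r.band():6} {r.risk} (owner: {r.owner or 'NONE'})")
    print(check_register(register, "2024-07-15"))
```

Run it as a script and the two highest-scoring risks come out first, the website risk is reported as unowned, the supplier risk as overdue against the assumed review date, and the laptop risk as a medium with no next action. The multiplication is deliberately crude: it only exists to make "everything is high" visible and to give a stable order for the review meeting, not to claim precision the judgements behind it do not have.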
Example risks for a small business
Your register should reflect your own business, but most small organisations share several common risks. Email compromise, ransomware, supplier payment fraud, loss of a laptop, weak backups, website compromise, accidental data sharing, AI tool misuse and loss of access to domain or hosting accounts are all worth considering.
Do not list every theoretical threat. Pick the risks that connect to real assets and real decisions. If the business depends on online bookings, payment systems or customer support email, those deserve attention. If a supplier hosts critical data, supplier risk belongs in the register. If staff use AI tools, shadow AI and data leakage should be included.
Turn risks into actions
A register has value only when it changes behaviour. Each high or medium risk should have a next action. The action might be accepting the risk, reducing it, transferring it through insurance or supplier contract, or avoiding it by stopping an activity. For most cybersecurity risks, the action is reduction: MFA, backups, training, access review, supplier check, patching or incident planning.
- Account takeover: turn on MFA and review admin users.
- Ransomware: test a restore from backups and patch devices.
- Supplier fraud: verify payment changes by calling a number already on file, not one given in the request.
- AI data leakage: approve tools and publish data rules.
- Website compromise: update plugins, restrict admin access and keep backups.
How often to review it
Review the register monthly while you are building the habit, then quarterly once it is stable. Also review it after major changes: new suppliers, new systems, new AI tools, staff changes, incidents, new contracts or regulatory changes. Risks are not static. A low risk can become high when a new system becomes business-critical.
Keep evidence light but useful. Note when MFA was enabled, when backups were tested, when staff training happened or when a supplier was reviewed. This helps if customers, insurers, auditors or partners ask how you manage cyber risk.
How to present it to leadership
Leaders do not need every technical detail. They need to know the top risks, what is being done, what decisions are needed and where budget or authority is required. Present the top five risks with status and next actions. Use plain business language: revenue disruption, customer trust, legal exposure, operational downtime and recovery time.
This turns cybersecurity from a vague fear into a management process. It also helps avoid reactive spending. When priorities are visible, the business can invest in the controls that reduce the most important risks first.
Connect the register to real meetings
A risk register should not live in isolation. Add it to an existing management rhythm: monthly operations meeting, quarterly leadership review, supplier review or board pack. If the register is reviewed only when an incident happens, it will not guide decisions early enough.
Keep the meeting focused. Review new risks, overdue actions, changed scores and decisions needed. Do not spend the whole meeting debating wording. The useful question is: has anything changed that affects priority or ownership?
Signs your register is working
A working register changes what the organisation does. It helps budget decisions, clarifies owners, reduces repeated debates and shows progress over time. It also makes trade-offs explicit. A risk may remain high because the fix is expensive, but leadership should know that and accept it consciously rather than by accident.
- Every high risk has an owner and next action.
- Overdue actions are visible and discussed.
- New systems and suppliers are added before they become critical.
- Controls are recorded as evidence, not just assumed.
- Leadership can explain the top cyber risks in business language.
When those signs are present, the register is doing its job. It is helping the business make better security decisions with the time and budget it actually has.
Keep historical notes
Do not overwrite the story of a risk completely each time you update it. Keep short notes showing when the score changed, when a control was added or when leadership accepted a risk. This history is useful later because it explains why decisions were made. It also helps new managers understand context without restarting every discussion.
Historical notes can be brief: “MFA enabled for email”, “backup restore tested”, “supplier review completed”, “risk accepted until renewal”, or “moved to high after attempted fraud”. Over time, those notes show whether security is improving or whether the same risks remain stuck.