
Risk Register or Fairytale? How to Stop Pretending and Start Prioritising - de.iterate

Written by sallydeiteratecom | Jul 30, 2025 1:54:32 PM

If your risk register reads like it was written by the Brothers Grimm, you’re not alone.

If your risk register is full of vague references to “hacking,” “email threats,” and “data breaches” with no clear owners or next steps, you’re in good company.

Most companies start out with the best of intentions. They know they need a risk register for ISO 27001 or privacy compliance, so they find a template, copy it across, and tick the box. And then… it quietly gathers digital dust.

Let’s be honest: a bad risk register is worse than no risk register. Why? Because it gives you a false sense of security and makes audits harder, not easier.

What a Fictional Risk Register Looks Like

You’ve probably seen one. The “fiction section” of compliance. Maybe it started the way all good fiction should: once upon a time, we [insert over-inflated fairytale here]. It’s probably filled with:

  • Risks that don’t apply to your business (“Loss of floppy disk data”. Really?).
  • No clear asset or owner.
  • No documented treatment or next review date.
  • Every risk has the same rating. Or worse: none at all.
  • And somehow, nothing has changed since it was first created in 2019.

It may have looked good enough to tick a box during your last audit. But, if a breach occurred tomorrow, it wouldn’t hold up under scrutiny.

Why Risks Aren’t Just Paperwork

Your risk register isn’t just something you create to keep your certification auditor happy. It’s the starting point of everything.

Every control you apply, every security decision you make, every dollar you spend on cyber or privacy protections: it all starts with what you’re actually trying to protect and what could go wrong.

When done well, a risk register tells a powerful story. It shows that your organisation understands its environment, that it’s thought through the consequences of failure, and that it’s actively doing something about it.

In short: it’s the spine of your compliance and security narrative.

Common Traps (and How to Dodge Them)

Here are the five biggest mistakes we see, and how to fix them:

  1. Too many risks: If your register has 87 items, half of which are barely relevant, no one’s reading it. Focus on the top 10 to 20 that genuinely matter, especially if you’re only just starting your data privacy story.
  2. Risks that are actually threats or controls: “Phishing” is not a risk. It’s a threat. “Implement MFA” isn’t a risk. It’s a control. Make sure your register defines each risk as a potential event with a consequence, rated for impact and likelihood.
  3. No ownership: Every risk needs an accountable owner. If it’s everyone’s problem, it’s no one’s priority.
  4. Static registers: Risks evolve. Your register should too. Review quarterly, or whenever something big changes, like new systems, new clients, or new laws.
  5. No link to treatment plans: A risk without a mitigation plan isn’t just risky. It’s irresponsible. Even if the plan is “accept and monitor”, it needs to be documented.

Building a Risk Register that Actually Works

Start simple. What are the top five things that could go wrong in your organisation when it comes to data, systems, and people? Document those. Assign owners. Decide what to do about them.

Then iterate (yes, we’re leaning into the pun here). A good risk register is alive, not archived. It grows with your business. You can always add more risks as your understanding matures, but you have to start somewhere.

Use categories to keep things manageable (like operational, reputational, technical, third-party, legal) and define clear criteria for impact and likelihood so you’re not making it up as you go along.
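As an added example (not the post’s own material, and not de.iterate’s product code), here is a small Python linter for register entries that flags the five traps above and ranks the usable entries by impact times likelihood, so the “start simple, then iterate” approach has something concrete to run. The 1-4 scale words, the 92-day review window, the control-verb heuristic and the sample entries are all constructed assumptions, not criteria from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed 1-4 scales: the post asks for defined criteria, not these exact words.
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
CATEGORIES = {"operational", "reputational", "technical", "third-party", "legal"}
REVIEW_EVERY = timedelta(days=92)  # roughly quarterly, as the post recommends
# Heuristic (assumed): a description opening with one of these reads like a control.
CONTROL_VERBS = ("implement", "enable", "deploy", "install", "configure")

@dataclass
class Risk:
    event: str                 # potential event plus consequence, not a bare threat
    category: str
    impact: str
    likelihood: str
    owner: str = ""
    treatment: str = ""        # "accept and monitor" is fine, but it must be written down
    last_reviewed: Optional[date] = None

    def score(self) -> int:
        """Impact x likelihood on the defined scales; 0 if either rating is off-scale."""
        return IMPACT.get(self.impact, 0) * LIKELIHOOD.get(self.likelihood, 0)

def lint(risk: Risk, today: date) -> list[str]:
    """Return the register traps this entry falls into; an empty list means it is usable."""
    findings = []
    words = risk.event.split()
    if len(words) < 3 or words[0].lower() in CONTROL_VERBS:
        findings.append("not a risk (reads like a bare threat or a control)")
    if risk.category not in CATEGORIES:
        findings.append("unknown category")
    if risk.impact not in IMPACT or risk.likelihood not in LIKELIHOOD:
        findings.append("rating not on the defined scale")
    if not risk.owner.strip():
        findings.append("no owner")
    if not risk.treatment.strip():
        findings.append("no treatment plan")
    if risk.last_reviewed is None or today - risk.last_reviewed > REVIEW_EVERY:
        findings.append("stale (not reviewed this quarter)")
    return findings

def prioritise(register: list[Risk], today: date, top_n: int = 10) -> list[Risk]:
    """Rank entries that pass lint by score, highest first; fix the rest before ranking them."""
    usable = [r for r in register if not lint(r, today)]
    return sorted(usable, key=lambda r: r.score(), reverse=True)[:top_n]
```

Run lint() over every entry before a review and prioritise() to produce the short list the post recommends; entries with findings stay out of the ranking until someone fixes them.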

How de.iterate Helps

Let’s be honest: spreadsheets weren’t built for this. de.iterate brings your risk register into the 21st century with:

  • Built-in risk templates aligned to ISO 27001 and data privacy frameworks.
  • Control suggestions based on your risk entries, so that you’re not left guessing.
  • Audit-ready history, so you can show what was done, when, and why.
  • Automated review cycles, so your register never goes stale.
  • Clear ownership and accountability with task tracking and reminders baked in.

Because when the auditor comes knocking, or a real risk becomes reality, you want more than a pretty list. You want a defensible, dynamic, and usable risk management process.

We All Lived Happily Ever After

If your risk register feels more like a compliance prop than a strategic asset, it’s time to change the narrative. Stop pretending. Start prioritising. Because real privacy and security start with understanding what you’re up against, and actually doing something about it.

And if you’re ready to ditch the fiction? We’ve got the platform to help. Book a demo now, or contact the team.