Understanding the Risk Register
The Risk Register records governance risks that may affect systems, data, operations, vendors, or organisation-wide obligations. Risks are long-lived governance records, not remediation tasks: they are identified, treated, reviewed, and either accepted or retired over time. Issues remain the remediation surface — a risk may later create or link to issues, but that workflow is not enabled yet.
Open the Compliance workspace, switch to the Registers group, and select Risks. Add the top governance risks against your most important assets first.
Separating risks (governance objects) from issues (remediation items) keeps both registers usable. Without a risk register, every concerning thing tends to become an open issue that nobody closes; with a risk register, the persistent governance question stays in one place.
Risks now carry a Treatment & safeguards panel (Phase 4 MVP) and Risk Register summary counts surface on the Compliance dashboard, Position Summary, board report, and Evidence Pack. Full Control Library expansion (Phase 5), Exception / Acceptance Register (Phase 6), risk-aware director attestation (Phase 7), and risk-driven issue creation remain deferred.
