Flagship · The Connected Model

Integrated Risk & Control Register

Risks, Controls, Issues, and Incidents in one workbook that calculate each other. Incidents drive likelihood. Controls drive residual risk. Open findings degrade the controls they hit — automatically.

$997 one-time · instant download · free updates
What you get
  • 10 linked tabs — the whole program in one file
  • Residual risk calculated from control effectiveness
  • Incident-driven likelihood; issues degrade controls
  • Auto dashboard: heat map, top risks, coverage gaps
  • Mapped to NIST CSF, SOC 2, ISO 27001, DORA, FFIEC
  • Excel (.xlsx) · instant download · free updates
How it works

Evidence in. Ratings out. Automatically.

Most programs keep risks, controls, issues, and incidents in four disconnected spreadsheets. This workbook connects them: each entity feeds the others, so your risk ratings are conclusions drawn from evidence — not opinions waiting to be challenged.

[Diagram: Incidents (count → likelihood), Controls (effectiveness → residual), and Issues (open findings) feed Risk (rated by evidence), which yields the Residual Rating.]

Every number is a formula over your inputs — not a workshop opinion. Change an input and the ratings move. That's what makes the output defensible.

What's inside

Ten linked tabs. One source of truth.

Risks

Inherent → controls → residual. Likelihood suggested from incidents; residual calculated from control effectiveness — with override.

Controls

A control library typed P/D/C, mapped to SOC 2 / ISO / NIST CSF / DORA / FFIEC, with effectiveness that open issues degrade.

Issues

Findings sourced from Internal Audit, Regulatory Exam, Certification — linked to the control they affect.

Incidents

Events linked to risks. The count drives suggested likelihood; the worst impact raises the inherent floor.

Risk–Control Map

The junction linking risks to the controls mitigating them — the spine of the residual calculation.

Dashboard

Auto-populated: KPI cards, residual heat map, top risks, coverage gaps. Zero manual entry — board-ready.

Built to be evidence

Numbers you can put in front of an auditor

Deterministic, not guessed

Every rating is a transparent formula over your inputs, so it holds up when someone asks "why is this rated this way?"

Traceable to evidence

Ratings trace back to the inputs that produced them — the audit story is built in, not reconstructed after the fact.

Maps to your frameworks

Controls carry SOC 2, ISO 27001, NIST CSF, DORA, and FFIEC citations — so the register doubles as evidence for the frameworks you're assessed against.

The thinking behind the model: The Connected GRC Model and How to Build a Risk Register That Calculates Residual Risk.

FAQ

Before you buy

What format is it?

A single Microsoft Excel workbook (.xlsx). It recalculates on open — no macros, no add-ins, no subscription. Also opens in Google Sheets and LibreOffice.

Is it hard to use?

No. You fill the shaded input cells; the white cells calculate. Dropdowns prevent bad entries, the Start Here tab walks you through it, and it ships with worked examples you delete before use.

Can I use it with clients?

Yes — internally or in client engagements. You can't resell the template itself as a template.

Need it tailored?

If you need it adapted to a specific framework, org size, or regulator, get in touch — customization and advisory are available.

Run the connected model today

One workbook. Risks, controls, issues, and incidents that finally talk to each other.

Get the Workbook — $997 Or get all 7 in the Bundle ($1,797)