Enterprise Risk

Risk Register & Scoring Model

A register that calculates residual risk from control effectiveness instead of guessing it twice — inherent → controls → residual, with an auto-populated dashboard.

$299 one-time · instant download · free updates

Get the Workbook · See the Bundle ($1,797)
What you get
  • 6-tab Excel workbook
  • Inherent → controls → residual, all calculated
  • 1–5 likelihood + 4-dimension impact scales
  • Auto 5×5 heat map & top-risks dashboard
  • Mapped to NIST CSF, SOC 2, ISO, CIS, PCI
  • Instant download · free updates
How it works

Evidence in. Ratings out. Automatically.

Most registers score residual risk by gut, in the same breath as inherent. This one derives residual from the effectiveness of your controls, so the number moves when your control posture changes — and you can defend it.

Input: likelihood + 4 impacts → Inherent score: L × max impact → Controls: effectiveness → Residual score: × (1 − reduction) → Rating: band

Every number is a formula over your inputs — not a workshop opinion. Change an input and the ratings move. That's what makes the output defensible.
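As an added worked example (not the workbook's own formulas), the chain above in Python: a constructed four-risk register, the page's inherent = L × max impact and residual = inherent × (1 − reduction) formulas, and a dashboard summary of counts by rating and top risks by residual. The rating-band thresholds and the assumption that control effectiveness equals the reduction fraction are mine, not the page's.

```python
from dataclasses import dataclass

# ASSUMED rating bands (upper bound inclusive) over the 1-25 score; the page publishes no thresholds.
RATING_BANDS = [(5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical")]

@dataclass
class Risk:
    risk_id: str
    likelihood: int               # 1-5 scale, as on the page
    impacts: dict                 # four impact dimensions, each scored 1-5
    control_effectiveness: float  # 0.0-1.0; ASSUMED to equal the reduction fraction

    def __post_init__(self):
        # Dropdown-style validation: reject out-of-scale inputs rather than scoring them.
        ok = (1 <= self.likelihood <= 5 and len(self.impacts) == 4
              and all(1 <= v <= 5 for v in self.impacts.values())
              and 0.0 <= self.control_effectiveness <= 1.0)
        if not ok:
            raise ValueError(f"{self.risk_id}: input outside the defined scales")

    def inherent(self) -> int:
        # Page formula: inherent score = likelihood x max impact dimension.
        return self.likelihood * max(self.impacts.values())

    def residual(self) -> float:
        # Page formula: residual = inherent x (1 - reduction), reduction from controls.
        return round(self.inherent() * (1 - self.control_effectiveness), 2)

def rating(score: float) -> str:
    """Map a score onto the ASSUMED rating bands."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-25 scale")

def dashboard(risks: list, top_n: int = 3) -> dict:
    """Counts by residual rating plus the top-N risks by residual score."""
    counts: dict = {}
    for r in risks:
        counts[rating(r.residual())] = counts.get(rating(r.residual()), 0) + 1
    top = sorted(risks, key=lambda r: r.residual(), reverse=True)[:top_n]
    return {"counts_by_rating": counts,
            "top_by_residual": [(r.risk_id, r.residual()) for r in top]}

# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("R-01", 4, {"financial": 3, "operational": 5, "regulatory": 2, "reputational": 3}, 0.6),
    Risk("R-02", 2, {"financial": 5, "operational": 2, "regulatory": 4, "reputational": 1}, 0.0),
    Risk("R-03", 5, {"financial": 4, "operational": 3, "regulatory": 4, "reputational": 2}, 0.9),
    Risk("R-04", 3, {"financial": 2, "operational": 4, "regulatory": 3, "reputational": 3}, 0.25),
]
```

Re-running `dashboard` after changing one risk's `control_effectiveness` is the defensibility point: the residual and its band move with the control posture, and the inputs that produced them are still on the row.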

What's inside

Six tabs that do the work for you.

Risk Register

One row per risk: 1–5 likelihood and four impact dimensions with written definitions; composite, rating, inherent and residual all calculate.

Scoring Reference

The calibrated likelihood, impact, and rating-band scales your whole team scores against.

Dashboard

Auto 5×5 residual heat map, counts by rating, top risks by residual, breakdown by category.

Compliance Mapping

How the register supports NIST CSF 2.0, SOC 2, ISO 27001, CIS, and PCI.

Glossary

Every column heading defined, with a Source column — adapt the language to your org.

Start Here

A five-step walkthrough and worked examples you delete before use.

Built to be evidence

Numbers you can put in front of an auditor

Deterministic, not guessed

Every rating is a transparent formula over your inputs, so it holds up when someone asks "why is this rated this way?"

Traceable to evidence

Ratings trace back to the inputs that produced them — the audit story is built in, not reconstructed after the fact.

Maps to your frameworks

A built-in Compliance Mapping tab cross-walks the register to NIST CSF 2.0, SOC 2, ISO 27001, CIS, and PCI.

The thinking: How to Build a Risk Register That Calculates Residual Risk and The Data-Driven Risk Assessment.

FAQ

Before you buy

What format is it?

A single Microsoft Excel workbook (.xlsx). It recalculates on open — no macros, no add-ins, no subscription. Also opens in Google Sheets and LibreOffice.

Is it hard to use?

No. You fill the shaded input cells; the white cells calculate. Dropdowns prevent bad entries, the Start Here tab walks you through it, and it ships with worked examples you delete before use.

Can I use it with clients?

Yes — internally or in client engagements. You can't resell the template itself as a template.

Need it tailored?

If you need it adapted to a specific framework, org size, or regulator, get in touch — customization and advisory are available.

Stop guessing residual risk

A register that calculates the number instead of asking the room to estimate it twice.

Get the Workbook — $299 Or get all 7 in the Bundle ($1,797)