Risk Register
Read about what Risk Registers are, why they matter and how to file them in Copla Registry.
Overview
A Risk Register is a simple, practical way to keep track of the main risks an organization faces, especially those that could affect compliance, day-to-day operations, or trust with customers. It helps teams understand what could go wrong, how serious it would be, and what is being done about it, so risks are managed intentionally rather than compliance being treated as a box-ticking exercise.
How To Access It
To view and manage the Risk Register, your user role needs to have the appropriate Risk Register permissions. Once those permissions are in place, you’ll be able to access and work with it normally.
Where Data Comes From
Assets from the Asset Register are automatically included in the Risk Register, so there’s no need to enter or duplicate the same information again.
How To Find It
You can access the Risk Register directly from the menu bar:
Dynamic Registers → Risk Register
Users can click a category to drill down into it.
Register Asset Types
The system will display, on a dedicated page, only the subcategories belonging to the selected asset category. All the objects on the page are collapsible (subcategories and assets). There are three types of assets:
- Type 1, assets that make up a subcategory: These assets are not displayed individually in the Risk Register. To assign risks to this type of asset, the user assigns a risk directly to the subcategory, as all assets within the subcategory share the same risks.
- Type 2, assets that belong to a subcategory but have unique risks: Some assets may inherit the risks of their subcategory while also having additional, asset-specific risks. In this case, the asset is displayed separately in the Risk Register and maintains a parent–child relationship with its subcategory. The risk can be assigned directly to the asset.
- Type 3, assets that do not belong to any subcategory: Assets that are not part of a subcategory are not grouped. These assets appear under the Other category on the main Risk Register page. When drilling down, the system displays all assets that do not have an associated subcategory. The risk can be assigned directly to the asset.
Creating a New Risk
Users can create a new risk by clicking the “Add Risk” button. The system displays a table to be completed, with two pinned columns:
- Risk Date
- Risk Description
Risk Description is mandatory. Some columns (fields) must be filled in manually by the user, while others are calculated automatically by the system.
Risk Table
The table columns are logically grouped. Users can hover over a column to view its description and obtain additional information.
Six column groups are defined:
- Asset Criticality
- Risk
- Impact and Likelihood
- Inherited Risk Level
- Risk Treatment
- Residual Risk (After Treatment)
Users can view all columns simultaneously by scrolling horizontally.
Risk Table Column Descriptions
| ID | Column Name | Type | Logic description | Tooltip text |
|---|---|---|---|---|
| C-1 | Risk Date | • date • read-only | • The column is pinned by default. • The system sets the date when the risk record is created (format yyyy-mm-dd). • The value is not editable. | Date when this risk was created. |
| C-2 | Risk Description | • text field | • The column is pinned by default. • A required field (marked with '*' on the UI; the system shows an error message if empty, and the risk record cannot be saved without a value). • Field limitation: 700 characters | What could go wrong, written in clear business terms. |
| “Risk” group | | | | |
| C-3 | Threat Description | • dropdown • single select | • A dropdown component displaying a list of potential threat descriptions. • The user can use search to find the relevant option. • Values are provided below the main table. | What could cause the risk to happen. |
| C-4 | Vulnerability Description | • dropdown • single select | • A dropdown component displaying a list of potential vulnerability descriptions. • The user can use search to find the relevant option. • Values are provided below the main table. | The weakness that makes this risk possible. |
| C-5 | Impact Description | • dropdown • single select | • A dropdown component displaying a list of potential impact descriptions. • The user can use search to find the relevant option. • Values are provided below the main table. | What would happen if the risk occurs. |
| “Asset Criticality” group | | | | |
| C-7 | Confidentiality | • referenced field • read-only | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) • Data source: the value is populated from the “Confidentiality” field in the Asset Dynamic Register. ◦ For assets of type 2 and/or type 3, the system directly uses the asset’s confidentiality value. ◦ For assets of type 1 (assets that belong to a subcategory and are not displayed individually in the Risk Register), the system assigns the maximum confidentiality value among all assets within the corresponding subcategory. | How sensitive the affected information is. |
| C-8 | Integrity | • referenced field • read-only | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) • Data source: the value is populated from the “Integrity” field in the Asset Dynamic Register. ◦ For assets of type 2 and/or type 3, the system directly uses the asset’s integrity value. ◦ For assets of type 1 (assets that belong to a subcategory and are not displayed individually in the Risk Register), the system assigns the maximum integrity value among all assets within the corresponding subcategory. | How important it is that the information stays accurate and unchanged. |
| C-9 | Availability | • referenced field • read-only | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) • Data source: the value is populated from the “Availability” field in the Asset Dynamic Register. ◦ For assets of type 2 and/or type 3, the system directly uses the asset’s availability value. ◦ For assets of type 1 (assets that belong to a subcategory and are not displayed individually in the Risk Register), the system assigns the maximum availability value among all assets within the corresponding subcategory. | How important it is that the system or service is available when needed. |
| C-10 | Total | • calculated field • read-only | • Automatic calculation. • Calculation formula: C-7 + C-8 + C-9 • The field automatically recalculates whenever any of the source fields (C-7, C-8, C-9) is updated. • If any of the source fields is empty or missing, the calculated field remains empty. | Overall importance of the affected asset or process. |
| “Impact and Likelihood” group | | | | |
| C-11 | Financial Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Potential financial loss if the risk occurs. |
| C-12 | Regulatory/Legal/Compliance Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Possible regulatory, legal, or compliance consequences. |
| C-13 | Reputational Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Possible damage to trust or reputation. |
| C-14 | Operational Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Disruption to daily operations or service delivery. |
| C-15 | Customer Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Impact on customers or end users. |
| C-16 | Total Impact | • calculated field • read-only | • Automatic calculation. • Calculation formula: C-11 + C-12 + C-13 + C-14 + C-15 • The field automatically recalculates whenever any of the source fields (C-11 to C-15) is updated. • If any of the source fields is empty or missing, the calculated field remains empty. | Overall severity of the impact if the risk occurs. |
| C-17 | Likelihood | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | How likely it is that this risk will happen. |
| “Inherited Risk Level” group | | | | |
| C-18 | Risk Score | • calculated field • read-only | • Automatic calculation. • Calculation formula: C-17 x C-16 x C-10 • The field automatically recalculates whenever any of the source fields (C-17, C-16, C-10) is updated. • If any of the source fields is empty or missing, the calculated field remains empty. | Overall risk score based on impact and likelihood. |
| C-19 | Risk Level | • calculated field • read-only | • Automatic calculation. • Mapping: ◦ If the C-18 value is between 15 and 180 → assign 1 (Low); ◦ If the C-18 value is between 181 and 360 → assign 2 (Medium); ◦ If the C-18 value is greater than 360 → assign 3 (High). • The value updates dynamically whenever the C-18 value changes. | Risk level shown as Low, Medium, or High. |
| “Risk Treatment” group | | | | |
| C-20 | Risk Treatment Action (Decision) | • dropdown • single select | • Value options: ◦ Accept ◦ Mitigate ◦ Transfer ◦ Avoid (stop the activity) | How you plan to handle this risk. |
| C-21 | Existing Controls | • text field | • Field limitation: 700 characters (MVP concept) | What is already in place to reduce this risk. |
| C-22 | Proposed Treatment / Control | • text field | • Field limitation: 700 characters (MVP concept) | What you plan to implement to reduce the risk further. |
| C-23 | Responsible Team/Function | • text field | • Field limitation: 700 characters (MVP concept) | Team responsible for managing this risk. |
| C-24 | Due Date | • date • date picker | • Users can pick the date from the date picker or enter it manually. • Format: yyyy-mm-dd. • The date must not be before the C-1 date. | When the planned actions should be completed. |
| “Residual Risk (After Treatment)” group | | | | |
| C-25 | Financial Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Financial impact after planned actions are applied. |
| C-26 | Regulatory/Legal Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Regulatory or legal impact after planned actions are applied. |
| C-27 | Reputational Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Reputational impact after planned actions are applied. |
| C-28 | Operational Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Operational impact after planned actions are applied. |
| C-29 | Customer Impact | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | Customer impact after planned actions are applied. |
| C-30 | Total Impact | • calculated field • read-only | • Automatic calculation. • Calculation formula: C-25 + C-26 + C-27 + C-28 + C-29 • The field automatically recalculates whenever any of the source fields (C-25 to C-29) is updated. • If any of the source fields is empty or missing, the calculated field remains empty. | Overall remaining impact after treatment. |
| C-31 | Likelihood | • dropdown • single select | • Value options: ◦ 3 (High) ◦ 2 (Medium) ◦ 1 (Low) | How likely the risk is after treatment. |
| C-32 | Risk Score | • calculated field • read-only | • Automatic calculation. • Calculation formula: C-31 x C-30 x C-10 • The field automatically recalculates whenever any of the source fields (C-31, C-30, C-10) is updated. • If any of the source fields is empty or missing, the calculated field remains empty. | Overall remaining risk score. |
| C-33 | Risk Level | • calculated field • read-only | • Automatic calculation. • Mapping: ◦ If the C-32 value is between 15 and 180 → assign 1 (Low); ◦ If the C-32 value is between 181 and 360 → assign 2 (Medium); ◦ If the C-32 value is greater than 360 → assign 3 (High). • The value updates dynamically whenever the C-32 value changes. | Remaining risk level after treatment. |
| C-34 | Report to Board | • text field | • Field limitation: 700 characters (MVP concept) | Key information suitable for board-level reporting. |
| C-35 | Responsible Function | • text field | • Field limitation: 700 characters | Function accountable for long-term ownership of the risk. |
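The calculated columns above (C-10, C-16, C-18, C-19, C-30, C-32, C-33), the maximum-over-subcategory rule for type 1 assets, the empty-source-field rule and the C-24 date check, worked through on a constructed record. This is an added illustration, not Copla Registry code; the function names, the asset dictionaries and the chosen impact values are all assumptions made for the example.

```python
from datetime import date

LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}


def criticality_for_subcategory(assets):
    """C-7..C-9 for a risk assigned to a subcategory (type 1 assets): the maximum
    Confidentiality/Integrity/Availability across all member assets."""
    return tuple(max(a[k] for a in assets) for k in ("C", "I", "A"))


def total(values):
    """C-10, C-16 and C-30: a plain sum that stays empty (None) while any
    source field is empty or missing."""
    values = list(values)
    return None if any(v is None for v in values) else sum(values)


def risk_score(likelihood, total_impact, total_criticality):
    """C-18 (inherited) and C-32 (residual): Likelihood x Total Impact x Total."""
    if None in (likelihood, total_impact, total_criticality):
        return None
    return likelihood * total_impact * total_criticality


def risk_level(score):
    """C-19 / C-33 mapping: 15-180 -> 1 (Low), 181-360 -> 2 (Medium), >360 -> 3 (High).
    Empty scores (and anything below the documented range) stay empty."""
    if score is None or score < 15:
        return None
    if score <= 180:
        return 1
    if score <= 360:
        return 2
    return 3


def due_date_valid(risk_date, due_date):
    """C-24 rule: the Due Date must not be before the Risk Date (C-1)."""
    return due_date >= risk_date


def worked_example():
    """Constructed record: a subcategory of three assets, scored before and after treatment."""
    assets = [{"C": 3, "I": 2, "A": 1}, {"C": 1, "I": 3, "A": 2}, {"C": 2, "I": 1, "A": 2}]
    c7, c8, c9 = criticality_for_subcategory(assets)  # (3, 3, 2): max per CIA column
    c10 = total((c7, c8, c9))                          # 8
    c16 = total((3, 3, 2, 3, 2))                       # inherited impacts C-11..C-15 -> 13
    c18 = risk_score(3, c16, c10)                      # 3 x 13 x 8 = 312
    c30 = total((1, 2, 1, 2, 1))                       # residual impacts C-25..C-29 -> 7
    c32 = risk_score(1, c30, c10)                      # 1 x 7 x 8 = 56
    return {"total_criticality": c10,
            "inherited_score": c18, "inherited_level": LEVEL_NAMES[risk_level(c18)],
            "residual_score": c32, "residual_level": LEVEL_NAMES[risk_level(c32)]}


if __name__ == "__main__":
    print(worked_example())
```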