ISO 31000 Risk Register Compliance

ISO 31000 Risk Register: What It Actually Requires

RiskSight Team

ISO 31000 is the international standard for risk management. If you work in mining, construction, or any high-hazard industry, your organisation probably claims to follow it. But when you look at the actual risk register? It’s usually a spreadsheet with a likelihood-consequence matrix and not much else.

Here’s what ISO 31000 actually expects — and where most teams fall short.

What ISO 31000 Is (and Isn’t)

First, an important distinction: ISO 31000 is a framework, not a checklist. It doesn’t prescribe a specific register format or demand particular fields. Instead, it outlines principles and a process for managing risk effectively.

That said, the process has clear requirements that your risk register needs to support. If your register can’t facilitate these, you’re not really following ISO 31000 — you’re just saying you do.

The ISO 31000 Risk Management Process

The standard defines a structured process:

  1. Scope, context, and criteria — Establish what you’re assessing and how
  2. Risk identification — Find, recognise, and describe risks
  3. Risk analysis — Understand the nature of risk and determine the level
  4. Risk evaluation — Compare results against criteria to determine priorities
  5. Risk treatment — Select and implement options for addressing risk
  6. Monitoring and review — Track and review the entire process
  7. Communication and consultation — Engage stakeholders throughout

Your risk register is the living document that supports steps 2 through 6. Let’s look at what that means in practice.

What Your Risk Register Actually Needs

Risk Identification Fields

Every risk entry should capture:

  • Risk description — What could happen? Be specific. “Safety risk” is not a risk description.
  • Risk source/hazard — What’s the underlying source of the risk?
  • Potential causes — What could trigger this risk? (Maps to threats in a bowtie diagram)
  • Potential consequences — What’s the impact if it materialises?
  • Existing controls — What’s already in place? This is critical and often missing.

Risk Analysis

ISO 31000 requires you to understand the level of risk considering:

  • Likelihood — How probable, considering existing controls?
  • Consequence — How severe, considering existing controls?
  • Current risk level — The residual risk with current controls in place

The key phrase is “considering existing controls.” Many registers assess inherent risk (without controls) and then jump to a risk score. ISO 31000 wants you to understand the risk level as it stands right now, with your current controls operating.

Risk Evaluation

Your register needs to support comparison against risk criteria — the thresholds your organisation has set for acceptable and unacceptable risk. This is more than a traffic light. It should drive decisions:

  • Accept the risk?
  • Treat it further?
  • Escalate for decision?
  • Stop the activity?

Risk Treatment

This is where most spreadsheet registers completely break down. ISO 31000 requires:

  • Treatment options — What are you going to do about unacceptable risks?
  • Treatment plan — Who’s responsible? What’s the timeline?
  • Target risk level — What’s the expected risk level after treatment?
  • Implementation tracking — Is the treatment actually being implemented?

A spreadsheet row with “Implement better controls” in a column is not a treatment plan.

Monitoring and Review

ISO 31000 explicitly requires ongoing monitoring of:

  • Risk changes — Has the risk level changed? New threats? New consequences?
  • Control effectiveness — Are existing controls still working?
  • Treatment progress — Are treatment actions being completed?
  • Context changes — Has the operating environment changed?

This means your register needs to be a living system, not a document you update once a year for the audit.

Where Most Organisations Get It Wrong

1. The Annual Update Trap

“We review our risk register annually.” ISO 31000 calls for monitoring and review to be “planned and undertaken at appropriate intervals.” For operational risks in high-hazard industries, annual is almost never appropriate.

2. Disconnected Controls

The register lists controls, but there’s no link between the control and the risk it’s managing. When a control degrades, nobody knows which risks are affected.

3. No Treatment Tracking

Treatments are identified but never tracked. Six months later, nobody knows whether the corrective actions were completed — or whether they actually reduced the risk.

4. Generic Risk Descriptions

“Environmental risk” or “Safety risk” tells you nothing. ISO 31000 requires risks to be identified with enough specificity to be analysed and treated effectively.

5. Missing Context

The standard starts with establishing context. Most registers skip this entirely, jumping straight to a list of risks with no documented scope, objectives, or risk criteria.

What Good Looks Like

A risk register that genuinely supports ISO 31000:

  • Links risks to controls and tracks whether those controls are effective
  • Tracks treatment plans with owners, deadlines, and completion status
  • Supports multiple assessment types — inherent, current (residual), and target risk levels
  • Triggers reviews when controls degrade or context changes
  • Provides an audit trail — who changed what, when, and why
  • Connects to your broader risk framework — not a standalone spreadsheet
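As an added illustration, not code from the original post or from RiskSight, here is a minimal Python model of a register that links risks to their controls, computes the current level "considering existing controls", evaluates it against criteria, and flags every dependent risk for review (with an audit entry) when a control degrades. The 5x5 scales, the acceptance thresholds and the mining scenario are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed 5x5 scales; real criteria come from the organisation's own context step.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale while effective
    effective: bool = True

@dataclass
class Risk:
    description: str               # a specific event, not "safety risk"
    inherent_likelihood: str
    inherent_consequence: str
    controls: list = field(default_factory=list)
    needs_review: bool = False

    def inherent_level(self) -> int:
        return LIKELIHOOD[self.inherent_likelihood] * CONSEQUENCE[self.inherent_consequence]
    def current_level(self) -> int:
        # Residual level "considering existing controls": only effective controls count.
        lik = LIKELIHOOD[self.inherent_likelihood]
        lik -= sum(c.likelihood_reduction for c in self.controls if c.effective)
        return max(1, lik) * CONSEQUENCE[self.inherent_consequence]

def evaluate(level: int) -> str:
    # Risk evaluation: compare the level against constructed acceptance thresholds.
    if level >= 15:
        return "stop activity / escalate"
    return "treat further" if level >= 8 else "accept"

def control_degraded(register: list, control_name: str, who: str, audit: list) -> list:
    # Mark the control ineffective, flag every risk relying on it, and record who did it.
    affected = []
    for r in register:
        for c in r.controls:
            if c.name == control_name and c.effective:
                c.effective, r.needs_review = False, True
                affected.append(r)
                audit.append(f"{who}: '{control_name}' degraded; review '{r.description}'")
    return affected

def build_sample_register() -> list:
    # Constructed mining example: one risk relying on two existing controls.
    return [Risk("Haul truck strikes pedestrian at ROM pad", "likely", "catastrophic",
                 controls=[Control("Pedestrian exclusion zone", likelihood_reduction=2),
                           Control("Proximity detection", likelihood_reduction=1)])]
```

With both controls effective the sample risk sits at level 5 (accept); once proximity detection degrades it rises to 10 (treat further) and is flagged for review, which is exactly the link a standalone spreadsheet cannot maintain.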

Moving Beyond Spreadsheets

Spreadsheets were never designed to be risk management systems. They can’t track control effectiveness, alert you to degradation, manage treatment workflows, or maintain an audit trail.

RiskSight is built specifically around the ISO 31000 process — linking risks to controls, tracking barrier health, managing treatments, and maintaining the living system the standard actually requires.

Start a free trial and see how an ISO 31000-aligned risk register actually works in practice.
