Risk Register Review Frequency: How Often and What Must Change
Most organisations review their risk register annually. Annual review creates a 12-month window in which the risk register can be completely wrong without anyone knowing. New equipment is commissioned, processes are modified, incident investigations reveal control gaps, and regulatory requirements change — none of which are reflected in the register until the calendar says it is time.
Annual review is a minimum, not a target. The question is not only how often to review, but what conditions require an unscheduled review and what a review must actually examine to be substantive.
What ISO 31000 Requires on Review Timing
ISO 31000 requires that risk assessments be reviewed on a periodic basis and whenever there is a significant change to the context, circumstances, or risk environment. The standard does not specify a review frequency. It establishes the principle that the review cycle must be appropriate to the rate at which risks and their controls can change.
For a low-hazard administrative environment, annual review may be entirely appropriate. For mining, construction, or heavy industry, where operational conditions can change daily and where control failures can result in fatalities, annual review is a bare minimum. Many high-hazard operations review critical risks quarterly and principal hazard management plans more frequently than that.
The relevant question is not “when does the calendar say we review?” but “how quickly can the risk picture change, and is our review cycle sensitive to that rate of change?”
What Triggers an Unscheduled Review
Certain changes must trigger a risk register review regardless of the scheduled cycle. Waiting for the annual review date when one of these conditions has occurred means operating with a risk register that is known to be inaccurate.
New or modified equipment: When equipment is commissioned, upgraded, or repurposed, the hazard profile changes. New energy sources, different operating parameters, and unfamiliar failure modes must be assessed. The existing risk register entries for affected tasks may no longer reflect the actual controls in place.
Process changes: Any change to how work is done — revised procedures, new chemicals, different sequencing of tasks — alters the control landscape. A management of change process should automatically trigger a risk assessment for the affected tasks.
Incident or near-miss: An incident that reveals a failed or absent control requires the relevant risk register entries to be reviewed immediately. If a control was relied upon in the register but failed in practice, the residual risk rating is wrong. The register must be updated to reflect actual control effectiveness.
Critical control failure: When a critical control fails a verification check, the risk it manages is temporarily at a higher residual level. The register should reflect this until the control is restored and re-verified.
Regulatory change: New or amended legislation, codes of practice, or regulator guidance may introduce new requirements, identify previously unrecognised hazards, or change the adequacy threshold for existing controls.
Workforce or organisational change: Significant changes to supervision ratios, contractor mix, or site management structure can affect whether controls that rely on human behaviour and supervision are still adequate.
What a Substantive Review Must Cover
The most common failure in risk register review is re-dating rather than re-examining. The reviewer opens each risk entry, confirms it looks broadly correct, updates the review date, and moves on. The register is now “current” but not necessarily accurate.
A substantive review must address four questions for each risk entry:
Is the hazard still present? Operations change. A hazard that existed when the register was written may have been eliminated by engineering changes. An entry that no longer reflects a real hazard creates noise and wastes management attention. Remove it.
Are the controls still in place and adequate? Not “do we have a procedure for this” but “is the procedure being followed, is the equipment functioning, and is the control achieving its intended effect?” This requires checking verification records, not just the control description. A control that is listed but not functioning is worse than no control, because it creates false confidence in the residual risk rating.
Has the residual risk rating changed? If a control has degraded, if a new threat has been identified, or if the consequence of the hazard has been re-evaluated, the residual rating must change. A rating that is carried forward unchanged year after year is almost certainly not being reassessed — it is being confirmed.
Are treatment actions still appropriate and progressing? Risk treatments that were scheduled to be completed 18 months ago and have not progressed represent unmanaged residual risk. The review must check whether actions are on track, whether they are still the right actions, and whether the timeline is realistic.
What Common Review Failures Look Like
The date audit. Every entry has been reviewed, the date updated, and the rating confirmed unchanged. No substantive examination has occurred. The review log shows compliance. The risk picture has not been assessed.
Controls listed as effective without evidence. A control’s effectiveness rating is marked “adequate” but no verification records have been checked. The reviewer assumes the control is functioning because it is documented. This is the most common source of gap between the risk register and operational reality.
Treatment actions not followed up. Actions from the previous review are carried forward with extended due dates. The same actions appear in three consecutive annual reviews. No-one has examined why they have not been completed or whether they are still appropriate.
No connection to incident data. The risk register is reviewed in isolation from the incident record. Incidents from the past 12 months that revealed control failures are not used to inform the review. The register and the incident record are separate systems that never speak to each other.
This last failure is structural, not just a process problem. When the risk register and incident management system are separate tools, the information that should most directly inform a risk review — what controls actually failed and under what conditions — is not accessible during the review process.
What the Review Record Must Demonstrate
A risk register review must produce a record that demonstrates what was examined, what changed, and why. A review date and a signature is not a record — it is a timestamp.
A substantive review record includes:
- Confirmation of which risk entries were reviewed and by whom
- A summary of what changed and the basis for the change
- A list of controls checked against verification records, with the outcome
- Treatment actions reviewed, with updated status and any changes to scope or timeline
- Any new risks identified and added, with their initial assessment
- Any risks removed and the reason for removal
This record serves two purposes. It demonstrates to regulators and auditors that reviews are substantive. It also provides continuity — the next reviewer can see what was examined, what was assumed, and what was outstanding, rather than starting from scratch.
For a breakdown of how RiskSight connects risk register reviews to verification records, incident findings, and control health data, see Risk Management Software for Mining, Construction & Heavy Industry.
Start a 30-day free trial with demo data included. No credit card required.
Ready to modernise your risk management?
Start your 30-day free trial. No credit card required.
Start free trial