How to Build a Cyber Risk Register That Actually Works: The Technical Reality Behind Board Governance

Yesterday's episode showed Graham Falkner changing his mind about risk registers. Today we're going to build one. Properly. With none of the waffle that makes most governance documentation useless.

Here's what frustrates me about most cyber risk register guidance. It's written by consultants who've never actually had to present risk assessments to hostile boards. It's full of theoretical frameworks and compliance checkboxes that tell you nothing about whether you'll survive an actual attack.

A working risk register answers one question: if we got hit tomorrow, would we survive?

Everything else is performance art.

The Structure That Doesn't Lie

A useful cyber risk register contains exactly seven columns. More than seven and you're creating busywork. Fewer than seven and you're missing critical information that will bite you when things go wrong.

Column 1: Risk Description

Not "cyber attack." Not "data breach." Actual, specific scenarios that could happen to your business tomorrow.

Good: "Phishing email compromises finance director's credentials, attacker gains access to online banking, authorises fraudulent payment of £45,000 to overseas account before detection."

Bad: "Security incident affecting financial systems."

The difference matters. Vague descriptions let people pretend they're managing risk when they're just maintaining documentation. Specific scenarios force honest conversations about whether you're actually prepared.

Column 2: Likelihood Assessment

Use the government data. The 2025 Cyber Security Breaches Survey interviewed over 2,000 UK businesses. We have real statistics.

85% of breached businesses cite phishing as the attack vector. That's not "possible" or "likely." That's "almost certain" in risk management terms. If your likelihood assessment for phishing doesn't reflect 85% prevalence, you're lying to yourselves.

Use a five-point scale: Rare (0-10%), Unlikely (11-25%), Possible (26-50%), Likely (51-75%), Almost Certain (76-100%). Apply the actual statistics from the government surveys.

Column 3: Impact Assessment

Money. Downtime. Regulatory consequences. Customer loss. Reputational damage. All quantified.

The average breach costs UK businesses £1,600 according to government data. But that's skewed by businesses reporting zero cost (which typically means they didn't detect the impact or they're in denial). When you exclude zeros, it jumps to £3,550. Vodafone's 2025 research puts it at £3,398 for small businesses, £5,001 for companies with 50+ employees.

But averages hide the real risk. 28% of UK SMEs say a breach could put them out of business. So your impact assessment needs two numbers: most likely cost and maximum credible cost.

Most likely: £3,500 direct costs, 2-3 days downtime, £8,000 total impact including lost revenue.

Maximum credible: £50,000+ if we lose a major client contract, regulatory penalties, permanent reputational damage, potential business closure.

Board members understand "this could kill the company." They don't understand "moderate impact on operations."

Column 4: Current Controls

This is where most risk registers turn into fiction. Companies list controls they think they have, or controls they implemented years ago that nobody's verified still work.

Your current controls section must be verifiable. Not "we have backups." Specifically: "Daily automated backups to AWS S3 with 30-day retention, tested monthly by IT manager, last successful restore test 12 November 2025, restoration time 4 hours."

If you can't verify it, you don't have it. If you haven't tested it recently, it doesn't work. These aren't cynical assumptions. They're based on watching hundreds of businesses discover during actual incidents that the controls they thought they had were either misconfigured, disabled, or never implemented properly in the first place.

Column 5: Residual Risk Rating

Multiply likelihood by impact. Use a standard 5x5 matrix. This gives you a number between 1 and 25 that represents your actual exposure after accounting for current controls.

1-5: Low risk (green)
6-12: Medium risk (yellow)
13-20: High risk (orange)
21-25: Critical risk (red)

Critical and high risks require immediate action. Medium risks need monitoring and planning. Low risks get reviewed but don't demand urgent resources.

Most businesses discover they have more critical risks than they thought once they do this honestly. Good. Better to know now than during an incident.

Column 6: Required Additional Controls

The gap between where you are and where you need to be. Be specific about what you're going to implement, not vague aspirations.

Useless: "Improve security awareness."

Useful: "Implement monthly phishing simulation testing via KnowBe4, mandatory 20-minute security awareness training quarterly, track click rates, target <5% click rate on simulated phishing by Q2 2026."

Include costs. If you need £2,000 for proper security awareness training, say so. If you need £5,000 for better endpoint protection, document it. Boards can't make informed decisions about risk if you're hiding the costs of mitigation.

Column 7: Owner

A named human being at board level. Not "IT team." Not "operations." A director or senior manager with actual authority who will be asked at every board meeting: "What's the status of this risk?"

This is non-negotiable. Risks without owners don't get managed. They get discussed, deferred, and eventually forgotten until they materialise.

The Risks Every UK Small Business Must Include

Based on the 2025 government survey and Vodafone research, here are the five risks that belong in every small business cyber risk register:

Risk 1: Phishing-Based Email Compromise

85% of breaches start with phishing. Finance staff, directors, HR personnel handling payroll or employee data are primary targets. Typical scenario: attacker compromises email account, monitors for payment activity, intercepts legitimate payment requests or creates fake ones, redirects payments to attacker-controlled accounts.

Likelihood: Almost Certain (85% of breaches)
Impact: £3,500-£50,000+ depending on payment size and detection speed
Current Controls: [Your actual controls here]
Residual Risk: Typically 20+ (Critical) before proper controls
Required Controls: MFA on all email accounts, FIDO2 hardware tokens for finance staff, payment verification procedures, security awareness training, email filtering

Risk 2: Ransomware Attack

Approximately 1% of UK businesses report ransomware attacks annually (19,000 incidents in 2024/25). This sounds low until you calculate cumulative risk over 5 years: roughly 5% chance. For a risk that can close your business, that's unacceptable exposure.

Likelihood: Unlikely (1-5% annually)
Impact: Business-ending if you don't have verified backups. Average ransom demands £10,000-£100,000, but paying doesn't guarantee recovery. Total costs including downtime, investigation, restoration easily exceed £50,000.
Current Controls: [Your actual controls]
Residual Risk: Typically 15-20 (High to Critical) without proper backup strategy
Required Controls: Air-gapped backups tested monthly, endpoint detection and response, vulnerability patching within 48 hours of release, privileged access management

Risk 3: Supply Chain Compromise

Only 14% of UK businesses review their immediate suppliers' cyber security. Yet supply chain attacks are increasing. Your suppliers' security becomes your security.

Likelihood: Possible (growing threat, insufficient data for precise percentage)
Impact: Depends on supplier criticality. Hosting provider compromise could mean total business interruption. Payment processor compromise could mean customer data breach and regulatory penalties.
Current Controls: [Your actual controls]
Residual Risk: Typically 12-18 (Medium to High)
Required Controls: Supplier security assessments, contractual requirements for minimum security standards, incident notification clauses, alternative supplier relationships for critical services

Risk 4: Insider Threat (Malicious or Negligent)

Government surveys don't directly measure insider threats, but qualitative research shows this is vastly underestimated. Includes both malicious insiders stealing data and negligent staff causing security incidents through poor practices.

Likelihood: Possible (hard to measure, often goes undetected)
Impact: Data theft, regulatory breaches, customer loss. Can be business-ending if critical IP or customer data gets exfiltrated and published or sold.
Current Controls: [Your actual controls]
Residual Risk: Typically 10-15 (Medium to High)
Required Controls: Access controls based on least privilege, logging and monitoring of data access, offboarding procedures, data loss prevention, regular access reviews

Risk 5: Cloud Service Misconfiguration

64% of SMEs have staff working remotely. Most use cloud services. Misconfigured cloud storage, inadequate access controls, or compromised cloud credentials can expose massive amounts of data.

Likelihood: Likely (very common, often undetected)
Impact: Regulatory penalties under UK GDPR, customer notification costs, reputational damage. ICO fines for serious negligence can reach millions for large breaches.
Current Controls: [Your actual controls]
Residual Risk: Typically 15-20 (High to Critical) without proper cloud security
Required Controls: Cloud security posture management, automated configuration scanning, mandatory MFA, principle of least privilege, regular security reviews
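The seven columns above, scored the way the article describes, as an added example (not the article's or Equate Group's own tooling): the five-point likelihood bands and the 5x5 residual bands are taken from the text, while the impact cost ceilings in pounds, the ISO date format for control tests and the 90-day "untested means it doesn't count" rule are assumptions. The problems() checks enforce the register hygiene the article insists on (a named owner, verified controls, costed required controls), and cumulative_probability reproduces the Risk 2 arithmetic of 1% a year becoming roughly 5% over five years.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Column 2 bands from the article, scored 1-5 in order: (upper bound, label).
LIKELIHOOD = [(0.10, "Rare"), (0.25, "Unlikely"), (0.50, "Possible"),
              (0.75, "Likely"), (1.00, "Almost Certain")]
# Assumed, not from the article: GBP ceilings for impact scores 1-4 (5 = business-ending).
IMPACT_CEILINGS_GBP = [1_000, 5_000, 25_000, 100_000]
RATING = [(5, "Low"), (12, "Medium"), (20, "High"), (25, "Critical")]  # Column 5 bands
GENERIC_OWNERS = {"", "it", "it team", "operations", "tbc"}
MAX_TEST_AGE = timedelta(days=90)  # assumed: a control untested for 90+ days does not count


@dataclass
class RiskEntry:
    description: str                         # Column 1: one specific scenario
    annual_probability: float                # Column 2 input
    max_credible_cost_gbp: float             # Column 3 input
    business_ending: bool                    # Column 3: forces impact 5
    current_controls: dict[str, str | None]  # Column 4: control -> last test date (ISO) or None
    required_controls: dict[str, int | None] # Column 6: control -> GBP cost, None if uncosted
    owner: str                               # Column 7: a named director or senior manager

    def likelihood(self) -> tuple[int, str]:
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError("annual_probability must be between 0 and 1")
        return next((s, lbl) for s, (ceil, lbl) in enumerate(LIKELIHOOD, 1)
                    if self.annual_probability <= ceil)

    def impact(self) -> int:
        if self.business_ending:
            return 5
        return 1 + sum(self.max_credible_cost_gbp > c for c in IMPACT_CEILINGS_GBP)

    def residual(self) -> tuple[int, str]:
        """Likelihood x impact, banded on the article's 5x5 matrix."""
        score = self.likelihood()[0] * self.impact()
        return score, next(lbl for ceil, lbl in RATING if score <= ceil)

    def problems(self, today: str) -> list[str]:
        """Hygiene checks the article insists on; an empty list means the row is usable."""
        found = []
        if self.owner.strip().lower() in GENERIC_OWNERS:
            found.append("owner must be a named person with authority, not a team")
        now = date.fromisoformat(today)
        for name, tested in self.current_controls.items():
            if tested is None or now - date.fromisoformat(tested) > MAX_TEST_AGE:
                found.append(f"unverified control: {name}")
        found += [f"uncosted required control: {n}"
                  for n, cost in self.required_controls.items() if cost is None]
        return found


def cumulative_probability(annual: float, years: int) -> float:
    """Chance of at least one event in `years`; the article's 1%/yr is about 5% over 5 years."""
    return 1 - (1 - annual) ** years
```

Fed the Risk 1 figures (85% likelihood, £50,000 maximum credible cost) the row scores 5 x 4 = 20, which the article's own bands place at the top of High; it only reaches Critical when the impact is judged business-ending.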

The Technical Controls That Actually Matter

Forget the 50-page NIST frameworks and 200-control ISO 27001 annexes. Small businesses need exactly ten technical controls implemented properly. Everything else can wait.

1. Multi-Factor Authentication (MFA)

Every single account that touches business data. Email, banking, cloud services, admin access to any system. No exceptions.

Not SMS-based codes (vulnerable to SIM swapping). Authenticator apps minimum. FIDO2 hardware security keys for finance staff and administrators ideal.

Cost: £30-50 per FIDO2 key, one-time purchase. Authenticator apps are free. Implementation: 2-4 hours for small business.

2. Email Filtering and Anti-Phishing

Microsoft 365 and Google Workspace both include basic filtering. It's not enough. Add third-party email security that checks links, scans attachments, and quarantines suspicious messages.

Cost: £2-5 per user per month. Implementation: 2-3 hours setup, ongoing management 1 hour monthly.

3. Endpoint Protection

Proper EDR (Endpoint Detection and Response), not just antivirus. Needs to detect suspicious behaviour, not just known malware signatures.

Cost: £3-8 per device per month. Implementation: 4-6 hours for deployment, ongoing management 2 hours monthly.

4. Patch Management

Critical vulnerabilities patched within 48 hours. Everything else within 30 days. Automated where possible. Tested before deployment to production.

Cost: Time investment only if done manually, £2-4 per device per month for automated solutions. Implementation: Set up once, monitor ongoing.

5. Backup and Recovery

Daily backups. 30-day retention minimum. Stored off-site. Air-gapped or immutable. Tested monthly. Restoration time documented and practised.

Cost: £50-200 per month depending on data volume. Implementation: 4-8 hours setup, 2 hours monthly for testing.

6. Access Controls

Principle of least privilege. Users get minimum access needed for their role. Administrative access limited to specific individuals with business need. Regular access reviews quarterly.

Cost: Time investment only. Implementation: 8-12 hours initial audit and configuration, 2 hours quarterly review.

7. Password Policy

Minimum 12 characters. A password manager is mandatory for all staff. No password reuse. Changed if compromised. Not changed routinely (NCSC guidance explicitly says don't force regular password changes unless compromise suspected).

Cost: £3-5 per user per month for a business password manager. Implementation: 4 hours setup and training.

8. Security Awareness Training

Monthly phishing simulations. Quarterly training sessions. Track metrics. If click rates on simulated phishing exceed 10%, training isn't working.

Cost: £5-15 per user per month for quality platforms. Implementation: 2 hours monthly.

9. Logging and Monitoring

You need to know when something's wrong. Critical systems log authentication attempts, access to sensitive data, and configuration changes. Logs are retained for 90 days. Someone actually reviews them.

Cost: Free for basic logging, £5-20 per user per month for SIEM solutions. Implementation: 8-12 hours setup, ongoing review.

10. Incident Response Plan

Written procedure for what happens when you get hit. Who does what? Who calls whom? How do you isolate systems? How do you communicate with customers? How do you report to the ICO if required?

Cost: Time investment only. Implementation: 4-6 hours to write, 2-3 hours annually to test and update.

These ten controls, implemented properly, address roughly 90% of the attacks that hit small businesses. They're not comprehensive security. They're proportionate protection for organisations with limited resources.

Total cost for a 20-person business: approximately £150-300 per user per year, plus 40-60 hours of implementation time and 5-8 hours monthly management.

Compare that to the £3,398 average breach cost. Or the 28% of SMEs who say a breach could close them. The return on investment is obvious to anyone who can do basic arithmetic.

The Board Presentation That Gets Budget Approved

Your risk register is useless if the board doesn't approve resources to fix the gaps. Here's how to present cyber risk to get actual funding:

Start with business impact, not technology. "We have a 43% chance of experiencing a security breach this year. If that breach costs £3,500 in direct costs plus £5,000 in lost revenue and recovery, we're looking at an impact of £8,500. Our current controls don't adequately prevent or detect this."

Show the cumulative risk over time. "We have roughly 1% annual risk of ransomware. Over five years, that's approximately 5% cumulative risk. A ransomware attack without proper backups could cost £50,000+ or put the business out of business. We're currently accepting that risk."

Present the controls as insurance, not cost. "£150 per employee per year on proper security controls costs us £3,000 annually for 20 staff. One prevented breach pays for 2.8 years of protection. Two prevented breaches pay for 5.6 years."

Make risk acceptance explicit. "If the board chooses not to fund these controls, we need formal documentation that the board has accepted these risks, understands the potential consequences, and has determined the likelihood of impact doesn't justify the investment."

That last one works miracles. Directors hate explicitly accepting documented risks. They'll find the budget.

The Quarterly Review That Keeps This Current

Risk registers decay. Threats change. Controls stop working. Quarterly reviews keep your register accurate.

Standard agenda:

  1. Review the previous quarter's incidents (internal and industry-wide)

  2. Update likelihood assessments based on current threat data

  3. Verify current controls are still functioning as documented

  4. Progress check on additional controls implementation

  5. Emerging threats assessment

  6. Risk appetite review (has board tolerance changed?)

This takes 30-60 minutes. Schedule it as a standing board agenda item. Don't skip it because "nothing's changed." That's how risk management dies.

The Brutal Reality Check

Here's what I tell every business that pushes back on this. You don't have to do any of this. Risk registers aren't legally mandated for most small businesses. The NCSC Board Toolkit is guidance, not law. You can absolutely choose to do nothing.

But when you get breached, and you will get breached, these questions will be asked:

Did you understand the risk? Did you assess the likelihood? Did you consider the impact? Did you implement reasonable controls? Did you test your defences? Did you train your staff? Did you have an incident response plan?

If the answers are all no, and you've lost customer data or failed to prevent a fraud that cost a client money, you're going to have very uncomfortable conversations with regulators, insurers, and potentially lawyers.

The Companies Act already requires directors to exercise reasonable care, skill and diligence. When 43% of businesses get breached, when the average costs exceed £3,000, and when the government publishes free guidance on exactly what "reasonable" looks like, ignorance isn't a defence.

Create the risk register. Implement the controls. Document your governance. Or explicitly accept that you're gambling with your business survival on better odds than a coin flip.

Your choice. But make it an informed choice.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com