Your First Cyber Risk Register: 2-Hour Implementation Guide with Template

Right. You've listened to Episode 31. You've read the technical deep-dive. You understand the psychology. Now you need to actually create the thing.

This is the practical implementation guide. No theory. No waffle. Exactly what to do, in what order, with specific examples and a template you can use immediately.

Estimated time: 2 hours for initial creation. 30 minutes quarterly for review.

Let's begin.

Before You Start: What You Actually Need

Required participants: Minimum one board member or senior manager with actual authority. Ideally 2-3 people covering finance, operations, and IT.

Required information:

  • List of your critical business systems and data

  • Current cyber security controls (what you think you have)

  • Recent security incidents (if any)

  • Access to UK government Cyber Security Breaches Survey 2025

  • Insurance policy details (if you have cyber insurance)

  • Contact information for your IT support (internal or external)

Tools needed:

  • Spreadsheet software (Excel, Google Sheets, anything that makes tables)

  • Calculator

  • Honesty (surprisingly rare)

What you don't need:

  • Consultant

  • Special software

  • Technical expertise (basic understanding sufficient)

  • Perfect information (start with what you know, refine later)

Step 1: Identify Your Top Five Cyber Risks (30 Minutes)

Don't try to document every possible risk. Start with the five that could actually kill your business or cause serious harm.

Use this decision framework:

For every UK small business, these three risks are mandatory:

  1. Phishing-based email compromise leading to fraudulent payments

  2. Ransomware attack encrypting business-critical systems

  3. Insider threat (malicious or negligent) causing data breach

Why mandatory? Because 85% of breaches involve phishing, ransomware can be business-ending, and insider threats are vastly underestimated. If these aren't in your top five, you're lying to yourselves.

For the remaining two risks, consider:

  • Supply chain compromise (if you rely on critical suppliers or service providers)

  • Cloud misconfiguration exposing sensitive data (if you use cloud services heavily)

  • Loss of access to critical systems (if you have single points of failure)

  • Data theft of IP or customer information (if you have valuable proprietary data)

  • DDoS attack disrupting online services (if you're heavily dependent on website/online presence)

  • Physical theft of devices containing business data (if staff work remotely with sensitive data on laptops)

Pick the two that would cause you the most harm if they occurred tomorrow.

Write each risk as a specific scenario:

❌ Bad: "Cyber attack affecting systems"

✅ Good: "Phishing email compromises finance director's Office 365 account. Attacker monitors emails for two weeks, identifies pending £45,000 payment to supplier, sends fake email with updated bank details from compromised account, finance team processes fraudulent payment, money transferred overseas before fraud detected."

Specific. Realistic. Describes the full attack chain from initial compromise to business impact.

Step 2: Assess Likelihood Using Real Statistics (20 Minutes)

For each risk, assign a likelihood rating using the government data:

Almost Certain (76-100% annual probability):

  • Phishing attempts (85% of breaches involve phishing)

  • Receiving malicious emails (happens constantly)

Likely (51-75% annual probability):

  • Business experiencing some form of breach or attack (43% annually)

  • Remote workers being targeted (19% of remote workers per Vodafone 2025)

Possible (26-50% annual probability):

  • Significant security incident causing measurable damage

  • Supply chain security issues affecting your business

  • Insider security incident (accidental or deliberate)

Unlikely (11-25% annual probability):

  • Ransomware attack (approximately 1% annually but cumulative over years)

  • Targeted attack by sophisticated threat actor

  • Major data breach requiring ICO notification

Rare (0-10% annual probability):

  • Zero-day exploit specifically targeting your business

  • Physical destruction of IT infrastructure

  • Insider espionage for competitor

Don't guess. Use the actual statistics from the 2025 Cyber Security Breaches Survey and Vodafone research.

Example likelihood assessment for five risks (the three mandatory risks plus supply chain compromise and cloud misconfiguration):

Risk | Likelihood | Evidence
Phishing-based email compromise | Almost Certain | 85% of breaches involve phishing per DSIT 2025
Ransomware attack | Unlikely | 1% annually per DSIT 2025, but cumulative risk over 5 years is 5%
Insider threat | Possible | No specific UK data, but qualitative research shows underestimation
Supply chain compromise | Possible | Only 14% review supplier security, attacks increasing
Cloud misconfiguration | Likely | 64% use cloud services, misconfigurations common per security research

Step 3: Assess Impact in Money and Downtime (30 Minutes)

For each risk, document both most likely impact and maximum credible impact.

Most likely impact includes:

  • Direct costs (ransomware payment, consultant fees, forensics, legal)

  • Recovery costs (staff time, system restoration, data recreation)

  • Lost revenue during downtime

  • Customer notification costs if data breach

  • Regulatory penalties (if applicable)

Maximum credible impact includes:

  • Loss of major client(s) due to breach

  • Permanent closure (28% of SMEs say attack could close them per Vodafone 2025)

  • Director personal liability if negligence proven

  • Long-term reputational damage affecting sales

Use the government and Vodafone data as baselines:

  • Average breach: £1,600 (all businesses), £3,550 (excluding zeros)

  • Average for small businesses: £3,398 per Vodafone 2025

  • Average for 50+ employees: £5,001 per Vodafone 2025

Example impact assessment:

Risk | Most Likely Impact | Maximum Credible Impact
Phishing-based payment fraud | £45,000 fraudulent payment + £2,000 investigation = £47,000 total | £45,000 + loss of client relationship worth £200,000 annual revenue + ICO investigation = Business-threatening
Ransomware | £10,000 recovery costs + 3 days downtime (£5,000 lost revenue) = £15,000 | £50,000 ransom + 2 weeks downtime + permanent data loss + client loss = Potentially business-ending
Insider data theft | £5,000 investigation + £3,000 customer notification + £2,000 legal = £10,000 | ICO fine (up to £17.5m or 4% turnover) + criminal prosecution of directors + business closure
Supply chain compromise | £8,000 recovery + 1 week disruption = £13,000 | Loss of access to critical services + extended downtime + client loss = Business-ending
Cloud misconfiguration | £4,000 investigation + ICO notification = £8,000 | Major data breach + regulatory fine + reputational damage = Business-threatening

Be honest about maximum credible impact. If a risk could close your business, say so explicitly.

Step 4: Document Current Controls (20 Minutes)

List what you actually have in place right now. Not what you plan to implement. Not what you think you should have. What exists today.

For each control, document:

  • Specific implementation details

  • Configuration settings

  • Who manages it

  • Last verification date

  • Test results (if tested)

❌ Bad current control documentation:

"We have MFA"

"Backups are done"

"Staff are trained"

✅ Good current control documentation:

"Microsoft 365 enforced MFA using Microsoft Authenticator app on all user accounts except external contractors. Configured by IT manager 15-Mar-2025. Not yet tested for FIDO2 hardware tokens."

"Daily automated backups to Backblaze B2 cloud storage, 30-day retention, managed by IT support company TechCo Ltd. Last successful restoration test: 01-Nov-2025 (test file restored in 2 hours). Full system restoration never tested."

"Annual security awareness training via internal presentation, last delivered 10-Jan-2025, 18 of 20 staff attended, no testing of retention, no phishing simulations conducted."

Common controls for small businesses:

Email security:

  • Microsoft 365 or Google Workspace built-in filtering

  • Additional email security service (e.g., Mimecast, Proofpoint, Barracuda)

  • Banner warnings for external emails

  • Link protection / safe links

  • Attachment scanning

Authentication:

  • Password policy (complexity, length, expiry)

  • MFA on email accounts (authenticator app vs SMS vs FIDO2)

  • MFA on banking and financial systems

  • MFA on admin accounts

Endpoint protection:

  • Antivirus / endpoint detection and response

  • Patch management process

  • Device encryption

  • Mobile device management

Backup and recovery:

  • Backup frequency, retention, location

  • Air-gapped or immutable storage

  • Test frequency and results

  • Recovery time objectives

Access controls:

  • Principle of least privilege

  • Admin access limitations

  • Access review frequency

  • Offboarding procedures

Staff training:

  • Security awareness training frequency

  • Phishing simulation testing

  • Incident reporting procedures

  • Social engineering awareness

Document what you have honestly. If a control is configured but not tested, say so. If you think you have something but you're not sure, mark it as "unverified."

Step 5: Calculate Residual Risk Ratings (10 Minutes)

Use a 5x5 risk matrix:

Likelihood ratings:

  • Rare = 1

  • Unlikely = 2

  • Possible = 3

  • Likely = 4

  • Almost Certain = 5

Impact ratings (based on cost and business disruption):

  • Negligible (< £1,000, < 1 day downtime) = 1

  • Minor (£1,000-£5,000, 1-3 days) = 2

  • Moderate (£5,000-£20,000, 3-7 days) = 3

  • Major (£20,000-£50,000, 1-2 weeks) = 4

  • Catastrophic (> £50,000 or business-ending) = 5

Residual risk score = Likelihood × Impact

  • 1-5 = Low (green) - monitor

  • 6-12 = Medium (yellow) - plan mitigation

  • 13-20 = High (orange) - urgent action needed

  • 21-25 = Critical (red) - immediate action required

Example residual risk calculation:

Risk | Likelihood | Impact | Score | Rating
Phishing-based payment fraud | 5 (Almost Certain) | 4 (Major) | 20 | HIGH
Ransomware attack | 2 (Unlikely) | 5 (Catastrophic) | 10 | MEDIUM
Insider data theft | 3 (Possible) | 4 (Major) | 12 | MEDIUM
Supply chain compromise | 3 (Possible) | 4 (Major) | 12 | MEDIUM
Cloud misconfiguration | 4 (Likely) | 3 (Moderate) | 12 | MEDIUM

Most small businesses discover they have more high/critical risks than expected. Good. Better to know now.
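Added example, not from the guide: the Step 5 scales and score bands in Python, scoring the five risks as rated in the table above and re-scoring one when a planned control lowers its likelihood by a band. Band boundaries are assumed upper-bound inclusive (the guide does not say), and the cost/downtime helper rates most-likely impact only, so where the guide's table rates a risk on maximum credible impact your own judgment overrides it.

```python
"""Residual risk scoring on the guide's 5x5 matrix (Step 5).

Added example, not part of the original guide. Encodes the likelihood and
impact scales as written in Step 5, scores the five example risks with the
ratings the guide's table assigns, and shows what one planned control does
to a score. Assumption: band boundaries are upper-bound inclusive.
"""

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3,
              "Likely": 4, "Almost Certain": 5}

# (rating, label, max cost in GBP, max downtime in days) for bands 1-4.
# Anything beyond Major, or anything business-ending, is Catastrophic (5).
IMPACT_BANDS = [
    (1, "Negligible", 1_000, 1),
    (2, "Minor", 5_000, 3),
    (3, "Moderate", 20_000, 7),
    (4, "Major", 50_000, 14),
]

# (highest score in band, rating label, action) as listed in Step 5.
RATING_BANDS = [
    (5, "Low", "monitor"),
    (12, "Medium", "plan mitigation"),
    (20, "High", "urgent action needed"),
    (25, "Critical", "immediate action required"),
]


def impact_rating(cost_gbp, downtime_days, business_ending=False):
    """Rate impact 1-5 from cost and downtime; the worse dimension wins."""
    if business_ending:
        return 5
    for rating, _label, max_cost, max_days in IMPACT_BANDS:
        if cost_gbp <= max_cost and downtime_days <= max_days:
            return rating
    return 5


def risk_rating(score):
    """Map a 1-25 score to the guide's Low/Medium/High/Critical band."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} is outside the 5x5 matrix")
    for top, label, _action in RATING_BANDS:
        if score <= top:
            return label
    raise AssertionError("unreachable")


def score_risk(likelihood_label, impact):
    """Return (score, rating) for a likelihood label and a 1-5 impact."""
    score = LIKELIHOOD[likelihood_label] * impact
    return score, risk_rating(score)


def cumulative_probability(annual_probability, years):
    """Chance of at least one occurrence over several years (the guide's
    '1% annually, about 5% over five years' for ransomware)."""
    return 1 - (1 - annual_probability) ** years


# The guide's five example risks with the likelihood and impact it assigns.
EXAMPLE_RISKS = {
    "Phishing-based payment fraud": ("Almost Certain", 4),
    "Ransomware attack": ("Unlikely", 5),
    "Insider data theft": ("Possible", 4),
    "Supply chain compromise": ("Possible", 4),
    "Cloud misconfiguration": ("Likely", 3),
}


def score_register(risks=EXAMPLE_RISKS):
    """Score every risk; returns {name: (likelihood, impact, score, rating)}."""
    return {name: (lk, im, *score_risk(lk, im)) for name, (lk, im) in risks.items()}


def after_control(likelihood_label, impact, bands_down=1):
    """Re-score a risk if a control lowers likelihood by `bands_down` bands."""
    labels = list(LIKELIHOOD)
    new_index = max(0, labels.index(likelihood_label) - bands_down)
    return labels[new_index], *score_risk(labels[new_index], impact)


if __name__ == "__main__":
    for name, (lk, im, score, rating) in score_register().items():
        print(f"{name:30} {lk:15} {im}  {score:2}  {rating}")
    # Likelihood down one band for phishing: 4 x 4 = 16, which is still High.
    print(after_control("Almost Certain", 4))
    print(f"{cumulative_probability(0.01, 5):.1%} over five years")
```

Dropping phishing from Almost Certain to Likely leaves it at 16 (High), which is why a single control rarely moves a top risk out of the urgent band on its own.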

Step 6: Identify Required Additional Controls (20 Minutes)

For each high or critical risk, document specific controls needed to reduce risk to acceptable levels.

Be specific about:

  • Exact control to implement

  • Expected cost (one-time and ongoing)

  • Implementation timeframe

  • Who will implement

  • Expected risk reduction

❌ Bad additional control documentation:

"Improve email security"

"Better training"

"Enhance backups"

✅ Good additional control documentation:

"Implement FIDO2 hardware security keys (Authentrend F11 Pro) for finance director and office manager. Cost: £45 per key × 2 = £90 one-time. Implementation: IT support to configure in next 2 weeks. Expected risk reduction: Phishing likelihood drops from Almost Certain to Likely (phishing still possible via other vectors but payment fraud via finance compromise significantly reduced)."

"Deploy KnowBe4 Security Awareness Training with monthly phishing simulations. Cost: £5 per user per month = £100/month ongoing. Implementation: HR to enroll all staff by end of month. Target: Reduce click rate on simulated phishing from unknown baseline to under 10% within 6 months. Expected risk reduction: Phishing success rate decreases, improving likelihood rating from Almost Certain to Likely."

Common additional controls needed by small businesses:

For phishing/email compromise:

  • FIDO2 hardware tokens for finance and senior staff

  • Advanced email filtering beyond basic platform defaults

  • Payment verification procedures (callback verification for any payment instruction changes)

  • Security awareness training with monthly phishing simulations

For ransomware:

  • Air-gapped or immutable backups tested monthly

  • Endpoint detection and response (EDR not just antivirus)

  • Vulnerability patch management (48-hour turnaround for critical patches)

  • Network segmentation to limit lateral movement

  • Privileged access management

For insider threats:

  • Access controls based on least privilege

  • Regular access reviews quarterly

  • Comprehensive logging and monitoring

  • Offboarding procedures that remove all access within 24 hours

  • Data loss prevention tools for high-risk roles

For supply chain risks:

  • Supplier security assessment questionnaire

  • Contractual requirements for minimum security standards

  • Incident notification clauses in contracts

  • Alternative supplier identification for critical services

For cloud security:

  • Cloud security posture management tools

  • MFA on all cloud services (no exceptions)

  • Principle of least privilege on cloud permissions

  • Regular security configuration reviews

  • Automated alerts for misconfigurations

Priority order: Critical risks first, then high risks, then medium risks.

Step 7: Assign Board-Level Ownership (10 Minutes)

Every risk needs a named owner at board or senior management level. Not "IT team." Not "everyone." One person who will be asked at every board meeting: "What's the status of this risk?"

Typical ownership assignments:

Risk | Owner | Rationale
Phishing/email compromise | Finance Director | Financial fraud is primary impact, affects finance processes
Ransomware | Operations Director | Business continuity and system availability is primary impact
Insider threats | HR Director | Staff-related risk, access management spans HR processes
Supply chain | Operations Director | Supplier management is operations responsibility
Cloud security | IT Manager (reporting to board) | Technical implementation with board oversight

Owners don't personally implement technical controls. They're accountable for ensuring controls are implemented, tested, and remain effective.

Step 8: Create Review Schedule (5 Minutes)

Risk registers decay if not reviewed regularly.

Quarterly review agenda (30 minutes):

  1. Review incidents from previous quarter (internal and industry-wide relevant incidents)

  2. Update likelihood assessments based on current threat intelligence

  3. Verify current controls still functioning (spot checks, test results)

  4. Progress update on additional controls implementation

  5. Budget allocation for pending control implementations

  6. Emerging risks assessment

  7. Document decisions and actions

Add to board meeting standing agenda as first item after finances. If board meetings are less frequent than quarterly, schedule dedicated risk review sessions.

Annual deep review (2-3 hours):

  • Complete reassessment of all risks

  • Full verification testing of all controls

  • External assessment or audit if budget allows

  • Update risk appetite statement

  • Review and update incident response plan

Step 9: Present to Board for Approval (Planning)

You now have a complete risk register. It needs board approval and budget allocation.

Prepare 10-minute board presentation covering:

  1. Why we created this (Episode 31 reference, government statistics, legal obligations)

  2. What we found (high-level summary: X critical risks, Y high risks, total estimated exposure £Z)

  3. Current gaps (specific controls we lack, with costs)

  4. Recommended actions (prioritized list with timelines and budgets)

  5. Decision required (approve budget for critical/high risk mitigation, or formally accept risks with documentation)

Use this specific framing:

"We've assessed our top five cyber risks using 2025 government statistics. We have three high-priority and two medium-priority risks. Our current controls reduce some exposure but significant gaps remain.

Implementing the recommended additional controls costs £X one-time plus £Y annually. This addresses risks that could cost us up to £Z in a single incident, with 28% of UK SMEs reporting a breach could close them.

If the board chooses not to fund these controls, we need formal documentation that the board has reviewed these risks, understands the potential consequences including business closure, and has determined the investment isn't justified. This is required for Companies Act governance compliance.

Recommended decision: Approve £X budget for immediate implementation of controls addressing critical and high risks, with quarterly review of effectiveness."

The "formal risk acceptance" phrase works miracles. Directors hate documenting that they explicitly accepted risks that could destroy the business.

Step 10: Implement and Monitor

Once approved:

  • Week 1-2: Implement quick wins (MFA, email filters, policy updates)

  • Week 3-4: Begin longer implementation projects (training, EDR, advanced backups)

  • Month 2-3: Complete implementation, verify all controls operational

  • Month 3: First quarterly review

Track these metrics monthly:

  • Controls implemented vs planned

  • Budget spent vs allocated

  • Test results for key controls

  • Incident count and severity

  • Near-miss count (attempted attacks detected and blocked)

Warning signs that your risk register is decaying:

  • Quarterly reviews getting skipped

  • Controls listed as "implemented" but not verified

  • No updates after incidents

  • No board discussion of cyber risk

  • Budget requests for additional controls always deferred

If you see these signs, the register has become compliance theatre. Stop lying to yourselves and either fix it or acknowledge you're not managing risk.

The Downloadable Template

Here's the actual spreadsheet structure to use:

Tab 1: Risk Register

Risk ID | Risk Description | Likelihood (1-5) | Impact (1-5) | Current Controls | Residual Risk Score (L × I) | Risk Rating | Additional Controls Needed | Target Risk Score | Owner | Review Date
R01 | [Specific scenario] | [1-5] | [1-5] | [Verifiable details] | [Calculate] | [Low/Med/High/Crit] | [Specific controls with costs] | [Target score] | [Named person] | [Next review]

Tab 2: Control Implementation Tracker

Control ID | Risk ID | Control Description | Owner | Cost (One-time) | Cost (Annual) | Implementation Date | Status | Verification Date | Notes
C01 | R01 | [Specific control] | [Name] | [£X] | [£Y] | [Target date] | [Not Started/In Progress/Complete] | [Last test] | [Issues/concerns]

Tab 3: Incident Log

Date | Risk ID | Incident Description | Impact | Controls That Failed | Controls That Worked | Actions Taken | Lessons Learned
[Date] | [ID] | [What happened] | [Cost/downtime] | [Which controls failed] | [Which worked] | [Response] | [Changes needed]

Tab 4: Review History

Review Date | Attendees | Risks Reviewed | Changes Made | Actions Assigned | Next Review Date
[Date] | [Names] | [Which risks] | [Updates] | [Action items] | [Next date]

This is the minimum viable structure. You can add columns for more detail, but don't remove anything listed above.

Common Mistakes to Avoid

Mistake 1: Vague risk descriptions
Creates: Inability to assess likelihood or impact accurately
Fix: Force yourself to describe complete attack scenarios from initial compromise to business impact

Mistake 2: Guessing likelihood instead of using statistics
Creates: Systematic underestimation of risk
Fix: Use government survey data, industry reports, and verified statistics

Mistake 3: Undocumented "current controls"
Creates: Illusion of protection that evaporates during actual incidents
Fix: Verify every control, document specifics, test regularly

Mistake 4: "IT team" as risk owner
Creates: Diffused responsibility, no accountability
Fix: Board-level or senior management ownership only

Mistake 5: Creating the register then never updating it
Creates: Useless compliance document
Fix: Quarterly reviews as standing board agenda item, skip at your peril

Mistake 6: Skipping the board presentation
Creates: No budget, no authority, no action
Fix: Schedule formal board presentation, make them approve or explicitly accept risks

Mistake 7: Implementing controls without testing
Creates: False confidence in protections that don't work
Fix: Test everything, document results, retest after changes

The 2-Hour Reality Check

You've now spent approximately 2 hours creating your first cyber risk register:

  • 30 minutes identifying risks

  • 20 minutes assessing likelihood

  • 30 minutes assessing impact

  • 20 minutes documenting current controls

  • 10 minutes calculating residual risk

  • 20 minutes identifying additional controls

  • 10 minutes assigning ownership

  • 5 minutes creating review schedule

  • 15 minutes building the actual spreadsheet

That's it. No consultant needed. No special software. No technical expertise required beyond basic business understanding.

The next quarterly review takes 30 minutes. That's 2 hours initial creation plus 2 hours annually for quarterly reviews. Eight hours per year total board time dedicated to managing risks that could permanently destroy your business.

If you cannot spare eight hours annually on risk governance, you're not running a business. You're gambling.

Create the register today. Present it next week. Start implementing immediately.

Because 28% of UK SMEs are one attack away from closure, and the only difference between them and the survivors is systematic risk management.

Source Table

Claim | Source | Date | URL
85% of breaches involve phishing | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025
43% of businesses breached | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025
1% experience ransomware annually | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025
28% of SMEs say attack could close them | Vodafone Business / WPI Strategy Report | April 2025 | vodafone.co.uk/newscentre/wp-content/uploads/2025/04/Vodafone-SME-Cybersecurity-April-2025.pdf
Average breach cost £1,600 (all), £3,550 (excl zeros) | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025
Average £3,398 (small), £5,001 (50+ employees) | Vodafone Business / WPI Strategy Report | April 2025 | vodafone.co.uk/newscentre/wp-content/uploads/2025/04/Vodafone-SME-Cybersecurity-April-2025.pdf
14% review supplier security | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025
19% of remote workers targeted | Vodafone Business / WPI Strategy Report | April 2025 | vodafone.co.uk/newscentre/wp-content/uploads/2025/04/Vodafone-SME-Cybersecurity-April-2025.pdf