RC-10 · Risk & Compliance · 20% of OML score

Does the business keep basic records of risk decisions and actions taken?

Do you write down and keep records of the risky situations you identify in your business and what you decide to do about them? This means having a paper trail (physical or digital) showing that you thought about dangers and took action.

Why This Matters to Your Business

Without records, if something goes wrong—like a customer's data leak or a cyber attack—you cannot prove you were being careful, which leads to lawsuits, regulatory fines, and loss of customer trust. For example, if your e-commerce business suffers a breach and you cannot show auditors that you had identified password risks and planned to fix them, the Income Tax Department or MEITY could impose penalties under data protection rules. Banks and large customers (like e-commerce platforms you sell through) increasingly demand proof of risk management before renewing contracts or increasing credit limits. Without documentation, you look unprepared, and you may lose business or face ₹50+ lakh fines under DPDP Act 2023.

What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You have no formal records at all. Risk decisions are made in conversations or phone calls, and nothing is written down or saved anywhere.

Level 1
Initial

You keep some scattered notes—maybe a WhatsApp message, an email, or a loose sheet—but they are disorganised, incomplete, and often lost after a few months.

Level 2
Developing

You have started keeping basic records in a simple format (a Word document or Excel sheet) noting risks found and actions planned, but entries are irregular and not always timestamped or signed off.

Level 3
Defined

You maintain a consistent log or register (digital or printed) of identified risks, decisions taken, and who approved them, updated at least quarterly and stored in one location.

Level 4
Managed

You have a documented Risk Register in a system (spreadsheet or simple tool) with clear columns for risk ID, date identified, description, decision taken, assigned owner, deadline, and review date; records are kept for at least 3 years.

Level 5
Optimised

You operate a formal Risk Management process integrated with business planning: risks are assessed against business impact, tracked in a live system, reviewed monthly, reported to leadership, and linked to audit trails and compliance evidence automatically.

How to Move Up — Practical Steps
Step | What to Do | Who | Effort
0 → 1 | Start a simple notebook or open a Word file titled 'Risk Log' and record any risk you identify this week with the date and what you plan to do about it. Save it in one folder on your computer. | Business Owner or IT Manager | 1 day
1 → 2 | Convert the notes into a basic Excel spreadsheet with columns: Date Identified, Risk Description, Decision/Action, Owner, Target Date, Status. Review it monthly and add new risks consistently. | IT Manager or Office Coordinator | 1 week
2 → 3 | Create a formal Risk Register document (printed or digital) following a standard template, include approval sign-offs from the owner/manager, store it securely, and commit to reviewing it every quarter with documented meeting notes. | IT Manager + Business Owner | 2-4 weeks
3 → 4 | Migrate the Risk Register into a simple cloud spreadsheet (Google Sheets or OneDrive) with role-based access, add a tracking column for evidence/completion, ensure all entries have creation and review dates, and establish a 3-year archival policy. | IT Manager | 1-2 months
4 → 5 | Integrate risk tracking into monthly business reviews, link risks to audit findings and compliance requirements, automate reminders for risk review owners, generate monthly reports for leadership, and connect risk data to incident and remediation tracking. | IT Manager + Compliance Officer | Ongoing (2-3 hours per month)
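As an added example (not code from the NIRMATA guide or its custodian), the following Python script checks a Risk Register exported from Google Sheets or Excel as CSV against the steps above: it verifies the Level 4 column set, flags open risks not reviewed within a quarter, flags risks recorded without a decision (a pitfall named on this page), and warns when fewer than 5 entries fall in the past 12 months. The column names, the 90-day review window and the sample rows are assumptions.

```python
"""Added example (not from the NIRMATA guide): check a Risk Register CSV
against the Level 4 columns, the quarterly review cadence and the evidence
checklist. Column names, the 90-day window and the rows are assumptions."""
import csv
import io
from datetime import date, timedelta

REQUIRED_COLUMNS = ["risk_id", "date_identified", "description", "decision",
                    "owner", "deadline", "review_date", "status"]
REVIEW_INTERVAL = timedelta(days=90)   # "updated at least quarterly" (Level 3)
MIN_RECENT_ENTRIES = 5                 # evidence checklist: 5 entries in 12 months

# Constructed sample register: R-003 records a risk but no decision,
# and R-004 is still open but has not been reviewed for over a quarter.
SAMPLE_CSV = """\
risk_id,date_identified,description,decision,owner,deadline,review_date,status
R-001,2024-02-10,Shared admin password on billing PC,Per-user accounts with MFA,IT Manager,2024-03-15,2024-06-01,Closed
R-002,2024-04-03,No backup of customer order sheet,Nightly cloud backup,Office Coordinator,2024-04-30,2024-06-01,Closed
R-003,2024-05-20,Password policy is weak,,IT Manager,2024-07-01,2024-06-01,Open
R-004,2024-01-15,Vendor laptop has no disk encryption,Require disk encryption,IT Manager,2024-02-28,2024-02-28,Open
"""


def check_register(csv_text, today):
    """Return a list of findings; an empty list means the register passes."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:   # rows cannot be judged without the Level 4 column set
        return ["missing columns: " + ", ".join(missing)]
    findings, recent = [], 0
    for row in rows:
        rid = row["risk_id"]
        if today - date.fromisoformat(row["date_identified"]) <= timedelta(days=365):
            recent += 1
        # Pitfall from this page: a risk recorded with no decision or action
        if not row["decision"].strip():
            findings.append(f"{rid}: risk recorded but no decision/action")
        overdue = today - date.fromisoformat(row["review_date"])
        if row["status"] != "Closed" and overdue > REVIEW_INTERVAL:
            findings.append(f"{rid}: open risk not reviewed for {overdue.days} days")
    if recent < MIN_RECENT_ENTRIES:
        findings.append(f"only {recent} entries in the past 12 months "
                        f"(auditors expect at least {MIN_RECENT_ENTRIES})")
    return findings


def check_sample():
    """Run the check on the constructed register as of 2024-07-01."""
    return check_register(SAMPLE_CSV, date(2024, 7, 1))
```

Running `check_sample()` on the constructed register returns three findings: the missing decision on R-003, the 124-day review gap on R-004, and the shortfall of only 4 entries in the past year.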
Evidence You Should Have

Documents and records that prove your maturity level.

  • Risk Register or Risk Log document (Excel, Word, or PDF) with at least 5 entries covering the past 12 months, showing date identified, risk description, and action taken
  • Signed approval or acknowledgment records (email, signature on form, or meeting minutes) showing that a manager or owner reviewed and approved risk decisions
  • Timestamped records (email chains, meeting notes, or system logs) showing when risks were communicated to relevant staff or departments
  • Completion or follow-up records (closed tickets, email confirmations, or status updates) showing what actions were taken to mitigate identified risks
  • Annual or quarterly Risk Management review document (meeting minutes or sign-off sheet) proving that risks were reviewed, updated, and re-assessed at planned intervals
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me how you document risks when your team identifies them? Where do these records live, and who has access?"
  • "Walk me through a recent risk you identified—what was it, when did you find it, what did you decide to do, and how do I verify that action was completed?"
  • "How long do you keep risk records, and can you demonstrate that older risks have been reviewed for closure or escalation?"
  • "If I picked a risk from 6 months ago, could you show me evidence that someone reviewed it, approved the mitigation plan, and monitored progress?"
  • "How are risk decisions communicated to relevant teams, and do you have proof that the right people knew about and understood the actions they were supposed to take?"
Tools That Work in India
Purpose | Free Option | Paid Option
Create and maintain a simple Risk Register with structured columns and basic filtering | Google Sheets (free Gmail account) or Microsoft Excel (if already licensed) | Microsoft 365 (₹600–₹1,200/year for small business)
Track risk remediation tasks, assign owners, set reminders, and maintain audit trails | Trello (free tier allows 1 board) or Asana (free tier with 15 team members) | Monday.com (₹1,200–₹2,400/month) or Jira (₹7,000–₹10,000/month for small teams)
Store and version-control risk documents securely with access logs and audit trails | Google Drive (free: 15 GB) or OneDrive (free: 5 GB, or ₹600/year for 100 GB) | Nextcloud self-hosted (variable) or Box (₹1,500–₹3,000/month)
How This Makes You More Resilient
When you keep clear records of risk decisions, you can respond faster to incidents because you already know what risks were known and what controls were supposed to be in place—this cuts investigation time and recovery costs. If a breach or audit happens, documented proof that you identified and managed risks responsibly protects you legally and financially, often turning a potential ₹50+ lakh fine into a smaller one or avoiding it entirely. Your customers and partners gain confidence that you are serious about security, which helps you win contracts and retain business.
Common Pitfalls in India
  • Keeping records only in the owner's or IT person's head or personal devices; when that person leaves or is unavailable, all knowledge of past risk decisions is lost, making it impossible to prove compliance or continuity
  • Writing risk records in English when your team speaks Hindi/local languages, leading to misunderstandings and inconsistent follow-up; always use the language your team understands
  • Creating a Risk Register once and never updating it; after 6 months it becomes outdated and irrelevant, and auditors will see it as a compliance checkbox rather than a working tool, which actually harms your credibility
  • Recording risks but not recording actions or decisions (e.g., 'Password policy is weak' but no entry on what you will do or when), which leaves no evidence that you took responsibility for fixing problems
  • Storing risk records on a personal computer without backup; a hardware failure or ransomware attack will destroy your entire audit trail, making it impossible to defend yourself in a breach investigation
Compliance References
Standard | Relevant Section
DPDP Act 2023 | Section 8 (Consent and Notice) and Section 9 (Processing of Personal Data)—requires documented evidence of risk assessment and reasonable security measures taken
CERT-In Guidelines 2022 | Rule 4 and Rule 5—organisations must maintain logs and records of security incidents and mitigation actions; applicable to critical infrastructure operators and large entities
ISO 27001:2022 | Clause 6.1 (Actions to Address Risks and Opportunities) and Clause 7.5 (Documented Information)—requires organisations to document risk assessments and decisions
NIST CSF 2.0 | Govern (GV) and Manage (GM) functions—organisations must maintain records of risk identification, response decisions, and monitoring activities

Ready to assess your organisation?

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
