If you never revisit your risk list, you'll spend money protecting against problems that don't exist anymore while ignoring new threats that have appeared. For example, a Delhi IT services company identified only 'server theft' as a risk in 2022, but added cloud storage in 2023 without updating their risk register—then suffered a data breach through misconfigured AWS buckets costing them ₹15 lakhs and a major customer contract. Banks and insurance companies conducting audits will flag 'stale risk assessments' as a critical finding. You might also fail RBI audits, lose client certifications, or discover too late that your cyber insurance doesn't cover new risks you've taken on.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You have no written risk register at all, or one created 3+ years ago that nobody has touched. When asked about your biggest risks, team members give different answers each time. |
| Initial | You have a basic risk list written down, but you haven't looked at it or updated it in more than 18 months. New threats from recent business changes are not mentioned anywhere. |
| Developing | You review your risk register once per year (usually when an auditor asks), but the review is a quick checklist with no real investigation into whether assumptions have changed. Most entries are unchanged year-to-year. |
| Defined | You conduct a structured risk review at least once per year with your management team and IT person, documenting what changed in your business, technology, and threat landscape, and updating your risk register accordingly. Review notes are kept with dates and signatures. |
| Managed | You review risks semi-annually (every 6 months) or after any significant business change (new service launch, major system upgrade, new regulation, breach news in your sector). You have a documented process, assigned owner, and a log of all reviews and changes made. |
| Optimised | You review risks every quarter as part of a formal governance process, with cross-functional input from operations, finance, sales, and IT. Risk owners are assigned and accountable. Any change in business context automatically triggers a risk review, and trends are tracked to predict emerging threats. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Schedule a 2-hour workshop with owner, finance person, and IT lead to list all business risks (data theft, supplier failure, regulatory fine, fraud, system downtime, reputation damage). Write them in a simple Excel sheet with date created. | Business owner + IT lead | 1 day |
| 1 → 2 | Add a 'Last Reviewed' column to your risk register and set a calendar reminder for one year from today to review it. On review day, check for new business changes (new customers, new systems, new regulations, industry breaches) and mark which risks are still valid. | IT lead or designated risk owner | 3 hours |
| 2 → 3 | Create a one-page Risk Review Template including: date, business changes since last review, new threats from news/industry, changes to likelihood/impact of each risk, new risks identified, review attendees, and signature. Conduct a formal annual review meeting with documented notes. | IT lead + business owner | 2-4 weeks (includes first formal review) |
| 3 → 4 | Assign a named Risk Owner (usually IT lead or compliance officer) with a documented job responsibility. Establish a trigger-based review process (review happens after system upgrades, new hires >10 people, new services, new regulations). Keep a log of all reviews and changes. Link reviews to your annual compliance calendar. | Business owner + HR + IT lead | 1-2 months |
| 4 → 5 | Move to quarterly risk reviews embedded in governance meetings. Create a risk trending dashboard (e.g., are cyber risks increasing? supplier risks decreasing?). Link risk changes to business strategy discussions. Train all team leads to flag emerging risks to the Risk Owner. | Risk owner + management team | Ongoing (1 hour per quarter, 4 hours annual setup) |
Documents and records that prove your maturity level.
- Risk Register document (Excel or Google Sheet) with columns: Risk ID, Description, Date Identified, Last Reviewed Date, Current Status, Likelihood, Impact, Owner
- Annual Risk Review Meeting Minutes dated and signed, showing discussion of business/technology/threat changes and risk updates
- Changelog or version history showing when and why risks were added, removed, or re-scored
- Business Context Log noting significant changes (new service/product, system upgrade, new regulation, major hire, customer/supplier change) with dates
- Documented Risk Review Schedule or calendar reminder evidence showing periodic review is scheduled
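An added example, not part of the NIRMATA page or its toolkit, that turns the register columns above, the review cadences from the maturity levels and the trigger-based review from step 3 → 4 into a check you can run against your own sheet exported as CSV. The sample register, the business-context events and the 18-month "untouched" threshold are constructed or taken from the page; the cadence days per level are an assumption based on the stated annual, semi-annual and quarterly cycles.

```python
"""Flag risk-register entries that are overdue for review, by cadence or by a logged business change."""
import csv
import io
from datetime import date, timedelta

# Review cadence in days for the target maturity level (annual at Defined,
# every 6 months at Managed, quarterly at Optimised). Assumed mapping of the page's cycles.
CADENCE_DAYS = {"Defined": 365, "Managed": 182, "Optimised": 91}
UNTOUCHED_DAYS = 548  # roughly 18 months with no review at all: the page's "Initial" symptom

# Constructed sample register using the column set the evidence list asks for.
REGISTER_CSV = """Risk ID,Description,Date Identified,Last Reviewed Date,Current Status,Likelihood,Impact,Owner
R-001,Server theft from office,2022-03-10,2022-03-10,Open,Low,High,IT lead
R-002,Misconfigured cloud storage bucket,2023-06-01,2024-02-15,Open,Medium,High,IT lead
R-003,Supplier failure,2022-03-10,2024-06-15,Open,Low,Medium,Business owner
"""

# Constructed Business Context Log: each entry is a change that should trigger a review.
CONTEXT_LOG = [
    {"date": "2024-04-02", "change": "system upgrade", "note": "File server migrated to cloud storage"},
    {"date": "2024-06-10", "change": "new regulation", "note": "New data protection rules notified"},
]


def parse_register(text):
    """Read the CSV export and turn 'Last Reviewed Date' into a date object."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Last Reviewed Date"] = date.fromisoformat(row["Last Reviewed Date"])
    return rows


def overdue_risks(rows, context_log, level, today_iso):
    """Return {risk_id: reason} for every entry that needs a review as of today_iso."""
    today = date.fromisoformat(today_iso)
    max_age = timedelta(days=CADENCE_DAYS[level])
    findings = {}
    for row in rows:
        last = row["Last Reviewed Date"]
        if today - last > max_age:
            findings[row["Risk ID"]] = f"last reviewed {last}, exceeds {level} cadence"
            continue
        # Trigger-based review: any logged business change after the last review reopens the entry.
        later = [e for e in context_log if date.fromisoformat(e["date"]) > last]
        if later:
            findings[row["Risk ID"]] = f"business change after last review: {later[0]['change']}"
    return findings


def register_looks_untouched(rows, today_iso):
    """True when even the most recent review is older than the 18-month threshold."""
    newest = max(row["Last Reviewed Date"] for row in rows)
    return date.fromisoformat(today_iso) - newest > timedelta(days=UNTOUCHED_DAYS)
```

Run it before each review meeting and paste the findings into the Risk Review Template so the changelog records why each entry was re-opened.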
Prepare for these questions from customers or third-party reviewers.
- "When was your risk assessment last reviewed and updated? Can you show me the review notes and who attended?"
- "What business, technology, or threat landscape changes have occurred since your last risk review? How did these change your risk profile?"
- "Show me how you identified new risks. How do you know you haven't missed any?"
- "Who is responsible for maintaining and reviewing the risk register? What is their timeline and governance approval process?"
- "Have you ever removed a risk from your register? On what basis? Can you show the decision and approval?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and track your risk register with versioning and review history | Google Sheets or LibreOffice Calc (set sharing permissions and add notes with dates) | Microsoft Excel with OneDrive version history, or Notion (₹0-2000 depending on team size) |
| Track business changes and compliance updates relevant to your risks (regulations, breaches in your sector, new threats) | RSS feed reader (Feedly free version) + CERT-In alerts (free email subscription at cert-in.org.in), Google News alerts | SecurityTrails (₹5000-15000/year) or industry-specific threat intel service |
| Document and track risk review meetings and decisions with audit trail | Google Docs or Notion for meeting templates and notes (with access logs) | Jira or Monday.com (₹2000-10000/year depending on team) for formal workflow tracking |
- Treating the annual compliance audit as your only reason to touch the risk register—meaning risks stay frozen in time and new threats are missed until an auditor points them out (too late).
- Reviewing risks on paper but never actually changing your protections or budget based on findings—so your risk register becomes a filing exercise rather than a real business tool.
- Only the IT person knowing about risks, so when they leave or get busy, nobody remembers when the last review was—use a formal process and calendar so the business remembers, not just one person.
- Confusing a risk review with a security audit—a risk review is about asking 'is this still a threat?' while an audit asks 'are we protected against this threat?' They're different and both needed.
- Not documenting which business changes triggered a risk review update, so auditors and new team members cannot trace why risks changed and cannot trust your register as a historical record.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(2)(f) - Controller must conduct Data Protection Impact Assessment and periodically review security measures based on evolving risks |
| CERT-In 2022 Directions | Direction 4 & 5 - Organizations must conduct periodic risk and security assessments and implement corrective measures |
| ISO 27001:2022 | Clause 6.1 (Planning to address risks and opportunities) and Annex A A.12.6.1 (Management of information security incidents) - periodic review of controls and risks |
| NIST CSF 2.0 | Govern (GV) Function - GV.RO Risk Oversight: Regular identification and analysis of information and cybersecurity risks |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.