Feb 20 2026

Risk Registers vs. GRC Charters: What Comes First?

Category: GRC | disc7 @ 2:29 pm

“You can’t have a risk register without an approved GRC charter.”

I hear this statement often — and it’s a myth worth clarifying.

A risk register is an operational tool. Many organizations create and use one long before they formalize governance structures. Major frameworks from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) don’t require a GRC charter as a prerequisite to building a risk register.

However, here’s the nuance: a GRC charter gives the risk register authority. It defines ownership, executive sponsorship, and decision rights. Without governance backing, a risk register can exist — but it risks becoming a passive checklist instead of a strategic decision tool.

The practical takeaway: you can start managing risks immediately, but for long-term effectiveness, formal governance should follow quickly. Mature organizations align their risk registers with a clear charter to ensure accountability and impact.

Risk management is not about paperwork — it’s about enabling better decisions.

Here’s a policy-style version you can use for internal documentation:


Risk Register Governance Policy Statement

The organization maintains a risk register as a formal mechanism to identify, assess, document, and monitor enterprise risks. The existence of a risk register does not depend on the prior approval of a formal Governance, Risk, and Compliance (GRC) charter; however, effective risk management requires clear governance authority and executive sponsorship.

Consistent with guidance from the National Institute of Standards and Technology and standards published by the International Organization for Standardization, the organization recognizes that a risk register is an operational tool that supports decision-making at all levels. A formal GRC charter strengthens the effectiveness of the risk register by defining roles, responsibilities, and accountability for risk ownership and acceptance.

Where a GRC charter is not yet established, management may initiate and maintain a risk register to support ongoing risk management activities. The organization will work toward formalizing governance structures to ensure that risks documented in the register are reviewed, prioritized, and acted upon with appropriate authority.

The objective of this policy is to ensure that the risk register functions as a living management instrument that informs strategic and operational decisions, rather than as a static compliance artifact.


#RiskRegister #GRCCharter


Tags: GRC Charter, Risk Register


Jan 23 2025

State threats to national security

Category: Cyber Threats | disc7 @ 4:41 pm

The state threats outlined in the 2025 National Risk Register focus on risks posed by hostile states and their potential impact on critical national infrastructure (CNI), financial systems, and communications networks. Key findings include:

  1. Cyber Attacks on Financial Systems: State and non-state actors could target financial market infrastructures (FMIs) and retail banks, leading to system failures, data breaches, and prolonged outages. Such incidents risk eroding public confidence in financial systems, disrupting transactions, and causing economic instability. Recovery from these attacks could take weeks to months, depending on the severity.
  2. Disruption of Critical Infrastructure: Malicious attacks on telecommunications, such as transatlantic cables or space-based systems, could severely impact data communication, government operations, and emergency services. These risks, while low in likelihood, have significant consequences, including economic losses and interruptions to essential services like energy and transport.
  3. Economic and Strategic Risks: The report emphasizes the potential consequences of geopolitical conflicts and economic vulnerabilities. Examples include the UK’s integration with European energy markets, where supply disruptions or price volatility could result from global or regional tensions, including threats to global oil trade routes.

In response, robust incident management frameworks and recovery plans, such as the UK’s Authorities’ Response Framework (ARF), are critical to mitigate the effects of these threats. The focus remains on resilience-building and safeguarding national security.

“The National Risk Register is the external [published] version of the [internal, classified] National Security Risk Assessment which is the government’s assessment of the most serious risks facing the UK.”

In 180 pages, the NRR describes significant risks, threats and hazards categorized as: terrorism; cyber; state; geographic and diplomatic; accidents and systems failures; natural and environmental [plus] human, animal and plant health; societal; or conflict and instability. Each risk is described as a ‘reasonable worst case scenario’, most with plots of estimated probabilities over 2 years (if malicious) or 5 years (benign) against domestic impacts, along with the necessary response and recovery activities.

The introduction by Pat McFadden, chairman of the UK Cabinet resilience committee, refers to recent and current incidents, not just in the UK (e.g. CrowdStrike and US wildfires), emphasising resilience at a national level. [NIS 2, in contrast, concerns resilience both nationally and internationally across Europe, acknowledging the regional and in fact global nature of shared infrastructure, supply chains and threats.]

Pat concludes the intro with a call to action: “I encourage all risk and resilience professionals to consider the risks in this publication, and join our collective endeavor to make the UK more prosperous and resilient.” Hopefully we are doing more than ‘consider’, for example comparing and contrasting our corporate risk registers, priorities and actions against the NRR, and adopting a similarly dynamic risk management approach with frequent updates rather than the usual once-a-year.

To review the complete UK risk register 2025 report: National Risk Register 2025 edition

Tags: cyber threats, National Threats, Risk Register, State Threats, UK Threat report