Modern information security risk management

The annual spreadsheet refresh is dead. A modern programme is continuous, asset-linked, indicator-driven and built to support — not replace — the compliance-automation suites your auditors already love.

Michael McCarroll · 16 min read · Updated June 2026

Why the annual risk assessment broke

The annual risk assessment was designed for a world where the threat surface changed slowly: a known perimeter, a small set of vendors, a single office and a known staff list. None of those constraints hold for an internet-facing organisation in 2026. The threat surface changes every time a developer signs up for a SaaS tool, every time the marketing team plugs an AI agent into the CRM, every time a vendor sub-processor is added.

Running risk on an annual cadence in that environment produces a register that is, on average, six months out of date — which means it is wrong precisely when leadership needs it most. The fix is not a bigger workshop. The fix is to move from assessment as a project to risk management as an operating process.

The three loops of a continuous programme

Step 1

The change loop — daily, automatic

New asset onboarded, new vendor signed, new control deployed, new vulnerability disclosed. Each event raises a candidate risk or updates an existing one. The change loop runs in the background, fed by your asset inventory, vendor system, vulnerability scanner and ticketing tool.

Step 2

The review loop — fortnightly, human

30 minutes, same calendar slot, same template. Walk new and changed risks, review overdue treatments, validate any KRI/KCI alerts. The review loop is where humans decide what the change loop surfaced.

Step 3

The governance loop — quarterly, leadership

Top-10 residual risks, trend lines, control-effectiveness rollups, capacity vs treatment backlog. The governance loop sets risk appetite and approves treatments that need investment.

A register without all three loops is a checklist. With all three, it becomes a management system that auditors recognise and leadership uses.

The asset-risk-control triangle

Every risk in a modern register has three mandatory links:

  • Asset(s) under threat — what is exposed if the risk materialises. Without an asset, the risk is abstract and cannot be prioritised.
  • Control(s) treating it — what is in place to reduce likelihood or impact. Without a control, the risk has no treatment.
  • Owner with a due date — who is doing what by when. Without an owner, the risk drifts.

The triangle is the smallest unit of risk management. A register that maintains it for every risk is decision-grade. A register that does not is documentation theatre.
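The triangle is easy to state and easy to let slip in a live register, so it is worth checking mechanically. The following is an added example, not code from the article or from any product it mentions: a small lint that walks a register and reports every risk missing an asset link, a treating control, or an owner with a due date, and flags overdue treatments while it is there. The register rows, IDs, asset and control names and the review date are constructed.

```python
"""Lint a risk register for the asset-risk-control triangle.

Added example, not part of the original article or any product: each
risk must carry an asset link, a treating control, and an owner with a
due date. Risks missing any link are reported, and overdue treatments
are reported alongside them. The register rows are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Risk:
    risk_id: str
    title: str
    assets: List[str] = field(default_factory=list)    # what is exposed
    controls: List[str] = field(default_factory=list)  # what treats it
    owner: Optional[str] = None                        # who
    due: Optional[date] = None                         # by when


def lint_risk(risk: Risk, today: date) -> List[str]:
    """Return the triangle defects for one risk; an empty list means decision-grade."""
    defects = []
    if not risk.assets:
        defects.append("no asset")
    if not risk.controls:
        defects.append("no control")
    if not risk.owner:
        defects.append("no owner")
    if risk.due is None:
        defects.append("no due date")
    elif risk.due < today:
        defects.append(f"treatment overdue by {(today - risk.due).days} days")
    return defects


def lint_register(register: List[Risk], today: date) -> Dict[str, List[str]]:
    """Map risk_id -> defects for every risk that has at least one defect."""
    report = {}
    for risk in register:
        defects = lint_risk(risk, today)
        if defects:
            report[risk.risk_id] = defects
    return report


def triangle_coverage(register: List[Risk]) -> float:
    """Fraction of risks with all three links present (itself a usable KCI)."""
    if not register:
        return 0.0
    complete = sum(1 for r in register if r.assets and r.controls and r.owner and r.due)
    return complete / len(register)


# Constructed sample register; IDs, assets and control names are hypothetical.
SAMPLE_REGISTER = [
    Risk("R-001", "Critical CVE unpatched on internet-facing gateway",
         ["web-gateway"], ["patch-sla-14d"], "ops-lead", date(2026, 7, 31)),
    Risk("R-002", "Vendor sub-processor added without review",
         ["crm"], [], "vendor-manager", date(2026, 6, 1)),
    Risk("R-003", "AI agent connected to CRM with broad OAuth scopes",
         ["crm", "customer-pii"], ["oauth-scope-review"]),
]
TODAY = date(2026, 6, 15)  # constructed review date

if __name__ == "__main__":
    for risk_id, defects in lint_register(SAMPLE_REGISTER, TODAY).items():
        print(risk_id, "->", "; ".join(defects))
    print(f"triangle coverage: {triangle_coverage(SAMPLE_REGISTER):.0%}")
```

Run against a real export, the lint output is the first agenda item of the fortnightly review, and the coverage figure is a natural KCI for the programme itself.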

KRIs and KCIs — the indicators that make risk measurable

Conventional risk scoring is subjective. KRIs and KCIs are how mature programmes inject objectivity.

Indicator | Type | Example threshold
% of critical CVEs unpatched >14 days | KRI | Amber >5%, Red >10%
% of endpoints with disk encryption verified ≤7 days | KCI | Amber <98%, Red <95%
Phishing simulation click rate, 90-day rolling | KRI | Amber >8%, Red >15%
MFA coverage across privileged accounts | KCI | Amber <100%, Red <98%
Vendor concentration in critical category | KRI | Amber >60% one vendor, Red >80%
% of risks with current treatment evidence | KCI | Amber <90%, Red <80%

Pick six to twelve indicators to start. Wire them to thresholds, surface breaches in the fortnightly review, and report trends to leadership quarterly. This is where risk stops being a feeling and starts being a number.
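Wiring indicators to thresholds has one trap worth showing in code: KRIs and KCIs breach in opposite directions. A KRI such as unpatched CVEs goes red when the reading rises above the threshold; a KCI such as MFA coverage goes red when it falls below. The following is an added example, not code from the article or any product, that evaluates a set of readings against the thresholds in the table above and produces the breach list for the fortnightly review. The readings are constructed percentages for one review cycle.

```python
"""Evaluate KRI and KCI readings against amber/red thresholds.

Added example, not part of the original article or any product. The
evaluator is direction-aware: a KRI breaches when the reading rises
above its threshold, a KCI breaches when coverage falls below it.
Thresholds come from the article's table; the readings are constructed
percentages for one fortnightly review.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    name: str
    kind: str      # "KRI" (higher is worse) or "KCI" (lower is worse)
    amber: float   # percentage threshold
    red: float

    def status(self, reading: float) -> str:
        """Return 'green', 'amber' or 'red' for one percentage reading."""
        if self.kind == "KRI":
            if reading > self.red:
                return "red"
            if reading > self.amber:
                return "amber"
            return "green"
        # KCI: breach when coverage drops below the threshold
        if reading < self.red:
            return "red"
        if reading < self.amber:
            return "amber"
        return "green"

    def trend(self, previous: float, current: float) -> str:
        """Direction of travel between two readings, expressed in risk terms."""
        if current == previous:
            return "flat"
        worsening = current > previous if self.kind == "KRI" else current < previous
        return "worsening" if worsening else "improving"


# Thresholds as given in the article's table.
INDICATORS = [
    Indicator("% of critical CVEs unpatched >14 days", "KRI", amber=5, red=10),
    Indicator("% of endpoints with disk encryption verified ≤7 days", "KCI", amber=98, red=95),
    Indicator("Phishing simulation click rate, 90-day rolling", "KRI", amber=8, red=15),
    Indicator("MFA coverage across privileged accounts", "KCI", amber=100, red=98),
    Indicator("Vendor concentration in critical category", "KRI", amber=60, red=80),
    Indicator("% of risks with current treatment evidence", "KCI", amber=90, red=80),
]

# Constructed readings (percent) for one review cycle.
SAMPLE_READINGS = {
    "% of critical CVEs unpatched >14 days": 7.0,
    "% of endpoints with disk encryption verified ≤7 days": 99.0,
    "Phishing simulation click rate, 90-day rolling": 16.0,
    "MFA coverage across privileged accounts": 99.0,
    "Vendor concentration in critical category": 50.0,
    "% of risks with current treatment evidence": 85.0,
}


def review_agenda(readings: Dict[str, float]) -> List[Tuple[str, str]]:
    """Breached indicators for the fortnightly review, red before amber."""
    rank = {"red": 0, "amber": 1}
    breaches = []
    for ind in INDICATORS:
        status = ind.status(readings[ind.name])
        if status != "green":
            breaches.append((ind.name, status))
    # sorted() is stable, so indicators keep table order within a band
    return sorted(breaches, key=lambda item: rank[item[1]])


if __name__ == "__main__":
    for name, status in review_agenda(SAMPLE_READINGS):
        print(f"{status.upper():5} {name}")
```

Note that the MFA KCI with an amber threshold of 100% means any privileged account without MFA is an amber by construction; that is the intent of the table, since the control is expected to be complete.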

Where compliance automation suites fit (and don't)

Vanta, Drata, Sprinto, Hyperproof and the wider compliance-automation pack are excellent for one specific job: collecting evidence that a defined set of controls is in place for SOC 2 or ISO 27001 certification. They monitor a list of integrations, watch for control drift and produce auditor-friendly evidence packs. If that is your job, they are worth every penny.

What they do not do — and were not designed to do — is run a risk management methodology. They do not:

  • Maintain a risk register beyond a thin compliance-driven view.
  • Score residual risk against a 5×5 with editable criteria.
  • Link risks to assets and threats in a way an auditor can trace.
  • Manage treatments, owners and due dates beyond the certification scope.
  • Cover ISO 31000, ISO 42001, ISO 9001, ISO 20000-1 or enterprise risk in any depth.

The right 2026 stack is both: a compliance-automation suite for evidence and certification, plus a purpose-built risk platform for the risk layer underneath. Pretending one tool covers both jobs is how organisations end up with strong audit results and weak risk discipline.

Board reporting that actually lands

Step 1

Lead with trend, not snapshot

A single-page heatmap tells the board nothing about whether you are getting better or worse. A 12-month residual-risk trend chart, broken out by risk family, tells them in seconds.

Step 2

Show control effectiveness alongside risk

Pair the residual-risk trend with the KCI scorecard. The board should see that risk is going down and that the controls keeping it down are working, not just one or the other.

Step 3

Highlight what changed since last quarter

Three slides max: top-3 new risks added, top-3 risks materially escalated, top-3 risks materially de-escalated, with the why. This is the slide the audit committee actually reads.

Step 4

Always close with a capacity question

"We have N high-rated risks needing treatment, current team capacity treats M per quarter. Investment decision required to close the gap." Risk reporting that does not ask for a decision is just news.

A 30-day move from snapshot to continuous

  1. Week 1. Migrate the register out of the spreadsheet into a tool that supports asset and control links. Cull dead risks.
  2. Week 2. Pick six KRIs and six KCIs. Wire them to data sources you already have.
  3. Week 3. Run the first fortnightly review. Keep it to 30 minutes. Document the agenda template.
  4. Week 4. Draft the new board pack format. Replace the static heatmap with a trend chart and a KCI scorecard.

By day 30 the programme is operating continuously. Maturity comes from running the cadence for six months, not from the tool change itself.

Run the risk layer your compliance suite isn't designed to cover

ISO-STANDARD.app is a purpose-built risk register — asset-linked, control-linked, 5×5 scored, with audit-ready exports. Pair it with whatever compliance-automation suite you already use; they are designed for different jobs.

ISO-STANDARD.app ships a ready-to-adopt information security risk management workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.

Frequently asked questions

What's wrong with the annual risk assessment workshop?

Nothing, if your threat landscape only changes once a year. In every other organisation, the workshop output is out of date within weeks: new vendors arrive, staff change, the threat intel shifts, controls fail and recover. An annual workshop produces a document; a continuous register produces a management system.

Are KRIs and KCIs the same thing?

No. A Key Risk Indicator measures how likely something is to go wrong — for example, percentage of unpatched critical CVEs. A Key Control Indicator measures whether a control is operating as intended — for example, percentage of laptops with disk encryption verified in the last 7 days. Mature registers track both, against thresholds, with automatic alerts.

Where do automated compliance suites fit?

They are excellent at evidence collection and control-status monitoring for a defined certification (SOC 2, ISO 27001 controls). They do not run a risk methodology, score residual risk, prioritise treatment, or model emerging risks. Buy them for what they are; do not expect them to run your risk programme.

How often should the risk register be reviewed?

The register itself should be live — every meaningful change touches it. Formal reviews split into three cadences: fortnightly operational walk-through, quarterly leadership review of top risks and trends, annual management review of the methodology itself.

What's the most over-engineered part of most risk programmes?

Risk scoring. Teams spend months debating whether a risk is a 12 or a 15 instead of getting on with treatment. Pick a 5×5 with clearly written criteria, train the team for a day, and accept that scores are estimates. Consistency matters more than precision.
