Why the spreadsheet era is finally ending, where most organisations actually sit on the maturity curve, and the four moves that separate a living risk programme from an annual ritual.
Michael McCarroll — Founder · 20+ yrs GRC, ISO 27001 lead implementer · 14 min read · Updated June 2026
The market got the words wrong
Search "risk management software" and the first ten results are mostly compliance-automation suites — Vanta, Drata, Sprinto, Hyperproof and the wider GRC pack. They are excellent at what they do: collecting evidence that a defined set of controls is in place for a specific certification. That is compliance work.
Risk management is a different discipline. It asks a different question: given what could go wrong, where should we spend the next pound of effort? Compliance asks can we prove the control exists? Both questions matter. They are not interchangeable, and a tool optimised for the second rarely answers the first well.
The conflation has consequences. Mid-market teams buy compliance-automation suites expecting a risk programme and discover, six months in, that the risk register is still a spreadsheet on someone's laptop. The certification arrives; the risk discipline never does.
A four-stage maturity model
Stage 1 — Ad hoc
Risks live in people's heads and in last week's incident write-up. There is no register, no owner, no scoring. Common in pre-revenue startups and very small consultancies. Honest, but unsustainable past a handful of staff or the first customer-security questionnaire.
Stage 2 — Reactive spreadsheets
A spreadsheet exists. It was created for the last ISO or SOC audit and is refreshed annually, usually in the fortnight before the surveillance visit. Scores are subjective, owners are out of date, and most rows have not been touched since the last review. This is where ~70% of organisations actually sit, regardless of what the leadership team tells the board.
Stage 3 — Process
A defined risk methodology exists (usually 5×5 likelihood × impact), risks have named owners, treatments are tracked, and reviews happen quarterly. Reporting is consistent. The register links to controls and is referenced by leadership. Auditors find no material issues with the risk process itself. This is where ISO 27001-certified mid-market organisations should be — and where the genuinely mature ones are.
Stage 4 — Continuous & quantitative
Risks are reviewed continuously, not periodically. Key risk indicators (KRIs) feed the register from operational systems. Residual risk is recalculated whenever a control changes status. AI, vendor and emerging-tech risks are captured alongside traditional infosec risks. Board reports show trend lines, not snapshots. Currently fewer than 10% of organisations. By 2028 this will be the new floor for regulated industries.
Why most organisations overestimate their stage
We see a consistent pattern in client onboardings: leadership rates the programme one stage higher than the evidence supports. The reason is that the team can describe the process in interview, so it feels real. But the artefacts tell a different story: the register has not been edited in six months, half the owners have left, and the heatmap has not been regenerated since the last audit.
Three honest tests to grade yourself:
The 30-day test. Open the register. How many risks have a real edit (not a date bump) in the last 30 days? If the answer is under 10%, you are Stage 2.
The owner test. Pick five risks at random. Email the named owners and ask them to describe the risk in their own words. If two cannot, you are Stage 2.
The linkage test. Pick five risks. Can you trace each to a specific asset, a specific control, and a specific treatment action with a due date? If not, you are not yet Stage 3.
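Two of the three tests can be run mechanically against register exports. The script below is an added example, not code from the original article or from ISO-STANDARD.app; it assumes a CSV export with the column names shown and uses two constructed snapshots (a previous export and today's) so that a row whose only change is its review date is recognised as a date bump rather than a real edit. The owner test is a conversation and is deliberately not automated here.

```python
"""Self-grade a risk register export against the 30-day and linkage tests.

Added example (not part of the original article or of ISO-STANDARD.app).
Assumes a CSV export with the columns used below. Two snapshots are needed
to tell a real edit from a date bump.
"""
import csv
import io
from datetime import date, timedelta

# A change in any of these columns is a real edit; a change only in
# last_reviewed is a date bump and does not count.
CONTENT_FIELDS = ("title", "owner", "likelihood", "impact", "asset",
                  "control", "treatment", "treatment_due")
LINKAGE_FIELDS = ("asset", "control", "treatment", "treatment_due")

# Constructed sample exports: the previous snapshot and today's.
PREVIOUS_CSV = """\
id,title,owner,likelihood,impact,asset,control,treatment,treatment_due,last_reviewed
R1,Phishing of finance staff,alice,4,4,Payroll system,A.6.3 awareness,Run simulation,2026-05-01,2026-03-20
R2,Key-person loss (sole DBA),bob,3,5,Customer DB,,Document runbooks,,2026-01-10
R3,SaaS vendor outage,carol,3,3,CRM,A.5.19 supplier,Contract SLA review,2026-04-15,2026-02-01
R4,Shadow AI use,,3,4,,,,,2026-01-10
"""
CURRENT_CSV = """\
id,title,owner,likelihood,impact,asset,control,treatment,treatment_due,last_reviewed
R1,Phishing of finance staff,alice,3,4,Payroll system,A.6.3 awareness,Run simulation,2026-05-01,2026-06-10
R2,Key-person loss (sole DBA),bob,3,5,Customer DB,,Document runbooks,,2026-06-10
R3,SaaS vendor outage,carol,3,3,CRM,A.5.19 supplier,Contract SLA review,2026-04-15,2026-02-01
R4,Shadow AI use,,3,4,,,,,2026-01-10
"""


def parse_register(text):
    """Map risk id -> row dict from a CSV export."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}


def real_edits_last_30_days(previous, current, today):
    """Ids reviewed in the last 30 days whose content actually changed.

    R2 above was re-dated but not otherwise touched, so it is excluded.
    A risk absent from the previous snapshot is new and counts as an edit.
    """
    cutoff = today - timedelta(days=30)
    edited = []
    for rid, row in current.items():
        if date.fromisoformat(row["last_reviewed"]) < cutoff:
            continue
        before = previous.get(rid)
        if before is None or any(row[f] != before[f] for f in CONTENT_FIELDS):
            edited.append(rid)
    return edited


def linkage_gaps(current):
    """{id: [missing fields]} for risks that fail the linkage test."""
    gaps = {}
    for rid, row in current.items():
        missing = [f for f in LINKAGE_FIELDS if not row[f].strip()]
        if missing:
            gaps[rid] = missing
    return gaps


def grade(previous, current, today):
    """Apply the article's thresholds: <10% real edits -> Stage 2;
    any linkage gap -> not yet Stage 3; otherwise Stage 3 on these tests."""
    edits = real_edits_last_30_days(previous, current, today)
    ratio = len(edits) / len(current)
    gaps = linkage_gaps(current)
    if ratio < 0.10 or gaps:
        stage = 2
    else:
        stage = 3
    return {"real_edits": edits, "edit_ratio": ratio,
            "linkage_gaps": gaps, "stage": stage}


def run_example(today=date(2026, 6, 12)):
    return grade(parse_register(PREVIOUS_CSV), parse_register(CURRENT_CSV), today)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the constructed data only R1 counts as a real edit (its likelihood changed); R2 is a date bump, and R2 and R4 fail the linkage test, so the register grades as Stage 2 despite a quarter of rows carrying a fresh review date.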
The four moves that separate Stage 3+ programmes
Move from project to process
Stop running an annual risk workshop. Replace it with a recurring 30-minute risk review on the same calendar slot every fortnight. Same people, same agenda, same template. The cadence is the programme.
Link every risk to an asset and a control
A risk that does not threaten a named asset is not a risk — it is anxiety. A risk that is not treated by a named control is not managed — it is logged. The register's job is to maintain those two links and keep them current.
Make residual risk a real number
Residual is the inherent score scaled down by how effective the treating controls actually are: residual = inherent × (1 − control effectiveness). If your control effectiveness is "high / medium / low" you are guessing. If it is "0–100 based on last test outcome", you have a number leadership can act on, and residual can be recalculated the moment a control fails a test or is retired. This is the move enterprise risk has made; SMB risk needs to follow.
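The arithmetic, as an added example that is not code from the original article or from ISO-STANDARD.app. It assumes a 5×5 likelihood × impact scale, a 0–100 effectiveness per control taken from its last test, and that independent controls combine multiplicatively (each lets through a fraction of what the previous one left); the band thresholds and the sample risk and control names are constructed for illustration.

```python
"""Residual risk from inherent score and tested control effectiveness.

Added example (not part of the original article or of ISO-STANDARD.app).
Assumptions: 5x5 likelihood x impact; effectiveness 0-100 from the last
test; independent controls combine multiplicatively; band thresholds are
illustrative.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: int            # 0-100 from the last test outcome
    status: str = "operating"     # "operating" | "failed" | "retired"

    def passthrough(self):
        """Fraction of the inherent risk this control lets through.
        A failed or retired control lets everything through."""
        if self.status != "operating":
            return 1.0
        return 1 - self.effectiveness / 100


@dataclass
class Risk:
    id: str
    likelihood: int               # 1-5
    impact: int                   # 1-5
    controls: list = field(default_factory=list)

    def inherent(self):
        return self.likelihood * self.impact

    def passthrough(self):
        """Combined fraction let through by all operating controls."""
        fraction = 1.0
        for control in self.controls:
            fraction *= control.passthrough()
        return fraction

    def residual(self):
        return round(self.inherent() * self.passthrough(), 1)


def band(score):
    """Illustrative banding on the 1-25 scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def recalculate_on_change(risk, control_name, new_status, new_effectiveness=None):
    """Update one control and return (residual before, residual after).
    This is the recalculation a Stage 4 register does automatically."""
    before = risk.residual()
    for control in risk.controls:
        if control.name == control_name:
            control.status = new_status
            if new_effectiveness is not None:
                control.effectiveness = new_effectiveness
    return before, risk.residual()


def make_example_risk():
    """Constructed sample: phishing of finance staff, two treating controls."""
    return Risk("R1", likelihood=4, impact=5, controls=[
        Control("Security awareness programme", effectiveness=50),
        Control("MFA on payroll login", effectiveness=80),
    ])


if __name__ == "__main__":
    risk = make_example_risk()
    print(f"inherent {risk.inherent()}, residual {risk.residual()} ({band(risk.residual())})")
    before, after = recalculate_on_change(risk, "MFA on payroll login", "failed")
    print(f"MFA failed its test: residual {before} -> {after} ({band(after)})")
```

With both controls operating the inherent 20 comes down to 2.0; the moment the MFA control is marked failed the residual jumps to 10.0 and crosses into the next band, which is exactly the movement a fortnightly review and a trend chart exist to surface.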
Capture the categories most registers miss
Audit your top-50 risks for coverage of: AI and model risk, vendor and supply-chain concentration, climate and physical risk, geopolitical and sanctions risk, and talent and key-person risk. Most 2020-era registers cover none of these. Most 2026 audits will ask about all of them.
What 'good' looks like in 2026
The 2026 risk function shares five traits we did not see at scale before 2024:
The register is the source of truth — not a spreadsheet exported from one.
Risks are tagged by domain (cyber, AI, supplier, regulatory, operational, climate) so leadership can read the heatmap by lens.
KRIs from operational tools (asset inventory, IAM, vendor reviews, security scan results) feed the register automatically.
AI is its own risk domain with its own scoring sub-criteria, not a footnote under cyber.
Board packs show 12-month residual-risk trend lines, not a single-page heatmap.
None of this requires expensive enterprise GRC software. It requires a clear methodology, a register that supports the methodology, and the discipline to run a fortnightly cadence. The tooling cost in 2026 is a fraction of what it was in 2016 — the discipline gap is the only real barrier left.
A 90-day plan to move up a stage
Days 1–14 — Re-baseline
Export the current register. Mark every risk that has not been edited in 6 months as review-required. Reassign owners for anyone who has left. Tag every risk with its domain. Be honest — this is internal.
Days 15–45 — Re-link
For each top-tier risk, attach the asset(s) it threatens and the control(s) that treat it. If either is missing, create the link or admit the gap. Add at least five risks from the missing-category list (AI, vendor concentration, climate, geopolitical, key person).
Days 46–75 — Re-cadence
Schedule the fortnightly review. Pick a small standing agenda: new risks, residual-risk movements, overdue treatments, KRIs out of tolerance. Hold the first three meetings yourself if you have to.
Days 76–90 — Re-report
Replace the static heatmap in the board pack with a residual-risk trend chart. Show what changed and why. Note the categories newly in scope (AI, supplier concentration). This is when leadership notices the programme has moved.
Run a 2026-grade risk programme without 2026 enterprise pricing
ISO-STANDARD.app was built for the four moves above — risk-led, asset-linked, residual-aware, continuous. It is the risk register a Stage 3+ programme needs, without the six-figure GRC bill or the six-month implementation.
ISO-STANDARD.app ships a ready-to-adopt risk management workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.
Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
Frequently asked questions
Is the spreadsheet really finished as a risk register?
Spreadsheets still suit very small organisations with under fifty risks and a single owner. Beyond that they fail four tests: real ownership, change history, linkage to assets and controls, and reporting that holds up to an auditor. Most teams crossing those thresholds in 2026 move to a purpose-built register rather than building a tenth tab.
Are GRC suites like Vanta and Drata risk management tools?
They are control-automation tools, not risk-management tools. They prove a defined set of SOC 2 or ISO 27001 controls is in place. They do not help you decide which risks to treat, score residual risk after treatment, or run a 5×5 likelihood × impact assessment. Risk and compliance are different jobs that need different software.
What does 'risk-led' mean in practice?
Risk-led means the risk register drives the work, not the other way round. You identify risks, score them, then choose controls to treat the highest-rated risks. Control-led organisations adopt a fixed control set (Annex A, Trust Services Criteria) first and then back-fit risks to justify it. Risk-led is what ISO 27001 clauses 6.1.2, 6.1.3, 8.2 and 8.3 (risk assessment and risk treatment, planned and then performed) actually require.
What is the single biggest mistake mid-market organisations make?
Treating the annual risk assessment as a project rather than a process. A risk register reviewed once a year is a document, not a management system. Risks change weekly — new vendors, new staff, new products, new threat intel — and the register must change with them or it stops being decision-grade.
How do AI and the EU AI Act change risk management?
They expand the surface area. AI introduces risk categories most registers have never captured — model bias, drift, prompt injection, training-data leakage, shadow AI, vendor model dependency. The EU AI Act and ISO 42001 force risk owners to assess these alongside traditional information-security risks rather than in a separate silo.