The Corporate Risk Register contains details of all risks to the organisation. It is a tool that captures, describes and assesses risks as they are identified, together with risk accountabilities, any actions required, review dates, and the dates when actions were completed and the risk item closed [BS 31100 DPC].
A Business Continuity Risk Register will include the date of the last assessment, a description of the risk, an estimate of the impact and the likelihood, any mitigating controls, and a statement of action required, with target date and owner. A properly maintained risk register provides a useful vehicle for communication [ISO 27000].
The IT Risk Register records the risks identified in Information Technology and Information Systems. While many companies bundle these into the Corporate Risk Register, larger organisations tend to keep one Register per department, with the highest-severity risks being promoted to the Corporate Risk Register.
These Risk Registers are owned by the senior management team, because accepting the risks they contain is not the responsibility of ICT alone: some of those risks will affect business areas outside ICT.