A compliance programme without a risk register is a document exercise. Risk registers are where GRC programmes live between audits. For MSPs, the risk register is the single most powerful tool for ongoing client engagement and managed service stickiness.
Who this is for: MSPs delivering or planning to deliver ongoing GRC managed services to clients.
TL;DR
- ISO 27001, SOC 2, Essential Eight, NIST CSF, and most other frameworks require a maintained risk register
- A managed risk register is the recurring engagement touchpoint that keeps MSPs relevant between annual audits
- 6clicks provides a structured risk register with risk identification, scoring, treatment, and tracking workflows
- Hailey AI assists with risk identification and assessment, reducing analyst time per client
- MSPs that manage client risk registers often see stronger long-term client retention as risk management becomes embedded in ongoing operational and governance processes
What is a risk register and why does every client need one?
A risk register is a structured record of identified risks, with details including:
- Risk description: What the risk is and its potential impact
- Risk likelihood and impact: Quantified or qualified risk scoring
- Risk treatment: How the organisation has chosen to address the risk (accept, mitigate, transfer, avoid)
- Treatment status: Progress on implementing the risk treatment
- Risk owner: Who in the organisation is accountable for the risk
- Review date: When the risk will be formally reassessed
Every major compliance framework requires a maintained risk register:
- ISO 27001:2022 — Clause 6.1.2 requires a systematic information security risk assessment process
- SOC 2 — Risk assessment is a core component of the Security Common Criteria
- Essential Eight — Risk management underpins the entire maturity framework
- NIST CSF 2.0 — The Identify function requires systematic risk assessment
The managed risk register as a recurring service
A static risk register that is updated once a year for an audit is almost worthless. A managed risk register that is actively maintained throughout the year is genuinely valuable. This is the difference between a compliance project and a compliance programme, and the difference between a one-time fee and a recurring subscription.
A managed risk register service includes:
- Initial risk identification: Systematic identification of information security risks across the client's environment
- Monthly risk review: Review of open risks, treatment progress, and new risk identification
- Risk scoring and prioritisation: Regular recalibration of risk ratings as the threat landscape and client environment change
- Treatment tracking: Monitoring and reporting on remediation activities
- Quarterly risk report: Summary of risk posture, changes, and outstanding actions for client management
How 6clicks supports managed risk register delivery
Structured risk library
6clicks provides a pre-built risk library aligned to common information security risk categories, significantly reducing initial risk identification time.
Hailey AI risk identification
Hailey AI analyses the client's framework controls and assessment responses to suggest additional risks that may have been overlooked, improving risk identification coverage.
Risk scoring workflows
6clicks supports both qualitative and quantitative risk scoring methodologies. Risk matrices, heat maps, and dashboards provide instant visualisation of the client's risk posture.
Treatment plans and tracking
Risk treatment plans are managed within 6clicks with task assignment, due dates, and progress tracking. Dynamic dashboards give MSPs and clients real-time visibility of treatment progress.
Automated risk reports
6clicks generates risk summary reports on a scheduled or on-demand basis, formatted for client management and board audiences.
How to price a managed risk register service
- Included in a fully managed GRC subscription: Most MSPs include risk register management as part of their standard managed GRC subscription
- Standalone service: AUD 1,500–3,000/month for risk register management only
- Annual review project: AUD 3,000–6,000 for initial risk assessment and register build
Frequently asked questions
A risk assessment is the process of identifying, analysing, and evaluating risks. A risk register is the output: the living document that records identified risks, scores, treatments, and status. The assessment creates the register; the register is then maintained on an ongoing basis.
ISO 27001:2022 requires risk assessments at planned intervals or when significant changes occur. Most MSPs conduct monthly micro-reviews (new risks, treatment progress) and a full annual reassessment.
Yes. Each client has their own Risk Register in their Spoke environment. The Hub provides a consolidated view of risk status across all clients, enabling MSP-level oversight.
Hailey AI analyses the client's framework coverage, asset inventory, and assessment responses to suggest risks that may not have been explicitly identified, improving accuracy.
6clicks supports both likelihood × impact matrix scoring and custom scoring methodologies. MSPs can configure the scoring approach to match their methodology or client preferences.
Next step
Start delivering managed risk register services with 6clicks.