Cloud Sentry
Risk register

A risk register someone actually maintains.

Every open risk with an owner, a severity, and where it stands, kept current because the people who run your environment keep it current, not because someone remembered to update a spreadsheet before the audit.
The risk register in the Cloud Sentry portal, with owners, severity, and residual status

The status quo

Written once for the audit, then left to rot.

Most risk registers start life the week before a review. Someone builds a tab, fills in a dozen rows, assigns owners who never hear about it again, and files it away. By the next review the owners have changed, half the risks are closed, two new ones went unrecorded, and nobody trusts a single line of it.

The register is not the problem. Treating it as a document instead of a living record is. A register only tells you something when it reflects the work as the work happens, which means it has to be maintained by the people doing that work.

The spreadsheet

Accurate the day it is written, stale by the next week.

A living register

Updated as risks are found, worked, and retired, because that is where the work already is.

How risks get in

Two ways in, one gate they all pass through.

A register is only as honest as the way risks enter it. Ours takes them from the work and from your team, and an operator confirms or declines every proposal before it becomes a live risk.

Operators

Raised from the work

The operators running your cloud, IT, and security create risks live as they surface them, straight from the work that turned them up. No re-keying into a separate tool later.

Your team

Proposed from the floor

Your admins and security leads propose risks the moment they notice one, from wherever they sit. The people closest to a problem are often the first to see it.

Operator review

Confirmed, or declined

Every proposed risk sits in review until an operator confirms it into the register or declines it with a reason. Nothing enters unreviewed, and nothing your team raises disappears silently.

The review pipeline every proposed risk passes through before it enters the register.

That gate is the whole point. Compliance tools let a register fill up with whatever anyone types. Here, a person who runs your environment stands between a proposal and the register.

Anatomy of a risk

Everything you need to know, in one record.

Open any risk and the reasoning is right there. Not a row in a grid you have to interpret, but a record that holds the decision and the discussion behind it.

Owner

One named person accountable for the risk, so it never becomes everyone's job and therefore nobody's.

Severity

How much this risk matters, set deliberately and visible at a glance, so the register sorts itself by what deserves attention first.

Residual status

Where the risk stands after the controls in place: still open, mitigated, accepted, or closed. The honest current state, not the state on the day it was opened.

The discussion

A thread where the reasoning lives: why it was raised, what was weighed, and how the call was made. When someone asks why a risk was accepted, the answer is already written down.

Exemptions

A compensating control with an expiry date, not a permanent hall pass.

Sometimes a control cannot be met the standard way, and the honest answer is a documented exemption. Done poorly, an exemption is a way to make a problem disappear. Done properly, it is a compensating control that says what is covering the gap and when the exemption ends.

  • A compensating control, written down. What is in place instead of the standard control, so the gap is covered rather than ignored.
  • An expiry date, always. Every exemption ends. When the date arrives it comes back for a decision, so nothing quietly becomes permanent.
  • Tied to the risk it answers. An exemption lives against the risk it addresses, so anyone reading the register sees the exception and the reason for it together.
The exemptions view in the Cloud Sentry portal, with compensating controls and expiry dates

Where it feeds

A register that earns its keep the rest of the year.

A living register is worth maintaining because it is used, not filed. Two places lean on it directly.

Audit and buyer conversations

When a buyer or an assessor asks how you handle risk, you show them a register that has been maintained all along, with owners, decisions, and the reasoning behind each one. There is nothing to reconstruct, because nothing was left to rot.

The Evidence Vault

The register is part of the proof you hand over. Scoped, time-bounded, and shared without a fire drill, alongside the rest of the evidence the platform keeps current.

See how the Evidence Vault works

A register is only worth keeping if someone keeps it.

Operators raise risks from the work, your team proposes from the floor, and an operator confirms or declines every one before it enters the register. That is what keeps it honest.

Tell us what you run today and we will show you how the register fills in from the work, with an operator on the gate.

Tour the operations platform: the requests, the evidence, and the live status of what the operators run for you.