What does a risk register primarily document within a utility security program?

Prepare for the OCFA Securing Utilities Test with multiple choice questions and comprehensive study materials. Each question is complemented with hints and detailed explanations. Enhance your skills and ace the exam!

Multiple Choice

What does a risk register primarily document within a utility security program?

Explanation:
A risk register is a centralized, living record of risks. In a utility security program, it catalogs each identified risk, its assessed severity and likelihood, the person responsible for managing it, the controls in place or planned to mitigate it, the residual risk after those controls, and the timelines for implementing mitigations and for periodic reviews. This combination makes it the best document for tracking risk posture over time, ensuring accountability, guiding prioritization and resource allocation, and providing a clear path from identification through action and reassessment. Other documents serve related but different purposes: incident response playbooks outline steps during incidents, asset inventories track hardware and firmware, and compliance checklists support audits. The risk register ties these elements together into a coherent picture of risk and how it’s being managed.
