SAMA CSF Risk Register Template (Free Excel Download)
A free risk register template for Saudi banks aligned to SAMA CSF — taxonomy, inherent and residual scoring, control linkage and KRI tracking, Excel download.
A clean risk register template is the first thing a Saudi compliance, risk or audit team needs when standing up a cyber risk management programme. The Saudi Central Bank's Cyber Security Framework expects member organisations to operate a structured cyber risk register, and the inspectors who assess CSF maturity ask to see it on day one. Yet a great many Saudi banks still run their risk register in a spreadsheet that was put together for one purpose, has accumulated columns over time, and no longer answers the questions either the inspector or the audit committee actually asks.
This post is the risk register template Saudi banks (and any in-scope SAMA entity) can use as a working starting point, structured to align with SAMA CSF, ISO/IEC 27005:2022 and NIST SP 800-30. A downloadable Excel copy is available at the end.
What the register has to do
A real risk register is a forward-looking statement of what could go wrong, what is being done about it, and how the organisation knows whether the residual exposure is within appetite. It is not a list of incidents (that is the incident register), not a list of vulnerabilities (that is the vulnerability backlog) and not a list of controls (that is the control library).
The structure below produces a register that:
- An inspector can read and understand within minutes.
- A risk committee can use to make accept/treat decisions.
- An audit committee can review for trend and assurance.
- A control owner can use to see which risks depend on their controls.
Template structure
The template is built as a single sheet with one row per risk and the columns below. Calculated columns are derived by formula and are never typed in; assessor-entered columns are filled in explicitly by the assessor.
Identification columns
- Risk ID. Stable identifier (e.g. CR-2026-001) that does not change as the risk evolves.
- Risk short name. A 5-10 word handle for the risk.
- Risk domain. From the taxonomy — governance, identity and access, network security, application security, data security, third-party, incident, business continuity, physical, awareness.
- Risk family. Within the domain.
- Risk scenario. The named scenario being rated (e.g. "abuse of privileged credentials by an insider").
Description columns
- Threat. The threat actor or threat type.
- Vulnerability. The weakness the threat exploits.
- Asset. The asset, process or service at risk.
- Description. Plain-English narrative — what could happen, how, and what the consequence would be.
Ownership columns
- Risk owner. Named individual (not a function or job title) who is accountable for the risk.
- Date assigned. When the owner accepted the risk.
- Risk category for appetite. The category under which appetite has been defined.
Inherent assessment columns
- Inherent likelihood. 1-5 scale, with documented criteria per level.
- Inherent impact (financial). 1-5 scale, defined thresholds.
- Inherent impact (operational). 1-5 scale.
- Inherent impact (regulatory). 1-5 scale.
- Inherent impact (reputational). 1-5 scale.
- Inherent impact (customer). 1-5 scale.
- Inherent impact composite. Calculated as the highest of the dimensional scores.
- Inherent score. Calculated from likelihood × impact composite.
- Inherent rating. Calculated category (Very Low / Low / Medium / High / Very High).
Control linkage columns
- Linked controls. List of control IDs (from the control library) that mitigate this risk.
- Control effectiveness rating. Aggregate effectiveness of the linked controls. Four-level scale: not implemented, partially effective, mostly effective, fully effective.
- Control evidence reference. Link to the most recent control test result.
- SAMA CSF references. Sub-control IDs the linked controls satisfy.
- NCA ECC references. Sub-control IDs the linked controls satisfy.
- ISO 27001 references. Annex A control IDs the linked controls satisfy.
Residual assessment columns
- Residual likelihood. Calculated from inherent likelihood adjusted by control effectiveness — not re-entered by the assessor. This is the most important methodology rule. Allowing assessors to re-enter the residual score breaks the link between control effectiveness and risk reduction.
- Residual impact composite. Calculated similarly.
- Residual score. Calculated.
- Residual rating. Calculated category.
- Within appetite? Calculated Yes/No based on appetite category and residual rating.
Treatment columns
- Treatment option. Mitigate / Transfer / Avoid / Accept.
- Treatment plan ID. Reference to the treatment plan record.
- Treatment status. Not started / In progress / Complete / Overdue.
- Treatment owner. Named individual.
- Treatment target date. When the treatment is expected to complete.
- Expected residual after treatment. What the residual rating is expected to be once treatment is complete.
- Acceptance rationale. For accepted risks, the documented rationale and who approved it.
Monitoring columns
- KRI 1 name, value, threshold, status. Up to three KRIs per risk with their current value and traffic-light status.
- KRI 2 name, value, threshold, status.
- KRI 3 name, value, threshold, status.
- Last KRI update date.
Linkage columns
- Linked incidents. Incident IDs that have realised this risk.
- Linked findings. Audit finding IDs that relate to this risk.
- Linked vendors. Vendor IDs for third-party-driven risks.
Tracking columns
- Date created.
- Date last reviewed.
- Date next scheduled review.
- Last reviewer.
- Change log. Versioned change history (typically a separate sheet linked by Risk ID).
Methodology rules baked into the template
A few methodology rules make the difference between a register that survives an inspector's question and one that does not. The template enforces them through formulas and validation:
Residual is derived, not re-entered. The residual likelihood and impact are computed from the inherent values and the control effectiveness rating. The assessor can change the inputs but cannot directly write the output. This preserves the linkage between control effectiveness and risk reduction.
Risk owner is mandatory and named. A risk without a named owner is not a risk on the register; it is an opinion in a spreadsheet.
Control linkage is mandatory. A risk without linked controls is implicitly being treated as "accept all" — which may be the right answer, but it should be made explicit via the treatment option column.
Appetite is defined per category. The acceptance threshold is not the same for governance risks as for cyber risks. The template carries appetite per category and computes "within appetite" automatically.
KRIs have thresholds. A KRI without a threshold is just a number. The template requires green/amber/red thresholds.
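The derived-column rules above, written out as an added Python example rather than the template's own Excel formulas. The rating bands, the effectiveness adjustment table, the per-category appetite thresholds and the "higher is worse" direction of the KRI thresholds are assumed illustration values; a real register documents its own criteria.

```python
from dataclasses import dataclass

# Assumed illustration values: a real register documents its own criteria.
RATING_ORDER = ["Very Low", "Low", "Medium", "High", "Very High"]
# Upper bound of the 1-25 score (likelihood x composite impact) for each rating band.
RATING_BANDS = [(4, "Very Low"), (8, "Low"), (12, "Medium"), (19, "High"), (25, "Very High")]
# Levels subtracted from inherent likelihood and impact by the four-level effectiveness scale.
EFFECTIVENESS_ADJUSTMENT = {"not implemented": 0, "partially effective": 1,
                            "mostly effective": 2, "fully effective": 3}
# Highest residual rating that is acceptable, per appetite category.
APPETITE = {"governance": "Medium", "cyber": "Low"}


def rating_for(score: int) -> str:
    return next(label for upper, label in RATING_BANDS if score <= upper)


@dataclass
class RiskRow:
    risk_id: str
    risk_owner: str                # named individual, mandatory
    inherent_likelihood: int       # 1..5, assessor-entered
    inherent_impact: dict          # dimension name -> 1..5, assessor-entered
    linked_controls: list          # control IDs from the control library
    control_effectiveness: str     # four-level scale
    appetite_category: str


def assess(row: RiskRow) -> dict:
    """Derive the calculated columns; the assessor never writes these directly."""
    if not row.risk_owner:
        raise ValueError(f"{row.risk_id}: risk owner is mandatory")
    if not row.linked_controls:
        raise ValueError(f"{row.risk_id}: link controls or record an explicit Accept")
    if any(not 1 <= s <= 5 for s in [row.inherent_likelihood, *row.inherent_impact.values()]):
        raise ValueError(f"{row.risk_id}: scores must be on the 1-5 scale")
    composite = max(row.inherent_impact.values())          # highest dimensional score
    inherent_score = row.inherent_likelihood * composite
    adj = EFFECTIVENESS_ADJUSTMENT[row.control_effectiveness]
    residual_likelihood = max(1, row.inherent_likelihood - adj)   # derived, not re-entered
    residual_score = residual_likelihood * max(1, composite - adj)
    residual_rating = rating_for(residual_score)
    within = RATING_ORDER.index(residual_rating) <= RATING_ORDER.index(APPETITE[row.appetite_category])
    return {"inherent_score": inherent_score, "inherent_rating": rating_for(inherent_score),
            "residual_likelihood": residual_likelihood, "residual_score": residual_score,
            "residual_rating": residual_rating, "within_appetite": within}


def kri_status(value: float, amber: float, red: float) -> str:
    """Traffic light for a KRI whose value is worse when higher (assumed direction)."""
    return "red" if value >= red else "amber" if value >= amber else "green"


# Constructed sample row: insider abuse of privileged credentials, partially effective controls.
SAMPLE = RiskRow("CR-2026-001", "Head of IAM", 4,
                 {"financial": 3, "operational": 4, "regulatory": 5, "reputational": 3, "customer": 2},
                 ["CTL-042", "CTL-077"], "partially effective", "cyber")
```

Running `assess(SAMPLE)` rates the sample risk Very High inherent (4 x 5 = 20) and Medium residual (3 x 4 = 12), which is outside a "Low" cyber appetite and therefore needs a treatment plan rather than acceptance.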
How to populate the template for the first time
A first population of the register in a Saudi mid-sized bank typically takes three to six weeks. The sequence we see work best:
- Agree the taxonomy. Domain → family → scenario. Get sign-off from the risk committee before you populate.
- Workshop the scenarios with control owners and the second line. Walk through each domain and identify the scenarios that matter to the bank.
- Score inherent risk. Apply the criteria honestly. A register in which everything scores High is useless.
- Link controls. Pull from the existing control library. If the control library is itself a mess, fix that first — the register depends on it.
- Compute residual. Let the formulas do their work.
- Identify treatment for risks above appetite. Prioritise by gap from appetite, not by inherent score.
- Define KRIs. Two or three per significant risk.
- Present to the risk committee. The register should be visible to the committee from day one.
Maintenance cadence
- Monthly. KRI values updated. Treatment status updated.
- Quarterly. Full review of every risk by the owner. Residual ratings refreshed. Aged treatment actions escalated.
- On material change. New risks identified, retired risks removed, scoring criteria adjusted with sign-off.
- Annually. Full methodology review. Taxonomy refresh if needed.
A risk register that is updated only at year-end is a register that has aged out of usefulness for ten months out of twelve.
Get the downloadable template
The full template — as an Excel workbook with all columns, formulas for inherent and residual scoring, conditional formatting for the heat-map view, validation rules, and a worked example — is available on request. Contact us to receive a copy.
For the wider methodology context, read our cyber risk register guide and our risk management software buyer's guide. For the regulatory background, read our SAMA frameworks guide. To see the same risk register running as a live, audit-trailed risk module inside a unified GRC platform — with residual scoring derived from live control effectiveness data and KRIs ingested automatically — read about GRC Vantage's risk module, supported from our offices in Riyadh and Dammam.

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.