2026-04-21 · 9 min read
Every framework asks about incident response. Most companies answer with a plan written for an audit. Real readiness is evidenced — contact trees verified, exercises dated, postmortems completed — and it shows when the notification clock starts.
2026-04-07 · 8 min read
Vendor risk used to mean reviewing a SOC 2 at onboarding and renewing annually. Now your vendors ship AI features mid-contract — quietly — and your risk surface changes without any procurement event triggering a review.
2026-03-31 · 10 min read
Most risk registers are written in a workshop, scored by instinct, and filed until next year — while the risks they describe move weekly. Here is what it takes to connect a register to the systems where risk actually lives.