How often do you revisit your risk register?

I’m seeing teams let registers go stale; last week I found three vendors still tagged low risk despite two incidents this quarter. I’m leaning toward a 30-day review cadence with simple triggers like a new vendor, a scope change, or any incident, but I’d like to hear what cadence and mitigation thresholds you use to keep it disciplined without wasting cycles.

We run tiered reviews: weekly on the top 10, 30 days for everything else, and “any incident” auto-bumps risk and forces an immediate check; the low-friction trick was turning cards red after 45 days so they’re impossible to ignore. It’s like milk — if it’s past the date, we don’t argue with it.
