On March 10, 2023, Silicon Valley Bank failed after $42 billion in deposit withdrawals in 24 hours, the largest US bank run since the 2008 crisis. The Federal Reserve’s April 28, 2023 review of SVB found that bank management had not updated the interest rate risk register entries fast enough across 2022. The Fed funds rate climbed 450 basis points in 12 months. The register still carried the 2021 scoring at year-end 2022.

Six supervisory findings dating to 2021 sat unresolved as of the failure. The board pack the directors read in early 2023 reflected the bank’s pre-tightening risk profile, not the post-tightening reality. After SVB, every US ERM leader confronted the same problem: a risk register that updates on too slow a cadence shows the board last year’s exposure, not today’s.

The Practitioner Cheat Sheet on How Often to Update a Risk Register
How often should you update a risk register at a US enterprise? Quarterly is the baseline for strategic, operational, financial, and compliance risk; monthly or continuous for cyber risk; bi-monthly for third-party and vendor risk. Annual-only updates are no longer defensible at any institution above $250 million in assets.
Silicon Valley Bank failed on March 10, 2023 with $42 billion in deposit withdrawals in one day. Per the Federal Reserve’s April 2023 review, the bank’s risk register entries on interest rate risk and held-to-maturity portfolio losses were updated too slowly across 2022, even as the Fed funds rate climbed 450 basis points. The Fed cited six unresolved supervisory findings dating to 2021. SVB shows what happens when the risk register refresh cadence does not match the underlying risk velocity.
ISO 31000:2018 mandates continual improvement of the risk management process, which examiners read as a requirement to update a risk register on a defined cadence with documented review evidence. COSO ERM 2017 Principle 16 requires the entity to assess substantial change, which translates directly into a trigger-based update rule on top of the periodic cadence.
Update a risk register on three triggers in addition to the calendar cadence. The first is any material event (loss, near-miss, regulatory action, incident). The second is any structural change (M&A, new product line, leadership transition). The third is any external change (new regulation, market shock, geopolitical event).
The 2024 AICPA / NC State Poole College State of Risk Oversight survey of 377 US organizations found that roughly 47% update the enterprise risk register quarterly, 14% monthly, 14% annually, and 8% continuously through GRC software. Annual-only update cadence correlates with the lowest ERM maturity scores in the survey.
Every risk register update cycle should produce three artifacts: a delta log showing what changed since last refresh, an updated heat map, and a quarterly board-pack narrative tying the changes to the risk appetite. Without those three, the update is performative and the audit committee cannot see what moved.
The risk register update schedule is governed by named owners and dated triggers. Calendar reminders alone produce stale registers. Documented trigger thresholds, paired with quarterly cadence and a board-reporting deadline, produce the kind of register that the next SEC, FDIC, or OCC examiner can rely on.

This walkthrough sets the practical cadence by risk category, drawn from ISO 31000:2018, COSO ERM 2017, and the 2024 AICPA / NC State State of Risk Oversight Report. Our key elements of a risk register page anchors the field structure.

Why Risk Register Update Frequency Decides Survival (SVB, March 2023)

Silicon Valley Bank had a documented enterprise risk register through 2022. The register named interest rate risk as one of the top enterprise exposures. The Fed funds rate rose from 0.25% in March 2022 to 4.50% by December 2022. The register did not refresh fast enough to capture the change.

The Federal Reserve’s Material Loss Review of Silicon Valley Bank from September 2023 documented six citations from a 2021 supervisory review that the bank had not closed. Risk register update cadence was a recurring theme in the findings. The board never saw the unrealized loss on held-to-maturity securities until the run started.

The lesson for every US enterprise: risk register update frequency must match the velocity of the underlying risks. Interest rate risk at a regional bank moved fast in 2022, but the register moved at its 2021 cadence. The mismatch was the failure point.

How Often Should You Update a Risk Register? (US ERM Practice)

Figure 1. The Fed funds rate moved 450 bps across 2022 while SVB’s interest rate risk register scoring stayed flat (illustrative; Federal Reserve OIG Material Loss Review, September 2023).

Baseline Cadence: How Often Should You Update a Risk Register at the Enterprise Level?

The baseline cadence for enterprise risk register updates at a US institution is quarterly. The quarterly cycle matches the board pack rhythm and aligns with the SEC quarterly disclosure schedule for public companies. Most US enterprises with annual revenue above $500 million now run a quarterly register update by default.

Roughly 47% of US organizations update the register quarterly, 14% monthly, 14% annually, and 8% continuously through GRC software, per the 2024 AICPA / NC State survey of 377 US enterprises. Annual-only cadence is no longer defensible for any institution above $250 million in assets. Our five steps of the risk management process page walks the cycle.

Figure 2. US enterprise risk register update frequency. Quarterly is the modal cadence; annual-only is in retreat (AICPA / NC State 2024 State of Risk Oversight, n=377 US organizations).

Quarterly Risk Register Updates Are the Default at US Enterprises

The quarterly risk register update at a US enterprise typically takes 4 to 6 weeks of work spread across the risk function, business owners, and audit committee chair.

The owner of each register entry re-scores likelihood and impact, refreshes the control list, updates the treatment plan, and confirms the residual rating. The risk function consolidates the changes into a board pack 10 days before the audit committee meeting.

Monthly Risk Register Refresh: When the Faster Cycle Becomes the Standard

Monthly cadence is the standard at US banks above $50 billion in assets, fintechs in the BSA/AML-heavy lane, and any organization in a regulated industry undergoing M&A or a major regulatory inspection. The 14% of US enterprises running a monthly register refresh, per the 2024 survey, are concentrated in financial services, healthcare, and energy.

Annual-Only Updates Fall Short of Current US ERM Practice

Annual-only updates create the SVB problem at a smaller scale. A risk that changes in March cannot wait until December to refresh on the register. The 14% of US enterprises still running annual-only updates, per the 2024 AICPA survey, cluster in non-financial-services mid-market firms with limited ERM resources. Our importance of enterprise risk management page makes the case for the faster cycle.

Trigger-Based Updates Refresh a Risk Register Outside the Quarterly Cycle

The quarterly cycle is the floor for risk register update frequency at a US enterprise, not the ceiling. Calendar-driven updates alone produce stale registers when risks move faster than the calendar.

Five trigger classes force an off-cycle update on top of the periodic cadence: material events, structural changes, external shocks, internal appetite revisions, and detected near-miss patterns. Without these triggers layered on the quarterly cycle, the register lags reality even at the fastest planned cadence.

| Trigger Class | Examples | Action on Risk Register |
|---|---|---|
| Material event | Loss above the materiality threshold, near-miss, audit finding, regulatory enforcement action, reportable cyber incident | Same-day re-scoring of the affected entry; promote any related log items |
| Structural change | M&A close, new business line launch, leadership transition (CEO/CFO/CRO), new core system go-live | Off-cycle full register review of affected categories within 30 days |
| External change | New regulation finalized, Fed rate decision, geopolitical event, market correction above 10%, new SEC rule | Refresh exposure scoring on affected categories within 5 business days |
| Internal change | Risk appetite revision, new strategic plan, change in tolerance thresholds | Re-rate every register entry against the new appetite within 60 days |
| Detection of a recurring pattern | Three or more similar log entries in 90 days | Promote the pattern to the register; document promotion form |

Material Event Triggers Force an Off-Cycle Risk Register Update

A material event triggers an immediate register update because the underlying exposure assumption changed. A vendor that suffered a ransomware attack last quarter is no longer at the same residual risk on your register.

A reportable cyber incident at your own bank changes the inherent and residual scoring on the cyber row within the same business day. Our essential steps of incident response guide carries the playbook for the response side.

Regulatory Change Triggers a Risk Register Update Within Five Days

New regulations force a register refresh because the inherent risk and the compliance gap change at the moment of issuance.

The SEC’s December 2023 cybersecurity 8-K rule required public companies to refresh the cyber entry on the enterprise register inside 30 days. The October 2024 final rules on stablecoin issuers and the upcoming Basel III endgame at US banks operate the same way.

Near-Miss Pattern Detection Forces an Off-Cycle Risk Register Update

Three or more linked near-misses in 90 days promote the pattern to the register as a new entry. The pattern often reveals a control gap the register did not yet name. Our RCSA risk management page carries the operational-level methodology that feeds pattern detection back into the enterprise register.

Update a Risk Register by Risk Category: Different Cadences Apply

A single uniform cadence across every risk category is the wrong design at any US enterprise. Cyber risk moves daily; strategic risk moves annually. Forcing both into the same quarterly review wastes risk-team effort and misses signals.

The right design layers category-specific cadences inside the umbrella quarterly cycle. Cyber and vendor categories run faster than the umbrella; strategic and ESG categories run slower with annual deep reviews. The umbrella cadence sets the board-pack rhythm; the per-category cadences set the operating discipline.

Figure 3. Recommended risk register update cadence by category at a US enterprise. Cyber and third-party run faster; strategic and compliance hold quarterly.

| Risk Category | Recommended Cadence | Why That Cadence |
|---|---|---|
| Strategic | Quarterly, with annual deep review | Strategy moves slowly; quarterly catches major shifts; annual deep review tied to budget cycle |
| Operational | Quarterly | Process changes track quarterly business cycles; pattern detection from log feeds in |
| Financial | Quarterly | Aligned with SEC quarterly disclosure and audit committee rhythm |
| Compliance | Quarterly, with rule-change triggers | Quarterly cadence + same-day update on any final rule publication |
| Cyber | Monthly | Threat landscape moves daily; control state moves weekly; monthly is the practical floor |
| Third-party / Vendor | Bi-monthly | Vendor incidents and SOC 2 cycle changes accumulate faster than quarterly |
| ESG / Climate | Semi-annual, with disclosure-event triggers | Aligned with sustainability reporting; faster on regulatory milestones |
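The trigger table and the category-cadence table above are the two rules a GRC platform has to enforce: flag rows whose last review is older than their category's cadence, compute the refresh deadline a trigger imposes, and promote a near-miss pattern once three or more similar log entries land inside 90 days. The following is an added example, not code from the article or from any GRC product; it assumes quarterly = 90 days, bi-monthly = 60, semi-annual = 180, treats "business days" as weekdays with no holiday calendar, and uses constructed register rows and log entries.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
# Calendar cadence per category in days, from the article's category table.
CADENCE_DAYS = {"strategic": 90, "operational": 90, "financial": 90,
                "compliance": 90, "cyber": 30, "vendor": 60, "esg": 180}
TRIGGER_SLA = {  # off-cycle triggers from the trigger table: (days, business days?)
    "material_event": (0, False),      # same-day re-scoring
    "external_change": (5, True),      # within 5 business days
    "structural_change": (30, False),  # affected categories within 30 days
    "internal_change": (60, False),    # re-rate every entry within 60 days
}
PATTERN_WINDOW_DAYS, PATTERN_MIN_COUNT = 90, 3  # 3+ similar log entries in 90 days

@dataclass(frozen=True)
class RegisterEntry:
    risk_id: str
    category: str
    last_reviewed: date

@dataclass(frozen=True)
class LogEvent:
    event_date: date
    pattern_key: str                  # control or failure mode the entry maps to
    trigger_class: str | None = None  # set when the event is itself a trigger

def add_business_days(start: date, n: int) -> date:
    """Advance n business days, skipping weekends (US holidays ignored)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def trigger_deadline(event: LogEvent) -> date | None:
    """Date by which affected rows must be refreshed; None if not a trigger."""
    if event.trigger_class not in TRIGGER_SLA:
        return None
    days, business = TRIGGER_SLA[event.trigger_class]
    if business:
        return add_business_days(event.event_date, days)
    return event.event_date + timedelta(days=days)

def overdue_entries(register: list[RegisterEntry], today: date) -> list[str]:
    return [e.risk_id for e in register
            if (today - e.last_reviewed).days > CADENCE_DAYS[e.category]]

def patterns_to_promote(log: list[LogEvent], today: date) -> list[str]:
    """Pattern keys seen PATTERN_MIN_COUNT+ times inside the trailing window."""
    cutoff = today - timedelta(days=PATTERN_WINDOW_DAYS)
    counts = defaultdict(int)
    for ev in log:
        if cutoff <= ev.event_date <= today:
            counts[ev.pattern_key] += 1
    return sorted(k for k, n in counts.items() if n >= PATTERN_MIN_COUNT)

# Constructed sample data (not from the article), evaluated as of 2023-03-10.
TODAY = date(2023, 3, 10)
SAMPLE_REGISTER = [
    RegisterEntry("R-01", "cyber", date(2023, 1, 15)),      # 54 days: past monthly
    RegisterEntry("R-02", "financial", date(2022, 11, 30)), # 100 days: past quarterly
    RegisterEntry("R-03", "vendor", date(2023, 1, 20)),     # 49 days: inside bi-monthly
]
SAMPLE_LOG = [
    LogEvent(date(2023, 1, 5), "CTL-ACCESS-REVIEW"),
    LogEvent(date(2023, 2, 2), "CTL-ACCESS-REVIEW"),
    LogEvent(date(2023, 3, 1), "CTL-ACCESS-REVIEW"),    # third similar entry in 90 days
    LogEvent(date(2022, 12, 1), "CTL-BACKUP-RESTORE"),  # outside the window: only 2 count
    LogEvent(date(2023, 2, 20), "CTL-BACKUP-RESTORE"),
    LogEvent(date(2023, 3, 5), "CTL-BACKUP-RESTORE"),
    LogEvent(date(2023, 3, 8), "RATE-DECISION", "external_change"),  # due in 5 business days
    LogEvent(TODAY, "VENDOR-RANSOMWARE", "material_event"),          # same-day re-score
]
```

Running the three functions over the sample data flags R-01 and R-02 as overdue, promotes only CTL-ACCESS-REVIEW (the backup pattern has one entry outside the window), and sets the rate-decision refresh deadline to 2023-03-15.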

Cyber Risk Register Entries Update Monthly at a Minimum

Cyber risk requires monthly updates at the absolute minimum. The threat space changes weekly; CISA and the FBI issue new advisories almost daily. Vulnerabilities like CVE-2017-5638 (Equifax 2017), CVE-2021-44228 (Log4Shell), and CVE-2024-3094 (XZ Utils backdoor) need to land on the enterprise register within days of discovery, not at the next quarterly board cycle.

Operational and Compliance Risk Register Entries Hold a Quarterly Rhythm

Operational risk and compliance risk both update on a quarterly cycle for most US enterprises. The cycle aligns with the business operating rhythm and the audit committee cadence. Off-cycle updates layer on top: a process failure triggers an operational refresh; a new final rule from the OCC, FDIC, FRB, or SEC triggers a compliance refresh inside 30 days.

Strategic Risk Register Entries Update Quarterly With an Annual Deep Review

Strategic risk register entries (competitive position, market entry, technology disruption, M&A pipeline) refresh quarterly but undergo a full deep review annually as part of the strategic planning cycle. The annual deep review re-scopes every strategic register row against the new strategic plan, while the quarterly refresh tracks deltas. Our convergence of risk oversight with strategic planning page lays out the integration.

Standards View: ISO 31000, COSO ERM, and Risk Register Update Frequency

The major risk frameworks do not name a specific update cadence, but they require continual improvement, periodic review, and substantial-change assessment. Translating those requirements into a practical schedule is what every US risk function is responsible for documenting in the ERM charter.

ISO 31000 and the Continual Improvement Mandate for Risk Register Updates

ISO 31000:2018 places continual improvement at the center of the risk management process. The standard does not name quarterly or monthly cadence, but examiners read the continual-improvement principle as requiring a documented review schedule, dated review evidence, and a feedback loop from log to register. Our ISO 31000 vs COSO ERM framework comparison pairs the two standards.

COSO ERM 2017 Principle 16 on Substantial Change Drives Off-Cycle Updates

COSO ERM 2017 Component 4 (Review and Revision) carries Principle 16: Assesses Substantial Change. The principle requires the entity to identify and assess changes that may substantially affect the strategy and business objectives. In practice this becomes the trigger-based update rule that runs on top of the quarterly cadence.

Industry Benchmarks: How Often US Companies Actually Update Their Risk Register

Industry benchmark data shows where US enterprises sit today on risk register update cadence. The 2024 AICPA / NC State Poole College survey of 377 US organizations gives the cleanest baseline. The American Bankers Association tracks the same data for member banks. Our guide to audit risk assessment anchors the audit-committee read.

AICPA / NC State Survey on US Risk Register Update Frequency

The 15th annual State of Risk Oversight Report, published by AICPA and NC State Poole College in 2024, surveyed 377 US-based organizations on ERM practices. Quarterly update is the modal cadence at 47%, while monthly and annual tie at 14% each. Continuous updates through GRC software sit at 8% and growing year over year.

Annual-only update cadence correlates with the lowest ERM maturity scores in the survey data. The same firms also score lowest on board-level ERM oversight, risk appetite alignment, and integration between risk and strategy. The pattern reads as a single causal chain: under-resourced risk functions produce stale registers, which produce reactive boards.

Public Filings Benchmark for Risk Register Refresh Cadence

Public companies face the SEC Form 10-K and 10-Q schedules, which functionally mandate at least quarterly risk register updates for any risk material enough to disclose. The SEC’s December 2023 cybersecurity 8-K rule added a 4-business-day disclosure requirement after a material cyber incident, which collapses cyber-row update latency from quarterly to days.

Building the Update Schedule for Your Risk Register

The schedule that actually drives a risk register update cycle is a one-page document, not a 40-page ERM manual. The page names the umbrella cadence, the per-category cadences, the five triggers, the named owners, and the board reporting deadline. Audit committees can approve it in one meeting.

Map Each Risk Category to an Update Frequency

Step one is the category map: list every risk category on the register (strategic, operational, financial, compliance, cyber, vendor, ESG) and assign a cadence to each. Strategic, operational, financial, and compliance run quarterly. Cyber runs monthly. Vendor runs bi-monthly. ESG runs semi-annually with disclosure-event triggers.

Assign a Named Owner to Drive Each Risk Register Update

Step two is owner assignment. Every register entry needs a named owner who is responsible for the recurring refresh and for filing off-cycle updates when triggers fire. Owner reconciliation runs quarterly against the HR system to catch personnel turnover. Our how to develop key risk indicators page connects KRI ownership back to register ownership.

Frequently Asked Questions About How Often to Update a Risk Register

How Often Should You Update a Risk Register in Practice?

Quarterly is the practical baseline at any US enterprise above $250 million in assets, layered with trigger-based off-cycle updates for material events, structural changes, and external shocks. Cyber risk needs monthly updates at a minimum. Third-party risk needs bi-monthly. The 2024 AICPA / NC State survey confirms quarterly as the modal cadence across 377 US organizations.

What Triggers an Off-Cycle Risk Register Update?

Five triggers move a register update outside the calendar. A material event such as a loss above threshold, near-miss, or regulatory action. A structural change such as M&A close, leadership transition, or new business line. An external shock such as a Fed rate decision, market correction, or new regulation. A risk appetite revision. A near-miss pattern of three or more linked log entries in 90 days.

Is an Annual Risk Register Update Enough for US Compliance?

Annual-only is no longer defensible for any US institution above $250 million in assets and is a documented audit finding in many recent OCC and FDIC IT exam reports. The SEC’s quarterly disclosure schedule and the FRB / FDIC supervisory cycles assume at least quarterly updates. The 14% of US enterprises still on annual-only, per the 2024 AICPA survey, cluster in lower-maturity mid-market firms.

Should I Update My Risk Register After Every Audit Finding?

Every internal or external audit finding triggers a register update within 30 days of the finding being communicated. The update reflects the new control gap, the proposed remediation, and the revised residual risk. Audit findings that close without a register update create a documentation gap the next regulator examines.

Who Decides When to Update a Risk Register at a US Company?

The Chief Risk Officer or head of ERM owns the update cadence in the ERM charter, with audit committee approval. Each register entry has a named owner who is responsible for the recurring refresh and for filing off-cycle updates when triggers fire. At smaller US enterprises without a dedicated CRO, the CFO or the audit committee chair carries the role.

Does the SEC Require a Specific Risk Register Update Frequency?

The SEC does not name a specific cadence in the rules, but the Form 10-K and 10-Q schedules combined with the cybersecurity 8-K rule from December 2023 functionally require at least quarterly updates with same-week refreshes after material incidents. Public companies must align register cadence with disclosure obligations or face Reg FD and material-omission exposure.

How Do Material Events Change My Risk Register Update Schedule?

Material events bypass the calendar and trigger same-day re-scoring of the affected register entry. The owner files an off-cycle update with rationale, documents the new residual risk, and refreshes the treatment plan. Material events also reset the clock on the next full cycle: a January material event often triggers a February interim register review rather than waiting until March.

Can I Update My Risk Register Continuously With GRC Software?

Yes, and roughly 8% of US enterprises now run continuous register updates through GRC platforms such as Archer, OneTrust, ServiceNow GRC, and Workiva, per the 2024 AICPA survey. Continuous updates remove the calendar lag but require strong data integrity controls and clear governance over what counts as a register-grade signal versus operational noise that should stay in the risk log.

Common Mistakes in Risk Register Update Frequency at US Enterprises (Pitfalls)

Five patterns surface repeatedly in OCC, FDIC, FRB, and SEC findings when risk register update frequency goes wrong. The table captures the recurring miss, the root cause, and the remedy that closes the finding. Each pattern compounds faster at smaller institutions without a dedicated risk function.

| Pitfall | Root Cause | Remedy |
|---|---|---|
| Annual-only update cadence | Risk function under-resourced; ERM charter inherited from a 2015-era playbook | Move to quarterly baseline + trigger-based off-cycle updates; document in ERM charter; board-approve |
| No trigger-based update rule | Update schedule is calendar-driven only; no escalation policy | Write a one-page trigger policy: material event, structural change, external shock, appetite revision, pattern detection |
| Cyber updates on the same quarterly rhythm as strategic | Single uniform cadence across all categories | Layer category-specific cadences: cyber monthly, vendor bi-monthly, strategic quarterly with annual deep review |
| Audit findings closed without register update | Audit and ERM functions report to different executives | Mandate register update within 30 days of every audit finding; tag in the finding tracker |
| Continuous GRC updates without governance | Platform deployed without data integrity controls; every event hits the register | Define register-grade thresholds; route everything else to the operational log; quarterly governance review |
| Update done but board never sees the delta | Update produced a new register file but no narrative | Mandate a delta log and a one-page board narrative for every update cycle |
| Stale owners on the register | Personnel turnover; owners not refreshed | Quarterly owner reconciliation; HR system feeds register owner field |

Looking Ahead: AI-Driven Risk Register Updates in 2026-2027

Three forces will reshape risk register update frequency at US enterprises between 2026 and 2027. The first is AI-assisted pattern detection. GRC platforms now scan operational logs, news feeds, and internal email to surface candidate register-promotion events automatically, cutting the latency between event and register entry from months to days.

The second force is regulatory disclosure compression. The SEC cybersecurity 8-K rule from December 2023 set a 4-business-day clock. The proposed SEC climate disclosure rule and the FRB’s stress-testing schedule are pulling register cadence toward continuous for the categories the regulators read most often. Our operational risk management framework page anchors the operations side.

The third force is third-party concentration and the vendor-incident cycle. Verizon’s 2025 DBIR found 30% of all breaches involved a third party. Vendor risk register entries now refresh on every SOC 2 Type II report, every published vendor security advisory, and every regulator action against a critical vendor. Our how to manage third party risk page pairs with the mitigate vendor risks playbook for the workflow.

The US enterprise that runs quarterly cadence with five documented triggers and category-specific cadences for cyber and vendor risk is the institution that absorbs all three forces with the smallest GRC rewrite.

The register cadence is the visible control. The discipline that connects events to register entries (named owners, dated triggers, board-readable deltas) carries the program forward into the post-SVB era.

Next Steps for Your Risk Register Update Schedule

Risk Publishing helps US enterprises wire the quarterly cadence and the five trigger thresholds into an ERM charter the next audit committee will sign off on without questions. Review the advisory services page to see how the engagement runs, and contact the practice when the register cadence is the next item on the GRC ro
