Unified Risk Register Template — ISO 42001 + NIST + EU AI Act Integration

Zen AI Governance — Knowledge Base • ISO/NIST Integration • Updated 18 Nov 2025 • www.zenaigovernance.com

Key takeaways
  • Combines ISO 42001 risk management, NIST AI RMF functions (Map/Manage), and EU AI Act requirements into one register.
  • Each risk record links to Evidence IDs (EV-###) and PMM incidents for traceability and audit reuse.
  • Quantitative + qualitative scoring enables trend analysis and dashboards for compliance heatmaps.

Purpose & Objectives

The Unified Risk Register (U-RR) acts as the single source of truth for AI risks across projects and business units. It consolidates risk criteria (impact, likelihood, trustworthiness), control status, and responsibility to meet the requirements of:

  • ISO/IEC 42001 §6.1 – Actions to address risks and opportunities (AI risk assessment, risk treatment and impact assessment)
  • NIST AI RMF (Map, Measure + Manage) – Risk identification, measurement and treatment
  • EU AI Act Articles 9 & 10 – Risk Management System and Data and Data Governance

Register Structure & Fields

Field Name | Description | Framework Reference
Risk ID | Unique identifier (e.g., AI-R-2025-003) | ISO §6.1
Risk Title | Concise description of the risk | NIST Map 1.2
Category | Operational / Ethical / Technical / Legal / Reputational | NIST Map 1.1
Likelihood (1–5) | Probability of occurrence | ISO §6.1 / NIST Measure
Impact (1–5) | Severity if realised | ISO §6.1 / EU Art 9
Inherent Score | Likelihood × Impact before controls | ISO §6.1
Existing Controls | Implemented safeguards (technical, organisational) | NIST Manage
Residual Score | Score after controls: Inherent Score × control-effectiveness multiplier (see Risk Scoring Model), or Likelihood × Impact re-scored with controls in place | ISO §9.1
Owner | Role accountable for monitoring (e.g., AI Ops Lead) | ISO §5 Leadership
Evidence ID | Link to supporting documents (EV-###) | Annex IV EU AI Act
Next Review Date | Scheduled re-evaluation date | ISO §10 Improvement
Status | Workflow state (Open / Mitigated / Closed) | —

Risk Scoring Model

  • Score = Likelihood × Impact, giving a 1–25 scale (with integer inputs the only attainable inherent values are 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 and 25)
  • Risk Levels: 1–5 Low, 6–10 Moderate, 11–15 High, >15 Critical
  • Residual Score = Inherent Score × control-effectiveness multiplier (Strong = 0.5, Medium = 0.75, Weak = 1.0); a residual score can therefore never exceed the inherent score. Where a risk is instead re-scored directly after controls, record which method was used so that derived and re-scored residuals are not mixed on one heatmap.
  • Colour coding in dashboards: Green < 6, Amber 6–15, Red > 15 (i.e. Green = Low, Amber = Moderate or High, Red = Critical)

Workflow & Governance

  1. Identification: Risk logged by developer or business owner at design phase.
  2. Assessment: Quantitative scoring reviewed by AI Risk Officer & Data Protection Lead.
  3. Treatment: Mitigation plan approved and linked to CAPA or control register.
  4. Monitoring: Residual risk tracked in AIMS dashboard and PMM reports.
  5. Closure: Governance Board approves closure once the residual score has stayed below the agreed closure threshold for two consecutive review cycles.

Example Entries

Risk ID | Risk Title | Inherent | Residual | Owner | Status
AI-R-2025-011 | Bias in credit scoring model | 20 | 8 | Data Science Lead | Mitigated
AI-R-2025-017 | Prompt injection attack in LLM interface | 25 | 12 | Security Engineer | Open

Templates & Schemas

A) Unified Risk Register (CSV Headers)
Risk_ID,Risk_Title,Category,Likelihood,Impact,Inherent_Score,Existing_Controls,Residual_Score,Owner,Evidence_ID,Next_Review,Status
  
B) Risk Treatment Log (Excerpt)
Risk_ID | Mitigation Action | Due Date | Responsible | Evidence
AI-R-2025-011 | Add counterfactual fairness module | 2025-12-15 | ML Engineer | EV-FAI-003
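The Risk Scoring Model and the CSV layout in A) can be checked mechanically before a register feeds a heatmap. The following is an added example, not the page's template and not Zen AI Governance's tooling: it parses a register in the A) layout, recomputes inherent scores, checks recorded residual scores against the control-effectiveness multipliers, bands and colours each row, and flags records that break the model (likelihood or impact outside 1–5, a stored inherent score that is not Likelihood × Impact, a residual above the inherent, an overdue review date, a category outside the permitted list, or a non-open status with no Evidence ID). The extra `Control_Effectiveness` column, the `CATEGORIES`/`TODAY` constants, the evidence-on-closure check and the sample rows are assumptions made for this example; the page's schema carries controls only as free text.

```python
"""Checks for a Unified Risk Register CSV laid out as in A) above.

Added example, not the page's template or Zen AI Governance's tooling.
Assumption: one extra column, Control_Effectiveness (Strong/Medium/Weak),
so recorded residual scores can be checked against the multiplier table.
"""
import csv
import io
import math
from datetime import date

# Risk Scoring Model: residual = inherent x control-effectiveness multiplier.
EFFECTIVENESS = {"Strong": 0.5, "Medium": 0.75, "Weak": 1.0}
# Register Structure: permitted values of the Category field.
CATEGORIES = {"Operational", "Ethical", "Technical", "Legal", "Reputational"}
TODAY = date(2025, 11, 18)  # page update date, used as the reference date


def band(score: float) -> str:
    """1-5 Low, 6-10 Moderate, 11-15 High, >15 Critical. A residual such as
    14 x 0.75 = 10.5 sits between the integer bands; rounding up keeps the
    classification conservative (a choice made here, not stated on the page)."""
    s = math.ceil(score)
    if s > 15:
        return "Critical"
    if s > 10:
        return "High"
    return "Moderate" if s > 5 else "Low"


def colour(score: float) -> str:
    """Dashboard colour: Green < 6, Amber 6-15, Red > 15 (same rounding)."""
    s = math.ceil(score)
    if s > 15:
        return "Red"
    return "Amber" if s >= 6 else "Green"


def validate_register(csv_text: str, today: date):
    """Return (scored rows, findings) for a register in the A) CSV layout."""
    scored, findings = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid, problems = row["Risk_ID"], []
        try:
            lik, imp = int(row["Likelihood"]), int(row["Impact"])
        except ValueError:
            findings.append((rid, "Likelihood/Impact must be integers"))
            continue
        if not (1 <= lik <= 5 and 1 <= imp <= 5):
            problems.append(f"Likelihood/Impact outside 1-5 ({lik}, {imp})")
        if row["Category"] not in CATEGORIES:
            problems.append(f"unknown Category '{row['Category']}'")
        inherent = lik * imp
        if float(row["Inherent_Score"]) != inherent:
            problems.append(f"Inherent_Score {row['Inherent_Score']} != {inherent}")
        residual = float(row["Residual_Score"])
        if residual > inherent:
            problems.append("Residual_Score exceeds the inherent score")
        eff = row.get("Control_Effectiveness", "")
        if eff in EFFECTIVENESS:  # residual must follow the multiplier table
            expected = inherent * EFFECTIVENESS[eff]
            if abs(residual - expected) > 1e-9:
                problems.append(f"Residual_Score {residual:g} != {expected:g} "
                                f"({inherent} x {EFFECTIVENESS[eff]}, {eff})")
        elif eff:
            problems.append(f"unknown Control_Effectiveness '{eff}'")
        if date.fromisoformat(row["Next_Review"]) < today:
            problems.append(f"Next_Review {row['Next_Review']} is overdue")
        # Any non-open status should be backed by an evidence link (EV-###).
        if row["Status"] != "Open" and not row["Evidence_ID"].strip():
            problems.append(f"Status {row['Status']} without an Evidence_ID")
        scored.append({"Risk_ID": rid, "inherent": inherent, "residual": residual,
                       "level": band(residual), "colour": colour(residual)})
        findings.extend((rid, p) for p in problems)
    return scored, findings


# Constructed sample rows (not the page's example entries); the third row is
# deliberately broken in four ways.
SAMPLE_REGISTER = """\
Risk_ID,Risk_Title,Category,Likelihood,Impact,Inherent_Score,Existing_Controls,Control_Effectiveness,Residual_Score,Owner,Evidence_ID,Next_Review,Status
AI-R-2025-021,Training data leakage via model outputs,Technical,4,5,20,Output filtering; membership-inference tests,Strong,10,Security Engineer,EV-SEC-014,2026-03-31,Mitigated
AI-R-2025-022,Unlogged model version changes,Operational,3,4,12,Change approval in CI,Medium,9,AI Ops Lead,EV-OPS-007,2026-01-15,Open
AI-R-2025-023,Unverified third-party model weights,Technical,3,5,15,None yet,Weak,16,ML Engineer,,2025-10-01,Mitigated
"""


def run_sample():
    return validate_register(SAMPLE_REGISTER, TODAY)


if __name__ == "__main__":
    scored, findings = run_sample()
    for r in scored:
        print(f"{r['Risk_ID']}: inherent {r['inherent']} residual {r['residual']:g} "
              f"-> {r['level']} ({r['colour']})")
    for rid, problem in findings:
        print(f"FINDING {rid}: {problem}")
```

Run against the sample, the first two rows pass and land in the Amber band; the third row produces four findings (residual above inherent, residual not matching the Weak multiplier, overdue review, and a Mitigated status with no evidence link), which is exactly the kind of record that should not reach a compliance heatmap or a closure decision. Without the assumed `Control_Effectiveness` column the multiplier check is simply skipped, so the script also works on a register in the plain A) layout. The two-cycle closure rule needs review history rather than a single snapshot and is not checked here.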

Framework Alignment

Framework | Reference | Relevance
ISO/IEC 42001 | §6.1 & §9.1 | Risk identification and performance evaluation.
NIST AI RMF | Map & Manage | Risk profiling and treatment cycle.
EU AI Act | Articles 9–10 | Mandatory risk management system and data governance linkage.
UK DSIT Framework | Principle 3 | Proportionate governance of AI risks with transparency.

Implementation Checklist

  • Unified Risk Register template created and stored in Evidence Repository.
  • Cross-linking enabled between RMS, CAPA Log, and PMM Records.
  • Quarterly risk review performed by AI Governance Board.
  • Heatmap dashboard visualises top 10 residual risks by category.
  • Audit trail preserved for all risk updates and mitigation decisions.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 18 Nov 2025 • This page is general guidance, not legal advice.

Related Articles
  • Mapping ISO/IEC 42001 Clauses to NIST AI RMF Functions
  • What is the EU AI Act and who does it apply to?
  • Risk Management System (EU/UK aligned)
  • Obligations for High-Risk AI Systems (EU/UK aligned)
  • Conformity Assessment & CE Marking (EU / UK Aligned)