Risk · A live register
A risk register scored off real system signals.
Not a spreadsheet you rebuild before the board meeting. Noru's risk register is fed by security findings, vendor posture and control status from the systems you run — scored, owned, and tracked to treatment as your environment changes.
The way this usually goes
The risk register is a spreadsheet someone refreshes the week before the board meeting, then forgets.
Risk scores are guesses — disconnected from the findings, vendors and controls that actually drive them.
Treatments get logged once and never followed to resolution.
Who it's for
One system, every stakeholder
Security & CISO
Risk scored off live signals from your stack, not a once-a-year workshop guess.
Compliance & GRC
A register auditors trust because every risk links to the controls and evidence behind it.
Risk owners
Treatments owned and tracked to resolution, with status that reflects reality.
Leadership & board
Board-ready risk reporting that's current the day you present it.
How it works
What Noru does instead
01
Fed by real signals
Risks connect to security findings, vendor assessments and control status from your live systems — so the register reflects what's actually happening, not what someone remembered.
- Security findings and vulnerabilities feed risk
- Vendor and ICT exposure scored into the register
- Control drift surfaces the risk it creates
02
Scored, owned, tracked
Inherent and residual scoring with impact and likelihood, an owner on every risk, and treatments tracked from decision to done.
- Inherent and residual risk with impact/likelihood
- An owner and a review cadence per risk
- Treatments tracked to resolution, not just logged
03
Linked to the whole program
Risks tie to the controls that mitigate them and the evidence that proves it — one register across security, privacy, vendors and AI.
- Risks linked to controls and evidence
- Privacy and AI risks in the same register
- Findings, treatments and controls in one view
04
Board-ready on demand
Reporting that's current whenever you need it — exposure across the portfolio, defensible to your board and your auditors.
- Portfolio-level risk reporting
- Current the day you present it
- Defensible audit trail per risk
What's included
Platform modules working together
This solution runs on the same system of record as everything else — add modules later without re-platforming.
Risk Register
Know your risk before anyone asks
A live register linked to security findings, controls and treatments — not a yearly workshop artifact.
Security
Track every finding to resolution
Certificates, vulnerabilities and pen-test findings tracked to resolution and linked to risk.
Vendor Risk
See every vendor's posture
A vendor register with risk scoring, security questionnaires and evidence collected from responses.
Controls
Implement once, satisfy many
One control library, mapped across ISO 27001, SOC 2, GDPR and 20+ frameworks — the same evidence reused everywhere.
Request a demo
See it on your own data.
A walkthrough tailored to this use case, with your questions answered by practitioners.
- 45 minutes, tailored to the frameworks and use cases you care about
- Answers from practitioners, not a sales script
- Leave with a concrete rollout plan — or a clear no-fit
FAQ
Frequently asked questions
Where do risk scores come from?
Each risk carries inherent and residual scoring with impact and likelihood, but the inputs are live: security findings, vendor assessments and control status from your connected systems feed the register, so scores reflect real signals rather than a periodic guess.
How is this different from a risk spreadsheet?
A spreadsheet is a snapshot you maintain by hand. Noru's register is fed by your systems, links every risk to the controls and evidence behind it, assigns owners and review cadences, and tracks treatments to resolution — current by default.
Does it cover privacy and AI risk too?
Yes. Privacy DPIAs and AI model risks land in the same register as security and vendor risk, so you have one defensible view of exposure across the whole program.
Is it audit- and board-ready?
Yes. Every risk has an audit trail, links to its controls and evidence, and rolls up into portfolio reporting you can present to the board or hand to an auditor on demand.
