Which artifact is used to systematically identify and document potential risks in a system?

Study for the CompTIA SecurityX Test.

Multiple Choice

Which artifact is used to systematically identify and document potential risks in a system?

A risk register is the central artifact used to systematically identify and document potential risks in a system. It serves as a living log that records each identified risk along with key details such as description, likelihood, impact, risk rating, responsible owner, and planned mitigations or controls. This organized, ongoing document helps stakeholders prioritize responses, allocate resources, and monitor progress over time, ensuring that risks are actively managed rather than just noted.

A threat model focuses on identifying threats and attack surfaces within a system, but it isn’t the centralized log used to capture and track all identified risks. An incident log records events after incidents occur, which is retrospective rather than a proactive catalog of potential risks. A change request concerns proposed changes to the system, not the documentation of risks.
