Risk Register
A risk register is a structured document or system that records, tracks, and manages identified risks to an organisation's operations, compliance, or objectives. In the context of TTPA compliance, it catalogues specific risks related to political advertising transparency, targeting restrictions, and regulatory obligations. The register typically includes each risk's description, likelihood, potential impact, mitigation measures, and responsible parties.
Legal Basis
While Regulation (EU) 2024/900 does not explicitly mandate a "risk register" by name, risk assessment and management are implicit in its compliance obligations:
"Providers of political advertising services shall ensure that the sponsor is clearly and unambiguously identified and that a transparency notice is made available."
— Article 7, Regulation (EU) 2024/900
Risk registers support compliance with broader due diligence obligations under Article 6 and help organisations demonstrate accountability to supervisory authorities.
Why It Matters
A risk register is essential for any organisation involved in political advertising services—platforms, publishers, agencies, and sponsors. It provides a systematic framework to identify where compliance failures might occur, assess their severity, and prioritise mitigation efforts.
For platforms and publishers, a risk register helps track operational risks such as missing transparency labels, failure to verify sponsor identity, or inadvertent use of prohibited targeting techniques. For sponsors and political actors, it identifies risks around data processing, cross-border restrictions, and third-country sponsorship rules.
Maintaining an up-to-date risk register also demonstrates proactive compliance to supervisory authorities and can serve as evidence of due diligence during investigations or audits. It supports internal accountability by assigning clear ownership for each risk area and tracking the effectiveness of mitigation measures over time.
Key Points
- Proactive compliance tool: Identifies potential violations before they occur, enabling preventive action rather than reactive remediation.
- Covers all TTPA obligations: Should include risks related to transparency notices, sponsor verification, targeting restrictions, record-keeping, and reporting channels.
- Living document: Must be regularly reviewed and updated, especially when new services are launched, regulations change, or incidents occur.
- Assigns accountability: Clearly designates which teams or individuals are responsible for monitoring and mitigating each risk.
- Informs training and resources: Helps prioritise where compliance training, technology investment, or process improvements are most needed.
- Supports audit readiness: Demonstrates to supervisory authorities that the organisation has systematic risk management processes in place.
Risk Register vs. Compliance Audit
A risk register is a forward-looking, continuous management tool that identifies and tracks potential compliance failures, while a compliance audit is a periodic, retrospective assessment that evaluates whether controls are working and obligations are being met.
The risk register informs what auditors should examine and helps prioritise audit scope. Audit findings, in turn, often identify new risks or control weaknesses that should be added to the register. Together, they form a continuous compliance cycle: the register identifies what could go wrong, mitigation measures address those risks, and audits verify whether the measures are effective.
Organisations should maintain both: a dynamic risk register for day-to-day risk management and regular audits (internal or external) to validate compliance and update the register based on real-world findings.
Related Terms
- Compliance Management System
- Due Diligence
- Transparency Notice
- Provider of Political Advertising Services
- Targeting Techniques
- Sponsor
- Political Advertising
- Supervisory Authority
- Record-Keeping
- Data Protection Impact Assessment