We gather data from the business in a Business Impact Analysis (spreadsheet), which is used to create the business continuity plans.
For every exposure identified in a plan, we do a Risk Acceptance Form. After every yellow incident, we perform a post-incident review, and for every large exercise, we do a post-exercise review.
For any exposures or findings, we follow through using our spreadsheet.
Enterprise Risk: We have a process for our Annual Risk Assessment, whereby we identify, assess, report, and monitor risks. This is all spreadsheet-based currently.