In a recent survey, 65% of senior finance leaders agree that the volume and complexity of corporate risks have changed “mostly” or “extensively” over the last five years. Despite the perceived high volumes and complexities of risks, many of these leaders don’t believe their risk management processes are keeping pace.
Adopting a risk register is one way that organizations can better identify, assess, and manage risks as well as risk activities in the context of their broader mission and business objectives.
Below we’ll explain what a risk register is, what benefits it offers, and how to create one. We’ll also offer an example and template to help you get started building out your own risk register.
What is a risk register?
A risk register is a repository or central record of current risks facing an organization and related information such as a description of the risk, the impact if the risk should occur, the probability of its occurrence, mitigation strategies, risk owners, and a ranking in order to help prioritize mitigation efforts.
Information should also be included about how risks change in terms of likelihood and impact based on the determined risk responses. The residual risk — or the remaining risk after applying risk responses — should also be recorded in the risk register.
Benefits of a risk register
Having a risk register offers several benefits. The most notable are:
- Consistent communication of risk information: Using a risk register with agreed-upon criteria and categories provides consistency in how you capture and communicate risk information throughout the risk management process and across the enterprise.
- Improved risk-based decisions: A risk register can help key decision makers implement, monitor, evaluate the effectiveness of, and adjust risk responses to keep overall risk within the organization’s tolerance.
- Tracking risks over time and the progress of management processes: A risk register can help you continuously monitor risks and risk responses and provide feedback to improve processes and adjust risk criteria over time.
- Compliance: Risk management is part of most security and compliance frameworks. So by having a risk register as part of your risk management program, you’ll be ensuring compliance with multiple frameworks for your organization.
How to create a risk register
Follow the steps below to create a risk register.
1. Identify and record the risks
Start by identifying all the risks that may impede your enterprise objectives. These are potential threats that might jeopardize your organization’s operations, assets, or individuals. When recording them in the risk register, you can assign each risk an ID like “R-1.”
2. Describe the risks
Next, briefly explain the risk scenario that may impact the organization. A cause-and-effect format can be useful. A sample risk description in this format is: “[Web application] is using a deprecated and insecure protocol. If exploited, this vulnerability could allow a hacker to decrypt web app traffic.”
3. Categorize the risks
Next is risk categorization. The goal is to use an organizing construct that enables you to consolidate multiple risk register entries. For example, you may use the NIST SP 800-53 Control Families. These are:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Contingency Planning
- Assessment, Authorization, and Monitoring
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical and Environmental Protection
- Planning
- Risk Assessment
- System and Services Acquisition
- System and Information Integrity
- System and Communications Protection
- Program Management
- PII Processing and Transparency
- Supply Chain Risk Management
Using these control families, the risk described in step 2 would be categorized as System and Information Integrity.
4. Assess the likelihood and impact of each risk
Now it’s time to analyze the risks. This requires estimating the likelihood that each identified risk event will occur (before a risk response is applied) and estimating the potential consequences of the risk event (if no risk response is applied).
Below are two methods for risk analysis:
- Qualitative analysis involves descriptors, such as very low, low, moderate, high, or very high. The scale can be informed by external sources, such as industry benchmarks or standards, metrics from similar previous risk scenarios, or findings from inspections and assessments.
- Quantitative analysis involves numerical values based on statistical probabilities and a monetized valuation of loss or gain.
Here are examples of a qualitative and quantitative scale that Secureframe uses for its risk register.
Let’s take a look at an example of using these scales from NISTIR 8286. Say you’re trying to estimate the likelihood and the impact of a critical business server becoming unavailable to an organization’s financial department. Subfactors that would affect the likelihood of this risk scenario are:
- The age of the server
- The network on which it resides
- The reliability of its software
For example, if the server is five years or older, then the likelihood of failure may be moderate (on a qualitative scale) or a 6-14 (on a quantitative scale).
Subfactors that would affect the impact of this risk scenario are:
- Redundancy
- Timing
- Number of customers relying on the server
- Financial materiality of customers using the server
If another server is highly available through a fault-tolerant connection, for example, then the impact of the loss of the initial server may be low (on a qualitative scale) or a 2-5 (on a quantitative scale).
5. Determine the exposure rating of each risk
You can then calculate the exposure rating for each risk based on the likelihood that a threat event will occur and result in an adverse impact. Just as with risk analysis, you can use both qualitative and quantitative models for calculating and communicating about exposure.
Risks should be prioritized based on their exposure value, among other factors.
6. Determine the type of risk response
Next, determine what type of risk response would be best for handling each identified risk.
The different types of risk response are: accept, mitigate, transfer, resolve, and avoid.
- Risks that fall within your organization’s risk tolerance levels can be accepted. The only risk response needed is monitoring.
- Risks that can be reduced to an acceptable level in a cost-effective way should be mitigated or transferred. You may respond to these risks by implementing controls that help prevent or limit the loss if a threat event occurs.
- Risks that cannot be reduced to an acceptable level in a cost-effective way should be avoided.
- If a solution or remediation is implemented, a risk can be resolved.
7. Describe the response to each risk
Briefly describe the action you are taking to respond to each risk. An example response for the risk described in step 2 might be to upgrade the [web application]’s authentication protocol.
8. Calculate the cost of the risk response
Calculate the estimated cost of applying the risk response. For the example above, if your organization already has the tools necessary to complete the upgrade, then the cost would be $0.
The risk exposure cost should be compared to the cost of the risk response to determine if it is worth trying to mitigate or transfer the risk.
9. Assess and record residual risk
After risk responses are determined, consider analyzing and recording the risk that remains after a response is applied. This is known as residual risk. You can assess the likelihood and impact of a residual risk using the same methods as you do for inherent risks to determine if any additional risk response is needed.
10. Assign a risk owner
Assign a designated party who is responsible and accountable for ensuring that the risk is maintained in accordance with organizational requirements. This party may work with a designated Risk Manager who is responsible for managing and monitoring the selected risk response.
11. Add a status
Add a status to track the current condition of the risk and any next activities. Examples of statuses might be “open,” “in progress,” or “complete.”
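The eleven steps above describe one procedure, so here is a single worked example that carries a register entry through all of them: identifying and describing a risk, categorizing it, scoring inherent likelihood and impact, deriving an exposure rating, choosing a response, comparing response cost against exposure cost, recording residual risk, and assigning an owner and status. This is added illustration code, not Secureframe's software and not a NISTIR 8286 artifact. Everything not stated in the text is an assumption: the 1-25 quantitative scale and the "very low", "high" and "very high" bands (only the low = 2-5 and moderate = 6-14 ranges come from the text), exposure computed as likelihood multiplied by impact, the tolerance value of 50, and the two sample entries and their scores, which are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Response(Enum):
    """Step 6: the five response types named in the text."""
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    RESOLVE = "resolve"
    AVOID = "avoid"


# Assumed mapping of qualitative descriptors onto a 1-25 quantitative scale.
# "low" = 2-5 and "moderate" = 6-14 are the ranges the text quotes; the other
# three bands and the 1-25 scale itself are constructed for this example.
BANDS = (
    ("very low", 1, 1),
    ("low", 2, 5),
    ("moderate", 6, 14),
    ("high", 15, 20),
    ("very high", 21, 25),
)


def to_band(score: int) -> str:
    """Translate a 1-25 score into its qualitative descriptor."""
    for name, lo, hi in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside the 1-25 scale")


@dataclass
class Risk:
    """One register row, holding the fields the eleven steps call for."""
    risk_id: str                                  # step 1, e.g. "R-1"
    description: str                              # step 2, cause-and-effect wording
    category: str                                 # step 3, an SP 800-53 control family
    likelihood: int                               # step 4, inherent (before any response)
    impact: int                                   # step 4, inherent (before any response)
    owner: str                                    # step 10
    response: Response = Response.ACCEPT          # step 6
    response_description: str = ""                # step 7
    response_cost: float = 0.0                    # step 8
    residual_likelihood: Optional[int] = None     # step 9
    residual_impact: Optional[int] = None         # step 9
    status: str = "open"                          # step 11

    @property
    def exposure(self) -> int:
        """Step 5: exposure rating, assumed here to be likelihood x impact."""
        return self.likelihood * self.impact

    @property
    def residual_exposure(self) -> int:
        """Step 9: exposure after the response; unset fields fall back to inherent values."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def exposure_cost(annual_probability: float, loss: float) -> float:
    """Quantitative analysis: monetized exposure as probability x loss per year."""
    return annual_probability * loss


def worth_treating(exposure: float, response_cost: float) -> bool:
    """Step 8: mitigating or transferring only pays off if the response costs less than the exposure."""
    return response_cost < exposure


class RiskRegister:
    def __init__(self, tolerance: int):
        self.tolerance = tolerance  # largest exposure rating accepted without treatment (assumed)
        self.risks = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise KeyError(f"duplicate risk id {risk.risk_id}")
        for score in (risk.likelihood, risk.impact):
            to_band(score)  # rejects scores outside the scale before the row is stored
        self.risks[risk.risk_id] = risk

    def ranked(self):
        """Step 5: prioritize by exposure, highest first."""
        return sorted(self.risks.values(), key=lambda r: r.exposure, reverse=True)

    def suggested_response(self, risk: Risk) -> Response:
        """Step 6: within tolerance means accept (monitor only); otherwise default to mitigate."""
        return Response.ACCEPT if risk.exposure <= self.tolerance else Response.MITIGATE

    def needing_more_response(self):
        """Step 9: rows whose residual exposure still exceeds tolerance."""
        return [r for r in self.risks.values() if r.residual_exposure > self.tolerance]


def build_sample_register() -> RiskRegister:
    """Constructed entries: the deprecated-protocol risk from step 2 and a server
    risk like the NISTIR 8286 example; the scores and owners are made up."""
    reg = RiskRegister(tolerance=50)
    reg.add(Risk("R-1",
                 "[Web application] is using a deprecated and insecure protocol. "
                 "If exploited, this could allow an attacker to decrypt web app traffic.",
                 "System and Information Integrity", likelihood=10, impact=16,
                 owner="Head of Engineering", response=Response.MITIGATE,
                 response_description="Upgrade the web application's authentication protocol.",
                 response_cost=0.0, residual_likelihood=2, residual_impact=16,
                 status="in progress"))
    reg.add(Risk("R-2",
                 "Critical finance server (five years or older) fails. If it fails, "
                 "the finance department loses access to it.",
                 "Contingency Planning", likelihood=8, impact=4,   # moderate, low
                 owner="IT Operations Manager"))
    return reg


if __name__ == "__main__":
    for r in build_sample_register().ranked():
        print(r.risk_id, to_band(r.likelihood), to_band(r.impact),
              r.exposure, r.residual_exposure, r.response.value, r.status)
```

Run as a script, the register prints its rows ranked by exposure: R-1 (160, reduced to a residual 32 by the protocol upgrade) ahead of R-2 (32, within the assumed tolerance and therefore accepted and only monitored). The `worth_treating` check is kept separate from the rating because the text compares a monetized exposure cost against a monetized response cost, whereas the exposure rating is a unitless score.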
Risk register example
Below is an example of a risk register. The first row contains categories that are based on the notional risk register in NISTIR 8286. The second row contains an entry for the risk described in the section above.
Risk register template
We created a template to provide guidance and useful information for completing and using a risk register and integrating it with your overall risk management strategy.
Risk register software
Risk register software can make it easier to create a risk register and keep it up-to-date with new risks and information.
With Secureframe for example, you can start building out your risk register with templated risks from our risk library or with custom risks. Once you import a risk description using a pre-built risk from the risk library or fill in a risk description and owner, you can use Comply AI for Risk to auto-fill most fields in the risk assessment workflow including risk score, justification, treatment, and more. At the end of the workflow, you can review and validate that the output is accurate and complete the risk assessment.
In addition to saving you valuable time and resources, this functionality ensures each risk is reported in a consistent and repeatable manner and you won’t need to spend time brainstorming categories or conducting risk formula math.
The Secureframe risk register is easy to update and view at-a-glance so your organization can stay aware of and assess risk changes, review risk and performance results, and continually improve its risk management processes to help the organization achieve its objectives. Learn more about Secureframe's new Risk Management tool.