What is a Risk Register?

A risk register is a log in its simplest form. It can take many forms, from very simple to massively complex, but fundamentally, it is where you record your risks to understand your current risk landscape; also, be aware that it will take a few passes to capture everything (and you’ll probably still miss stuff).

Purpose of a Risk Register

The main purpose is to document your risks and the actions taken to minimise them; this is a core way to satisfy the expectation of most legislation that you have applied due care and due diligence to your cyber security efforts to protect the data of your clients as well as your own valuable information.

Documenting allows you to prioritise your risks, ensuring the ones that could impact your business most are focused on.

Key Aspects of a Risk Register

Risk registers can be designed in various ways, from simple to massively complex, with multiple scoring vectors beyond the standard impact and likelihood.

But they should all have the following

• Risk detail – what is the risk?
• Risk assessment – what is the impact and likelihood of the risk?
• Risk treatment – what is the plan of action? It can be nothing
• Risk ownership – who takes responsibility?

And what a lot of people miss

• Risk monitoring and review – How do you know controls are working now and will be working in the future?

Creating and Maintaining a Risk Register

Once you have defined your risk register, you must add risks. The first step is to identify the risk. Don’t think of risks as things you have missed; when you start this process, just document risks that could affect you; don’t think about the controls you already have. A good example of this is malware; almost every business will have some form of anti-malware, but it is always a risk; new malware is released daily, so the threat is always present, even if the risk is low due to your anti-malware controls.

Closed risks should be reviewed using the same principles. However, the threat landscape changes, and what worked at the point of treatment may no longer be enough. This is why routine review and monitoring are important.

Best Practices for Utilising a Risk Register

Once you create your register then, here are some good practices to follow to ensure it brings value to the business in the long term

• Routine reviews – Risk assessment is not a one-time process but a continuous review. Risks change, controls fail, new risks occur and old ones re-occur
• Get the right people involved—Risk shouldn’t be left to a single individual. It may be managed by one person, even in large organisations, but it needs to involve key people, especially risk owners.
• Risk is a leadership issue. Ensure that risk is presented to the leadership, and ideally, they should be represented as owners of key business risks.
• Training and awareness – Make sure everyone involved in risk is trained to understand the process and expectations on them and ultimately bring buy-in.

Having a good risk management strategy (read more here) and a well defined risk register (download one for free here) is vitally important to all businesses.

‍