I get it, cyber risk registers are not something many companies have ever taken that seriously. They are a dumping ground for concerns, “risks”, compliance issues, etc. … the list goes on…for the organization. Often being passed on from employee to employee until someone sits on it long enough or is thoroughly frustrated with it and they just hand it off to the next guy who seems qualified to manage it.
Just STOP right there, you have questions and we have answers. I’m going to walk you through where to begin and how to keep moving forward.
Step 1 - Start with defining what risk is
Take a deep breath. It’s just a risk register and, though daunting, is something you are capable, maybe not willing, of handling.
Let’s start by making sure everything that should be on the risk register is actually a risk. This may take hours, days, or even weeks but spend your time going through the listing – maybe on your own or with the owners of the “risks” – to determine what can get tossed out. I’m not saying these concerns within the organization should be forgotten but they shouldn’t have a home on your risk register.
Step 2 - Re-scope your risk scenario statements accordingly
Scope the darn thing. This step may very well coincide with Step 1 but is a whole different area to tackle.
If you are meeting with your SMEs that have the knowledge around each of these “risks” you can challenge each item by having them scope it. Start first with the actual Loss Event, what are they concerned with (not just any potential risk) and when does the loss materialize? If you can make it to this point and this risk register item is actually a loss event, then move on to the additional steps of scoping – define your asset(s), threat(s), and impact. Not only will this help to flush out some of the items that do not belong on the risk register but it will also help you to get a listing of risks to start to triage, quantify, and prioritize. Congratulations you’ve cleaned up your risk register and can now begin the risk assessment process. This can still be an area where you can get intake from the business to identify risks, just make sure going forward the items added are actual risks. Which brings me to my last point…Step 3!
Step 3 - Train and Operationalize
Make this method stick. Develop your register in a way that those adding to it are forced to put actual risks within it. They must scope it out – it’s okay to keep it high level - I envision some simple columns to identify the Loss Event, Asset, Threat, Impact – and get the details when it’s fresh in their minds. Train the subject matter experts (SMEs) or those who add to the register to only add real risks and fully scope them when adding. This will help you in the long run to manage this risk register.
It can seem daunting and impossible to tackle a giant risk register but it can be done. Find what works best for your organization and for the SMEs providing you with risks to keep up all of the hard work you put in initially.
Next, watch the video How to Unscramble Your Risk Register to see some risk triage in action.
And for an advanced view of risk registers, see How ADP Gets Business Value from Its Risk Register with FAIR and RiskLens
RiskLens can help your organization streamline its risk register by quantitatively assessing risks (starting with “high” risks) to determine which cause the greatest amount of exposure to the company and should be mitigated first. Let us show you how.