How to create a risk register in under 10 minutes

In today's blog we're going to be talking about risk registers and how you can get your risk register set up within 10 minutes of watching this video.

Just like our recent blog articles, we're going to be providing a templated version already set up for you, so you can download this template, open it up and get started once you have followed this video.

The risk register we're going to be looking at today, and the one you can download, is a comprehensive one, colour coded for visualisation. So it may look like a lot, but it's fairly easy to navigate, and a lot of the cells update automatically when you put information in them.

OK, so if you're new to risk, this subject can be a big area. A lot of businesses know about the standard risks to a business, such as fire, flood, theft, people leaving the business and so forth.

But what you also have to think about, especially if you are working towards ISO 27001 or IASME Cyber Assurance, is the wider picture of the risk to the business. So we need to think about backups, assets (your computers, servers, bring-your-own devices, home workers etc.), the environmental settings, the physical aspects of the business and so on.

So as an example, say you work in a managed building in the middle of the city, and it has a shared reception area. What are the risks here? Possibly anyone could walk in and sit down; is there confidential information available for people to see? What are the opening hours of the building? What can be locked in your area?

So as you can see, there's a lot to think about, and if you've not thought about this already, take a step back, have a think, look around your business and ask "what if this, what if that" and so forth.

Now that we know what risk is and what we need to look for, let's get into the juicy stuff: the risk register.

Today we're going to go through the example risk register we have. This risk register is more tailored towards ISO 27001 compliance, so if you're not going to work towards that in the future there are a column or two you could remove to make it easier.

Ideally, you want to create a risk register in Excel or some other spreadsheet software, as it's generally easier to work with. There are a few columns to look at, which may be overwhelming for some, but we'll talk about each of these columns shortly.

First up, when it comes to risk registers, you need to have some sort of well-defined risk impact matrix or scale in place, so you can identify what the risk impact is and how severe it is.

As a standard, you should include the CIA triad, so look at Confidentiality, Integrity and Availability when it comes to the risk, and think about how often this may happen.

In our template you can see that we have Confidentiality, Integrity and Availability listed on the left, and then we have the impact level: a low impact if it may happen once every 6 to 12 months, a medium impact if it may happen every 1 to 6 months, and a critical impact if it happens more often than that.

When it comes to defining your risks and looking at the severity, you should work from this scale or one similar to it.

Now we move on to the risk register; this is where you will spend most of your time.

This page is split into several sections, each of which is split into several columns.

The first section is Risk Details. In this section you will want a unique reference for your risk; then we have the primary asset and the sub-asset. Now, depending on you and your business, you could either consolidate these into one column, or have a primary asset like hardware and then a sub-asset like desktop or laptop. It depends on how detailed you would like to be.

Then we have the risk and impact description: what is the risk to the business? For example, we have a primary asset of hardware, a sub-asset of laptop, and the risk and impact could be that the laptop is stolen from the user whilst off site, with loss of personal information. Or something similar.

Explain what the risk is and what the impact to the business will be; make it informative.

The next section is Risk Treatment. This section is made up of the following columns.

Cost Impact: what's the cost to the business? So if you lose a laptop, it may be something like £1000.

ISO 27001 SoA Control: this column can be removed if you are not working towards ISO 27001, but if you are, you should look at which SoA (Statement of Applicability) control this risk maps to.

Risk Probability is the next column: what is the probability that this risk may occur, low, medium or high? You should select the most appropriate value from the list.

Risk Impact is next: what would be the impact on your business if this risk did happen? Again it's a low, medium or high value.

Risk Level will automatically populate for you when the previous two columns have been filled in.

Then we have the A, E, R, T column. This column is all about how you will deal with the risk that you have identified: do you Accept the risk, Eradicate the risk, Reduce the risk or Transfer the risk somewhere else?

Then the last column in this section is the Owner: who owns this risk, who will manage the risk, treat it, and so forth.

Then, in a column/section of its own, is Suggested Action. So what is the suggested action to reduce or remove this risk to the business?

Then we move on to the Residual Risk section. This section is made up of the following.

Residual Probability: this is where you highlight what the residual risk to the business will be once remediations are put in place. You can select from the drop-down box; again, this is a low, medium or high value.

Then we have Risk Level; this will auto-populate, giving you the residual risk to the business.

Then it's Documents and Policies: what documents and policies are applicable to this risk? You should have at least one here.

Now we're on to the last section, Risk Review.

So we have a Last Reviewed date: when was this risk last reviewed? It should be reviewed at least annually or upon a change to the risk.

We have the Next Review date, and lastly the Status of the risk: ongoing, being reviewed etc.
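To show how the columns above fit together, here is an added Python model of one register row; it is example code written for this post, not the template's own spreadsheet formula. It assumes a 3x3 scoring for the auto-populated Risk Level (low=1, medium=2, high=3, product banded back into low/medium/high) and that the residual level reuses the original impact with the residual probability; everything else follows the columns described above.

```python
from dataclasses import dataclass, field
from datetime import date

LEVELS = ("low", "medium", "high")   # values of the probability/impact drop-downs
TREATMENTS = {"A", "E", "R", "T"}    # Accept, Eradicate, Reduce, Transfer

def risk_level(probability: str, impact: str) -> str:
    """Auto-populated Risk Level from two low/medium/high cells. Assumed scoring, since
    the template's formula is not shown: low=1, medium=2, high=3, product banded back."""
    score = (LEVELS.index(probability.lower()) + 1) * (LEVELS.index(impact.lower()) + 1)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

@dataclass
class RiskEntry:
    # Columns in the order the post walks through them.
    ref: str
    primary_asset: str
    sub_asset: str
    description: str
    cost_impact: float
    probability: str
    impact: str
    treatment: str                  # A, E, R or T
    owner: str
    suggested_action: str
    residual_probability: str
    last_reviewed: date
    next_review: date
    status: str = "ongoing"
    soa_control: str = ""           # leave empty if not working towards ISO 27001
    documents: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Mirror the spreadsheet's drop-down validation and the "at least one document" rule.
        for value in (self.probability, self.impact, self.residual_probability):
            if value.lower() not in LEVELS:
                raise ValueError(f"{self.ref}: {value!r} is not low/medium/high")
        if self.treatment.upper() not in TREATMENTS or not self.documents:
            raise ValueError(f"{self.ref}: treatment must be A/E/R/T and documents non-empty")

    @property
    def risk_level(self) -> str:
        return risk_level(self.probability, self.impact)

    @property
    def residual_risk_level(self) -> str:  # assumed: same impact, post-treatment probability
        return risk_level(self.residual_probability, self.impact)

    def review_overdue(self, today: date) -> bool:  # at least annually, or next date passed
        return today > self.next_review or (today - self.last_reviewed).days > 365
```

Filling one row with the laptop example from this post gives a risk level of high, a residual level of medium once the probability drops to low, and an overdue flag as soon as the next review date passes.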

And that's it. I hope this all makes sense; please download the template.