Use the Risk Register overview and guidance document as a standalone resource or as a documented internal procedure.
Best Practice: This guide and outline for the Risk Register in your Trustero account will help you meet compliance requirements while mitigating risk. Feel free to provide a link to this guidance or create your own version on your organization's wiki page.
Objective
This Risk Register Guide will help you establish best practices and maintain information security risk criteria. This will ensure that successive security risk assessments produce consistent, valid and comparable results, to identify, analyze, evaluate and treat risk.
Designate a Risk Owner
Most companies have several people who have expertise in specific risk areas. To prepare for a security audit, the company needs to appoint a Risk Owner who has responsibility over all security risks. This person must have the seniority (or mandate) to address risk issues anywhere in the company. They must be able to put risk analysis on the agenda in different department meetings, and drive sometimes uncomfortable conversations to completion with action items and timely resolution.
Guidance Outline
1. Risk Identification
- Risk Title (Applicable Threats): Start by identifying threats specific to your industry, for example those facing a SaaS provider.
- Predisposing Condition / Vulnerability: Recognize weaknesses within your environment that may be exploited by the identified threats.
- Asset at Risk: Pinpoint critical services or products that are susceptible to these threats. This is determined in your Business Impact Analysis (BIA).
- Impact to Customer: Assess how an adversarial event, if it were to expose a vulnerability, could affect the Confidentiality, Integrity, and Availability (CIA) of the in-scope data. This includes the potential for data breaches, unauthorized data modification, or interruptions to critical services.
- Overall Inherent Risk: To calculate the inherent risk, consider the likelihood of a threat event occurring before controls are in place. Then consider the potential loss (or adverse impact like reputation damage) that could result. For semi-quantitative scoring calculation, please refer to the “Risk Scoring Calculation” section below.
- Risk Response: Management should determine an appropriate response to each risk based on the organization's risk tolerance and the potential impact on business mission and objectives. For details on risk response options, please refer to the “Risk Treatment Options” section.
- Control Implementation: Identify and apply mitigating and compensating controls as necessary to reduce the risk to an acceptable level.
- Residual Risk: The remaining risk (residual risk) is the inherent risk that persists after the effectiveness of the risk response has been taken into account.
- Risk Acceptance: Selecting “Completed” from the risk “Status” indicates that the above outlined steps have been completed and management has approved the risk response with corresponding corrective actions.
Information security is a moving target. Once you have taken your company through the Risk Register, Trustero recommends reviewing and updating this document regularly and as necessary to reflect any changes in the risk landscape or the organization's risk tolerance.
Inherent Risk Scoring Calculation:
Calculating the chances of a risk happening is a challenging undertaking with many unknowns and unknowables. What is the chance of a database breach? A ransomware attack? A week-long power failure? A vendor’s security breach that opens access into your systems?
The National Institute of Standards and Technology (NIST) has published guidelines for Risk Analysis and Management (links at the bottom). The NIST guidelines may help you make semi-quantitative risk calculations, giving you a systematic, structured approach to managing organizational risks. This process is crucial for maintaining the integrity and security of information systems and for making informed decisions regarding risk treatment strategies.
Calculation Process
The risk scoring process determines the likelihood of a threat exploiting a vulnerability or predisposing condition and the impact that such an event would have on the organization. This calculation is essential for prioritizing risks and deciding on appropriate mitigation strategies.
- Likelihood Assessment: This evaluates the probability of any risk occurring. It is not limited to security vulnerabilities or predisposing conditions. It considers various factors like the presence of threats or vulnerabilities, environmental conditions, and the effectiveness of existing controls.
- Impact Assessment: Determines the potential consequences of a threat that exploits a vulnerability. The assessment forecasts the harm to the organization's confidentiality, integrity, and availability of information and systems.
- Risk Level Determination: Taken together, the likelihood and impact yield the overall risk level. This level guides the decision on whether to accept, avoid, mitigate, share, or transfer the risk.
Risk Scoring Matrix
The attached tables provide a detailed breakdown of how risk levels are calculated based on the combination of likelihood and impact. This illustrates how different combinations of likelihood and impact levels correspond to overall risk levels, ranging from Very Low to Very High.

NOTE: Behind the scenes, the Risk Register computes the risk level from the selected likelihood and level of impact, so the result is accurate and repeatable rather than hand-picked.
Risk Level Defined
Each risk level from Very Low to Very High has a specific score and associated description, indicating the severity of the potential outcomes. Ensure that risk levels correspond with your organization's defined risk tolerance, as stated in your ISMS Management Program Policy or equivalent documentation.
- Very High: Multiple severe or catastrophic adverse effects are likely.
- High: A severe or catastrophic adverse effect is likely.
- Moderate: A serious adverse effect is possible.
- Low: Limited adverse effects are likely.
- Very Low: Negligible adverse effects are expected.
Likelihood of Occurrence Defined
Quantifies how frequently a risk event is expected to occur, from Very Low (once every 10 years) to Very High (more than 100 times a year).
- Very High: Occurs more than 100 times a year; almost certain adverse impact.
- High: Occurs between 10 and 100 times a year; likely adverse impact.
- Moderate: Occurs between 1 and 10 times a year; possible adverse impact.
- Low: Occurs less than once a year; unlikely adverse impact.
- Very Low: Occurs less than once every ten years; highly unlikely adverse impact.
Adverse Impact Defined
Provides a score and description for different levels of impact a risk event could have on the organization, from Very Low (negligible) to Very High (severe or catastrophic).
- Very High: Multiple severe or catastrophic adverse effects; significantly exceeds risk tolerance.
- High: Severe or catastrophic effects; approaches upper limits of risk tolerance.
- Moderate: Serious effects; within acceptable risk tolerance.
- Low: Limited effects; comfortably within risk tolerance.
- Very Low: Negligible effects; minimal concern within risk tolerance.
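The following is an added example, not code from Trustero or from the Risk Register product, showing how the Guidance Outline fields and the likelihood/impact scoring above fit together in one register entry: inherent risk is looked up from likelihood and impact, the response and controls are recorded, residual risk is re-scored, and "Completed" is refused until the acceptance checks pass. The risk matrix is an assumption reproduced from NIST SP 800-30 Rev. 1 Appendix I (Table I-2) and should be replaced by the tables attached to your own Risk Register; the field names, the checks in `problems()`, the tolerance value and the ransomware sample entry are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Five-point scale shared by likelihood, impact and overall risk."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


VL, L, M, H, VH = Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH

# Overall risk for each likelihood (row) x impact (column, Very Low .. Very High).
# Assumption: reproduced from SP 800-30 Rev. 1 Table I-2; swap in your own matrix.
RISK_MATRIX = {
    VL: [VL, VL, VL, L, L],
    L:  [VL, L,  L,  L, M],
    M:  [VL, L,  M,  M, H],
    H:  [VL, L,  M,  H, VH],
    VH: [VL, L,  M,  H, VH],
}

# Risk treatment options from the guidance.
RESPONSES = ("Accept", "Avoid", "Mitigate", "Share", "Transfer")


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Deterministic lookup: the same inputs always give the same risk level."""
    return RISK_MATRIX[likelihood][int(impact)]


@dataclass
class RiskEntry:
    """One row of the register, using the Guidance Outline fields (names assumed)."""
    title: str                          # Risk Title (applicable threat)
    vulnerability: str                  # Predisposing condition / vulnerability
    asset: str                          # Asset at risk, from the BIA
    customer_impact: str                # Effect on C/I/A of in-scope data
    likelihood: Level                   # Likelihood before controls
    impact: Level                       # Impact before controls
    response: Optional[str] = None      # One of RESPONSES
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[Level] = None   # Likelihood after the response
    residual_impact: Optional[Level] = None       # Impact after the response
    approved_by: Optional[str] = None   # Management sign-off for acceptance
    status: str = "Open"

    @property
    def inherent_risk(self) -> Level:
        return risk_level(self.likelihood, self.impact)

    @property
    def residual_risk(self) -> Level:
        """Inherent risk re-scored with post-response values; a missing
        residual value means the response did not change that factor."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return risk_level(lk, im)

    def problems(self, tolerance: Level) -> List[str]:
        """Checks that must all pass before Status may be set to Completed."""
        found = []
        if self.response not in RESPONSES:
            found.append("no valid risk response selected")
        if self.response == "Mitigate" and not self.controls:
            found.append("Mitigate selected but no controls recorded")
        if self.residual_risk > self.inherent_risk:
            found.append("residual risk cannot exceed inherent risk")
        if self.residual_risk > tolerance and self.response != "Accept":
            found.append("residual risk is above tolerance and has not been accepted")
        if not self.approved_by:
            found.append("management approval missing")
        return found

    def complete(self, tolerance: Level) -> "RiskEntry":
        """Mark the entry Completed, refusing if any acceptance check fails."""
        issues = self.problems(tolerance)
        if issues:
            raise ValueError("; ".join(issues))
        self.status = "Completed"
        return self


def example_entry() -> RiskEntry:
    """Constructed sample: a ransomware risk for a SaaS provider, mitigated
    from Moderate likelihood / Very High impact down to Low / High."""
    entry = RiskEntry(
        title="Ransomware on production file storage",
        vulnerability="Backups reachable with the same credentials as production",
        asset="Customer document service",
        customer_impact="Availability and integrity of customer documents",
        likelihood=M, impact=VH,
        response="Mitigate",
        controls=["Immutable off-site backups", "Endpoint detection and response"],
        residual_likelihood=L, residual_impact=H,
        approved_by="CISO (sample name)",
    )
    return entry.complete(tolerance=M)  # organization's assumed risk tolerance


if __name__ == "__main__":
    e = example_entry()
    print(e.title, "| inherent:", e.inherent_risk.name,
          "| residual:", e.residual_risk.name, "|", e.status)
```

The checks in `problems()` encode the acceptance rule from the outline: a residual risk that is still above tolerance can only be closed through an explicit "Accept" response with a named approver, and a residual score higher than the inherent score is rejected as a data-entry error rather than silently stored.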
Risk Treatment Options
Each of these treatment options provides a different approach to managing risk, and the choice of which to use depends on an organization’s risk appetite, the specific context of the risk, and the potential costs involved in the risk treatment.
- Accept: Accepting the risk means acknowledging that the potential impact and likelihood of the risk occurring are tolerable to the organization without taking any further action. This option is typically chosen when the cost of mitigating the risk exceeds the benefit that would be gained from doing so, or when the likelihood of occurrence is considered acceptably low.
- Avoid: Avoiding the risk involves altering plans or procedures to completely eliminate the exposure to the risk. This may include:
  - Changing business practices
  - Not proceeding with a project
  - Avoiding certain markets or technologies
  Avoidance is the most definitive way to handle a risk but can also mean missing out on potential opportunities.
- Mitigate: Mitigation refers to taking steps to reduce the likelihood and/or impact of a risk to an acceptable level. Mitigation helps in managing the risk to a level where the benefits of risk reduction outweigh the costs. This might involve:
  - Implementing controls
  - Adopting new policies
  - Enhancing security measures
  - Improving operations
- Share: Sharing the risk involves partnering with other parties to distribute the impact of the risk. This can include joint ventures, partnerships, or consortia where risk exposure is distributed among the members. Sharing risk is beneficial in scenarios where single entities do not want to bear the full brunt of a risk or where shared expertise can help manage the risk more effectively.
- Transfer: Transferring the risk means shifting the responsibility or burden of the risk to another party. This is often done through:
  - Insurance policies
  - Outsourcing
  - Contracts where another party agrees to cover the risk
Regulatory roots
Our Risk Register is derived from three publications from the National Institute of Standards and Technology:
- NIST SP 800-30 Rev. 1 Guide for Conducting Risk Assessments
- NIST SP 800-37 Rev. 2 Risk Management Framework (RMF)
- NIST SP 800-39 Managing Information Security Risk