Risk Register


What is it?

The Risk Register page displays all your risks in a table view that you can customize, sort, and filter. The highlighted columns carry the key information used to sort risks: the risk name, residual risk, risk category, treatment type, owner, and assignment date. You can add a new risk directly from this page. The purpose of the Risk Register page is to give a complete overview of your risks and let you take quick actions and make edits by clicking on the name of a risk.

The following screenshot shows the Risk Register page.

RiskRegister Main Page

While adding a risk, it should be named clearly and briefly so anyone can understand what the risk is. Describe the potential impacts of the occurrence of the risk, ideally in business terms. Decide whether to use “worst case” or “anticipated” impacts and be consistent. Consistency is especially important as the risk register gets larger and more people get involved in the assessments.

When you click on a risk name, the details about the risk are displayed in a new tab. Click on the three-dot menu to take additional actions.

High-Level Risk Definitions

Company Objectives: A short description of the organization’s objective is available in settings.
Risk Category: Category (grouping) of risks.
Risk: Describe the risk briefly so that people will understand what risk you are assessing.
Impact: Describe the potential impacts should the risk occur, ideally in business terms. Decide whether to use “worst case” or “anticipated” impacts and be consistent. Consistency is especially important as the risk register gets larger and more people get involved in the assessments.
Inherent Risk Probability: Enter the probability or likelihood that the risk would eventuate (occur) if it were totally unmitigated, as a percentage value (see the guidance on scoring).
Inherent Risk Impact: Enter the potential business impact if the risk eventuated without any mitigation, as a percentage value (see the guidance on scoring).
Inherent Risk Rating: The product of the probability and impact values, in other words the untreated or inherent level of risk.
Connected Controls: The controls that have been selected to mitigate this risk.
Risk Action: Describe how the risk is to be treated. See “Risk Action definitions” below.
Control Strength: To what extent are controls in place? 0% means that none of your current controls are reducing the risk. 100% means that only your controls are being used to mitigate the entire risk.
Treatment Plan: If your risk actions do not include controls, you can use the free-text editor in the Treatment Plan section to add details on how the risk will be addressed.
Target Risk Probability: Enter the probability that the risk will occur once the controls, etc. are fully in effect.
Target Risk Impact: Enter the likely impact once the controls, etc. are fully in effect.
Target Risk Rating: The product of the anticipated probability and impact values once the risk treatment is fully implemented.
Residual Risk: The risk rating today, given the implementation status and the anticipated probability and impact values when fully completed.
Owner: The “Risk Owner” is the person who will be held accountable if the risk treatments are inadequate, incidents occur, and the organization is adversely impacted. It is in this person’s interest to assess and treat the risks adequately or face the consequences.

Assigning and Managing Risk Owners

Risk ownership is essential in risk management. Without a defined individual responsible for managing that risk, mitigation is not possible.

To assign a risk owner:

  1. Click on the “Owner” button in the top right corner of a risk page. 
  2. You can select owners from your existing team or invite a new owner from here.
    RiskRegister Change Owner 1

To assign an owner, there are two options:

  1. Select an owner from your current team by clicking on “Assign from current team”.
  2. Invite a new owner by clicking “Invite new Owner”. This person will receive an invite to TrustCloud and then a risk assignment notification.
    RiskRegister Change Owner 2

TrustRegister Notifications

TrustRegister alerts you to a wide variety of events, such as ‘Risk Ownership’, ‘Date Approaching’, and ‘Summary of Changes’ after a risk is edited.

Risk Categories

Risks can be assigned a custom or standard category, enabling you to quickly determine which risks belong where. Default categories include ‘Financial Risk’, ‘Operational Risk’, ‘Security Risk’, ‘Vendor Risk’, ‘Fraud Risk’, ‘Legal Risk’, ‘Brand Risk’, and ‘Strategic Risk’. The list below gives a few examples for the most commonly used risk categories. Don’t forget that you can always set up custom categories via the settings page. Click here to learn more.

Financial Risk: internal (misappropriation of assets, unintentional error); external (theft of assets, e.g., wire fraud)

Operational Risk: Reliance on the cloud, SaaS platform unavailable, software error or issue deployed, managed service platform down

  1. External environmental changes (e.g., economic changes)
  2. Changes in the organization’s business model
  3. Changes in leadership

Security Risk: SaaS platform compromised; client’s managed service environments compromised
Vendor Risk: Vendor system compromised, vendor goes out of business
Fraud Risk: Theft of client information and unauthorized users on the platform

Risk Subcategories

Risks can be further divided into subcategories to make risk management easier and more precise.

Click here to learn how to modify and edit subcategories. Make sure you add at least one subcategory for the field to be visible on the risk details page.

Risk by Groups (Departments)

Risks can be tagged and viewed by organizational groups, such as departments. This enables risk administrators to view which risks belong to engineering, sales, HR, etc. To configure and set up groups, navigate to the TrustOps groups section or click here to learn more.

The following screenshot shows the risks filtered to a specific department.

RiskRegister Risk By Groups

Reporting Groups for Risk Impact Dashboards

Risk reporting varies by audience. CEOs and boards predominantly focus on tier 1, or ‘organization critical’, risks when making decisions, whereas a CISO focuses on the risks that are increasing cyber liability. Custom reporting groups allow you to tag each risk with one or many reporting fields, which automatically generates a dashboard under the ‘Impact’ view in TrustRegister. This lets you report on a wide variety of risks across multiple levels of an organization.

For example, having a ‘Board of Directors (BoD)’ reporting group will allow you to tag risks as ‘BoD’ and showcase only these risks via a dedicated dashboard. Simply add a group, tag risks, and take a screenshot of the ‘BoD’ dashboard, making executive reporting straightforward.

The following screenshot shows the risk details along with the reporting group tags.

RiskRegister Reporting Group
 
Click here to learn how to modify and edit reporting groups. Make sure you add at least one reporting group for the field to be visible on the risk details page.

Inherent risk

Inherent risk is the level of risk you carry if you take no action to mitigate it. When choosing the likelihood of the inherent risk, consider how likely the impact is to occur if you do not mitigate the risk; refer to the ‘Scoring Guide’ when choosing the likelihood. The business impact of the inherent risk is how much effect the incident would have on the business with no mitigation in place. As with likelihood, refer to the scoring guidelines when choosing the level of impact.

After inputting those scores, the ‘Inherent Risk Rating’ will be calculated, giving you the untreated or inherent level of risk.

The following screenshot shows the inherent risk ratings.

RiskRegister Inherent Risk

Advanced Risk Breakdown

The advanced risk breakdown gives you the option to input your risk impact and likelihood using the Confidentiality, Integrity, and Availability (CIA) triad. Some organizations are required to define and maintain CIA values for contractual obligations.

  1. Confidentiality means the information is not disclosed to unauthorized users or entities.
  2. Integrity means the information is consistent and is not altered without proper approvals in place.
  3. Availability means the information is accessible to authorized users when required.

Unless you have an obligation to define and maintain CIA values, using the default simple risk breakdown is fine and acceptable.

The following screenshot shows the advanced breakdown.

RiskRegister Advanced Breakdown

Financial Impact of Risk

Finance and budgets are often prerequisites for mitigating risks, and TrustRegister ties risk management to them. Record the potential financial impact alongside your allocated and requested budget to show the business impact each risk has.

The following screenshot shows the financial impact of a particular risk.

RiskRegister Financial Impact

The values used here can be viewed via the overview page of the budget analysis dashboard. 

How to estimate financial impact:

We recommend the following high-level approach for determining the range of impact. Assume the risk was realized, i.e. the risk event took place, and ask what the primary and secondary impacts of that event would be. Adding those two values gives you a high-level estimate of what the impact could look like.

Items that are considered a primary loss:

  • Direct financial payments or loss
  • Loss of business due to disruption in services
  • Cancellation of future deals and changes in market share
  • Repair and remediation costs for responding to incidents
  • Regulatory Fines and payouts
  • Public relations and reputation damage costs including valuations and stocks

Items that are considered secondary loss:

  • Legal and consulting costs
  • Increased cyber coverage, capital costs, and insurance
  • Employee retraining and restructuring costs
  • Lost productivity and morale due to risk incident

A range is ideal as determining exact values can be challenging. Please reach out to us if you need help calculating the financial impact of your risks. 

Residual Risk

The ‘Residual Risk’ is the risk rating given on the basis of the implementation status, anticipated probability, and impact values when fully completed. For example, if the inherent risk value is 50% and the treated risk value is 30% but the treatment is only 50% implemented, the current risk level is 40%. In reality, many security controls are either fully implemented and fully effective or partially implemented and not at all effective, but the risk calculation here is based on the fact that work is underway, so management can assume it will be treated in due course. 

You can add an assessment date for when the risk will be assessed or reviewed. These options can be edited at any time.

Risk Action

The Risk Action section describes how you will be treating your risk. You can use controls to mitigate risks, leverage treatment plans, or use a combination of both.

Connected Controls

To get started, each one of our catalog risks comes pre-mapped to controls in your program. You can always remove and re-add new risks based on your current needs.

  1. Go to the “Treatment Plan” tab.
  2. Click on the “Add Control” button under the “Connected Controls” section.
  3. On the “Search for a control” search window, search for the control that will best mitigate your risk based on the current status and description.
  4. Click on the “Add Control” button.
  5. The control will be displayed in the “Connected Control” section.

The following screenshot shows the Connected Control page.

RiskRegister Connected Controls

Control Strength

Control strength refers to how ‘effective’ your selected controls are at mitigating the risk. This is a holistic number that allows you to consolidate the impact your controls are having and can go from 0% to 100%. 0% means that none of your current controls are reducing the risk. 100% means that only your controls are being used to mitigate the entire risk. The ideal is between 50 and 85%, as no combination of controls can theoretically drop the residual risk to zero. Keep in mind that changing this number will impact your residual risk, with additional formula details linked here.

Treatment Types

Controls alone are not entirely sufficient for mitigating a risk. There is always some component of residual risk remaining. You need to remediate, continue mitigating, transfer, accept, or avoid this remaining risk.

Remediation

Fully or nearly eliminate the underlying risk, either by adding controls or by fixing the root cause of the risk, as part of your next risk assessment.

Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.

Mitigation

Reduce the likelihood and/or impact of the risk without fixing it entirely, either by adding more controls or by developing a risk treatment plan independent of controls, during your next assessment.

Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.

Transference

Transferring the risk to another entity so your organization can recover from the incurred costs of the risk being realized. Choosing this option can include ‘transferring risk’ to a cyber insurance policy. 

Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited.

Acceptance

Not fixing the risk. This is appropriate where the risk is clearly low and the time and effort needed to fix it exceed the costs that would be incurred if the risk were realized. Choosing this option may require that you provide an explanation to your auditor.

Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and a successful exploit of the vulnerability is very complex. As a result, you decide you do not need to spend time and resources fixing the vulnerability.

Avoidance

Removing all exposure to an identified risk or continuing to ignore its impact. Choosing this option may require that you provide an explanation to your auditor.

Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS creator. These servers process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data being compromised, you quickly migrate that sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate non-sensitive data to other servers. You can do this knowing that the underlying reason is no longer valid, thereby avoiding the risk.

Treatment Plans and Tasks

Once you have determined how the risk will be treated, it is key to divide the remaining work amongst your team so each person can do their part in reducing the risk. For example, the risk of a data breach can be reduced by buying a cyber insurance policy, which would become helpful should the risk materialize. TrustRegister provides you with an easy way to create and manage treatment plan tasks directly for each risk.

To get started, click on the “Add Task” button within the ‘Action Plan’ section.

RiskRegister Add New Task 1

Next, add key task details like the task name, owner, group, any notes, and a due date. You can also link an external ticket from tools like JIRA or ServiceNow to track progress. In order to make budget conversations easier, we recommend you add details on how much budget you are requesting as well as how much budget is allocated so the difference can be shown to leaders.

RiskRegister Add New Task 2

This task will now be visible within each risk as well as within the task page found in TrustOps. Similar to other tasks across the platform, you will receive reminders for this task via email or via Slack. Click here to set up Slack or JIRA workflows for tasks. Once created, click on each row to open up the update window. Here, you will be able to change the status from ‘Open’ to ‘Resolved’ or ‘Dismissed’. Keep in mind that updating the status will cause this task to be updated across the platform, including connected tools like Slack or Jira. In addition, you can also communicate with your team by leaving comments to track approvals or manage change.

RiskRegister Update Task

Target Risk Level (Optional)

Similar to the ‘Inherent Risk’ from a calculation perspective, the target risk is indicative of ‘what your risk would look like’ if all treatment actions were successfully applied. For example, if your control strength is 90% and you have chosen to accept the remaining risk, what would the new impact and probability look like? This is an aspirational value against which your residual risk is calculated. Keep in mind that changing this number will impact your residual risk. Additional formula details are here.

Important Note: In order to simplify your assessments, you can set this target value to the lowest possible setting, allowing you to solely focus on inherent and residual risk.

Important Formulas and Calculations for TrustRegister

  1. Inherent Risk Rating (A) = Inherent Risk Probability × Inherent Risk Business Impact
  2. Target Risk Rating (B) = Target Probability × Target Business Impact
  3. Residual Risk (RR) = A − (A − B) × Mitigation
  4. Residual Risk (RR) = Target Risk Rating (B) when control strength is 100%

Scoring Inputs and Risk Levels 

For Teams Onboarded to TrustRegister AFTER October 1st, 2023

Risk scoring doesn’t have to be a guessing game anymore! TrustRegister supports the following inputs for impact and likelihood calculations:

RiskRegister Impact and Likelihood Calculations

These inputs result in the inherent risk and residual risk ranges shown below. Contact us via the support button in your TrustCloud account to modify the input numbers or the ranges documented here.

RiskRegister Inherent Risk and Residual Risk Ranges

These numbers are modifiable, and our team can help you set them up as part of onboarding. Contact us via the support process to get started! 

Important callouts

In order to utilize this new functionality, please make sure of the following:

  1. The ranges have no overlap. For example, if a ‘Very Low’ is between 1 and 5, a ‘Low’ cannot be between 5 and 10.
  2. The ranges have no missing numbers. For example, if ‘Very Low’ is between 1 and 5, ‘Low’ cannot start at 7.
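A worked implementation of formulas 1 to 4 from the previous section and of the two band rules in these callouts, which also reproduces the 50% / 30% / 50% case from the Residual Risk section. This is an added example, not TrustCloud's or TrustRegister's own code; the function names and the sample band thresholds are assumptions.

```python
"""Worked example of the TrustRegister formulas and scoring-band rules on this
page. Added illustration, not TrustCloud's code; band thresholds are constructed."""

from dataclasses import dataclass


def rating(probability: float, impact: float) -> float:
    """Formulas 1 and 2: a risk rating is probability x business impact.
    Inputs and result are fractions in [0, 1] (50% -> 0.5)."""
    return probability * impact


def residual_risk(a: float, b: float, mitigation: float) -> float:
    """Formula 3: RR = A - (A - B) * Mitigation, where A is the inherent rating,
    B the target rating and mitigation the control strength / implementation
    status as a fraction. With mitigation = 1.0 it collapses to B (formula 4)."""
    for name, value in (("A", a), ("B", b), ("mitigation", mitigation)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be within [0, 1], got {value}")
    return round(a - (a - b) * mitigation, 6)


@dataclass(frozen=True)
class Band:
    name: str
    low: int   # inclusive lower bound of the rating range, in percent
    high: int  # inclusive upper bound


def validate_bands(bands: list[Band]) -> list[str]:
    """Report the two defects the 'Important callouts' forbid: overlapping
    ranges and missing numbers between consecutive ranges."""
    problems = []
    ordered = sorted(bands, key=lambda band: band.low)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.low <= prev.high:
            problems.append(f"{prev.name}/{cur.name}: ranges overlap at {cur.low}")
        elif cur.low != prev.high + 1:
            problems.append(f"{prev.name}/{cur.name}: gap between {prev.high} and {cur.low}")
    return problems


def band_for(score_pct: float, bands: list[Band]) -> str:
    """Map a rating expressed in percent onto its band name."""
    score = round(score_pct)
    for band in bands:
        if band.low <= score <= band.high:
            return band.name
    raise ValueError(f"score {score_pct} falls outside all bands")


# Constructed sample bands on a 1-100 scale; the real thresholds are in the
# product screenshots and are adjusted per tenant through support.
SAMPLE_BANDS = [Band("Very Low", 1, 5), Band("Low", 6, 10), Band("Medium", 11, 40),
                Band("High", 41, 70), Band("Critical", 71, 100)]

if __name__ == "__main__":
    # The page's worked case: inherent 50%, treated 30%, 50% implemented -> 40%.
    rr = residual_risk(0.5, 0.3, 0.5)
    print(rr, band_for(rr * 100, SAMPLE_BANDS))
    print(validate_bands([Band("Very Low", 1, 5), Band("Low", 5, 10)]))  # overlap
    print(validate_bands([Band("Very Low", 1, 5), Band("Low", 7, 10)]))  # gap
```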

For Teams Onboarded to TrustRegister before October 1st, 2023

The table below represents the historical scoring model used by TrustRegister to showcase ‘Impact’, ‘Likelihood’, and ‘Calculated Inherent/Residual’ risk ranges. 

This scoring matrix has been updated in the product and will only be available to customers onboarded before October 1st, 2023. Existing customers are encouraged to move to the new approach documented above.
