
Understanding risk registers and risk libraries

Written by Joe Flores
Updated over a year ago

A risk library is a collection of potential risks that may affect your organization (e.g., the threat of cyber attack or the threat of fraud from an employee).

A risk library is used to create a risk register, a risk management tool used to identify risks to an individual project or an entire organization.

Many compliance frameworks require the use and regular update of a risk register to proactively reduce threats to the organization.

Using a risk register

We recommend that you use Thoropass’s Risk Register to manage risk and provide your risk management documentation directly to auditors.

Creating and using a risk register follows these steps:

  1. Identify Risks

  2. Calculate Inherent Risk

  3. Create Risk Response

  4. Calculate Residual Risk

  5. Monitor and Repeat

Identify Risks

  • Gather your risk team and brainstorm for risks to the organization. The risk team should include all relevant security, compliance, legal, and executive stakeholders.

    When brainstorming, use our provided Example Risk Library to be as thorough as possible. Be aware that no generalized risk library can predict every threat to your specific organization, so make sure to include any and all risks that your team identifies.

  • Assign each risk an owner. The risk owner is responsible for monitoring that risk and for any plans to address that risk.

  • Describe each risk in a way that is specific to your organization. This enables your organization to create the best possible risk response.

    For example, describing a risk as “unsecured WiFi at New York and London offices, and risk of unsecured WiFi for remote workers” is better than only writing “unsecured WiFi”.

Calculate Inherent Risk

For each risk, estimate the likelihood of an incident and impact of an incident to your organization if it occurred.

At Thoropass, we use a four-point scale for each metric:

  • Likelihood score, where (1) is unlikely to occur and (4) is very likely to occur.

  • Impact score, where (1) is an incident of low impact and (4) is an incident of critical impact.

The likelihood and impact scores are multiplied together to calculate the inherent risk rating.

The inherent risk rating allows you to sort and address the most crucial threats to your organization. For example, a (1) is an unlikely, low impact incident that can often be ignored, while a (16) is a very likely, critical event that must be addressed.

Create Risk Response

For each risk identified, choose a risk response and detail your plan.

The standard risk response options are:

  • Accept, where the organization accepts the risk and takes no further action.

    • Risks are typically accepted when they are highly unlikely or have low impact on the organization.

  • Avoid, where the organization resolves or eliminates the risk entirely.

    • Risks may be avoided in many ways. For example, if your organization is exposed to risk by using a cheaper but unproven third-party service, you may avoid that risk entirely by switching to a more expensive but well-established service.

  • Mitigate, where the organization implements controls to reduce the likelihood or impact of the risk.

    • Risks are most often mitigated through your established compliance posture. For example, if your organization is at risk from unauthorized access to critical systems, a policy of regular access reviews will reduce the likelihood of an incident.

  • Transfer, where the organization transfers the responsibility of this risk to a third party.

    • The most common examples of transferred risk are the purchase of insurance (e.g., cybersecurity insurance) or migrating from in-house infrastructure to a managed service provider.

The risk register is the place to summarize and track your risk status, not to project-manage each risk response. Most risk responses will require a level of planning and detail that isn’t appropriate to include in the risk register.

Calculate Residual Risk

Now that your organization has determined its risk responses, estimate the residual risk rating. The residual risk rating is the risk that remains after the response plan, treatment, and controls are put into place. It is calculated in the same way as the inherent risk rating.

Calculating the residual risk rating:

  • Likelihood score, where (1) is unlikely to occur and (4) is very likely to occur.

  • Impact score, where (1) is an incident of low impact and (4) is an incident of critical impact.

  • The likelihood and impact scores are multiplied together to calculate the residual risk rating.
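As an added illustration (not Thoropass’s code or the Risk Register product), the following Python models one register entry through the steps above: a four-point likelihood and impact score, the multiplied inherent rating, a chosen response, and a residual rating computed the same way. The range check on scores, the sanity check that residual never exceeds inherent, and the sample entries are assumptions added here for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

class Response(Enum):
    ACCEPT = "Accept"
    AVOID = "Avoid"
    MITIGATE = "Mitigate"
    TRANSFER = "Transfer"

def rating(likelihood: int, impact: int) -> int:
    """Inherent or residual rating: likelihood (1-4) times impact (1-4)."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 4:
            raise ValueError(f"{name} must be 1..4, got {value}")
    return likelihood * impact

@dataclass
class Risk:
    description: str          # specific to the organization, per the guidance
    owner: str                # the person responsible for monitoring this risk
    likelihood: int
    impact: int
    response: Response = Response.ACCEPT
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def inherent(self) -> int:
        return rating(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        # Assumption: until a response is planned, residual equals inherent.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent
        r = rating(self.residual_likelihood, self.residual_impact)
        if r > self.inherent:   # added sanity check: a response must not add risk
            raise ValueError("residual risk cannot exceed inherent risk")
        return r

def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent rating first, so the most crucial threats surface."""
    return sorted(register, key=lambda r: r.inherent, reverse=True)

# Constructed sample register; descriptions, owners and scores are illustrative.
REGISTER = [
    Risk("Unsecured WiFi at NY and London offices, and for remote workers",
         "IT Lead", 3, 3, Response.MITIGATE, 1, 3),
    Risk("Unauthorized access to critical systems", "Security Lead", 4, 4,
         Response.MITIGATE, 2, 4),
    Risk("Break-room printer outage", "Office Manager", 2, 1),
]
```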

Monitor and Repeat

Your organization should reevaluate its risk register on a regular basis as determined by your security policies, typically quarterly or biannually.

Throughout the year, any changes to your risks should be reflected in your risk register. This may be changes in your environment, services, or company structure, or updates to the risk responses you’ve put in place.
