Skip to content

What is it?

A tool to capture and quantify information about the risks associated with a project or activity, including the potential impact, likelihood of occurrence, mitigation measures, responses, and response triggers.

Why is it important?

A risk register increases the chances of successful execution of a project or activity by helping managers identify and evaluate risks, assess their potential impact, and create contingency plans.

Why does a business professional need to know this?

Unmitigated or unaddressed realized risks can kill. A risk register enables you to create a score for any risk that quantifies the potential impact of that risk and the likelihood that it will occur. Use this formula to calculate the score: impact * likelihood of occurrence. Prioritize your efforts by focusing on risks with the highest score and create plans for how to reduce the possibility of those risks occurring (mitigation) and how to respond if mitigation fails (risk response).

It is important not to confuse mitigation and risk response. If mitigation succeeds, no one outside your team will ever know there was a risk. You can close the risk and move on. However, you must define a clear trigger that will trip if mitigation fails and the risk becomes realized. At that point you execute your risk response.

If you are buying or selling cybersecurity defenses, you can use the risk register to evaluate a tool or create one. To do this, you enter each security risk in the register, along with a description of what the product does to prevent that risk from materializing and what you should do if the mitigation fails.

The Good Enough Risk Register Template(Trosper 2016) is a simple spreadsheet that implements a risk register. Enter the information in each field and the sheet will calculate a risk score for you.

References

About Bob Trosper

Photo of Bob Trosper

Bob Trosper is a retired agile project management organization (PMO) director and program manager (Project Management Professional (PMP) and certified scrum master) with deep industry experience. He has built two project management organizations (PMOs) from the ground up and has a successful track record of process innovation and on-time delivery of critical business initiatives.

Term: Risk register

Email: rtrosper@sonic.net

Twitter: @pickfinger

LinkedIn: linkedin.com/in/bobtrosper

What is it?

Chief Information Security Officer. The most senior individual responsible for protecting an organization’s information assets.

Why is it important?

The CISO has overall responsibility for the information security program for an organization. The CISO works closely with executive management and business stakeholders to protect information assets.

...continue reading "Term of the Week: CISO"

What is it?

A comprehensive, step-by-step series of actions to be followed by an organization’s computer security incident response team (CSIRT) and business operations personnel following a verified cybersecurity incident to reduce the overall impact of the incident.

Why is it important?

When properly implemented, an incident response plan can help ensure an effective response to security incidents and help mitigate the effects of a potentially serious event. The presence of a well-rehearsed plan has proven to reduce the financial impact of security incidents.

...continue reading "Term of the Week: Incident Response Plan"

What is it?

A plan that allows an organization to remain operational at acceptable, predefined levels of operation despite disruptions resulting from human, technical, or natural causes.

Why is it important?

With more and more companies becoming heavily reliant on data to drive decisions, any loss of that data -- even short-term -- can bring business to a halt and have dire effects on the bottom line.

...continue reading "Term of the Week: Business Continuity Plan"

What is it?

A systematic process by which an organization gathers information about its essential business functions and processes and evaluates the potential impact to the organization if those functions and processes were interrupted or otherwise adversely affected. Also referred to as a business impact analysis.

Why is it important?

This term is important because it helps organizations prioritize the allocation of time and resources to prevent, manage, and recover from incidents that affect critical business operations and assets. A business impact assessment also provides information to help create an incident response plan and a business continuity plan.

...continue reading "Term of the Week: Business Impact Assessment (BIA)"

What is it?

A process for defining, identifying, classifying, and prioritizing potential weaknesses in an organization’s computer, network, and communications infrastructure, also known as vulnerability analysis or security assessment.

Why is it important?

When conducted correctly, results from a vulnerability assessment can be used to define or update an organization’s internal and external network as well as its information security policies.

...continue reading "Term of the Week: Vulnerability Assessment"

What is it?

Controls to ensure that software applications are developed and operated in accordance with an organization’s requirements and risk tolerance levels(NIST 2017).

Why is it important?

Application risk governance provides a framework to ensure an appropriate balance between security and operations.
...continue reading "Term of the Week: Application Risk Governance"

What is it?

A combination of three approaches that organizations use to demonstrate compliance with international standards, global rules, laws, and state regulations. Referred to as IT GRC when a company uses information technology (IT) to apply GRC.

Why is it important?

Governance, risk management, compliance (GRC) is often implemented by companies that are growing globally to maintain consistent policies, processes, and procedures across all parts of the organization. It is important for business professionals to understand and follow the internal information security rules, company risk factors, and industry requirements that drive the implementation of GRC in order to ensure that the company as a whole remains compliant.
...continue reading "Term of the Week: Governance, Risk Management, Compliance (GRC)"

What is it?

The act or process of making a network, data repository, sensor, computer system, software, or other equipment resistant to unauthorized access or damage.

Why is it important?

Unauthorized access is one of the primary catalysts for operational, financial, strategic, legal, and other damage to an organization. These breaches also increase the risk of harm to third parties, including customers, patients, and other stakeholders. Hardening hardware, software, and data systems is a key risk mitigation strategy.
...continue reading "Term of the Week: Hardening"

The Language of Cybersecurity has received a 2018 STC Touchstone award for excellence from the Northern California Chapters of the Society for Technical Communication.

The citation for this honor highlights the usefulness of the references, the crispness of the writing, and the consistency of its format.

Congratulations to editor Tonie Flores and the 60+ industry experts who contributed to this book.

Touchstone Award