Term of the Week: Risk Register

Why does a business professional need to know this?

Unmitigated or unaddressed realized risks can kill. A risk register enables you to create a score for any risk that quantifies the potential impact of that risk and the likelihood that it will occur. Use this formula to calculate the score: impact * likelihood of occurrence. Prioritize your efforts by focusing on risks with the highest score and create plans for how to reduce the possibility of those risks occurring (mitigation) and how to respond if mitigation fails (risk response).

It is important not to confuse mitigation and risk response. If mitigation succeeds, no one outside your team will ever know there was a risk. You can close the risk and move on. However, you must define a clear trigger that will trip if mitigation fails and the risk becomes realized. At that point you execute your risk response.

If you are buying or selling cybersecurity defenses, you can use the risk register to evaluate a tool or create one. To do this, you enter each security risk in the register, along with a description of what the product does to prevent that risk from materializing and what you should do if the mitigation fails.

The Good Enough Risk Register Template(Trosper 2016) is a simple spreadsheet that implements a risk register. Enter the information in each field and the sheet will calculate a risk score for you.