FAIR Institute Blog

Santa’s Naughty and Nice List for Risk Registers

Dec 18, 2017 12:09:03 PM / by Teresa Suarez

It’s crunch time for Santa: his big December 25th deadline is quickly approaching. To prepare for Christmas, he’s making his risk register and checking it twice.

People—Santa included—often struggle to ascertain what belongs in a risk register. Consequently, risk registers are often muddied with risk-imposters, i.e. "issues". Thankfully, Santa read Jack Jones’ blog post (see What Belongs in a Risk Register) and learned about the FAIR model and risk registers, which inspired him to clean up his own risk register.

To help streamline the clean-up process, he documented his naughty and nice rationale. 

 

Naughty: Issues 

Issues are conditions that can contribute to risk; they are not risks in themselves. Examples of issues could be: 

  • Control deficiencies
  • Audit findings
  • Policy exceptions 

Here’s a hint: risk = the probable frequency and probable magnitude of future loss. If a risk register entry doesn’t describe an event to which a frequency and magnitude could be attributed, then it’s either an issue or irrelevant.

 

Nice: Loss Events

Loss events are adverse events in which tangible loss materializes and/or liability is incurred. To help paint the picture: a loss event unfolds when a threat (an acting force) causes harm to an asset (thing of value) which has a consequential, unfavorable effect (confidentiality, integrity, availability, safety). Events have a frequency and magnitude. Examples of loss events would include: the amount of risk associated with… 

  • Cyber-criminals gaining access to the test environment and stealing production data (e.g. PII)
  • A blizzard causing an outage to a critical North Pole gift-wrapping center
  • A cyber-criminal breaching confidential data within a cloud solution shared drive

  

Conclusion 

Santa understands that risk registers are supposed to help manage risk by providing insight into an organization’s potential loss exposure. Risk management consists of mitigating and managing the frequency and severity of adverse events. If risk registers become bogged down with non-loss-event issues, then they fail to deliver an effective medium for managing risk. Make your risk management merry and bright by knowing the difference between naughty and nice, then separating the “nice” risk register from the “naughty” list.

Related: 

Top Operational Risks for 2017?

 

Written by Teresa Suarez

Teresa Suarez is a Risk Consultant for RiskLens
