Santa’s Naughty and Nice List for Risk Registers

/

Santas-Naughty-Nice-List-Risk-Registers-3.pngIt’s crunch time for Santa, his big December 25th deadline is quickly approaching. To prepare for Christmas, he’s making his risk register and checking it twice. 

People—Santa included—often struggle to ascertain what belongs in a risk register. Consequently, risk registers are often muddied with risk-imposters, i.e. "issues". Thankfully, Santa read Jack Jones’ blog post (see What Belongs in a Risk Register) and learned about the FAIR model and risk registers, which inspired him to clean-up his own risk register.

To help streamline the clean-up process, he documented his naughty and nice rationale. 

 

Naughty: Issues 

Issues are conditions that can contribute to risk; they are not risks in themselves. Examples of issues could be: 

  • Control deficiencies
  • Audit findings
  • Policy exceptions 

Here’s a hint: risk = the probable frequency and probable magnitude of future loss. If a risk register entry doesn’t describe an event to which a frequency and magnitude could attributed, then it’s either an issue or irrelevant.

 

Nice: Loss Events

Loss events are adverse events in which tangible loss materializes and/or liability is incurred. To help paint the picture: a loss event unfolds when a threat (an acting force) causes harm to an asset (thing of value) which has a consequential, unfavorable effect (confidentiality, integrity, availability, safety). Events have a frequency and magnitude. Examples of loss events would include: the amount of risk associated with… 

  • Cyber-criminals gaining access to the test environment and stealing production data (e.g. PII)
  • A blizzard causing an outage to a critical North Pole gift-wrapping center
  • A cyber-criminal breaching confidential data within a cloud solution shared drive

  

Conclusion 

Santa understands that risk registers are supposed to help manage risk by providing insight into an organization’s potential loss exposure. Risk management consists of mitigating and managing the frequency and severity of adverse events. If risk registers become bogged down with non-loss-event issues, then they fail to deliver an effective medium for managing risk.  Make your risk management merry and bright by knowing the difference between naughty and nice, then separating the “nice” risk register from “naughty” list.  

Related: 

Top Operational Risks for 2017?

 

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37

Recent Blogs

SEE ALL
FAIR

2025 FAIR Conference: Super Early Bird Registration Is Now Open!

FAIR

Cyber Risk Is Business Risk: As CISO Role Evolves, FAIR Helps Navigate Complexity

FAIR

Accounting Authority ACCA Points to FAIR Standards for Healthcare Cyber Risk Management

FAIR

FAIR Standards Update: New Artifacts and Expanding the Standards Committee

FAIR

Traditional Risk Registers Are Broken: Here’s How FAIR Can Fix Them

FAIR

Looking Ahead to 2025: Cybersecurity Trends and the FAIR Institute’s Plans for the Future