It’s crunch time for Santa, his big December 25th deadline is quickly approaching. To prepare for Christmas, he’s making his risk register and checking it twice.
People—Santa included—often struggle to ascertain what belongs in a risk register. Consequently, risk registers are often muddied with risk-imposters, i.e. "issues". Thankfully, Santa read Jack Jones’ blog post (see What Belongs in a Risk Register) and learned about the FAIR model and risk registers, which inspired him to clean up his own risk register.
To help streamline the clean-up process, he documented his naughty and nice rationale.
Issues are conditions that can contribute to risk; they are not risks in themselves. Examples of issues could be:
- Control deficiencies
- Audit findings
- Policy exceptions
Here’s a hint: risk = the probable frequency and probable magnitude of future loss. If a risk register entry doesn’t describe an event to which a frequency and magnitude could be attributed, then it’s either an issue or irrelevant.
Nice: Loss Events
Loss events are adverse events in which tangible loss materializes and/or liability is incurred. To help paint the picture: a loss event unfolds when a threat (an acting force) causes harm to an asset (a thing of value), which has a consequential, unfavorable effect (on confidentiality, integrity, availability, or safety). Events have a frequency and a magnitude. Examples of loss events would include the amount of risk associated with…
- Cyber-criminals gaining access to the test environment and stealing production data (e.g. PII)
- A blizzard causing an outage to a critical North Pole gift-wrapping center
- A cyber-criminal breaching confidential data within a cloud solution shared drive
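The hint above (an entry belongs on the register only if it names an event to which a frequency and magnitude can be attributed) and the threat/asset/effect picture of a loss event can be turned into a mechanical check. The following is an added example, not code from the original post or from Jack Jones or the FAIR standard: it models a register entry with a constructed schema, sorts entries into the "nice" (loss event) and "naughty" (issue) lists, and computes the FAIR-style expected annual loss as frequency times magnitude. The sample entries and their frequency/magnitude figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RegisterEntry:
    """One line of a risk register (constructed schema for this example).

    A loss event names a threat acting on an asset with an adverse effect and
    carries an estimated frequency (events per year) and magnitude (loss per
    event). An issue (control deficiency, audit finding, policy exception)
    describes a condition, so those fields stay None.
    """
    description: str
    threat: Optional[str] = None              # the acting force
    asset: Optional[str] = None               # the thing of value
    effect: Optional[str] = None              # confidentiality/integrity/availability/safety
    loss_event_frequency: Optional[float] = None   # expected events per year
    loss_magnitude: Optional[float] = None         # expected loss per event (currency units)

def classify(entry: RegisterEntry) -> str:
    """Apply the post's hint: it is a loss event only if it describes a threat
    harming an asset with an adverse effect AND a frequency and magnitude can
    be attributed to it. Everything else is an issue (or irrelevant)."""
    describes_event = all([entry.threat, entry.asset, entry.effect])
    has_frequency_and_magnitude = (
        entry.loss_event_frequency is not None and entry.loss_magnitude is not None
    )
    return "loss_event" if describes_event and has_frequency_and_magnitude else "issue"

def annualized_loss_exposure(entry: RegisterEntry) -> float:
    """risk = probable frequency x probable magnitude, i.e. expected loss per year."""
    if classify(entry) != "loss_event":
        raise ValueError(f"not a loss event, cannot size risk: {entry.description}")
    return entry.loss_event_frequency * entry.loss_magnitude

def split_register(entries: List[RegisterEntry]) -> Tuple[List[RegisterEntry], List[RegisterEntry]]:
    """Return (nice, naughty): loss events that belong on the risk register,
    and issues that belong on a separate issues list."""
    nice = [e for e in entries if classify(e) == "loss_event"]
    naughty = [e for e in entries if classify(e) == "issue"]
    return nice, naughty

def rank_by_exposure(entries: List[RegisterEntry]) -> List[Tuple[str, float]]:
    """Rank loss events by expected annual loss, highest first; issues are skipped."""
    nice, _ = split_register(entries)
    ranked = [(e.description, annualized_loss_exposure(e)) for e in nice]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

# Constructed sample register mixing the post's example issues and loss events.
SAMPLE_REGISTER = [
    RegisterEntry(description="MFA not enforced on the workshop VPN (control deficiency)"),
    RegisterEntry(description="Audit finding: test environment holds unmasked production data"),
    RegisterEntry(
        description="Cyber-criminals gain access to the test environment and steal production PII",
        threat="cyber-criminals",
        asset="production PII in the test environment",
        effect="confidentiality",
        loss_event_frequency=0.2,      # constructed: one event every five years
        loss_magnitude=500_000.0,      # constructed: loss per event
    ),
    RegisterEntry(
        description="A blizzard causes an outage at a critical North Pole gift-wrapping center",
        threat="blizzard",
        asset="gift-wrapping center",
        effect="availability",
        loss_event_frequency=1.5,      # constructed: events per year
        loss_magnitude=40_000.0,       # constructed: loss per event
    ),
]

if __name__ == "__main__":
    nice, naughty = split_register(SAMPLE_REGISTER)
    print("Nice (risk register):")
    for description, ale in rank_by_exposure(SAMPLE_REGISTER):
        print(f"  {ale:>12,.0f}/yr  {description}")
    print("Naughty (issues list):")
    for entry in naughty:
        print(f"  {entry.description}")
```

The check is deliberately strict: an entry that names a threat and asset but has no frequency or magnitude estimate still lands on the issues list, because without those two quantities there is nothing to manage as risk. The issues list is not discarded; its entries are the conditions that change the frequency or magnitude of the loss events that do belong on the register.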
Santa understands that risk registers are supposed to help manage risk by providing insight into an organization’s potential loss exposure. Risk management consists of mitigating and managing the frequency and severity of adverse events. If risk registers become bogged down with non-loss-event issues, then they fail to deliver an effective medium for managing risk. Make your risk management merry and bright by knowing the difference between naughty and nice, then separating the “nice” risk register from the “naughty” list.