People—Santa included—often struggle to ascertain what belongs in a risk register. Consequently, risk registers are often muddied with risk-imposters, i.e. "issues". Thankfully, Santa read Jack Jones’ blog post (see What Belongs in a Risk Register) and learned about the FAIR model and risk registers, which inspired him to clean up his own risk register.
To help streamline the clean-up process, he documented his naughty and nice rationale.
Issues are conditions that can contribute to risk; they are not risks in themselves. Examples of issues could be:
Here’s a hint: risk = the probable frequency and probable magnitude of future loss. If a risk register entry doesn’t describe an event to which a frequency and a magnitude could be attributed, then it’s either an issue or irrelevant.
Loss events are adverse events in which tangible loss materializes and/or liability is incurred. To help paint the picture: a loss event unfolds when a threat (an acting force) causes harm to an asset (a thing of value), which has a consequential, unfavorable effect (on confidentiality, integrity, availability, or safety). Events have a frequency and a magnitude. Examples of loss events would include: the amount of risk associated with…
Santa understands that risk registers are supposed to help manage risk by providing insight into an organization’s potential loss exposure. Risk management consists of mitigating and managing the frequency and severity of adverse events. If risk registers become bogged down with non-loss-event issues, then they fail to deliver an effective medium for managing risk. Make your risk management merry and bright by knowing the difference between naughty and nice, then separating the “nice” risk register from the “naughty” list.
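As an added illustration (not part of the original post, nor FAIR's full calculation): a small Python triage that applies the hint above, keeping only entries to which a frequency and a magnitude can be attributed and ranking those by annualized loss exposure. The sample entries, their three-point estimates and the PERT weighting are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Estimate = Tuple[float, float, float]  # (minimum, most likely, maximum)


@dataclass
class RegisterEntry:
    name: str
    frequency: Optional[Estimate] = None  # loss events per year
    magnitude: Optional[Estimate] = None  # loss per event, in currency units


def pert_mean(estimate: Estimate) -> float:
    """Collapse a three-point estimate to a single value (assumed PERT weighting)."""
    lo, ml, hi = estimate
    if not (0 <= lo <= ml <= hi):
        raise ValueError(f"estimate must satisfy 0 <= min <= likely <= max: {estimate}")
    return (lo + 4 * ml + hi) / 6


def is_loss_event(entry: RegisterEntry) -> bool:
    """Santa's test: a real risk describes an event with a frequency AND a magnitude."""
    return entry.frequency is not None and entry.magnitude is not None


def annualized_loss_exposure(entry: RegisterEntry) -> float:
    """Probable frequency x probable magnitude, per year."""
    return pert_mean(entry.frequency) * pert_mean(entry.magnitude)


def triage(entries):
    """Split entries into the 'nice' risk register (ranked) and the 'naughty' issue list."""
    nice, naughty = [], []
    for e in entries:
        if is_loss_event(e):
            nice.append((e.name, round(annualized_loss_exposure(e), 2)))
        else:
            naughty.append(e.name)  # a condition, not an event: track it as an issue
    nice.sort(key=lambda item: item[1], reverse=True)
    return nice, naughty


# Constructed sample register: two issues masquerading as risks, two genuine loss events.
SAMPLE = [
    RegisterEntry("Unpatched sleigh navigation system"),
    RegisterEntry("Ransomware halts toy-production line",
                  frequency=(0.1, 0.25, 0.5), magnitude=(200_000, 500_000, 2_000_000)),
    RegisterEntry("No security awareness training for elves"),
    RegisterEntry("Naughty/nice list leaked (confidentiality)",
                  frequency=(0.5, 1.0, 2.0), magnitude=(10_000, 50_000, 200_000)),
]
```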