one of the most significant documents that you're gonna work with in relation to risk is a document called The Risk Register. Now what your risk register looks like, what you track. Do you do it digitally or by hand? Or which software did?
That really isn't the point that certainly nothing the sea risk exam would get into.
the fact that we have a risk register, we understand its benefits and what we add through each stage of the risk management life cycle. So our risk register is a tool. It is about tracking risks in and of itself. It's not a communication tool. It could be used
to communicate, you know, risks. But But, you know, they'll ask you, you know which of the following describes the role of risk register. Don't choose communication tool. It's a tool that we use to track risks from identification all the way through the risk monitoring face.
So what you'll see is we're gonna see columns on this risk register and mine. I just happen in an Excel spreadsheet,
but we're gonna talk about what is the risk. As a matter of fact, let's go ahead and look at this on the next slide. Now again, this is one that's kind of hastily thrown together, really doesn't have everything I would like on a risk register, but it's a good start.
So what is the risk in what's
it's category by categorizing risk that will make it easier to determine who the risk officer should be. So you can see this particular risk is in the technical category. So who becomes the owner? The chief technical officer?
All right, so we've got the category and description of the risk, and we're gonna sign it a risk I d
nowthe Next elements. This is through qualitative analysis. What's the probability and the impact of this risk event? Now? This is actually semi quantitative because we're using numbers, right? So we're saying the impacts of three, the likelihoods of five.
So it's rankings 15. So it's not purely
qualitative because generally, in a risk management plan, we're gonna have a definition that says, you know, level one impact means the organization will not be impacted or affected at all.
You know, we're gonna have sort of a key that helps us understand the 12345 of what it means with impact in the 12345
of likelihood. Where is true qualitative analysis. We'd see impact is high likelihood is medium, and that's much harder to put. Um, you know, fact based, it's much harder to tie to objective information.
All right, then we've got that risk ranking when things will do with the risk rankings will use that in order to prioritize our risks. So I want to see the risks that air ranked at 25 1st because they have the highest impact in the highest likelihood.
And what the impact, or what that ranking is, may drive how we respond, you know, Do we accept the risk that has five impact? Five likelihood? Probably not. That looks like a pretty severe risk to me. So that's gonna help me kind of determine what my strategy is.
Now you'll see. We've also got a trigger.
These could be referred to as key risk indicators. They're really the same as trigger something that lets us know.
Looks like this risk is gonna is gonna materialize
now. Ideally, we'd rather just prevent this negative impact. However,
um, you can't guarantee that you've prevented all types of attacks, so we also need a contingency plan. So we've got a firewall, an intrusion detection system, ideally to keep the denial of service attack from being successful.
But if it is, we can fail over from server A to server, be in another facility.
We have an owner, and then also, we talk about what the residual risk is and can be. You might have a column here for secondary risks as well.
So ultimately, what I have across the next couple of slides is just sort of the definition of what these columns on the risk register. Our four. So, like we said category is really gonna help us determine who's gonna be the owner.
Ah, when we talk about impact and likelihood, we said those were really the two pieces that give us the value for a risk, right? How likely is it that happen? And if it does happen, what's the severity or the impact
and then the consequence? You know what is going to happen if it materializes and how we rank it
Contingency and prevention plans, just like we said. So ultimately, this risk register is gonna be a document that comes up a lot on the exam. Make sure, you know it gets created in the risk identification phase and will be using it all the way throughout
all the other risk processes.
Now, another big benefit of that risk register is it's gonna help provide the basis for a risk communication strategy, our risk response strategy. And then also, it's going to be a key element in raising awareness within our organization.
That doesn't mean I'm gonna distribute the risk register to everybody in the company. I'm certainly not gonna do that.
But on the risk team were all gonna have access to the elements of the risk registered that are pertinent to us.
And we're gonna be able to find a central location where we can communicate where we can educate ourselves in relation to risks within the organization. So I said earlier, it's not a communication tool, but it contains information that's important to be communicated,
if that makes sense.
So we want to make sure that we're using that risk register properly that were using it in risk meetings AA and that were documenting what we discovered. What we determine all the way from the part where we start by identifying risks. Then
we track our assessment. Qualitative analysis,
semi quantitative analysis. Ah, quantitative analysis. You know, in order to provide a risk breaking, we then determine our risk management strategy. We make sure that we have an owner, and then ultimately all of this information is pulled together so that we can,
um I have this information in our risk management meetings and then also in determining what we need to convey to business owners or end users.
information on that risk register is gonna become part of the information that needs to be communicated and part of the elements that need to be addressed in order to raise awareness. So we talk about awareness within an organization. We want people to have a risk management on the tip of their tongues
in the back of their mind at all times. Everything
ultimately is gonna come around till looking at risks. What are my assets? Threats, vulnerabilities. And then give me the probability and impact of that event. What's, ah, cost effective countermeasure? And does it provide enough mitigation,
or do we need additional mitigation strategies? Right. So that's just risk management in a nutshell. But as we raise awareness, we're training our employees to think in those terms. Now, of course, every risk awareness program for every organization is gonna be a little different because our culture is a little different.
what we're looking to do is to educate our people, make them aware of not just the importance of using risk management to make decisions, but also to be aware of the risks that exist out there. I go through a lot of organizations and on the walls you'll see
never give your password to anyone or make sure you log out of your system when you leave right. That's raising awareness
to the risks that can impact information security,
therefore, impacting the business.
management needs toe. Oversee this risk awareness program. Get final sign off, making sure we're focused in the correct direction. And then, ultimately, you know, we need to make sure that as we're training employees that we train based on job description.
We don't want to put the chief technical officer
in the same risk class as perhaps a custodian to different jobs, totally different responsibilities. So when we're talking about risks to senior management, we gotta address liability because those are the folks that have liability at stake here.
We've got to talk about compliance. We've gotta talk about fines and penalties.
We've got to talk about due care and due diligence, whereas if we go to the other end and we're looking at just basic end users, we have to talk about Hey, you need to lock your system. You need to have strong passwords. You need to get rid of default settings, whatever there's maybe, but ultimately,
when we raise awareness through education, through training through discussions,
we need to make sure that the appropriate awareness program is geared towards individuals based on their jobs.