Regulatory Requirements for Risk Management
Risk management is a common expectation of most governance and compliance systems, and I am a firm believer that it is the fundamental process in security management. If you understand the potential threats and vulnerabilities that can affect your business, you can be proactive in your defence.
A great example of this is a General Data Protection Regulation (GDPR) Data Privacy Impact Assessment, a risk assessment by any other name—a review of potential risks that could impact the privacy of future data processing operations.
So officially, although there will be some companies that don’t, the vast majority of companies would need a risk register of some kind for compliance. I recommend you have one regardless; the complexity of said register is up to you.
A risk register can be used in several places, most commonly a general risk register and independent project registers.
Benefits of Having a Formal Risk Register
As part of documenting your risks, you also document your remediation activities and long-term monitoring; risks rarely stop being risks, so having good monitoring to validate that your controls are working and knowing how you previously remediated them means if they do re-occur, you have a good record of your approach to remedying it last time.
Risk metrics are also good indicators of your overall security posture, as you should document them regardless of whether you think you have mitigated them or not when you start the process; most businesses will have common risks, such as virus infection, that form a great starting point.
Risks of Not Implementing a Risk Register
The biggest problem with not implementing a risk register and overall risk management process is that it removes the ability to truly focus on your key vulnerabilities. I have witnessed numerous organisations spending significant sums on the wrong things in a vendor's sales pitch.
Risk Assessment process
Along with your risk register, you will need a robust risk assessment process to ensure consistency in your approach to managing risk; learn more about risk management and assessments from our other articles about risk - What is Risk Management? and What is the difference between a risk assessment and a Risk Register?
Need a risk register???
Download a simple useable example here.