As security, compliance, and risk management professionals, we know that cyber-attacks are increasing in frequency, severity, and creativity. We’re working hard every day to ensure that cybersecurity risk receives adequate attention in our organizations.
Yet many management teams and boards still struggle to grasp the extent to which cyber risks can impact organizational objectives. Many organizations have also struggled to integrate cybersecurity risk into an overall enterprise risk management (ERM) program.
What cybersecurity data should be collected? What sort of analysis should be performed? How should one consolidate cybersecurity risk information into an overall program?
To answer these questions, and to help security professionals communicate the value of preventative security to their management teams, NIST recently released a document titled “Integrating Cybersecurity and Enterprise Risk Management” (NISTIR 8286). This guidance centers on the use of a risk register, described as a “repository of risk information,” to effectively integrate cybersecurity risk management into an overall ERM program.
So, what exactly is a risk register, what information should be tracked in it, and what are the strategic benefits of keeping your risk register up-to-date? That’s what we’ll dive into in the rest of this article.
A risk register is an information repository an organization creates to document the risks it faces and the responses it is taking to address them. At a minimum, each risk documented in the risk register should contain a description of the risk, the likelihood of it happening, its potential impact from a cost standpoint, how it ranks overall in priority relative to all other risks, the response, and who owns the risk.
All types of organizations face a broad array of risks, including cybersecurity, financial, legal, operational, privacy, reputational, safety, strategic, and supply chain risks. It can be difficult to know what risks matter the most and ensure that certain risks such as cybersecurity risks and supply chain risks have adequate attention.
Risk registers are useful information gathering constructs: They help senior leaders and operators see the full spectrum of their organization’s significant risks and understand how to best manage the risks in order to achieve organizational objectives. Thus, any organization that wants to maintain a robust risk management process should not skip the important step of creating a risk register.
A risk register can be integrated into any risk management methodology your organization uses. Many resources — such as well-known frameworks from the Committee of Sponsoring Organizations (COSO), Office of Management and Budget (OMB) circulars, and the International Organization for Standardization (ISO) — document Enterprise Risk Management frameworks and processes.
These different resources outline similar approaches: Identify context, identify risks, analyze risk, estimate risk importance, determine and execute the risk response, and identify and respond to changes over time. The risk register is a critical tool organizations should use to track and communicate risk information for all of these steps throughout the enterprise. It serves as a key input for risk management decision-makers to consider.
NIST’s latest risk document, “Integrating Cybersecurity and Enterprise Risk Management,” was born from their observation that most organizations do not assess or measure cybersecurity risk with the same rigor or consistent methods as other types of risks.
NIST wanted to help public and private sector organizations uplevel the quality of cyber risk information they collect and provide to their management teams and decision-makers. In turn, this practice would support better cybersecurity management at the enterprise level and support the firm’s core objectives.
For many, the term “risk” conjures up the idea of terrible events like data breaches, service disruptions, ransomware attacks, and natural disasters. Yet, NIST recommends that organizations take a balanced view when evaluating risks, encouraging cybersecurity and risk professionals to identify “all sources of uncertainty — both positive (opportunities) and negative (threats)” in their risk registers.
For instance, launching a new online service provides an opportunity for a company to innovate and improve its revenues. Thus the leadership team may direct the organization to take a little more risk. This way, senior leaders can set the risk appetite and tolerance with threats and opportunities in mind.
When cybersecurity opportunities are included in a risk register, NIST recommends updating the risk response column using one of the following response types and describes the meaning of each:
NIST said the comment field of the risk register should be updated to include information “pertinent to the opportunity and to the residual risk uncertainty of not realizing the opportunity.”
Additionally, each risk filed into a risk register should, at a minimum, contain the following information:
NIST noted that companies can add more data fields as they see fit, but each risk register should evolve as changes in current and future risks occur.
When you maintain detailed cybersecurity risk information in your risk register, you’re able to manage your cyber risks in a more strategic way, focus on the right areas given limited resources, and secure additional resources because your leadership team will start to understand the value of preventative security.
Here are the key benefits of putting cybersecurity risks into a risk register:
1. Once information is entered into a risk register, you can start to identify patterns from threats and system failures that result in adverse impacts.
2. By committing to using a risk register, you have to go through a process of gathering all relevant parties and agreeing on a common scale for measuring risks across various business units (e.g. making sure everyone knows when to use a “high-risk exposure” vs. a “moderate risk exposure”). By normalizing the tracking of risk information across different units, you will provide senior leaders with more relevant information that will help them prioritize risk response activities.
3. Company leaders will have greater confidence in the risk response choices they make because the responses will be informed by the right context, including detailed risk information, enterprise objectives, and budgetary guidance.
4. A risk register forces risk owners to write down accurate risk responses for risks they “own”. To do so, risk owners will need to verify whether risks are mitigated to the extent they believe: Check whether certain policies are up-to-date and whether existing controls intended to mitigate threats are working as designed. Risk owners will talk to their compliance team or internal audit team to understand where risk management activities and compliance activities already intersect. These steps are important because they ultimately help decision-makers understand their potential exposure for achieving strategic, operations, reporting, and compliance objectives.
5. Maintaining a risk register makes it possible to produce enterprise-level risk disclosures for required filings and hearings or for formal reports as required, should your organization experience a significant incident.
At a minimum, each risk filed into a risk register should contain a description of the risk, the impact to the business if the risk should occur (e.g. costs), the probability of its occurrence, the risk owner(s), how it ranks overall relative to all other risks, and the risk response.
| Register Element | Description |
| --- | --- |
| ID (risk identifier) | A sequential numeric identifier for referring to a risk in the risk register |
| Priority | A relative indicator of the criticality of this entry in the risk register, either expressed in ordinal value (e.g., 1, 2, 3) or in reference to a given scale (e.g., high, moderate, low) |
| Risk Description | A brief explanation of the cybersecurity risk scenario (potentially) impacting the organization and enterprise. Risk descriptions are often written in a cause and effect format, such as “if X occurs, then Y happens” |
| Current Assessment – Likelihood | An estimation of the probability, before any risk response, that this scenario will occur. The first iteration of the risk cycle may also be considered the initial assessment. |
| Current Assessment – Impact | Analysis of the potential benefits or consequences that might result from this scenario if no additional response is provided. The first iteration of the risk cycle may also be considered the initial assessment. |
| Current Assessment – Exposure Rating | A calculation of the probability of risk exposure based on the likelihood estimate and the determined benefits or consequences of the risk. Other common frameworks use different terms for this combination, such as level of risk (e.g., ISO 31000, NIST SP 800-30 Rev. 1). The first iteration of the risk cycle may also be considered the initial assessment. |
| Risk Response Type | The risk response (sometimes referred to as the risk treatment) for handling the identified risk. See next table |
| Risk Response Description | A brief description of the risk response. For example, “Implement software management application XYZ to ensure that software platforms and applications are inventoried,” or “Develop and implement a process to ensure the timely receipt of threat intelligence from [name of specific information sharing forums and sources].” |
| Risk Owner | The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements. The Risk Owner may work with a designated Risk Manager who is responsible for managing and monitoring the selected risk response |
| Status | A field for tracking the current condition of the risk. |
Risk Response Types
| Type | Description |
| --- | --- |
| Accept | Accept cybersecurity risk within risk tolerance levels. No additional risk response action is needed except for monitoring. |
| Transfer | For cybersecurity risks that fall outside of tolerance levels, reduce them to an acceptable level by sharing a portion of the consequences with another party (e.g., cybersecurity insurance). While some of the financial consequences may be transferable, there are often consequences that cannot be transferred, like loss of customer trust. |
| Mitigate | Apply actions that reduce the threats, vulnerabilities, and impacts of a given risk to an acceptable level. Responses could include those that help prevent a loss (i.e., reducing the probability of occurrence or the likelihood that a threat event materializes or succeeds) or that help limit such a loss by decreasing the amount of damage and liability. |
| Avoid | Apply responses to ensure that the risk does not occur. Avoiding risk may be the best option if there is not a cost-effective method for reducing the cybersecurity risk to an acceptable level. The cost of the lost opportunity associated with such a decision should be considered as well. |
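The register elements and response types in the two tables above can be modeled as a small data structure with consistency checks. This is an added example, not code from NIST or Hyperproof. It assumes likelihood is a probability, impact is a cost estimate, exposure is their product, and tolerance is a single cost threshold; the sample entries and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# The four response types from the "Risk Response Types" table.
RESPONSE_TYPES = {"Accept", "Transfer", "Mitigate", "Avoid"}

@dataclass
class Risk:
    id: int
    description: str           # "if X occurs, then Y happens"
    likelihood: float          # probability before any risk response
    impact: float              # estimated cost if the scenario occurs
    response_type: str
    response_description: str
    owner: str
    status: str = "Open"
    priority: int = 0          # assigned by rank()

    @property
    def exposure(self) -> float:
        # Assumption: exposure rating = likelihood x impact (expected cost).
        return self.likelihood * self.impact

def validate(risk, tolerance):
    """Return the list of problems found in one register entry."""
    problems = []
    if not 0.0 <= risk.likelihood <= 1.0:
        problems.append("likelihood must be a probability between 0 and 1")
    if risk.response_type not in RESPONSE_TYPES:
        problems.append(f"unknown response type {risk.response_type!r}")
    if not risk.owner.strip():
        problems.append("no risk owner assigned")
    # "Accept" only applies to risk within tolerance levels.
    if risk.response_type == "Accept" and risk.exposure > tolerance:
        problems.append("accepted, but exposure exceeds tolerance")
    return problems

def rank(register):
    """Set priority 1..n by descending exposure; return the ordered list."""
    ordered = sorted(register, key=lambda r: (-r.exposure, r.id))
    for position, risk in enumerate(ordered, start=1):
        risk.priority = position
    return ordered

def review(register, tolerance):
    """Map risk ID -> problems, for entries that need the owner's attention."""
    found = {r.id: validate(r, tolerance) for r in register}
    return {rid: p for rid, p in found.items() if p}

# Constructed sample entries and an assumed tolerance of 50,000 per risk.
REGISTER = [
    Risk(1, "If phishing succeeds against finance staff, then fraudulent "
            "payments are made", 0.30, 200_000, "Mitigate",
         "Roll out phishing-resistant MFA", "CFO"),
    Risk(2, "If an unpatched VPN appliance is exploited, then internal "
            "systems are exposed", 0.10, 1_500_000, "Accept",
         "Monitor only", "CISO"),
    Risk(3, "If the backup provider has an outage, then restore times "
            "exceed targets", 0.05, 100_000, "Transfer",
         "Contractual SLA credits", ""),
]
TOLERANCE = 50_000
```

Calling `rank(REGISTER)` orders the entries by exposure, and `review(REGISTER, TOLERANCE)` returns the entries whose recorded response contradicts the register's own definitions.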
You can download our free risk register template for Excel. It’s a starting point for building out your own risk register.
In Hyperproof, organizations can set up multiple risk registers to track different types of risks and customize the scales/risk scoring for each risk register. Companies might want to do this for several reasons: each department has different needs or considerations. For instance, IT focuses on IT assets, and Accounting focuses on sensitive information. Manufacturing focuses on processes and physical risks. Each of these departments might want its own risk register for tracking company risks at a more granular level.
The most common use cases for multiple risk registers are to sort them by:
A few less common use cases for leveraging multiple risk registers include:
Risks and threat vectors can change in a matter of minutes. Thus, it’s essential to keep an eye on your risks at all times. NIST’s latest guidance emphasizes the importance of continuous monitoring. It outlines several ways to monitor risks on an ongoing basis, including:
If senior management and risk professionals take just one message from NIST’s guidance, it is this: If cybersecurity risks are to be truly understood by senior management, cybersecurity risk cannot be tracked in a vacuum but rather must be tracked in an enterprise-wide risk register. This ensures all decisions made by company leaders are weighed against the firm’s risk appetite and risk tolerance and that limited resources are put in the right places to support business objectives.
In our annual IT Compliance Benchmark Report, we surveyed risk management, compliance, and security assurance professionals to understand their cybersecurity risk management processes, practices, and tech stack. In 2023, 10% of respondents said they use spreadsheets to manage their IT compliance vs. 43% in 2022.
In a positive trend, tracking risks in spreadsheets is becoming less widespread, as spreadsheets actually do more harm than good. In addition to other limitations, spreadsheets are not databases; they have no data integrity or referential integrity, and they provide no way to create and maintain relationships between data in other files, such as documentation of controls designed to ensure you meet regulatory requirements. Their data analysis and reporting capabilities are quite limited, and they do not generate the reports organizations need for IT compliance audits.
Instead, you’ll be much better off by maintaining a risk register in purpose-built software, such as Hyperproof.
Purpose-built risk register software makes it easy for risk owners to document everything that should go into a risk register, make updates to risks on the fly, visualize changes to risks, and communicate risk information to leadership teams.
Hyperproof offers a secure, intuitive risk register for everyone in your organization. With the application, risk owners from all functions and business units can document risks and treatment plans. You can link a risk to a control and gauge how much a specific risk has been mitigated by an existing control versus the residual risk that remains. With this clarity, your risk management, security assurance, and compliance teams can focus their energy on the risks you need to worry about.
Further, organizations using Hyperproof are able to save time and money by avoiding a common and expensive practice: Creating duplicative controls. Most organizations treat their risk reduction and compliance efforts as separate workstreams; separate teams typically initiate activities in response to individual events.
Because Hyperproof’s compliance operations platform lets you get all compliance work done efficiently and keeps all records, using it together with Hyperproof’s risk module lets you tie a control to both a risk and a compliance requirement.
When you know that a control already in place to meet a cybersecurity framework’s requirement is the same control that would mitigate a certain risk in your risk register, you’ll avoid creating a redundant control in response to that risk. This means you’ll do less work on controls testing, maintenance, and collecting evidence for internal and external IT compliance audits.
Last but not least, with Hyperproof’s dashboard, you can see how your risks change over time, identify which risks and controls to pay attention to at a given moment, and effectively communicate the potential exposure for achieving strategic, operations, reporting, and compliance objectives to your executives.
To see how Hyperproof can help your organization manage risks better and get work done more efficiently, sign up for a personalized demo.