The idea of a risk register used in a practical and effective way is an expectation of the ISACA’s Certified in Risk and Information Systems Control® (CRISC®) certification. In a practical way means that it could be managed directly by the owner of the risk. However, seeing a senior manager interact directly with the risk register instead of using an executive summary does not happen often. This is because it can be difficult to quickly understand the high detail and be able relate it to the level of aggregation comparable with the organization’s objectives. At the same time, it would not be valuable to remove detail that is shown in the risk register.
However, the risk register can be organized so that it is neat and simple to read. Furthermore, it is helpful to create the opportunity to aggregate the information whenever possible to eliminate any redundancy or similarity with assiduity. Reducing the number of registrations for homogeneous categories is the first step. Hooking the categories to high-level reports is the second.
Giving senior management the ability to navigate in data starting from high-level views, then going down to the maximum detail while still preserving the consistency of information is more effective than any key risk indicator (KRI). In this way, senior management can determine themselves the need to act or not, which makes communication more effective.
The sequence of steps to connect aggregated facts with detail elements has already been discussed in a my previous articles on maturity assessment, how to prepare a risk executive summary and how to structure a risk analysis. Here, instead, the information to be used in assessments is emphasized, including information that could be concerning for senior management such as computer security and privacy.
For the risk register, details and business perspective must be ensured at each level. In this way, the risk assessors feel the organization’s presence and it decreases the feeling of a generic, low-quality work. The selection of which elements to include in the drop-down determines its importance and the attention it will receive. A list that notes low, medium or high is less interesting than the use of baseline, significant and challenging labels. The use of terms closely linked to the context strengthens the ability to make targeted reflections.
Often the most appropriate terms are overlooked by thinking that generic terms are preferable to operating staff, but it is important to remember that these people are the experts.
These parameters are examples of what should be focused on to improve senior management’s understanding of the risk protection scenario.
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “Security Adjustments to Strengthen the Bond Between Risk Registers and Information,” ISACA Journal, volume 5, 2021.
Don't forget—Members can earn free CPE from ISACA Journal quizzes!
