1.10 IT Risk Register
· The risk register serves as a central repository for all risk-related documentation. It documents the entire risk universe of the organization and maintains an inventory of identified potential risks.
· The risk register includes the following information for each risk:
§ Description of the risk
§ Probability/likelihood of occurrence
§ Impact
§ Risk score
§ Risk owner
§ Controls implemented
§ Residual risk
§ Risk response action plan
· The process of maintaining a risk register begins at the risk identification stage itself. The results of risk identification are the initial entries in the risk register.
· The risk register should be reviewed at periodic intervals to ensure that it is updated with new risks. The risk register helps to track each risk. The best way to ensure that the risk register is updated and accurate is to publish it centrally with a workflow feature that automates the risk assessing and risk polling process.
· The risk register provides value to the organization by:
§ Driving the risk response plan
§ Improving the decision making for risk
· The risk register improves the decision-making process for risk response because all the relevant information related to a specific risk is captured and available to evaluate and to determine the prioritization of risk responses.
Key aspects from the CRISC exam perspective
| CRISC Question | Possible Answer |
|---|---|
| Best way to ensure that an accurate risk register is maintained over time | A centralized risk register with automated risk assessing and polling features. |
| Main advantage/purpose of creating and maintaining a risk register is to | Documentation & inventory of all identified risks |
| Preparation of a risk register begins in which risk management process | Risk identification phase |
| Document that improves decision making by providing all the relevant information about risks | Risk Register |
| Value of risk register is best described as | · It drives the risk response plan · Improves decision making for risk |