Examining a risk register at the corporate level
As discussed in Chapter 2, one way to characterize and prioritize risks is in a risk register. The issue is that not all risk registers are created equal: some are pitched at too high a level, some are too granular, and some carry so many fields that calculating risk becomes confusing. In my experience, the best corporate risk registers strike a balance between being technically precise and being accessible to every stakeholder. We typically use the following columns in the risk register:
- The business organization or applicable line of business
- A description of the risk
- The score for the impact if exploited
- The score for the likelihood of the risk materializing
- The risk score (impact × likelihood)
- The identified risk owner (can be a team or a person)
- Current compensating controls
- The date that the risk was first added
This allows you to gather all applicable information for...
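The register columns listed above, as an added worked example (this is illustrative code written for this page, not code from the book or the author). It assumes a 1 to 5 scale for impact and likelihood, a review threshold of 15 for high scores, and four constructed sample entries; all of those are assumptions, not values from the text. It computes the risk score as impact × likelihood, orders the register for prioritization (higher score first, older entries first on ties), and flags high-scoring risks that have no compensating controls recorded.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List

SCALE_MIN, SCALE_MAX = 1, 5      # assumed 1-5 scoring scale
REVIEW_THRESHOLD = 15            # assumed score at which a risk needs controls


@dataclass
class RiskEntry:
    """One row of the corporate risk register, using the columns from the text."""
    line_of_business: str
    description: str
    impact: int
    likelihood: int
    owner: str                                   # team or person
    date_added: date
    compensating_controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so the product stays comparable.
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}")
        # Every risk needs an identified owner; an empty owner is a data-quality defect.
        if not self.owner.strip():
            raise ValueError("risk owner is required")

    @property
    def risk_score(self) -> int:
        return self.impact * self.likelihood


def prioritize(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest risk score first; on ties the older entry ranks first."""
    return sorted(register, key=lambda e: (-e.risk_score, e.date_added))


def unmitigated(register: List[RiskEntry], threshold: int = REVIEW_THRESHOLD) -> List[RiskEntry]:
    """Risks at or above the threshold that list no compensating controls."""
    return [e for e in register if e.risk_score >= threshold and not e.compensating_controls]


def age_days(entry: RiskEntry, as_of: date) -> int:
    """How long the risk has been open, measured from the date it was first added."""
    return (as_of - entry.date_added).days


def render(register: List[RiskEntry]) -> str:
    """Plain-text table in register column order, for reports or review meetings."""
    header = "LOB | Risk | Impact | Likelihood | Score | Owner | Controls | Added"
    rows = [
        f"{e.line_of_business} | {e.description} | {e.impact} | {e.likelihood} | "
        f"{e.risk_score} | {e.owner} | {'; '.join(e.compensating_controls) or '-'} | {e.date_added}"
        for e in prioritize(register)
    ]
    return "\n".join([header, *rows])


# Constructed sample entries (not real findings).
SAMPLE_REGISTER = [
    RiskEntry("Finance", "Legacy payroll app lacks MFA", 5, 4, "IT Operations",
              date(2023, 3, 10), ["VPN required for access"]),
    RiskEntry("Retail", "Unpatched kiosk OS", 4, 5, "Store Technology", date(2023, 6, 1)),
    RiskEntry("Corporate", "Executive phishing", 3, 4, "Security Awareness",
              date(2022, 11, 15), ["Email filtering", "Annual training"]),
    RiskEntry("Engineering", "Secrets committed to source repos", 4, 2, "AppSec",
              date(2024, 1, 20), ["Pre-commit secret scanning"]),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    for e in unmitigated(SAMPLE_REGISTER):
        print(f"needs controls: {e.description} (score {e.risk_score}, owner {e.owner})")
```

Keeping the scale and threshold as named constants makes the register's scoring policy explicit and easy to change in one place; the validation in `__post_init__` catches the common data-quality problems (out-of-range scores, missing owner) at the point of entry rather than at reporting time.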