Gartner for IT Leaders Tool

Sample Risk Register (consolidated)

A risk register is a valuable communications tool for Security and Risk Management Leaders. This tool will help effectively
communicate the potential business impacts of risks, record issues and control weaknesses and help support the design,
implementation and monitoring of risk treatment activities.

Approved for external reuse — not for resale.


Unless otherwise marked for external use, the items in this Gartner Tool are for internal noncommercial use by the licensed Gartner client. The
materials contained in this Tool may not be repackaged or resold. Gartner makes no representations or warranties as to the suitability of this Tool for
any particular purpose, and disclaims all liabilities for any damages, whether direct, consequential, incidental or special, arising out of the use of or
inability to use this material or the information provided herein.

The instructions, intent and objective of this template are contained in the source document. Please refer back to that document for details.

© 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
presentation, including all supporting materials, is proprietary to Gartner, Inc. and/or its affiliates and is for the sole internal use of the
intended recipients. Because this presentation may contain information that is confidential, proprietary or otherwise legally protected, it may
not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.

Instructions
Security and Risk Management Leaders should use the consolidated risk register to record and monitor the current status o
weaknesses within an organization. It is not specifically designed to record all identified issues and findings outside of the ri
Management leaders to:

1) Familiarize yourself with the tabs within the risk register.


This template contains the following five tabs:
The "Risk Register" tab contains the risk register, which is populated with a small set of risks that are representative of the
of register and the identified control weaknesses that inform the risk assessment.
The "Pick List Data" tab contains the pick lists that are used as choices for columns that are of the fixed-choice type.
The "Likelihood Assessment" tab provides a table that can be used as a guide for assessing the likelihood of a particular
suggested example only — you may choose to adjust this table, or use an alternative approach if preferred.
The "Impact Assessment" tab provides a table that can be used as a guide for assessing the impact of a particular risk, sh
of assessing the impact using criteria other than direct financial loss. This table is a suggested example only. As with the
adjust this table, or use an alternative approach if preferred.
The "Risk Assessment Matrix" tab is a lookup table that provides an indication of the risk based on severity of the busine
approach described in ISO/IEC 27005:2011. You may choose to modify the risk outcome in each of the cells to suit local

2) Familiarize yourself with the fields.

Review the field names and field descriptions in embedded comments to familiarize yourself with the approach, definitions a
like. Each field is described below as "unique identifier", "free text," "fixed choice" or "calculated." Those fixed-choice fields a
which should be changed to match your enterprise's terminology. While it may be difficult to apply only one category, you sh

3) Customize the risk register to your organization.

In the risk register Excel spreadsheet, modify the following tabs to match the organization's definitions and preferences:
- Pick List Data
- Likelihood Assessment
- Impact Assessment
- Risk Assessment Matrix
Note that any changes made in any one of these tabs must be reflected in the other tabs to ensure internal consistency. The sample itself shows why this matters: the Action Status values used on the Risk Register tab ("Solution in progress", "Solution implemented — waiting on acceptance", "Solution agreed on — waiting to implement") do not match the Treatment Status pick list ("Treatment in progress", "Treatment implemented — waiting on acceptance", "Treatment agreed on — waiting to implement"), so one of the two should be aligned with the other before the register is put to use.

4) Conduct risk assessments and update the risk register.

Conduct a risk assessment and update the risk register spreadsheet with the outputs, modifying your existing risks or addin
required. The risk assessment can be performed on a regular cadence or be triggered by some event or incident — some exam
entity, change of an existing entity, identification of significant control weaknesses, including audit findings, or change in the
If the residual risk is greater than the risk tolerance, treatment plans should be formulated to bring the residual risk into com

5) Track completion of treatment plans.

Update the risk register regularly with the status of each treatment plan.

RISK REGISTER

Sample Risk Register (Consolidated)


Column legend. Each column is a unique identifier, a fixed-choice field (values drawn from the Pick List Data tab), a free-text field or a calculated field (values derived from the Risk Assessment Matrix tab):

  Risk Identifier (unique identifier)
  Risk Event Type (Level 2) (fixed choice)
  Risk Exposure (Level 1) (fixed choice)
  Risk Description (free text)
  Risk Owner(s) (free text)
  Risk Type (fixed choice)
  Description of Risk and Impact (free text)
  Inherent Risk Assessment Output: Likelihood (fixed choice), Impact (fixed choice), Inherent Risk (calculated)
  Control Assessment Output: Existing Mitigating Controls (free text), Control Effectiveness (fixed choice)
  Residual Risk Assessment Output: Likelihood (fixed choice), Impact (fixed choice), Residual Risk (calculated)
  Residual Gap: Risk Tolerance (fixed choice), Frequency / Next Risk Assessment Date (free text), Issues Identified (free text)
  Management Plan to Address Residual Gap: Plan of Action & Milestones (free text), Action Owner (free text), Action Status (fixed choice), Target Completion Date (free text), Date of Update (free text), Actual Completion Date (free text)

RISK001
  Risk Event Type (Level 2): Cybercrime - Business Email Compromise
  Risk Exposure (Level 1): Cybercrime
  Risk Description: Significant fraud event arising from fraudulent payment to a person impersonating a senior executive.
  Risk Owner(s): CFO
  Risk Type: Cyber and IT
  Description of Risk and Impact: We suffer a coordinated operation of multiple claims against existing retirement funds to fraudsters impersonating existing clients, based on what appears to be authentic paperwork and knowledgeable calls to our customer service line. We fail to recover the payments. Such a fraud requires a well-informed, coordinated operation.
  Inherent Risk Assessment: Likelihood Rare/Remote/Improbable; Impact Large; Inherent Risk Medium
  Existing Mitigating Controls:
    • Payment procedures using phasing and delay mechanisms to identify potentially fraudulent claims and prevent outflow of funds.
    • Payment claims of greater than $100,000 must be lodged physically and identification sighted.
  Control Effectiveness: Effective
  Residual Risk Assessment: Likelihood Rare/Remote/Improbable; Impact Moderate; Residual Risk Low
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified:
    • Failure to adequately identify the claimant when not physically present.
    • No mechanism to detect clustering of retirement fund claims across multiple customer service staff.
    • Staff not trained to identify high-risk payment situations.
  Plan of Action & Milestones:
    • Modify procedures so that payment claims of greater than $25,000 must be lodged physically and identification sighted.
    • Modify procedures to cross-check contact and account details out of band.
    • Extend postclaim, prepayment fraud detection capability to detect claims clustering.
    • Train staff to ask profiling questions.
  Action Owner / Action Status / Target Completion Date:
    SVP, Customer Service Division / Solution implemented — waiting on acceptance / 1-Sep-14
    CSO / Solution in progress

RISK002
  Risk Event Type (Level 2): Cybercrime - Ransomware
  Risk Exposure (Level 1): Cybercrime
  Risk Description: Significant system downtime on customer service workstations due to an uncontrolled ransomware outbreak.
  Risk Owner(s): Head of Retail
  Risk Type: Cyber and IT
  Description of Risk and Impact: We suffer a significant outage to customer service workstations due to a ransomware outbreak. This inhibits our ability to serve customers effectively. There are also secondary financial and brand impacts.
  Inherent Risk Assessment: Likelihood Almost Certain/Frequent; Impact Large; Inherent Risk Extreme
  Existing Mitigating Controls:
    • Desktop and network anti-malware software installed and updated regularly.
    • Forensic and diagnostics support available on demand.
  Control Effectiveness: Partially Effective
  Residual Risk Assessment: Likelihood Probable/Likely; Impact Large; Residual Risk High
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified:
    • No protection against Day 0-type attacks.
    • No early-warning system for malware tailored specifically for our systems.
  Plan of Action & Milestones:
    • Implement sandboxing technology to improve identification and containment capabilities.
    • Commission a threat intelligence service to monitor for early signs of a potential attack.
  Action Owner: IT PMO
  Action Status: Risk assessed — negotiating solution
  Target Completion Date: TBD when solution agreed on

RISK003
  Risk Event Type (Level 2): Theft, Loss or Improper access to Data - Company Intellectual Property
  Risk Exposure (Level 1): Theft, Loss or Improper access to Data
  Risk Description: Leakage of intellectual property (IP — product road map and designs) to a competitor.
  Risk Owner(s): Head of Research
  Risk Type: Cyber and IT
  Description of Risk and Impact: One of our own staff gains access to key IP and provides it to a competitor. The competitor uses it to go to market first. As a consequence, we waste our R&D investment and lose significant market share. In this scenario, we consider insider leaks only, not external penetration.
  Inherent Risk Assessment: Likelihood Probable/Likely; Impact Severe; Inherent Risk Extreme
  Existing Mitigating Controls:
    • Legal protection (patents) exists on all significant IP.
    • Strong incentive and disincentive balance to encourage desired staff behavior.
    • Strong access control restrictions on IP considered to be strategic assets.
    • DLP implemented to detect exfiltration of IP.
  Control Effectiveness: Effective
  Residual Risk Assessment: Likelihood Possible; Impact Severe; Residual Risk High
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified:
    • Incentive and disincentive program is ineffective in abnormal situations (for example, under extreme stress, such as kidnap, hostage or extortion [KHE] scenarios).
  Plan of Action & Milestones:
    • Implement a "panic" protocol for staff exposed to extreme situations (for example, a family member who is kidnapped).
    • Commission a project to develop a method for identifying staff at risk of blackmail or in other forms of distress (such as a problem with gambling).
    • Implement technology to detect unusual patterns of access to identify "slow leaks."
  Action Owner: CSO
  Action Status: Solution implemented — waiting on acceptance
  Target Completion Date: 31-Aug-14

RISK004
  Risk Event Type (Level 2): Cybercrime - Denial of Service
  Risk Exposure (Level 1): Cybercrime
  Risk Description: Significant system downtime <name of customer-facing business web application system> delayed due to major Distributed Denial of Service attack.
  Risk Owner(s): General Manager, Online Delivery
  Risk Type: Operational
  Description of Risk and Impact: <name of customer-facing business web application system> delayed due to major Distributed Denial of Service attack. This inhibits our ability to serve customers effectively. There are also secondary financial and brand impacts as customers are unable to find and transact with us online for a period of time.
  Inherent Risk Assessment: Likelihood Almost Certain/Frequent; Impact Moderate; Inherent Risk High
  Existing Mitigating Controls:
    • Bandwidth is 2x more than required to handle peak traffic.
    • Redundancy is built into network design and security controls.
    • DDOS mitigation support available on demand.
  Control Effectiveness: Partially Effective
  Residual Risk Assessment: Likelihood Possible; Impact Moderate; Residual Risk Medium
  Risk Tolerance: Medium
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified: No proactive detection capability to distinguish between DDOS and normal increases in traffic.
  Plan of Action & Milestones:
    • Implement DDOS or traffic monitoring capability.
  Action Owner: CSO
  Action Status: Risk accepted — closed
  Actual Completion Date: Management plan completed 1-Apr-2014

RISK005
  Risk Event Type (Level 2): Online Brand Risk - Social media misinformation
  Risk Exposure (Level 1): Online Brand Risk
  Risk Description: Unfounded rumor in social or popular media that a financial scandal is about to engulf the company.
  Risk Owner(s): SVP, Public Affairs
  Risk Type: Cyber and IT
  Description of Risk and Impact: A rumor appears in social media or the popular press that the company is about to become embroiled in a financial scandal. The rumor is not true, but it causes a depression on the stock price. The rumor does not subside and continues to depress the price. The most likely scenario is that this will be started by activists who object to our business.
  Inherent Risk Assessment: Likelihood Almost Certain/Frequent; Impact Moderate; Inherent Risk High
  Existing Mitigating Controls: None.
  Control Effectiveness: Ineffective
  Residual Risk Assessment: Likelihood Almost Certain/Frequent; Impact Moderate; Residual Risk High
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified: We do not monitor for mentions of our brand at all.
  Plan of Action & Milestones / Action Owner / Action Status / Target Completion Date:
    • Implement monitoring for mentions of our brand in social or popular media. Prepare media statements for immediate use, should the need ever arise. / SVP, Public Affairs / Solution in progress / 31-Oct-14
    • Develop a relationship with law enforcement to support rapid response and prosecution, should the risk occur. / SVP, Security / Solution implemented — waiting on acceptance / 31-Dec-14
    • Bolster "brand trust" via triple-bottom-line strategy and existing marketing campaign. / SVP, Marketing and Community / Solution in progress / 31-Mar-15

RISK006
  Risk Event Type (Level 2): Theft, Loss or Improper access to Data - PCI Data
  Risk Exposure (Level 1): Theft, Loss or Improper access to Data
  Risk Description: Accidental release of credit card numbers to an unauthorized recipient (more than 500 numbers per single incident).
  Risk Owner(s): Head of Cards
  Risk Type: Cyber and IT
  Description of Risk and Impact: We send out a batch of credit card numbers to an unauthorized person. Our most significant exposure to this is accidental release via email directed to an erroneous address. This risk specifically excludes malicious acts. The impact of this would be potentially heavy fines from the card schemes, in addition to secondary exposures from fraud and brand damage.
  Inherent Risk Assessment: Likelihood Almost Certain/Frequent; Impact Large; Inherent Risk Extreme
  Existing Mitigating Controls: Data encryption for credit card numbers to authorized recipients.
  Control Effectiveness: Ineffective
  Residual Risk Assessment: Likelihood Almost Certain/Frequent; Impact Large; Residual Risk Extreme
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified: We do not currently trap instances of credit card numbers being sent to unauthorized recipients, and the benefit of existing mitigating controls in isolation is therefore negligible. Our major exposure is accidental release via email, although we have lesser exposures via other channels.
  Plan of Action & Milestones: Implement a network data loss prevention (DLP) solution.
  Action Owner: CISO
  Action Status: Solution agreed on — waiting to implement
  Target Completion Date: 1-Jun-15

RISK007
  Risk Event Type (Level 2): Theft, Loss or Improper access to Data - Employee data
  Risk Exposure (Level 1): Theft, Loss or Improper access to Data
  Risk Description: Malicious, internal transmission throughout the organization of the compensation packages of multiple staff members.
  Risk Owner(s): SVP, HR
  Risk Type: Cyber and IT
  Description of Risk and Impact: A disgruntled staff member sends out the compensation package details of other staff members throughout the organization. This would create jealousy and conflict among staff, and lead to further widespread disgruntlement, with a loss of productivity and possible departure of key staff.
  Inherent Risk Assessment: Likelihood Possible; Impact Moderate; Inherent Risk Medium
  Existing Mitigating Controls:
    • Access to compensation details is segmented and restricted.
    • High degree of audit logging on access to the details.
    • Strong organizational culture.
  Control Effectiveness: Effective
  Residual Risk Assessment: Likelihood Rare/Remote/Improbable; Impact Moderate; Residual Risk Low
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified: A disgruntled staff member could realistically access details for only a limited number of other staff members.
  Plan of Action & Milestones: No further action. Risk is considered acceptable.
  Action Owner: Not applicable (NA)
  Action Status: Risk accepted — closed
  Date of Update: 12-Apr-14

RISK008
  Risk Event Type (Level 2): Theft, Loss or Improper access to Data - Non-Sensitive Customer data
  Risk Exposure (Level 1): Theft, Loss or Improper access to Data
  Risk Description: External exposure of non-personally identifiable information (PII) customer demographic data.
  Risk Owner(s): CMO
  Risk Type: Cyber and IT
  Description of Risk and Impact: A portion of our consolidated internal-use-only customer demographic information is leaked to an unauthorized third party (for example, the media). Although the information is for internal use only, it is not regulated. However, the public may perceive this as a breach of their details (in this scenario, it is not), and their trust in our brand is degraded.
  Inherent Risk Assessment: Likelihood Possible; Impact Severe; Inherent Risk High
  Existing Mitigating Controls:
    • Open architecture, but with a high degree of monitoring and audit logging that are traceable to individuals.
  Control Effectiveness: Effective
  Residual Risk Assessment: Likelihood Unlikely/Seldom; Impact Severe; Residual Risk Medium
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified: We have deliberately adopted an open architecture to this information to allow for an agile response to market opportunities. This risk is implicit in this architectural approach. However, the adoption of this architecture requires high degrees of logging and staff awareness, and a strong corporate culture.
  Plan of Action & Milestones:
    • Upgrade the staff awareness program so that staff must positively acknowledge actions and provide justification when a large volume of information is extracted.
    • Colocate one staff member from the internal investigation team on-site in a liaison role.
  Action Owner: CMO
  Action Status: Solution in progress
  Target Completion Date: 1-Oct-14

RISK009
  Risk Event Type (Level 2): Theft, Loss or Improper access to Data - Company Confidential Data
  Risk Exposure (Level 1): Theft, Loss or Improper access to Data
  Risk Description: A staff member maliciously sends outdated security vulnerability information to the media to embarrass the organization.
  Risk Owner(s): CISO
  Risk Type: Cyber and IT
  Description of Risk and Impact: This risk assumes that the vulnerability information is outdated. If it was current, then the risk profile would be worse. The assumption is that the staff member is attempting to embarrass the organization by portraying it as incompetent. This leads to erroneous assertions by media commentators that our security is lax, and our brand becomes a byword for the same.
  Inherent Risk Assessment: Likelihood Possible; Impact Large; Inherent Risk Medium
  Existing Mitigating Controls:
    • Access to vulnerability information is restricted to authorized staff who are trained to manage that information with discretion.
  Control Effectiveness: Effective
  Residual Risk Assessment: Likelihood Unlikely/Seldom; Impact Large; Residual Risk Medium
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified: Although access is restricted and staff are trained, a rogue staff member could transfer this information.
  Plan of Action & Milestones:
    • Implement a network DLP solution to identify any potential leaks to the media over electronic channels.
    • Implement an endpoint DLP solution to detect downloading of information to removable media or printing of information.
    • Escalate audit logging on access to the vulnerability database.
  Action Owner: CISO
  Action Status: Solution in progress
  Target Completion Date: 15-Dec-14

RISK010
  Risk Event Type (Level 2): Theft, Loss or Improper access to Data - Sensitive Customer Data
  Risk Exposure (Level 1): Theft, Loss or Improper access to Data
  Risk Description: Accidental transmission of customer name and address information (only) from a CRM database via email to an unauthorized third party.
  Risk Owner(s): CIO
  Risk Type: Cyber and IT
  Description of Risk and Impact: We would incur fines of over $1 million from regulators. Depending on the actions of the third party, subsequent effects would include significant brand damage, adverse media exposure, loss of customer confidence and possibly loss of revenue. Major risk of accidental loss is via the email channel.
  Inherent Risk Assessment: Likelihood Almost Certain/Frequent; Impact Large; Inherent Risk Extreme
  Existing Mitigating Controls: None.
  Control Effectiveness: Ineffective
  Residual Risk Assessment: Likelihood Almost Certain/Frequent; Impact Large; Residual Risk Extreme
  Risk Tolerance: Low
  Frequency / Next Risk Assessment Date: Annual
  Issues Identified: We currently have no method of identifying the outflow of customer information via email or any other channel.
  Plan of Action & Milestones / Action Owner / Action Status / Target Completion Date:
    • Implement a network DLP solution. / CISO / Risk assessed — negotiating solution / TBD when solution agreed on
    • Launch an awareness program for individuals who have access to customer data. / Head of Customer Service Division / Risk assessed — negotiating solution / TBD when solution agreed on

RISK011 to RISK025
  Empty rows. Risk Event Type (Level 2) and Risk Exposure (Level 1): to be expanded based on client risk assessment and taxonomy.

Pick List Data

Values offered by the fixed-choice columns of the Risk Register tab. The three taxonomy lists (Risk Type, Risk Exposure, Risk Event) end with a placeholder to be expanded based on the client's risk assessment and taxonomy.

Risk Type
- Financial
- Operational
- Cyber and IT
- Strategic
- Compliance
- To be expanded based on client risk assessment and taxonomy

Risk Exposure (Level 1)
- Cybercrime
- Online Brand Risk
- Theft, Loss or Improper access to Data
- Technology Failure
- Regulatory Compliance
- To be expanded based on client risk assessment and taxonomy

Risk Event (Level 2)
- Cybercrime - Business Email Compromise
- Cybercrime - Ransomware
- Cybercrime - Phishing
- Cybercrime - Denial of Service
- Online Brand Risk - Social media misinformation
- Online Brand Risk - Fraudulent mobile apps
- Theft, Loss or Improper access to Data - PCI Data
- Theft, Loss or Improper access to Data - Employee data
- Theft, Loss or Improper access to Data - Non-Sensitive Customer data
- Theft, Loss or Improper access to Data - Company Confidential Data
- Theft, Loss or Improper access to Data - Sensitive Customer Data
- Technology Failure - Hardware
- Technology Failure - Software
- Technology Failure - Network
- Technology Failure - Cloud
- Regulatory Compliance - Privacy fine
- To be expanded based on client risk assessment and taxonomy

Risk Likelihood
- Rare/Remote/Improbable
- Unlikely/Seldom
- Possible
- Probable/Likely
- Almost Certain/Frequent

Primary Impact
- Insignificant
- Small
- Moderate
- Large
- Severe

Risk Level
- Minute
- Low
- Medium
- High
- Extreme

Control Effectiveness
- Highly Effective
- Effective
- Partially Effective
- Ineffective

Treatment Status
- Open — not yet assessed
- Risk assessed — determining treatment
- Treatment agreed on — waiting to implement
- Treatment in progress
- Treatment implemented — waiting on acceptance
- Risk accepted — closed

Impact Category
- Financial
- Customer
- Opportunity
- Shareholder
- Commercial
- Staff
- Brand
- Media
- Regulator

Impact Assessment Decision Table

Each impact dimension is rated on the same five levels used by the Primary Impact pick list (Severe, Large, Moderate, Small, Insignificant). The sample deliberately includes criteria other than direct financial loss.

Financial Impact
  Severe: Insolvency, or negative profit outlook.
  Large: Material financial loss (as formally defined), or loss above the board-reportable threshold.
  Moderate: Financial loss greater than budget allowance, requiring budget adjustment across multiple lines of business.
  Small: Financial loss greater than budget allowance, requiring budget adjustment within a single line of business.
  Insignificant: Financial loss within annual budget allowance.

Customer Impact
  Severe: Complete failure of service across multiple lines of business >= 5 minutes.
  Large: Failure (partial or complete) of service across multiple lines of business < 5 minutes, or complete failure across a single line of business >= 1 day.
  Moderate: Partial service disruption in a single line of business >= 1 day, or total service disruption in a single line of business >= 1 hour.
  Small: Partial service disruption in a single line of business < 1 day, or total disruption in a single line of business < 1 hour, or attributable rise in daily call center load >= 20%.
  Insignificant: Insignificant service disruption, or attributable rise in daily call center load < 20%.

Opportunity Impact
  Severe: We lose rights to our IP. Competitor gains first-mover advantage.
  Large: Compromise of IP or trade secret, and competitor generates significant market share using it.
  Moderate: Compromise of IP or trade secret, but we are able to recover through legal or other means.
  Small: Competitor gains insight into our IP and generates inferior competitive offering.
  Insignificant: IP or trade secret leaked prior to planned release.

Shareholder Impact
  Severe: Attributable negative share price movement >= 10%.
  Large: Attributable negative share price movement >= 5% but < 10%.
  Moderate: Attributable negative share price movement >= 1% but < 5%.
  Small: Attributable negative share price movement < 1%.
  Insignificant: Attributable negative share price movement insignificant (< 0.1%).

Commercial Impact
  Severe: Commercial liability exposure threatens viability of the company.
  Large: Exposure to punitive damages, or loss of Tier 1 customer.
  Moderate: Exposure to restitution or similar damages for breach of contract, or loss of lower-tier customer.
  Small: Minor penalties incurred for exceptions explicitly articulated in the contract.
  Insignificant: No impact to commercial obligations, or no penalty incurred for missed obligations.

Staff Impact
  Severe: Actual or high risk of death or injury.
  Large: Risk of death or injury rated higher than insignificant, or major job losses.
  Moderate: Minor job losses, or significant loss of productivity (>= 30 person days).
  Small: Minor staff disruption, or minor loss of productivity (< 30 person days).
  Insignificant: No staff impact.

Brand Impact
  Severe: Company name becomes a byword for corporate misconduct or misadventure.
  Large: Loss of multiple high-value customers, or introduction of widespread negative brand sentiment.
  Moderate: Loss of one high-value customer or multiple midlevel customers, or introduction of short-term negative brand sentiment.
  Small: Loss of multiple low-value customers, or reinforcement of existing negative brand sentiment.
  Insignificant: Insignificant customer loss.

Media Impact
  Severe: International long-term media coverage.
  Large: International short-term media coverage, or national long-term media coverage.
  Moderate: National short-term media coverage.
  Small: Local long-term media coverage.
  Insignificant: No media coverage, or local short-term coverage.

Regulator Impact
  Severe: One or more lines of business are shut down, or an executive faces personal legal liability.
  Large: Regulator issues a notice to comply under penalty of service termination.
  Moderate: Regulator issues an enforceable undertaking.
  Small: Regulator requires regular reporting until resolution.
  Insignificant: No regulator interest, or report to regulator is optional.

Likelihood Assessment Criteria Table

Likelihood Level            Likelihood of occurrence in next 12 months   Frequency in years
Rare/Remote/Improbable      Less than 5%                                 Every 10+ years
Unlikely/Seldom             5% to 20%                                    Every 5-10 years
Possible                    20% to 50%                                   Every 3-5 years
Probable/Likely             50% to 80%                                   Every 2-3 years
Almost Certain/Frequent     Greater than 80%                             Every year

The two criteria columns are alternative scales for the same level, not a strict conversion of one into the other, and the percentage bands share their boundary values (20%, 50%, 80%); when adapting the table, state which band an exact boundary value falls into.

Risk Assessment Matrix

Rows give the severity of business impact, columns the likelihood of the risk scenario, and each cell the resulting risk level (the calculated Inherent Risk and Residual Risk columns of the register).

Severity of      Likelihood of Risk Scenario
Business Impact  Rare/Remote/Improbable  Unlikely/Seldom  Possible  Probable/Likely  Almost Certain/Frequent
Severe           Medium                  Medium           High      Extreme          Extreme
Large            Medium                  Medium           Medium    High             Extreme
Moderate         Low                     Medium           Medium    Medium           High
Small            Minute                  Low              Medium    Medium           Medium
Insignificant    Minute                  Minute           Low       Medium           Medium

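The following Python script is an added example, not part of the Gartner tool or its spreadsheet. It transcribes the sample Risk Assessment Matrix and Pick List values from this page, applies the rule from step 4 of the instructions (a residual risk above the risk tolerance needs a treatment plan), and runs those checks over rows constructed from the sample register. The RiskRow layout, the check names and the RISKXXX row are this example's own, and treating the worst impact dimension as the overall impact rating is an assumption that the tool itself does not state.

```python
"""Consistency checks for rows of a consolidated risk register.

Added example, not part of the Gartner tool. It encodes the sample Risk
Assessment Matrix and Pick List values, applies the "residual risk greater
than tolerance requires a treatment plan" rule from the instructions, and
runs the checks over rows constructed from the register's own sample entries.
"""
from dataclasses import dataclass

# Pick List Data, ordered from least to most likely / severe.
LIKELIHOOD = ["Rare/Remote/Improbable", "Unlikely/Seldom", "Possible",
              "Probable/Likely", "Almost Certain/Frequent"]
IMPACT = ["Insignificant", "Small", "Moderate", "Large", "Severe"]
RISK_LEVEL = ["Minute", "Low", "Medium", "High", "Extreme"]
TREATMENT_STATUS = [
    "Open — not yet assessed",
    "Risk assessed — determining treatment",
    "Treatment agreed on — waiting to implement",
    "Treatment in progress",
    "Treatment implemented — waiting on acceptance",
    "Risk accepted — closed",
]

# Risk Assessment Matrix: row = impact, column index = position in LIKELIHOOD.
MATRIX = {
    "Severe":        ["Medium", "Medium", "High",   "Extreme", "Extreme"],
    "Large":         ["Medium", "Medium", "Medium", "High",    "Extreme"],
    "Moderate":      ["Low",    "Medium", "Medium", "Medium",  "High"],
    "Small":         ["Minute", "Low",    "Medium", "Medium",  "Medium"],
    "Insignificant": ["Minute", "Minute", "Low",    "Medium",  "Medium"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """The 'Calculated' Inherent/Residual Risk field: a matrix lookup that
    refuses values outside the pick lists instead of silently mis-rating."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood not in pick list: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"impact not in pick list: {impact!r}")
    return MATRIX[impact][LIKELIHOOD.index(likelihood)]


def overall_impact(per_dimension: dict) -> str:
    """Impact is assessed per dimension (Financial, Customer, Regulator, ...).
    Assumption of this example: the worst single dimension sets the rating."""
    return max(per_dimension.values(), key=IMPACT.index)


@dataclass
class RiskRow:
    risk_id: str
    inherent_likelihood: str
    inherent_impact: str
    inherent_risk: str          # as recorded in the sheet
    control_effectiveness: str
    residual_likelihood: str
    residual_impact: str
    residual_risk: str          # as recorded in the sheet
    risk_tolerance: str
    treatment_status: str
    plan_of_action: str = ""


def check_row(row: RiskRow) -> list:
    """Return the findings for one row (an empty list means it is consistent)."""
    findings = []
    expected_inherent = risk_level(row.inherent_likelihood, row.inherent_impact)
    if row.inherent_risk != expected_inherent:
        findings.append(f"inherent risk recorded {row.inherent_risk}, matrix gives {expected_inherent}")
    expected_residual = risk_level(row.residual_likelihood, row.residual_impact)
    if row.residual_risk != expected_residual:
        findings.append(f"residual risk recorded {row.residual_risk}, matrix gives {expected_residual}")
    if row.treatment_status not in TREATMENT_STATUS:
        findings.append(f"treatment status not in pick list: {row.treatment_status!r}")
    # Rule from the instructions: residual above tolerance needs an open treatment plan.
    if RISK_LEVEL.index(expected_residual) > RISK_LEVEL.index(row.risk_tolerance):
        if not row.plan_of_action.strip() or row.treatment_status == "Risk accepted — closed":
            findings.append("residual risk exceeds tolerance but no open treatment plan")
    # Sanity check on the control rating: in the sample rows, controls rated
    # Ineffective leave the residual assessment equal to the inherent one.
    if row.control_effectiveness == "Ineffective" and expected_residual != expected_inherent:
        findings.append("controls rated Ineffective yet residual risk differs from inherent")
    return findings


def check_register(rows) -> dict:
    """Map risk_id to findings for every row that has at least one finding."""
    result = {}
    for row in rows:
        findings = check_row(row)
        if findings:
            result[row.risk_id] = findings
    return result


# Rows constructed from the sample register on this page (RISK002, RISK004,
# RISK006) plus one deliberately inconsistent row (RISKXXX) to show the checks firing.
SAMPLE_ROWS = [
    RiskRow("RISK002", "Almost Certain/Frequent", "Large", "Extreme", "Partially Effective",
            "Probable/Likely", "Large", "High", "Low", "Treatment in progress",
            "Implement sandboxing; commission a threat intelligence service"),
    RiskRow("RISK004", "Almost Certain/Frequent", "Moderate", "High", "Partially Effective",
            "Possible", "Moderate", "Medium", "Medium", "Risk accepted — closed",
            "Implement DDOS or traffic monitoring capability"),
    RiskRow("RISK006", "Almost Certain/Frequent", "Large", "Extreme", "Ineffective",
            "Almost Certain/Frequent", "Large", "Extreme", "Low",
            "Treatment agreed on — waiting to implement", "Implement a network DLP solution"),
    RiskRow("RISKXXX", "Possible", "Severe", "Medium", "Effective",   # hand-edited inherent rating
            "Unlikely/Seldom", "Severe", "Medium", "Low", "Risk accepted — closed", ""),
]

if __name__ == "__main__":
    for risk_id, findings in check_register(SAMPLE_ROWS).items():
        print(risk_id)
        for finding in findings:
            print("  -", finding)
```

Run directly, the three rows copied from the register come back clean and the deliberately inconsistent row is flagged twice (an inherent rating that disagrees with the matrix, and a closed risk that still sits above its tolerance with no plan). The same checks can be run over an export of the Risk Register tab ahead of a review so that hand-edited "calculated" cells and prematurely closed risks are caught before the register is circulated.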