Sample Risk Register Consolidated
A risk register is a valuable communications tool for Security and Risk Management Leaders. This tool will help effectively
communicate the potential business impacts of risks, record issues and control weaknesses and help support the design,
implementation and monitoring of risk treatment activities.
The instructions, intent and objective of this template are contained in the source document. Please refer back to that document for details.
© 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
presentation, including all supporting materials, is proprietary to Gartner, Inc. and/or its affiliates and is for the sole internal use of the
intended recipients. Because this presentation may contain information that is confidential, proprietary or otherwise legally protected, it may
not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
Classification: Internal
Instructions
Security and Risk Management Leaders should use the consolidated risk register to record and monitor the current status o
weaknesses within an organization. It is not specifically designed to record all identified issues and findings outside of the ri
Management leaders to:
Review the field names and field descriptions in embedded comments to familiarize yourself with the approach, definitions a
like. Each field is described below as "unique identifier", "free text," "fixed choice" or "calculated." Those fixed-choice fields a
which should be changed to match your enterprise's terminology. While it may be difficult to apply only one category, you sh
In the risk register Excel spreadsheet, modify the following tabs to match the organization's definitions and preferences:
- Pick List Data
- Likelihood Assessment
- Impact Assessment
- Risk Assessment Matrix
Note that any changes made in any one of these tabs must be reflected in other tabs to ensure internal consistency.
Conduct a risk assessment and update the risk register spreadsheet with the outputs, modifying your existing risks or addin
required. The risk assessment can be performed on a regular cadence or be triggered by some event or incident — some exam
entity, change of an existing entity, identification of significant control weaknesses, including audit findings, or change in the
If the residual risk is greater than the risk tolerance, treatment plans should be formulated to bring the residual risk into com
RISK REGISTER

(The column headings of the register did not survive extraction; the field labels below are inferred from the cell values and from the Instructions. Two sample rows are populated.)

RISK008
- Risk category: Theft, Loss or Improper access to Data
- Risk: Theft, Loss or Improper access to Data - Non-Sensitive Customer data
- Risk scenario: External exposure of non-personally identifiable information (PII) customer demographic data.
- Business impact: A portion of our consolidated internal-use-only customer demographic information is leaked to an unauthorized third party (for example, the media). Although the information is for internal use only, it is not regulated. However, the public may perceive this as a breach of their details (in this scenario, it is not), and their trust in our brand is degraded.
- Risk owner: CMO
- Risk type: Cyber and IT
- Inherent likelihood: Possible
- Inherent impact: Severe
- Inherent risk rating: High
- Current controls: Open architecture, but with a high degree of monitoring and audit logging that are traceable to individuals.
- Control effectiveness: Effective
- Residual likelihood: Unlikely/Seldom
- Residual impact: Severe
- Residual risk rating: Medium
- Risk tolerance: Low
- Review frequency: Annual
- Rationale: We have deliberately adopted an open architecture to this information to allow for an agile response to market opportunities. This risk is implicit in this architectural approach. However, the adoption of this architecture requires high degrees of logging and staff awareness, and a strong corporate culture.
- Treatment plan: (1) Upgrade the staff awareness program so that staff must positively acknowledge actions and provide justification when a large volume of information is extracted. (2) Colocate one staff member from the internal investigation team on-site in a liaison role.
- Treatment owner: CMO
- Treatment status: Solution in progress
- Target date: 1-Oct-14

RISK010
- Risk category: Theft, Loss or Improper access to Data
- Risk: Theft, Loss or Improper access to Data - Sensitive Customer Data
- Risk scenario: Accidental transmission of customer name and address information (only) from a CRM database via email to an unauthorized third party.
- Business impact: We would incur fines of over $1 million from regulators. Depending on the actions of the third party, subsequent effects would include significant brand damage, adverse media exposure, loss of customer confidence and possibly loss of revenue. Major risk of accidental loss is via the email channel.
- Risk owner: CIO
- Risk type: Cyber and IT
- Inherent likelihood: Almost Certain/Frequent
- Inherent impact: Large
- Inherent risk rating: Extreme
- Current controls: None.
- Control effectiveness: Ineffective
- Residual likelihood: Almost Certain/Frequent
- Residual impact: Large
- Residual risk rating: Extreme
- Risk tolerance: Low
- Review frequency: Annual
- Rationale: We currently have no method of identifying the outflow of customer information via email or any other channel.
- Treatment plan: (1) Implement a network DLP solution (treatment owner: CISO). (2) Launch an awareness program for individuals who have access to customer data (treatment owner: Head of Customer Service Division).
- Treatment status (both actions): Risk assessed — negotiating solution
- Target date (both actions): TBD when solution agreed on

RISK012 through RISK025: blank template rows.
Impact Assessment Decision Table

(Only the "Severe" row label survived extraction. For the Impact Dimensions columns four rows survived, the first being Severe and the remaining three unlabelled; they are listed from highest to lowest impact.)

Business Impact
- Financial Impact, Severe: Insolvency, or negative profit outlook.
- Customer Impact, Severe: Complete failure of service across multiple lines of business >= 5 minutes.
- Opportunity Impact, Severe: We lose rights to our IP. Competitor gains first-mover advantage.

Impact Dimensions

Shareholder Impact
- Severe: Attributable negative share price movement >= 10%.
- Second level (label not recovered): Attributable negative share price movement >= 5% but < 10%.
- Third level (label not recovered): Attributable negative share price movement >= 1% but < 5%.
- Fourth level (label not recovered): Attributable negative share price movement < 1%.

Commercial Impact
- Severe: Commercial liability exposure threatens viability of the company.
- Second level (label not recovered): Exposure to punitive damages, or loss of Tier 1 customer.
- Third level (label not recovered): Exposure to restitution or similar damages for breach of contract, or loss of lower-tier customer.
- Fourth level (label not recovered): Minor penalties incurred for exceptions explicitly articulated in the contract.

Staff Impact
- Severe: Actual or high risk of death or injury.
- Second level (label not recovered): Risk of death or injury rated higher than insignificant, or major job losses.
- Third level (label not recovered): Minor job losses, or significant loss of productivity (>= 30 person days).
- Fourth level (label not recovered): Minor staff disruption, or minor loss of productivity (< 30 person days).

Brand Impact
- Severe: Company name becomes a byword for corporate misconduct or misadventure.
- Second level (label not recovered): Loss of multiple high-value customers, or introduction of widespread negative brand sentiment.
- Third level (label not recovered): Loss of one high-value customer or multiple midlevel customers, or introduction of short-term negative brand sentiment.
- Fourth level (label not recovered): Loss of multiple low-value customers, or reinforcement of existing negative brand sentiment.

Media Impact
- Severe: International long-term media coverage.

Regulator Impact
- Severe: One or more lines of business are shut down, or an executive faces personal legal liability.
Likelihood Assessment Criteria Table

Likelihood Level          | Likelihood of occurrence in next 12 months | Frequency in years
Rare/Remote/Improbable    | Less than 5%                               | Every 10+ years
Unlikely/Seldom           | 5% - 20%                                   | Every 5-10 years
Possible                  | 20% to 50%                                 | Every 3-5 years
Probable/Likely           | 50% to 80%                                 | Every 2-3 years
Almost Certain/Frequent   | Greater than 80%                           | Every year
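Added example, not part of the Gartner template: a small Python checker that encodes the 12-month probability bands from the likelihood table above and the Instructions' rule that a residual risk above the risk tolerance needs a treatment plan, then runs both over the two populated register rows. The field names, the rating order Low < Medium < High < Extreme, and the lower-inclusive band boundaries are assumptions (the page lists the values but not their order or boundary handling).

```python
# Added example (not the template's own code); the rating order is assumed, see RATING_ORDER.

# 12-month probability bands from the Likelihood Assessment Criteria table (lower-inclusive;
# the page does not say where an exact boundary value such as 20% belongs).
LIKELIHOOD_BANDS = [
    ("Rare/Remote/Improbable", 0.00, 0.05),
    ("Unlikely/Seldom", 0.05, 0.20),
    ("Possible", 0.20, 0.50),
    ("Probable/Likely", 0.50, 0.80),
    ("Almost Certain/Frequent", 0.80, 1.01),  # 1.01 so that a probability of exactly 1.0 fits
]
LIKELIHOOD_LEVELS = [name for name, _, _ in LIKELIHOOD_BANDS]
IMPACT_LEVELS = ["Severe", "Large"]  # only the impact levels visible in the sample rows
RATING_ORDER = ["Low", "Medium", "High", "Extreme"]  # assumed low-to-high order
CONTROL_EFFECTIVENESS = ["Effective", "Ineffective"]  # values seen in the sample rows

def likelihood_level(probability):
    """Map a 12-month probability (0..1) to the template's likelihood level."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return next(name for name, lo, hi in LIKELIHOOD_BANDS if lo <= probability < hi)

def needs_treatment(residual_rating, tolerance):
    """Template rule: a treatment plan is required when residual risk exceeds the tolerance."""
    return RATING_ORDER.index(residual_rating) > RATING_ORDER.index(tolerance)

def validate_row(row):
    """Findings for one row: pick-list mismatches (the Instructions' internal consistency) and the treatment rule."""
    findings = []
    checks = {"inherent_likelihood": LIKELIHOOD_LEVELS, "residual_likelihood": LIKELIHOOD_LEVELS,
              "inherent_impact": IMPACT_LEVELS, "residual_impact": IMPACT_LEVELS,
              "inherent_rating": RATING_ORDER, "residual_rating": RATING_ORDER,
              "tolerance": RATING_ORDER, "control_effectiveness": CONTROL_EFFECTIVENESS}
    for field, allowed in checks.items():
        if row[field] not in allowed:
            findings.append(f"{row['id']}: {field} {row[field]!r} is not a pick-list value")
    if (row["residual_rating"] in RATING_ORDER and row["tolerance"] in RATING_ORDER
            and needs_treatment(row["residual_rating"], row["tolerance"])):
        findings.append(f"{row['id']}: residual {row['residual_rating']} exceeds tolerance "
                        f"{row['tolerance']}; treatment plan required")
    return findings

# The two populated rows of the sample register on this page (field names are assumed).
RISK008 = dict(id="RISK008", inherent_likelihood="Possible", inherent_impact="Severe",
               inherent_rating="High", control_effectiveness="Effective", residual_likelihood="Unlikely/Seldom",
               residual_impact="Severe", residual_rating="Medium", tolerance="Low")
RISK010 = dict(id="RISK010", inherent_likelihood="Almost Certain/Frequent", inherent_impact="Large",
               inherent_rating="Extreme", control_effectiveness="Ineffective",
               residual_likelihood="Almost Certain/Frequent", residual_impact="Large",
               residual_rating="Extreme", tolerance="Low")
```

Both sample rows are flagged, since each carries a residual rating above its Low tolerance and the register indeed records treatment plans for both.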
Risk Assessment Matrix

Likelihood of Risk Scenario (column headings, lowest to highest): Rare/Remote/Improbable, Unlikely/Seldom, Possible, Probable/Likely, Almost Certain/Frequent.
(The impact axis and the rating cells of the matrix did not survive extraction.)