Risk and Controls

A central repository of all identified IT risks and the measures taken to respond to them.

Risk is:

an uncertain event (or set of events) which, should it occur, will have a favorable or adverse effect on the achievement of the organization's objectives.

Risk has always been an inseparable part of our lives, whether related to commerce, health, travel, sports or any other human activity. Information Technology and digitalization are no exceptions. The success of an IT organization depends on how well IT managers promote a risk-aware culture to identify, analyze and manage technology-related risks in order to protect IT assets. See figure 1 for risk-related concepts.

figure 1: risk and related concepts

The Risk Register is an important part of this process. It is not a static document but a live management tool used as a central repository of all identified IT risks (figure 2). It records the details of each risk at the different stages of the process, including the risk statement, type, category, probability, impact, ownership, controls, mitigation strategies and on-going action plans. By maintaining a Risk Register, business and IT managers can take stock of IT risks from a business perspective. The Risk Register captures the results of qualitative and quantitative risk analysis and of risk response planning.

figure 2: IT risk register

Guidelines related to the Risk Register

  1. Describe each IT risk from a business point of view

  2. Communicate the risks to the relevant stakeholders on a regular basis, including C-level executives, senior and middle management

  3. Use risk management and IT control as a central concept in IT planning and decision making

  4. Avoid technical IT terminology

  5. Identify the IT Asset the risk relates to, e.g. a Provider, a Project or a Data Asset

  6. Keep the register organized and reliable, e.g. assign each risk a tracking number

  7. Identify the sources of risk, e.g. IT Operations or IT Strategy

  8. Define the Risk Statement in the format provided in the sections below

  9. Review and update the risks on a periodic basis, e.g. weekly or monthly

The following table lists the information contained in the Risk Register:

Field                      | Type | Comments
---------------------------|------|------------------------------------------------------------------
Risk Type                  | Text | Threat or Opportunity
Name                       | Text | Risk Title
Short Description          | Text | Short Statement (optional)
Long Description           | Text | Risk Statement: Uncertain Event, Driver and its Impact
Category                   | Text | Classification of Risk, e.g. Financial or Technological
Business Area              | Text | Business area the risk belongs to
Risk Owner Role            | Text | Person accountable for this risk
Custodian Role             | Text | Person who manages the risk
Target Date                | Date | Target date to respond to the risk
Status                     | Text | Current status of the risk, e.g. Open
Risk Tolerance Probability | Text | Based on Risk Type and Category
Risk Tolerance Impact      | Text | Based on Risk Type and Category
Overall Risk Tolerance     | Text | Automatically calculated from the Risk Probability and Impact Matrix
Inherent Risk Probability  | Text | Selected by user based on guidelines
Inherent Risk Impact       | Text | Selected by user based on guidelines
Overall Inherent Risk      | Text | Automatically calculated from the Risk Probability and Impact Matrix
Primary IT Control         | Text | IT Control to mitigate the risk
Secondary IT Control       | Text | IT Control to mitigate the risk
Residual Risk Probability  | Text | Selected by user based on guidelines
Residual Risk Impact       | Text | Selected by user based on guidelines
Overall Residual Risk      | Text | Automatically calculated from the Risk Probability and Impact Matrix
Gap                        | Text | Description of the risk which remains unaddressed even after the controls are in place; this must be addressed by the Risk Response Strategy
Risk Response Strategy     | Text | Select the risk response strategy in the light of the guidelines
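The table above describes the register as a record whose three "Overall" fields are derived from a Probability and Impact Matrix and whose Gap field captures what the controls leave unaddressed. The following is an added example, not code from the original page: it models a register entry with a subset of those fields, derives the overall inherent, residual and tolerance levels, and flags entries whose residual risk still exceeds tolerance. The three-level scale, the 3x3 matrix thresholds and the sample entries are all assumptions, since the page fixes none of them.

```python
from dataclasses import dataclass

# Assumed three-level scale for probability and impact (the page fixes no levels).
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def overall_risk(probability: str, impact: str) -> str:
    """Assumed 3x3 matrix: level product -> Low (1-2), Medium (3-4), High (6-9)."""
    score = LEVELS[probability] * LEVELS[impact]
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class RiskEntry:
    """One Risk Register row, using a subset of the fields from the table above."""
    tracking_number: str
    risk_type: str              # Threat or Opportunity
    name: str                   # Risk Title
    risk_owner_role: str        # Person accountable for this risk
    tolerance_probability: str
    tolerance_impact: str
    inherent_probability: str
    inherent_impact: str
    residual_probability: str
    residual_impact: str
    primary_control: str        # IT Control to mitigate the risk

    def overall_tolerance(self) -> str:
        return overall_risk(self.tolerance_probability, self.tolerance_impact)

    def overall_inherent(self) -> str:
        return overall_risk(self.inherent_probability, self.inherent_impact)

    def overall_residual(self) -> str:
        return overall_risk(self.residual_probability, self.residual_impact)

    def has_gap(self) -> bool:
        # Gap: residual risk still exceeds tolerance after the controls are in place.
        return LEVELS[self.overall_residual()] > LEVELS[self.overall_tolerance()]

def risks_needing_response(register: list) -> list:
    """Tracking numbers of entries that still need a Risk Response Strategy."""
    return [r.tracking_number for r in register if r.has_gap()]

# Constructed sample entries (hypothetical; not taken from the page).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Threat", "Unpatched public web server", "Head of IT Operations",
              "Low", "Medium", "High", "High", "Low", "High", "Monthly patch cycle"),
    RiskEntry("R-002", "Threat", "Key supplier contract expiry", "Procurement Manager",
              "Medium", "Medium", "Medium", "High", "Low", "Medium", "Renewal tracking"),
]
```

Calling `risks_needing_response(SAMPLE_REGISTER)` returns only R-001, whose residual risk (Medium) is still above its tolerance (Low), so it is the entry whose Gap field needs a Risk Response Strategy.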
