Template – Full Risk Register definitions

Category: Risk Register Index

Risk ID: A unique identifier for each risk using a numbering system; it is used for cross-reference later as needed.
  Example: Year-Q#-R01 or simply R01
  - Year is the 4-digit current year, YYYY
  - Q# can be Q1, Q2, Q3 or Q4.
  - R01 indicates the risk identified that quarter.

Risk Assessment (Name/Date): A name or date for the actual risk assessment; the risk register may contain identified risks from multiple risk assessments.
  Example: YYYY-Q#-R01

Date Identified: The date the specific risk was identified; a risk assessment can take several days, so keeping track of when each risk was identified is critical.
  Example: MM-DD-YYYY

Risk Submitter: Full name of the auditor who discovered the risk, or of the person who brought the risk to the attention of the auditor, upper management, etc.
  Example: John Doe, Auditor
Category: Asset Register / Inventory

Asset Name: Name of the asset: data, systems, business processes, etc.
  Example: E-commerce website

Asset Owner: Name of the person in charge of operating and securing the asset; that person is also responsible for making decisions on risk for this asset.
  Example: John Smith, CEO

Asset Type: Can include hardware, devices, data, software, personnel, buildings, skillsets, business processes, hosted systems, etc.
  Example: Hosted Systems, Data

Asset Classification: Level of confidentiality of the asset; an organization's classification levels can include public, internal, private and confidential.
  Example: public

Asset Criticality: Is the criticality of the asset to the business low, medium or high?
  Example: High

Asset Security Triad (CIA) Priority: In terms of the CIA triad (confidentiality, integrity and availability), which is most important for this asset?
  Example: availability

Asset Business Value: The total value of the asset (= asset value). The value of a server is the sum of the hardware and the data it contains (total value to the business, including replacement value).
  Example: The E-commerce website is valued at $100,000.
Category: Quantitative Risk Analysis

Asset Value (AV): The total value of the asset (= asset value). The value of a server is the sum of the hardware and the data it contains (total value to the business, including replacement value).
  Example: The E-commerce website is valued at $100,000.

Exposure Factor (EF): Loss, as a percentage of the asset value, due to a successful threat exploiting a vulnerability.
  Example: 15% of the value of the website can be affected if it is down for an entire day.

Single Loss Expectancy (SLE), SLE = AV * EF: The amount the company expects to lose each time a failure or risk of loss occurs, or a threat exploits the vulnerability.
  Example: If the website goes down for one day, the company will lose $15,000, based on an asset value of $100,000 and an exposure factor of 15% (0.15) for 24 hours of downtime. SLE = AV * EF = $100,000 * 0.15 = $15,000.
  In this scenario, a 24-hour period of downtime can cost the organization $15,000 to recover from: loss of sales, replacement of web servers, paid overtime to technical staff to restore functionality, etc.

Annual Rate of Occurrence (ARO): Estimated frequency of the threat occurring in one year.
  Example: The website is expected to go offline once every two years for an entire day. ARO = 1 time / 2 years = 0.5

Annual Loss Expectancy (ALE), ALE = SLE x ARO: Estimated expected yearly loss based on the single loss expectancy and the annual rate of occurrence.
  Example: ALE = SLE x ARO = ($15,000) x (0.5) = $7,500. The company can expect to lose $7,500 a year on average if the website goes down for an entire day.
  This means that the company can justify spending up to $7,500 a year on safeguards to protect the website against downtime.
Category: Risk Identification

Vulnerability: A weakness that can affect the confidentiality, integrity or availability of an asset.
  Example: The E-commerce website runs on WordPress. Exploits are often found for WordPress and its plugins.

Threat: Anything that can exploit the vulnerability of the asset and compromise its confidentiality, integrity or availability.
  Example: Hackers exploit vulnerable WordPress (website hosting platform) plugins and compromise the availability of the server.

Threat Actor: Any source exploiting the vulnerability, including insiders, hacktivists, organized cybercriminals, nation states, etc.
  Example: Hackers compromise the website and cause downtime.

Risk Title: Summary of the combined risk; a simple sentence that can be used in an executive summary.
  Example: E-commerce website downtime due to exploited vulnerable WordPress plugins.

Risk Description: A detailed description of the risk.
  Example: WordPress and its plugins are frequently found to have vulnerabilities that hackers exploit to bring websites down, and these vulnerabilities could also lead to data compromise.

Existing Controls: Security controls or protections currently in place to help mitigate or reduce the vulnerability. Document it if no security control exists, so that the need for controls is clear.
  Example: WordPress applies automatic updates, but the plugins are not updated automatically.

Source: How was this risk identified? Possible sources include: as part of an audit, reported by a user, incident response, etc.
  Example: scheduled audit

Risk Owner: The risk owner is usually the data/asset owner, which, in smaller businesses, is the business owner.
  Example: John Smith, CEO

Risk Type: Does the risk affect the integrity, confidentiality or availability of the asset?
  Example: availability (downtime) / confidentiality (potential data compromise)

Risk Category: Under what type of risk category does the risk fall? Each business creates its own categories, e.g., data security, data availability, regulatory, legal, environmental, etc.
  Example: data availability, data security, regulatory (because the website takes credit cards)

Risk Trigger Description: What causes the risk to have the potential to be realized?
  Example: WordPress plugin vulnerabilities are discovered, but the plugins are not updated.

Risk Trigger Expected Date: When do you expect the risk to be triggered?
  Example: Unknown, but historically it happens once every two years.

Potential Outcome: If the trigger takes place, what could happen?
  Example: A vulnerable plugin can lead to the website being compromised and experiencing downtime and data compromise.

Associated Risks: What are other related risks? Use the risk ID for reference.
  Example: YYYY-Q#-R02 (website data compromise due to vulnerable plugins)
Category: Risk Analysis

Probability Rating (Part of Semi-Quantitative Risk Analysis): What is the probability of the risk being realized? For a semi-quantitative analysis, use the table below. (The probability values are determined by the organization.)

  Probability Rating   Prob. Value
  Not Likely           0.10
  Low Likelihood       0.30
  Likely               0.50
  Highly Likely        0.70
  Near Certainty       0.90

  Example: Highly Likely (0.70) = 70%

Probability Value (Part of Semi-Quantitative Risk Analysis): Decimal value of the probability rating.
  Example: 0.70

Impact Rating (Part of Semi-Quantitative Risk Analysis): Qualitative ranking of impact. In a semi-quantitative analysis, use a table similar to the one below. (The impact values are determined by the organization.)

  Impact Rating   Impact Value   Reputation Impact
  Marginal        0.05           Little or no impact.
  Significant     0.10           May be noticeable by a limited audience, some embarrassment.
  Serious         0.20           Damage to reputation, loss of confidence.
  Very Serious    0.40           Loss of business confidence, compromise of a large amount of information.
  Catastrophic    0.80           Complete compromise of information.

  Example: Very Serious

Impact Value (Part of Semi-Quantitative Risk Analysis): Decimal value of the impact rating given.
  Example: 0.40

Risk Exposure Level: Multiply the probability value by the impact value, then use the scale below to identify the exposure level (High, Medium or Low; the colour shading of the original grid is not reproduced here).
  Example: (0.70) * (0.40) = 0.28

  Probability \ Impact   0.05    0.1     0.2     0.4     0.8
  0.9                    0.045   0.09    0.18    0.36    0.72
  0.7                    0.035   0.07    0.14    0.28    0.56
  0.5                    0.025   0.05    0.1     0.2     0.4
  0.3                    0.015   0.03    0.06    0.12    0.24
  0.1                    0.005   0.01    0.02    0.04    0.08

  Example: High

Risk Exposure Value: Value of the risk exposure level.
  Example: 0.28

Top 10 (Y/N): Once the risk assessment is completed, the organization should return to this item to determine if this risk is one of the Top 10 Risks that should be prioritized. The risk exposure values can be used to help prioritize, but the organization should review all identified risks to make this determination.
  Example: Y (Credit card data could be compromised and lead to a reportable security breach.)
Category: Risk Mitigation Planning

Recommended Risk Mitigation: The auditor or individual performing the risk assessment shall investigate and research how to reduce or mitigate the risk and make recommendations.
  Example: Enable automatic WordPress plugin updates and have the webmaster available to address issues caused by the update, or have the webmaster test updates and apply them as they become available.

Business Impact Analysis: How will the mitigating control affect the business? Changes can affect business operations: performance, end users, computer systems, etc.
  Example: Automatic plugin updates can impair functionality and cause additional downtime.

Cost: What is the associated cost of the recommendation(s)?
  Example: Enabling automatic updates on plugins could cause unacceptable downtime. Hiring the webmaster to test and deploy plugin updates costs between $500 and $2,000 a month as plugin updates become available.

Category: Risk Response / Risk Management

Risk Management Meeting: Documenting when the risk management meeting takes place is critical. Risk management helps protect the organization from a compliance point of view and ensures accountability.
  Example: Use a form like the one below to keep track of critical meeting details:

  Risk Management Meeting Details
  Item                               Details
  Date:                              MM-DD-YYYY
  Starting time:                     2:00 p.m.
  Members/Roles:                     John/CEO; Mark/Auditor
  Documentation Reviewed:            risk analysis
  General Outcome of the Meeting:    reviewed risk analysis
  Ending time:                       3:00 p.m.
  Action items until next meeting:   Implement four approved mitigating controls.
  Date of next Meeting:              MM-DD-YYYY

Approved Risk Management Response: Risk management is part of due care and due diligence in choosing how the organization decides to proceed with a risk (accept, mitigate or transfer). Accepting a risk takes place when a risk identified during a risk assessment has had its impact analyzed and has been deemed acceptable. Avoid refers to ignoring the risk without properly analyzing its potential impact.
  Example: Mitigate. Hire the webmaster immediately.

Approved by (Risk Owner): The Risk Owner is usually the Asset/Data Owner or the Business Owner. The owner determines whether to Accept, Mitigate, or Transfer the risk.
  Example: John Smith, CEO

Approved Risk Mitigation Controls: If the risk owner decides to mitigate the risk, and a few options were provided, one option should be chosen and documented.
  Example: Mitigate. Hire the webmaster immediately with an approved budget of $1,000 to $3,000 per month as needed.

Risk Mitigation Control Decision Date: It is important to document approval of the risk mitigation control (risk treatment). The clock starts ticking that day until the control to address the vulnerability is implemented.
  Example: MM-DD-YYYY

Risk Mitigation Control Implementation Date: Keeping track of the lapse in time between the approval and implementation dates is critical, as it shows for how long the control was approved but not implemented. There can be multiple factors.
  Example: MM-DD-YYYY

Risk Mitigation Control Implementation Delay Explanation: Justification for any delays in the implementation of an approved control.
  Example: Drafting a new contract for the webmaster took two days. Then the contract had to be reviewed and adjusted. The webmaster signed and executed the contract on MM-DD-YYYY.
Category: Risk Tracking

Risk Trigger Occurrence (Y/N): Has the risk trigger taken place?
  Example: Yes. MM-DD-YYYY

Trigger Date Occurrence: Documenting the trigger date is important for compliance purposes and in case an investigation is needed in the future.
  Example: MM-DD-YYYY

Risk Status: This indicates whether or not the risk has been triggered. Possible statuses could include: identified, analysis complete, planning complete, triggered, resolved, retired, canceled, etc.
  Example: Resolved (Mitigated)

Notes: Add any notes related to tracking the status of the risk here.
Category: Residual Risk

Likelihood of Occurrence: After implementing the mitigating control, how does the likelihood of occurrence change?
  Example: In this case, the probability was lowered from 0.70 to 0.30 by contracting the webmaster to perform WordPress plugin updates in nearly real time. However, the likelihood could NOT be eliminated, only reduced.

Severity of Impact: Did the impact of the risk change by implementing the mitigating control? If an additional encryption layer was added to the credit card information, and a failover server was added to the web server hosting WordPress, those measures may have reduced the impact. In this case, however, the overall impact stays the same, but the likelihood that the credit card information is exposed is reduced due to the additional encryption.
  Example: Impact remains at Catastrophic = 0.8.

Residual Risk Level: After implementing the mitigating control, the probability and impact of the risk should be re-evaluated to ensure it is within the organization's acceptable level (risk appetite).
  Example: While still in the High category, residual risk is lowered from 0.400 to 0.240 (0.3 * 0.8).

Notes: Add additional notes related to residual risk here.
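An added example, not part of the template, that computes the register's quantitative figures (SLE, ALE) and semi-quantitative figures (probability x impact, the exposure matrix, the residual value) from the page's own rating tables and worked numbers. The High/Medium/Low cut-offs in exposure_level are an assumption: the page leaves the bands to the organization and only shows 0.28 and 0.24 landing in High.

```python
# Added example (not from the template). Rating tables and worked numbers
# are the page's; the High/Medium/Low cut-offs are an ASSUMPTION, since the
# page leaves them to the organization and only shows 0.28 and 0.24 as High.

# Probability ratings (Part of Semi-Quantitative Risk Analysis), as on the page.
PROBABILITY = {"Not Likely": 0.10, "Low Likelihood": 0.30, "Likely": 0.50,
               "Highly Likely": 0.70, "Near Certainty": 0.90}
# Impact ratings, as on the page.
IMPACT = {"Marginal": 0.05, "Significant": 0.10, "Serious": 0.20,
          "Very Serious": 0.40, "Catastrophic": 0.80}


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: SLE = AV * EF, in currency units (rounded to cents)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of AV lost per event, 0..1")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss, annual_rate):
    """Annual Loss Expectancy: ALE = SLE * ARO, also the yearly ceiling
    worth spending on a safeguard against this risk."""
    return round(single_loss * annual_rate, 2)


def exposure(probability, impact):
    """Risk exposure value = probability value * impact value."""
    return round(PROBABILITY[probability] * IMPACT[impact], 3)


def exposure_level(value, high_from=0.20, medium_from=0.05):
    """Map an exposure value to Low/Medium/High. The default cut-offs are
    ASSUMED; the template's own bands are organization-defined."""
    if value >= high_from:
        return "High"
    return "Medium" if value >= medium_from else "Low"


def exposure_matrix():
    """The probability x impact grid from the template, one row per probability."""
    return {p: {i: round(pv * iv, 3) for i, iv in IMPACT.items()}
            for p, pv in PROBABILITY.items()}


if __name__ == "__main__":
    # Worked numbers from the page: $100,000 site, 15% EF, down once every two years.
    loss = sle(100_000, 0.15)
    print("SLE", loss, "ALE", ale(loss, 0.5))
    initial = exposure("Highly Likely", "Very Serious")    # 0.28, page example
    residual = exposure("Low Likelihood", "Catastrophic")  # 0.24, page's residual
    print(initial, exposure_level(initial), residual, exposure_level(residual))
```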
