
Gartner for IT Leaders Tool

Sample Risk Register


Reporting

Approved for external reuse — not for resale.


Unless otherwise marked for external use, the items in this Gartner Tool are for internal noncommercial use by the licensed Gartner client. The materials contained in this Tool
may not be repackaged or resold. Gartner makes no representations or warranties as to the suitability of this Tool for any particular purpose, and disclaims all liabilities for any
damages, whether direct, consequential, incidental or special, arising out of the use of or inability to use this material or the information provided herein.
The instructions, intent and objective of this template are contained in the source document. Please refer back to that document for details.
Notes accompany this presentation.
Please select Notes Page view to examine the Notes text.

© 2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This presentation, including all supporting materials,
is proprietary to Gartner, Inc. and/or its affiliates and is for the sole internal use of the intended recipients. Because this presentation may contain information that is confidential,
proprietary or otherwise legally protected, it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
Top 5 Cyber and IT Residual Risks

[Heat map. Vertical axis, SCALE OF SEVERITY (IMPACT): INSIGNIFICANT, SMALL, MODERATE, LARGE, SEVERE. Horizontal axis, SCALE OF LIKELIHOOD (PROBABILITY): RARE, UNLIKELY, POSSIBLE, PROBABLE, ALMOST CERTAIN. Risks plotted by severity row: SEVERE: R03; LARGE: R02, R10, R06; MODERATE: R05.]

TOP 5 RISKS

RISK | DESCRIPTION | RESIDUAL RISK LEVEL
R10 | Theft, Loss or Improper access to Data - Sensitive Customer Data | EXTREME
R06 | Theft, Loss or Improper access to Data - PCI Data | EXTREME
R03 | Theft, Loss or Improper access to Data - Company Intellectual Property | HIGH
R02 | Cybercrime - Ransomware | HIGH
R05 | Online Brand Risk - Social media misinformation | HIGH

The table also has TREND, WITHIN TOLERANCE and COMMENTS columns; trend and tolerance are shown with the legend symbols.

Legend: Rx = Risk #. Trend: Risk Level Increasing, Risk Level Maintained, Risk Level Decreasing. Tolerance: Within Risk Tolerance, Outside Risk Tolerance.

Classification: Internal
Top 5 Cyber and IT Risk Profile

[Heat map. Vertical axis, SCALE OF SEVERITY (IMPACT): INSIGNIFICANT, SMALL, MODERATE, LARGE, SEVERE. Horizontal axis, SCALE OF LIKELIHOOD (PROBABILITY): RARE, UNLIKELY, POSSIBLE, PROBABLE, ALMOST CERTAIN. Each of the five risks is plotted twice, once as inherent risk and once as residual risk.]

TOP 5 RISKS

RISK | DESCRIPTION | INHERENT RISK LEVEL | CONTROL EFFECTIVE | RESIDUAL RISK LEVEL
R10 | Theft, Loss or Improper access to Data - Sensitive Customer Data | EXTREME | Ineffective | EXTREME
R06 | Theft, Loss or Improper access to Data - PCI Data | EXTREME | Partially Effective | EXTREME
R03 | Theft, Loss or Improper access to Data - Company Intellectual Property | EXTREME | Effective | HIGH
R02 | Cybercrime - Ransomware | HIGH | Partially Effective | HIGH
R05 | Online Brand Risk - Social media misinformation | HIGH | Partially Effective | HIGH

The table also has a WITHIN TOLERANCE column, shown with the legend symbols.

Legend: Rx = Residual Risk #, Rx = Inherent Risk # (distinguished by marker style). Tolerance: Within Risk Tolerance, Outside Risk Tolerance.
[Heat map. Horizontal axis, SCALE OF SEVERITY (IMPACT): MINOR, MODERATE, MAJOR, VERY SIGNIFICANT, CATASTROPHIC. Vertical axis, SCALE OF LIKELIHOOD (PROBABILITY): ALMOST NEVER, UNLIKELY, POSSIBLE, PROBABLE, ALMOST CERTAIN.]

Risks plotted by likelihood row:
ALMOST CERTAIN: R6, R7; R2
PROBABLE: R3, R4, R5
POSSIBLE: R5; R1
UNLIKELY: R1
ALMOST NEVER: R2
Comprehensive List: Cyber and IT Residual Risks

[Heat map. Vertical axis, SCALE OF SEVERITY (IMPACT): INSIGNIFICANT, SMALL, MODERATE, LARGE, SEVERE. Horizontal axis, SCALE OF LIKELIHOOD (PROBABILITY): RARE, UNLIKELY, POSSIBLE, PROBABLE, ALMOST CERTAIN. Risks plotted by severity row: SEVERE: R08, R03; LARGE: R09, R02, R10, R06; MODERATE: R01, R07, R04, R05.]

RISK LIST

RISK | DESCRIPTION | RESIDUAL RISK LEVEL
R1 | Cybercrime - Business Email Compromise | LOW
R2 | Cybercrime - Ransomware | HIGH
R3 | Theft, Loss or Improper access to Data - Company Intellectual Property | HIGH
R4 | Cybercrime - Denial of Service | MEDIUM
R5 | Online Brand Risk - Social media misinformation | HIGH
R6 | Theft, Loss or Improper access to Data - PCI Data | EXTREME
R7 | Theft, Loss or Improper access to Data - Employee data | LOW
R8 | Theft, Loss or Improper access to Data - Non-Sensitive Customer data | MEDIUM
R9 | Theft, Loss or Improper access to Data - Company Confidential Data | MEDIUM
R10 | Theft, Loss or Improper access to Data - Sensitive Customer Data | EXTREME

The table also has a COMMENTS column.

Legend: Rx = Risk #
Control Effectiveness of Top 5 Cyber and IT Risks

[Chart. Vertical axis, RESIDUAL RISK: Minute, Low, Medium, High, Extreme. Horizontal axis, CONTROL EFFECTIVENESS: Highly Effective, Partially Effective, Ineffective. Zone labels: Management Critical, Immediate Action Required, Requires Your Action, Modest Concern, Periodic Monitoring. Key: Residual Risk (Lower to Higher), Risk Velocity (Slower to Faster).]

Risks plotted:
Theft, Loss or Improper access to Data - PCI Data
Theft, Loss or Improper access to Data - Sensitive Customer Data
Theft, Loss or Improper access to Data - Company Intellectual Property
Cybercrime - Ransomware
Online Brand Risk - Social media misinformation
Issue Management Progress

[Chart. Series: On Track, New/Reopened, Overdue, Closed/Pending Closure, Projection. Vertical axis: 0 to 14. Horizontal axis: monthly from Mar-20 to Oct-21, then After Oct-21.]
