The case for using multiple risk registers with 6clicks

In 6clicks, organizations can set up multiple risk registers to track different types of risks and customize the scales/risk scoring for each risk register. Companies might want to do this for several reasons: namely, each department has different needs or considerations. For instance, IT focuses on IT assets, and Accounting focuses on sensitive information. Manufacturing focuses on processes and physical risks. Each of these departments might want their own risk register for tracking company risks at a more granular level.

The most common use cases to use multiple risk registers are to sort them by:

• High/strategic risks vs. low operational risks
• Corporate/strategic risks vs. domains/departmental risks
• Corporate/parent company risks vs. subsidiary risks

A few less common use cases for leveraging multiple risk registers include:

• Risk intake & filtering
• Tracking items (e.g. vulnerabilities) related to risks
• Upgrading/changing process (adding a new risk register for a new process)

Evaluate risks by identifying threats and opportunities

For many, the term risks conjure up the idea of terrible events like data breaches, service disruptions, ransomware attacks, and natural disasters. Yet, NIST recommends that organizations take a balanced view when evaluating risks, encouraging cybersecurity and risk professionals to identify “all sources of uncertainty — both positive (opportunities) and negative (threats)” in their risk registers.

For instance, launching a new online service provides an opportunity for a company to innovate and improve its revenues, thus the leadership team may direct the organization to take a little more risk. This way, senior leaders can set the risk appetite and tolerance with both threats and opportunities in mind.

When cybersecurity opportunities are included in a risk register, NIST recommends updating the risk response column using one of the following response types and describes the meaning of each:

• Realize: Eliminate uncertainty to make sure the opportunity is actualized
• Share: Allocate ownership to another party that is better able to capture the opportunity
• Enhance:Increase the probability and positive impact of an opportunity
• Accept: Take advantage of an opportunity if it happens to present itself

NIST said the comment field of the risk register should be updated to include information “pertinent to the opportunity and to the residual risk uncertainty of not realizing the opportunity.”

The benefits of maintaining robust cybersecurity risk data

When you maintain detailed cybersecurity risk information in your risk register, you're able to manage your cyber risks in a more strategic way, focus on the right areas given limited resources, and secure additional resources because your leadership team will start to understand the value of preventative security.

Here are the key benefits of putting cyber security risks into a risk register:

1. Once information is entered into a risk register, you can start to identify patterns from threats and system failures that result in adverse impacts.
2. By committing to using a risk register, you have to go through a process of gathering all relevant parties and agreeing on a common scale for measuring risks across various business units (e.g. making sure everyone knows when to use a “high-risk exposure” vs. a “moderate risk exposure”). By normalizing the tracking of risk information across different units, you will provide senior leaders with more relevant information that will help them prioritize risk response activities.
3. Company leaders will have greater confidence in the risk response choices they make because the responses will be informed by the right context, including detailed risk information, enterprise objectives, and budgetary guidance.
4. A risk register forces risk owners to write down accurate risk responses for risks they “own”. To do so, risk owners will need to verify whether risks are mitigated to the extent they believe they'd done: Check whether certain policies are up-to-date and whether existing controls intended to mitigate threats are working as designed. Risk owners will talk to their compliance team or internal audit team to understand where risk management activities and compliance activities already intersect. These steps are important because they ultimately help decision-makers understand their potential exposure for achieving strategic, operations, reporting, and compliance objectives.
5. Maintaining a risk register makes it possible to produce enterprise-level risk disclosures for required filings and hearings or for formal reports as required, should your organization experience a significant incident.

Continuous monitoring is critical

Risks and threat vectors can change in a matter of minutes. Thus, it's important to keep an eye on your risks at all times. NIST's latest guidance emphasizes the importance of continuous monitoring and outlines several ways to monitor risks on an ongoing basis, including:

• Setting up positive KPIs such as the number of critical business systems that include strong authentication protections
• Setting up negative KPIs, such as the number of severe customer disruptions in the last 90 days
  Teaching employees about the types of cybersecurity risk issues most likely to occur within the organization
• Showing employees how they can alert key personnel to cybersecurity risk issues before they become significant
• Conduct risk response exercises to train employees in recognizing, reporting, and responding to cybersecurity incidents

If senior management and risk professionals take just one message from NIST's guidance, it is this: If cybersecurity risks are to be truly understood by senior management, cybersecurity risk cannot be tracked in a vacuum but rather must be tracked in an enterprise-wide risk register. This ensures all decisions made by company leaders are weighed against the firm's risk appetite and risk tolerance and that limited resources are put in the right places to support business objectives.

Don't use spreadsheets

In January and early December this year, we surveyed 2,000 risk management, compliance, and security assurance professionals to understand their cybersecurity risk management processes, practices, and tech stack. We found that half of all survey respondents still use spreadsheets as their risk register.

Although using spreadsheets to track risks is a widespread practice, it actually does more harm than good. In addition to other limitations, spreadsheets are not databases; they have no data integrity or referential integrity, and they provide no way to create and maintain relationships between data in other files, such as documentation of controls designed to ensure you meet regulatory requirements. Their data analysis and reporting capabilities are quite limited, and they do not generate the reports organizations need for IT compliance audits.

Instead, you'll be much better off by maintaining a risk register in purpose-built software, such as 6clicks.

6clicks: intuitive risk register software

Purpose-built risk register software like 6clicks makes it easy for risk owners to document everything that should go into a risk register, make updates to risks on the fly, visualize changes to risks, and communicate risk information to leadership teams.

6clicks offers a secure, intuitive risk register for everyone in your organization. With the application, risk owners from all functions and business units can document their risks and risk treatment plans. You can link risk to control and gauge how much a specific risk has been mitigated by an existing control versus the residual risk that remains. With this clarity, your risk management, security assurance, and compliance teams can focus their energy on the risks you truly need to worry about.

Further, organizations using 6clicks are able to save time and money by avoiding a common and expensive practice: Creating duplicative controls. Most organizations treat their risk reduction and compliance efforts as separate workstreams; activities are typically initiated by separate teams in response to separate events. Because 6clicks offers a compliance operations platform that allows you to get all compliance work done efficiently and keeps all records, if you use 6clicks' risk module and the compliance operations platform, you'll be able to tie a control to risk and a compliance requirement.

When you know that a control that's already there for meeting a cybersecurity framework's requirement is the same control that would mitigate a certain risk in your risk register, you'll avoid creating a redundant control in response to that risk. This means you'll do less work around controls testing, maintenance, and collecting evidence for internal and external IT compliance audits.

Last but not least, with 6clicks' dashboard, you can see how your risks change over time, identify which risks and controls to pay attention to at a given moment, and effectively communicate the potential exposure for achieving strategic, operations, reporting, and compliance objectives to your executives.

To see how 6clicks can help your organization manage risks better and get work done more efficiently, sign up for a personalized demo.