The webinar above discusses the topics from this article in detail, along with a demonstration of how we organise our own Risk Register. Feel free to watch it if you appreciate the audiovisual support, or continue reading the article below.
Estimated Reading Time: 7 Minutes
This article is part of a series of content developed especially for Financial Services firms and companies regulated by the Central Bank of Ireland. It is a 6-Step Series providing useful insights into the challenge of Managing Technology Risk and Governance, which includes Cyber Security, Data Management and other common and dangerous risks in today’s world.
At the end of this post, you can download a sample Risk Register and fill it with your info. If you want to receive other parts of the content straight in your inbox, subscribe to this series.
In this article, we will deal with the development of your Asset Register and Risk Register – critical tasks to manage Compliance and regulatory requirements in your organisation, as well as managing risk and ensuring Business Continuity.
We will be providing insights and sharing our knowledge and references on this topic, focusing whenever possible on the tech and cyber security perspective, while also targeting different areas of the organisation. Get ready and make the most of it!
Building an asset register is not a whole lot of fun, but it helps clarify what is valuable in your company and who is responsible for it. Moreover, without knowing what you have and who is in charge of protecting these assets, you can never fully understand technology risk in your business.
When building an Asset Register, we draw on our ISO 27001 knowledge and preparation and use the definition from the 2005 revision of ISO/IEC 27001, which defines an asset as “anything that has value to the organisation.”
Think about that for a moment as it covers a lot of ground. Necessarily so.
There are two reasons why managing assets is essential:
1) We use Assets to perform the risk assessment. Assets are usually the key element of identifying risks, together with threats and vulnerabilities.
2) If the organisation doesn’t know who is responsible for which asset, chaos ensues – defining asset owners and assigning them the responsibility to protect the confidentiality, integrity and availability of the information is one of the fundamental concepts in IT Risk management.
If this is your first attempt at creating an asset inventory, the simplest way to build it is during the initial risk assessment process because this is when all the assets need to be identified, together with their owners.
The best way to build an asset inventory is to interview the head of each department or outsourced service provider (if appropriate), and list all the assets a department uses.
We use discovery tools that automate the gathering of such information for technical resources that may be less obvious – e.g. virtualisation solutions, switches, routers etc. – as these are often forgotten.
This process is further supported by asking staff to describe what they see and do. It is always amazing what your staff know about what is stored and used in your business.
You may already have several elements of this asset register to hand, in which case you only need to compile them under the headings as described below.
Building the asset register is usually done by the person who coordinates the Risk Management process, and this person collects all the information (hopefully with plenty of help) and makes sure that the inventory is updated.
In the asset register that we are looking to build today, we suggest the inclusion of assets under the following headings:
The owner is usually a person who operates the asset and who makes sure the information related to this asset is protected.
For instance, an owner of a server can be the system administrator, and the owner of a file can be the person who has created this file. For the employees, the owner is usually the person who is their direct supervisor.
For similar assets used by many people (such as laptops or mobile phones), you can define that an asset owner is the person using the asset.
If you have a single asset used by many people (e.g. an ERP system), then the asset owner can be a member of the board who holds the responsibility across the whole organisation – in the case of a Critical Business System, this could be the CIO or CFO.
When this part is done, you should be able to move to the next stage.
Building a risk register allows you to both assess and treat the risks to all of your identified assets. Although it is critical, we are often asked – why is it so important? The answer is quite simple, although not understood by many people: it is important to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such events (i.e. treat the risks).
On top of that, you also have to assess the importance of each risk so that you can focus on the most important ones first. In the NIST framework, this allows you to prioritise your next actions based on the identified risk.
While building the risk register seems daunting, it is very commonly and unnecessarily mystified. These 4 straightforward steps, alongside our sample documentation, will shed light on what you have to do:
This is the first step on your journey through risk management. You will have to define rules on how you are going to perform the risk management, because you want your whole organisation – and your stakeholders – to implement it in the same way. The approach we take in our example is quantitative.
Once you know the rules, you can start finding out which potential problems could happen to you. You need a list of all your assets, then investigate the threats and vulnerabilities related to those assets.
You should assess the impact and likelihood of each combination of asset/threat/vulnerability and finally calculate the level of risk. Again, our sample risk table will assist you in building out your risk register.
Our experience tells us that companies are usually aware of only 30-40% of their risks. As a result, you will find this kind of exercise both revealing and rewarding.
Not all risks are created equal – you must focus on the most important ones, so-called ‘high’ or ‘critical’ risks, first.
There are four options you can choose from to mitigate each critical risk:
This is where you need to get creative – how to decrease the risks with minimum investment. The unfortunate truth is that budgets will always be limited. You need to figure out the best way to mitigate risk at the least cost. We will go into more detail on this in the next part of the series – Developing an Action Plan and Scorecard.
This is the step where all of your hard work and information gathering starts to pay off. Let’s be frank – up to now this whole risk management job was purely theoretical, but this is where the rubber meets the road and we get some concrete results.
The primary purpose of the Risk Treatment Plan is this: to define exactly who is going to implement each control, in which timeframe, with which budget.
Once you’ve written this document, it is crucial to get buy-in from either your board or top management as it will take considerable time and effort (and money) to implement all the controls that you have planned here. Moreover, without their commitment, all these efforts will fail.
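The four steps above, carried through as one added worked example in Python (this is not the article’s own sample register or code): the scoring rules are defined once, each asset/threat/vulnerability combination is scored for likelihood and impact, the results are ranked, and a treatment plan skeleton is drafted for the high and critical ones with the responsible asset owner pre-filled. The 1–5 scales, the risk bands, and the assets and risks themselves are constructed placeholders, not values from the article.

```python
"""Minimal quantitative risk register (added example, not the article's own code).
Scales, bands, assets and risks below are constructed for illustration."""
from dataclasses import dataclass

# Step 1 - the rules: likelihood and impact on a 1-5 scale, risk = likelihood x impact.
# Band thresholds are an assumption for this example, not taken from the article.
SCALE = range(1, 6)
BANDS = [(20, "critical"), (12, "high"), (6, "medium"), (1, "low")]


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str  # every asset in the register must have an owner


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Enforce the agreed scale so every department scores the same way.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        for threshold, name in BANDS:
            if self.score >= threshold:
                return name
        return "low"


def check_ownership(assets):
    """Asset register sanity check: names of assets with no owner assigned."""
    return [a.name for a in assets if not a.owner.strip()]


def prioritise(risks):
    """Step 3 - highest score first so the critical risks are handled first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def treatment_plan(risks, levels=("critical", "high")):
    """Step 4 skeleton: one entry per high/critical risk; owner comes from the
    asset register, timeframe and budget are left for the board to agree."""
    return [
        {
            "asset": r.asset.name,
            "risk": f"{r.threat} via {r.vulnerability}",
            "score": r.score,
            "level": r.level,
            "responsible": r.asset.owner or "UNASSIGNED - fix the asset register",
            "timeframe": None,
            "budget": None,
        }
        for r in prioritise(risks)
        if r.level in levels
    ]


# Constructed sample data (placeholders, not a real organisation's register).
ERP = Asset("ERP system", "CFO")
SWITCH = Asset("Core switch", "Network administrator")
LAPTOPS = Asset("Staff laptops", "")  # owner missing on purpose
ASSETS = [ERP, SWITCH, LAPTOPS]

# Step 2 - each asset/threat/vulnerability combination with its assessment.
RISKS = [
    Risk(ERP, "ransomware", "no tested offline backup", likelihood=3, impact=5),
    Risk(SWITCH, "hardware failure", "single point of failure, no spare", 4, 5),
    Risk(LAPTOPS, "device theft", "disk not encrypted", 4, 3),
    Risk(ERP, "unauthorised access", "shared admin account", 2, 4),
    Risk(SWITCH, "misconfiguration", "no change control", 2, 2),
]

if __name__ == "__main__":
    print("Assets without owner:", check_ownership(ASSETS))
    for r in prioritise(RISKS):
        print(f"{r.score:>2} {r.level:<8} {r.asset.name}: {r.threat} via {r.vulnerability}")
    for entry in treatment_plan(RISKS):
        print(entry)
```

Running it lists the unowned laptop asset first (the register is incomplete until that is fixed), then the five risks ranked from 20 down to 4, and finally three treatment plan entries for the critical and high risks with the owner already filled in and the timeframe and budget left blank for the sign-off described above.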
You have just completed the hardest part of your overall risk management strategy.
Best of luck!
Over the next few weeks, we will keep producing content about the Challenges of Managing Technology Risk and Governance. Subscribe to this series to follow up and receive content straight in your inbox. The six steps consist of:
Download your Risk Register Sample here and continue tackling the risk. The Asset and Risk Registers are crucial for the development of a Risk Management system, but keep in mind that they are only part of that system and not the end result. To continue managing risk consistently and continually, we have developed our own methodology to assist and guide you through every step.
If you are looking for an extra level of detail and a system that will make this process much more comfortable and straightforward, talk to us. We can get you to your desired state of maturity with a tested solution, built on our years of experience working with customers in highly regulated industries – Financial Services, Healthcare and semi-private organisations.
Also, as always, if you have any feedback or questions about this article, please do not hesitate to get in touch.