
Risk Register

Risk Register – outputs each of the risk statements, the risk treatment decision and the owner. Each risk that is identified should be reviewed and undergo treatment by applying one of the following:

  • Reduce – Apply the recommendation and improve the appropriate control
  • Accept – Knowingly and objectively accept the risk
  • Avoid – Change the business or environment to stop completing the related activity
  • Transfer – Outsource/transfer the risks to other parties.

Overview of Risk Register

The 'Risk Register' page within Abriska can be reached by selecting ‘Risk Assessment’ and then 'Risk Register' from the sidebar on the organisation home.

Abriska enables all sources of risk, events that might affect the achievement of objectives (whether creating, enhancing, preventing, degrading, accelerating or delaying their achievement), areas of impact and their causes to be identified and listed, and their ownership documented. These can be identified through referencing and reviewing Abriska’s threat libraries and/or through custom input collected by the organisation through a variety of information gathering techniques.

  • The risk register is organised by which threats pose the most risk to the organisation. The risk statement breaks down the key elements of the risk. By turning on the highlights through the 'Risk Register status' panel you can see that the threat is highlighted in orange, the asset(s) in blue, what the asset(s) is at risk of loss of in green, and the control to be prioritised for improvement to mitigate this risk in yellow.

Risk Register

When clicking into a risk it is broken down into several areas to help you navigate the risk and manage it.

Risk Detail

  • Risk Identification - You can assign a 'Title' to make the risk easier to identify, and assign a 'Risk Owner' to manage the detail around treatment and actions.
  • Risk Components - Clearly states which assets, threats and vulnerabilities are part of this assessment. For reporting purposes it also identifies which assessment this risk is part of.
  • Linked Controls - Identifies the controls linked to this risk and shows you the current and proposed maturity score.
  • Related Risks - You can identify if this risk is associated with another.
  • Risk Analysis and Evaluation - Shows the calculation of the 'Inherent', 'Controlled' and 'Treated' risk scores; you may also see the history.
  • Risk Treatment - Identifying the 'Risk Strategy', 'Treatment Owner' and a review date.
  • Risk Actions - You can view current or resolved actions and create new ones to align with the treatment strategy. An action owner is identified and an implementation date proposed. If the date is moved, this is recorded for auditing purposes, and comments or status updates can be added.
  • Risk History page/tab - Found in the Risk Details tab under Analysis and Evaluation. This is relevant for Abriska 31000 and Abriska 27001. This page lists how the risk score has changed over time, the risk exposure graph and the risk exposure percentage reduction.
    Risk History
    This table illustrates how the risk score has increased or decreased with changes to the risk assessment.
    Risk change graph
  • The risk exposure graph represents how the risk has been reduced from the Inherent level (or initial risk score), shown as the black line, to the residual (or current risk score) level. The formula for calculating this score takes into account:
    1.       when the inherent risk was first identified
    2.       when the current risk was first identified
    3.       a multiplication of the risk score by the number of days at each level of risk
    4.       the score is represented as a percentage decrease from the total inherent level through to the total residual level
    For example, in the graph the inherent risk is 25, and for about a month the current level was also 25; this has now been reduced to 12. The risk exposure reduction calculation gives a small 4.2% decrease (this would increase with time, assuming the residual score is kept low).
  • The Risk Exposure Reduction percentage is calculated on total risk exposure over time, taking into consideration the Inherent, Residual and Target risk types (you will note these in Analysis and Evaluation).
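
One reading of the four points above, written out as an added example (not Abriska's own code or exact formula). The function names, the dates and the rule that the days before the first residual score count at the inherent level are assumptions; the scores 25 and 12 come from the example in the text.

```python
from datetime import date

def exposure(steps, end):
    """Sum score x days for (start_date, score) steps; the last step runs to `end`."""
    steps = sorted(steps)
    total = 0
    for i, (start, score) in enumerate(steps):
        stop = steps[i + 1][0] if i + 1 < len(steps) else end
        if stop < start:
            raise ValueError("step starts after the end date")
        total += score * (stop - start).days
    return total

def exposure_reduction(inherent, identified, residual_steps, as_of):
    """Percentage decrease from total inherent to total residual exposure."""
    residual_steps = sorted(residual_steps)
    # Assumption: until a residual score exists, the risk sits at the inherent level.
    if not residual_steps or residual_steps[0][0] > identified:
        residual_steps = [(identified, inherent)] + residual_steps
    inherent_total = exposure([(identified, inherent)], as_of)
    if inherent_total == 0:
        return 0.0  # risk identified today: no exposure accumulated yet
    residual_total = exposure(residual_steps, as_of)
    return 100.0 * (inherent_total - residual_total) / inherent_total

# Constructed dates: residual stays at 25 for 34 days, then drops to 12.
IDENTIFIED = date(2024, 1, 1)
RESIDUAL = [(date(2024, 1, 1), 25), (date(2024, 2, 4), 12)]

if __name__ == "__main__":
    # Three days after the drop the reduction is small; it grows while
    # the residual score is held at 12.
    for as_of in (date(2024, 2, 7), date(2024, 6, 1)):
        pct = exposure_reduction(25, IDENTIFIED, RESIDUAL, as_of)
        print(as_of, f"{pct:.1f}%")
```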

Adding Risks to the Enterprise Risk Register

How to add enterprise risks to the risk register for Abriska 31000


The 'Risk Owner', 'Risk Treatment Owner' and 'Risk Action Owner' will all receive weekly notifications (provided this is switched on - see 'Notifications') to highlight when there is a change or the proposed date is due or overdue.

The Risk Register can be used as a formal record of risks, to document risk analysis, facilitate ownership and management of risks, input into and document the outcomes of the risk evaluation and risk treatment processes.

Risk Register Overview page

Abriska 31000 offers a Risk Register Overview page to Org Admins, allowing them to preview a summary of the types of risks and their statuses.

  • Total Risks - similar to the dashboard widget, showing how many risks lie within the differing levels of risk
  • Top 5 Risks - similar to the dashboard widget including links to those risks within the register
  • Change Since - highlights the number of risks that have increased or decreased in scale or have been edited since the comparison date (changeable at the bottom of the page)
  • Risk Strategy - illustrates the numerical value of risks with each strategy set
  • Risk Categories - the number of risks within each category and percentage breakdown
  • Risk Age - less than 1 month, 6-12 months, over 1 year, over 2 years etc
  • Total Risk Exposure Over Time - This graph shows how the total risk has changed over time; the three lines represent the three risk types (Inherent = Black, Residual = Blue, Target = Green). The risk is sampled on a weekly basis, so small changes in the risk may be 'smoothed out'.
  • News - items can be added to provide context to risks; the news can be internal or external and direct or indirect.
  • Objectives - objectives can be set at organisation level and be linked through the risks
