Updated: Nov 1, 2022
For many organisations, developing a risk register is treated as a destination, and it should not be. Often the corporate risk register is seen as some kind of holy grail, and this, coupled with periodic assertions of relevance and controls performance, forms the "risk management system". A risk register is basically a statement of scope and intent: the organisation has identified the risks or threats it thinks are significant enough to warrant doing something about, and the steps it will take to mitigate them. Nothing wrong in that; it just stops well short of what is really required to manage exposure to those threats effectively.
When we have identified a risk or threat that needs to be addressed, whatever is subsequently chosen to mitigate it should reduce the organisation's exposure to it. Whether or not the exposure is actually reduced depends on two things:
The measures chosen to mitigate the threat are, in principle, known to be effective. That is, they are fit for purpose in the first place.
The measures we have put in place are operated consistently and error free. This means that they are actually being performed as required and are performed free of errors, oversights and misunderstandings.
These two points demonstrate that the risk register and some periodic self assessments alone are just not sufficient to effectively manage risk exposure. For that to happen, meaningful metrics and continuous performance monitoring are required to establish what is REALLY going on.
Metrics: numbers that help us confirm that our risk exposures are within acceptable parameters and are being held at an acceptable level.
Process quality: are our approaches to risk mitigation transparent enough to let us confirm that they are being performed error free, at the desired frequency, and that identified issues are being addressed?
When we can establish metrics that are reliable indicators of intrinsic exposure to risk and have processes that we know are reliable, risk registers become meaningful. Without metrics and process transparency we have nothing more than a statement of scope and intent.
It is worth noting that the majority of cyber attacks and many operational failures occur because of human error in the performance of the very processes meant to mitigate risk. The processes work in principle, but their intrinsic capability to reduce threat exposure is often undermined by errors, oversights and misunderstandings in their execution, which a risk register alone cannot detect.
To reiterate, then: we need to know that controls and risk mitigation activities are being performed error free, at the desired frequency, and that identified issues are being promptly addressed.