Risk Assessment
Risk registers, likelihood vs impact, and the difference between accepting risk and ignoring it.
Overview
A risk register that nobody maintains is a compliance decoration. Real risk management is the discipline of making defensible decisions about what to protect, how, and who is accountable. Answer the five questions below with the rigour of someone who will be asked to justify their risk register to an auditor.
Read before you answer
Risk assessment is the structured process of identifying, analysing, and evaluating risks so that an organisation can make informed decisions about how to treat them. In IT governance and information security contexts, risk assessment is a foundational requirement: ISO 27001 mandates it as part of the ISMS, COBIT includes risk management across its governance and management objectives, and regulators from the FCA to HIPAA require organisations to identify and treat risks to the assets they are responsible for protecting. A risk assessment produces a risk register β a documented list of identified risks, each with an owner, a likelihood rating, an impact rating, a risk score, a treatment decision, and a residual risk after controls are applied.
Risk analysis involves two dimensions: likelihood (how probable is it that this risk event will occur?) and impact (how severe would the consequences be if it did?). These are typically rated on a scale β commonly 1β5 or Low/Medium/High/Critical β and multiplied or mapped on a heat map to produce an overall risk score. The resulting score determines prioritisation, not treatment: a high-likelihood, low-impact risk may require a different response than a low-likelihood, catastrophic-impact risk. The four standard risk treatment options are: mitigate (implement controls to reduce likelihood or impact), transfer (shift the financial consequence to a third party, typically via insurance or contract), accept (acknowledge the risk and take no further action, with documented justification and owner sign-off), and avoid (cease the activity that gives rise to the risk). Risk acceptance is a legitimate governance decision when the cost of mitigation exceeds the expected loss β but it must be documented, owned, and reviewed periodically. Undocumented risk acceptance is indistinguishable from a control failure during an audit.
Residual risk is the risk that remains after controls have been applied. No control eliminates risk entirely; the objective of risk treatment is to reduce risk to a level the organisation considers acceptable β within its defined risk appetite and risk tolerance. Risk appetite is the board-level statement of how much risk the organisation is willing to accept in pursuit of its objectives. Risk tolerance is the operational boundary within which the organisation is prepared to work. A governance programme must track residual risk for all items in the risk register and ensure that residual risk levels are approved by the appropriate authority β a risk owner at operational level, escalated to a risk committee or board for high-residual risks. Risk registers are living documents: new risks must be added as they are identified, closed risks archived, and all risks reviewed at least annually or when material changes occur to the environment.