A business would normally keep a risk register. This short post aims to help you understand where to start, or what to review, in the context of regulations such as the GDPR, DORA or NIS2.
For the sake of clarity among stakeholders, it is important not to lump all risks together when assessing them.
Risks should be categorised, and I am not simply talking about whether they have a low, medium or high impact, but more about their consequences.
What belongs in a risk register varies from department to department. Department heads should be consulted, as well as the staff within each department: involving them makes it easier for everyone to understand why policies, procedures and mitigations exist at all.
If the risks for each department aren't assessed properly, then, in my opinion, there is no risk register. This is a continuous exercise, as new incidents highlight new threats and vulnerabilities.
There are multiple types of risk (non-exhaustive list):
Sadly, I can see why some people would hide known risks, not try to identify them, or simply accept them with full support from management. This would especially be true for those working for companies that believe they are above the law. It is probably not a sign of a good culture if you're afraid of losing your job when flagging a risk. Whistleblowing laws are therefore there to assist.
One way we encourage Bizoneo GRC users to assess risks is to start by understanding what processes are in place in the business. This implies documenting:
For companies in scope of the Digital Operational Resilience Act (DORA) or the GDPR, risk assessments are crucial. How can one assess the criticality of an asset, a supplier or a processing activity without first establishing its context?
If, in a different context, you were to buy a business, wouldn't you want to understand which risks the party you are about to buy has considered?
Nothing prevents you from thinking of the unthinkable, does it? Risk assessments are multi-disciplinary, and not all risks will be identified at first. Review regularly and be creative (e.g. unplug a server, in a controlled test, and see what happens).
Bizoneo offers the ability to document processing activities and includes risk registers and tools to understand their impact and report on it.
Claude Saulnier
B-Eng - CDPO - CIPP/E
Bizoneo
Post Scriptum (PS):