Introduction to the maintenance of a risk register

A business would normally have a risk register. This short post aims to help you understand where to start, or what to review, in the context of data protection and resilience laws such as the GDPR, DORA or NIS2.

It is important, for the sake of clarity among stakeholders, that when assessing risks one doesn't lump all the risks together.

Risks should be categorised, and I am not simply talking about whether they have a low, medium or high impact, but about the nature of the consequences: who or what is harmed if the risk materialises.

In an organisation, what should be included in a risk register will vary from department to department. It is important that department heads are consulted, as well as the people working within each department. It will make it easier for those involved to understand why there are policies, procedures and mitigations in the first place.

If the risks for each department aren't assessed properly, then, in my opinion, there is no risk register. This is a continuous exercise, as new incidents will highlight threats and vulnerabilities that were not previously identified.

There are multiple types of risks (non-exhaustive list):

  • Risks related to non-compliance with legal obligations.
    This can be complicated since there are many laws. Multidisciplinary skills are required: companies acts, accounting regulations, anti-money laundering, employment law, data protection, operational resilience, health and safety, etc.

    The role of the Compliance Officer is to help here, and you can start having some sympathy for them.
    The Audit function complements that work by checking that the controls actually exist and operate.

    In an ideal world, people in the relevant departments would know what laws apply to their work, but in reality, not everyone can be both skilled at their jobs and expert in all related law, can they?
     
  • Some risks concern the business's ability to operate (operational risks). These themselves cover a diverse set, from cash flow management to protecting against cyber attacks or ensuring the business reduces its impact on the environment.
     
  • Some risks are related to the consequences of processing activities: the impact on people if something in the processing goes wrong and affects them. Not just their privacy rights, as most people believe, but their fundamental rights and freedoms (re-read Article 1(2) of the GDPR). This is very relevant in the EU under the GDPR, for instance, but sadly not everywhere, since many jurisdictions don't grant such rights.

Sadly, I can see why some people would hide known risks, not try to identify them, or simply accept them with the full support of management. This would especially be true for those working for companies that believe they are above the law. It is probably not a sign of a good culture if you're afraid of losing your job for flagging a risk. Whistleblowing laws are there to assist in exactly that situation.

One way we encourage Bizoneo GRC users to assess risks is to start by understanding what processes are in place within the business. This implies documenting:

  • what is involved in such processing (assets, data, systems, suppliers)
  • who the stakeholders are
  • what the constraints are
  • which laws are applicable
  • what can go wrong (brainstorm threats and vulnerabilities)
  • etc.

For companies in scope of the Digital Operational Resilience Act (DORA) or the GDPR, risk assessments are crucial. How can one assess the criticality of an asset, a supplier or a processing activity without first establishing its context?

If, in a different context, you were to buy a business, wouldn't you want to understand which risks the party you are about to buy had considered?

Nothing prevents you from thinking of the unthinkable, does it? Risk assessments are multidisciplinary, and not every risk will be identified at first. Review regularly and be creative (e.g. unplug the server and see what happens).

Bizoneo offers the ability to document processing activities and includes risk registers, along with tools to understand their impact and to report on them.

Claude Saulnier
B-Eng - CDPO - CIPP/E 

Bizoneo

Post Scriptum (PS):