Risk Management using the Risk Register App

A recommended approach to manage your organization's risks and controls, using the Diligent HighBond platform.

This solution requires a subscription to the following:
1. IT Risk Management (previously ITRMBond) or Third Party Risk Management (previously ThirdPartyBond).
2. The Risk Register app.

Risk Register overview

The Risk Register app is the primary location where risks and controls are identified, assessed, and scored. The Risk Register app acts as a single source of truth for all risks and controls in your organization.


The Risk Register app is not the only way to manage risks and controls. You can also do this in the Projects app. If you are using risks and controls in the Projects app for your audits, then continue doing so. The Risk Register app is most applicable when you are managing IT or third-party risks.

Challenges and opportunities

A risk register program helps you to manage risks and controls in your organization more efficiently. You can categorize risks and controls based on the structure and needs of your organization, relate risks and controls to your organization's assets, trigger assessments, and calculate risk scores.

People involved in risk register

People involved in managing a risk register program can include:

  • Risk Manager
  • Risk Owner
  • Risk Assessor

How it works

The Risk Register process follows this general flow.

  1. Risk identification: In this step, you identify threats to your organization. These are risks that may affect the day-to-day functioning of your organization. The risks can be identified with a flexible set of attributes based on your company's objectives, goals, and strategies.
  2. Risk relationship and hierarchy: In this step, you assess the vulnerability of critical assets, processes, or an entire organization to specific threats. You create a hierarchy of risks and relate them to other risks, controls, organizations, assets, processes, and other relevant entities.
  3. Risk assessment: In this step, you determine the expected likelihood and consequences of specific types of attacks on specific assets. Risk assessment determines possible mishaps, their likelihood and consequences, and your tolerance for these events. Risk assessment can be based on a number of factors such as impact, likelihood, and velocity. When you are assessing a risk, you will come across two types of risks:
    1. Inherent risk: This is the risk level before actions are taken to mitigate the risk's impact or likelihood. For example, susceptibility to theft or fraudulent reporting.
    2. Residual risk: This is the remaining risk level following mitigating actions. For example, after CCTVs are installed and security guards are hired, there is still a chance of a theft. Therefore, Residual risk = Inherent risk - Mitigation.
  4. Risk scoring: In this step, risk scores are calculated based on factors such as impact and likelihood of the risk.

Doing it in Diligent HighBond