Centra State Healthcare System
AtlantiCare Healthcare
Inspira Health Network
Penn Medicine
Christian Health Care Center
Metrohealth: University Of Michigan Health

Are you trying to document and assess all the risks and vulnerabilities for your entire enterprise? You may be wondering how to even begin.

We recommend starting with a risk register. This is the most logical starting point – a universal first step – to gathering and assessing risk within the “four walls” of your organization, even if your organization is geographically dispersed.

A typical risk register includes a centralized inventory of all risks, by location, and lets you assign each one a risk level. Once you have a fully documented register – a holistic view of risk across the enterprise – it is much more efficient to map those risks through the lens of the security frameworks that apply to you, such as HIPAA, NIST CSF, HITRUST, PCI and others.

How ComplyAssistant’s risk register works

ComplyAssistant’s easy-to-use risk register module takes you through 6 comprehensive steps of collecting and assessing risk across the organization:

1) Identify and inventory all threats

Within our tool, you will document all threats throughout the organization. Each threat can be tagged by type, such as environmental, human, computer systems, or network. The risk register module within our GRC software comes standard with a library of threats you can use immediately. You also have the flexibility to create your own threat list or modify the pre-set library based on the requirements of your organization.


2) Assess risk level

Within our risk register tool, you can also assess the risk level for each threat, based on two inputs:

  1. Likelihood of incident – How likely is it that the threat event would actually occur?
  2. Impact to the organization – What would be the total impact if the incident did occur?

The risk register tool will automatically calculate an inherent risk level based on your inputs.


3) Choose how best to address each risk

Using the calculated risk level, you can then document how your organization chooses to manage the risk in four categories: avoid, control, accept or transfer. Our risk register module comes standard with a library of pre-set controls, or you can choose to create your own.


4) Determine residual risk

Once controls are documented, the risk register calculates residual risk, indicating which areas still need attention to bring the risk down.


5) Determine maturity level

Developed in conjunction with our partners at Kardon, the ComplyAssistant risk register also includes a unique feature in the market, which calculates how mature your plan is based on documentation, training and preparedness of the incident team.


6) Assign an action plan

With all threats documented, risk levels assigned, and maturity stages determined, your organization will then have a complete view into enterprise risk, and a prioritized list of where to focus resources. Within the risk register, you can assign controls, actions and tasks to various members of your team, and track progress along the way.
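The six steps above, worked through as a small risk register model in Python. This is an added illustration, not ComplyAssistant's own code, and the page does not publish how the product scores risk: the 1-5 ordinal scales for likelihood and impact, the likelihood × impact product, the rating bands, and the way each of the four treatments (avoid, control, accept, transfer) affects residual risk are all assumptions of this example. The threats, controls and locations are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumptions of this example (not statements about ComplyAssistant's product):
# likelihood and impact are scored on 1-5 ordinal scales, risk is the product
# of the two (0-25), and the four treatments affect residual risk as coded below.
SCALE = range(1, 6)
TREATMENTS = ("avoid", "control", "accept", "transfer")
THREAT_TYPES = ("environmental", "human", "computer systems", "network")


def rating(score: int) -> str:
    """Map a likelihood x impact product to a rating band (assumed thresholds)."""
    if score == 0:
        return "none"
    if score <= 4:
        return "low"
    if score <= 9:
        return "moderate"
    if score <= 16:
        return "high"
    return "critical"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points taken off the threat's likelihood
    impact_reduction: int = 0      # points taken off the threat's impact


@dataclass
class Threat:
    name: str
    threat_type: str
    location: str
    likelihood: int
    impact: int
    treatment: str = "control"
    controls: list = field(default_factory=list)
    owner: str = "unassigned"

    def __post_init__(self):
        # Reject entries that would silently skew the register.
        if self.threat_type not in THREAT_TYPES:
            raise ValueError(f"unknown threat type: {self.threat_type}")
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be integers 1-5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment}")

    def inherent_score(self) -> int:
        """Step 2: risk before any control is credited."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Step 4: risk remaining after the chosen treatment and controls."""
        if self.treatment == "avoid":
            return 0  # the risky activity is discontinued, so no exposure remains
        if self.treatment == "accept":
            return self.inherent_score()  # accepted as-is; controls earn no credit
        # control / transfer: subtract documented reductions, never below 1
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        im = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lk * im


def prioritize(register: list) -> list:
    """Step 6: order threats for the action plan, highest residual risk first."""
    return sorted(register, key=lambda t: (t.residual_score(), t.inherent_score()), reverse=True)


def build_sample_register() -> list:
    """Constructed sample data for a fictional two-site clinic (Step 1 inventory)."""
    return [
        Threat("Ransomware via phishing", "human", "Main campus", 4, 5, "control",
               [Control("Mail filtering and awareness training", likelihood_reduction=2),
                Control("Offline, tested backups", impact_reduction=2)],
               owner="IT security"),
        Threat("Flooding of server room", "environmental", "Satellite clinic", 2, 5, "transfer",
               [Control("Property insurance", impact_reduction=2)], owner="Facilities"),
        Threat("Unpatched imaging workstation", "computer systems", "Main campus", 5, 3,
               "accept", owner="Radiology"),
        Threat("Legacy FTP exchange with vendor", "network", "Main campus", 3, 4, "avoid",
               owner="Integration team"),
    ]


if __name__ == "__main__":
    for t in prioritize(build_sample_register()):
        print(f"{t.name:32} {t.treatment:9} inherent={t.inherent_score():2} "
              f"({rating(t.inherent_score())}) residual={t.residual_score():2} "
              f"({rating(t.residual_score())}) owner={t.owner}")
```

Two design points worth noting. First, the ordering key uses residual risk and then inherent risk, so an accepted high-risk item (the unpatched workstation) floats to the top of the action plan even though it has no controls, which is exactly the "where to focus resources" view step 6 describes. Second, the validation in `__post_init__` is the check a practitioner wants on any register: a likelihood of 6 or a treatment spelled "mitigate" would otherwise produce a plausible-looking score that no one questions.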

Ready to build your own risk register?

Want more? Check out our blog post on how using a risk register can help avoid recreating the wheel each year during security risk assessments.