We recommend starting with a risk register. This is the most logical starting point – a universal first step – to gathering and assessing risk within the “four walls” of your organization, even if your organization is geographically dispersed.
A typical risk register will include a centralized inventory of all risks, by location, and allows you to assign a risk level. Once you have a full documented register – a holistic view into risk across the enterprise – it’s much more efficient to then map those risks through the lens of certain security frameworks, such as HIPAA, NIST CSF, HITRUST, PCI and others.
ComplyAssistant’s easy-to-use risk register module takes you through 6 comprehensive steps of collecting and assessing risk across the organization:
Within our tool, you will document all threats throughout the organization. Each threat can be tagged by type of threat, such as environmental, human, computer systems, or network. The risk register module within our GRC software comes standard with a library of threats you can use immediately. You also have the flexibility to create your own threat list or modify the pre-set library based on the requirements of your organization
Within our risk register tool, you can also assess the risk level for each threat, based on two inputs:
The risk register tool will automatically calculate an inherit risk level based on your inputs.
Using the calculated risk level, you can then document how your organization chooses to manage the risk in four categories: avoid, control, accept or transfer. Our risk register module comes standard with a library of pre-set controls, or you can choose to create your own.
Once controls are documented, the risk register will then calculate residual risk, indicating which areas need more attention in order to mitigate.
Developed in conjunction with our partners at Kardon, the ComplyAssistant risk register also includes a unique feature in the market, which calculates how mature your plan is based on documentation, training and preparedness of the incident team.
With all threats documented, risk levels assigned, and maturity stages determined, your organization will then have a complete view into enterprise risk, and a prioritized list of where to focus resources. Within the risk register, you can assign controls, actions and tasks to various members of your team, and track progress along the way.
Tell us a bit about yourself and one of our experts will contact you:
Want more? Check out our blog post on how using a risk register can help avoid recreating the wheel each year during security risk assessments.