I read this article a few weeks ago and set it aside to revisit. In it, the author states that “Risk management used to be someone else’s job.” and then later concludes that “…in a global business arena that is increasingly unforgiving when it comes to missteps, the message is clear: Everyone—including you—now has to be a vigilant risk manager.” Yes, well, sort of, maybe, kind of… hmmm…
During RSA 2013 (last year) I had the opportunity to sit in on a half-day event around IT risk management. When I joined the closing panel, I asked how many people in the audience had “risk manager” in their titles, and then asked them to leave their hands up if they actually made decisions based on their risk analysis, or if they simply made recommendations. Unsurprisingly, the vast majority (possibly all) of the hands went down. You’re not “managing” anything if you’re not empowered to make a decision. And, inevitably, that means you’re going to be one of those people contributing to the “risk register,” which is the place where all good risk conversations seem to go to die.
My opinion is not necessarily shared by the rest of Gartner, or even by the rest of my team, but I want to make a few points about these risk registers and why I think they’re a faulty concept that needs to be deprecated within our environments. Similarly, I think these surveys (like the one noted in the article referenced earlier) are also silly. “What are your top concerns?” If you’re a business, it’s going to be “staying in business” and “growing revenue” and “avoiding foolishness.” The specifics of each of these vary year-to-year, but let’s be honest for a moment and admit that, at least within the US, this is really what execs are “worried” about (if you can even call it that – I’m convinced most really don’t think too much about it, instead preferring to focus on making good decisions that lead to up-side realization).
Here are three reasons why I think the risk register is really a silly notion:
Shouldn’t risk findings be driving actual remediation activities?
One of the reasons I hate risk registers is because, as a former consultant, auditor and assessor, I’ve often seen the same items maintained on the list year after year after year. What’s the point of that list? If you have a risk finding worth recording on the “really important scary things” list, then you doggone well better have a remediation plan or compensating controls. Your risk management program serves to inform, as well as to drive good decision-making. Risk registers don’t meet this need at all. I would far prefer that enterprises resolve to have a clear “register” every year (or quarter!) so that all risk assessment findings either drive directly to remediation or are summarily managed through compensating controls or are summarily dismissed as unconcerning. Failing to take action strikes me as an indefensible approach that will some day land your business in hot legal waters.
What exactly are you trying to accomplish with it, anyway? (it’ll never be complete)
You’ve built a risk register, probably over the course of a few years. Now what? What was the objective of making this list? Are you trying to give your executives a migraine? Or, maybe you secretly hope that hackers will find the list and start taking advantage of your weaknesses? I’ve heard of enterprises that make these lists and then keep them super-secret, but to what end? More importantly, though, these lists will never be complete. “Risk” evolves over time. Moreover, a lot of operational risks, particularly under IT, get short shrift and are underrepresented within risk registers. Or, even worse, they get rolled up into meaningless aggregate statements like “cybersecurity risk is high” (whatever that means?!). If your goal is prioritization, then improve your risk analysis and risk assessment capabilities. If your goal is to make better decisions, then turn that data into something actionable. But, know that the list is temporal and should always be in flux. If it’s not… if your risk register tends to be very static… then I submit you’re not truly doing something useful.
Risk registers reinforce the really bad idea of the “annual risk assessment.”
One of my other pet peeves around risk registers is that they tend to reflect the fatally flawed notion of the “annual risk assessment.” I’ll address this topic in-depth in another blog post, but suffice it to say, if you’re only “assessing risk” on an annual basis, you’re doing it wrong. Risk assessment and risk management are ongoing activities that should be leveraged to make good decisions throughout the business calendar, rather than just ahead of the annual budget cycle. All meaningful decisions should be supported by at least a lightweight risk assessment that helps analyze key factors toward ensuring that due diligence is performed and that a reasonable standard of care is met.
When all is said and done, the risk register typically becomes a dumping ground for “things we don’t know how to manage” or “things we don’t care enough about to manage.” This is unacceptable, and often a cop-out. Any finding worth listing is worth listing in an action plan for remediation. Can’t do everything this year? No problem, put it on your strategic roadmap, documenting how you’re going to address it. Or, document your compensating controls (like insurance) and then move on. Yes, documentation should exist, but not as a list of “really scary things.”