
2.9 Documenting the Risk Assessment

  • The risk assessment report provides details about the current state of the risk environment and also points out gaps, if any, from the desired state of IT risk. It also indicates whether the gaps are within acceptable levels and provides recommendations for addressing them.

  • The risk assessment report should capture both the process and the result of the risk assessment.

  • Risks and gaps should be documented in a manner that is understandable by management, and the report should also indicate the level of each risk. This helps management to prioritize the risk response.

  • The contents of a risk assessment report are:

      • Objective and scope of the risk assessment

      • Risk assessment process and criteria

      • Assumptions, if any, used during the assessment

      • Risk categorization process

      • Identification of risks, threats and vulnerabilities along with control weaknesses

      • Recommendations to address the risk

      • Summary for management

  • The risk assessment process should be consistent so that results are comparable with previous results.

  • Major risks which are already being addressed should also be made part of the report, for accurate reporting to senior management.

  • To the extent possible, the report should not contain technical terminology that is specific to IT or that may be misinterpreted by management.


Addressing Bypassed Risk


  • It must be noted that a few of the IT-related risks may not be applicable to the organization, and hence such risks are not evaluated. In such cases, it is advisable to document the risks which were intentionally bypassed, along with the reasons for the same.

  • However, risk practitioners should re-evaluate each bypassed risk and ensure that it is being assessed accurately against the current risk landscape.


Updating the Risk Register


  • The risk register is primarily maintained and updated with the following objectives:

      • Documentation of all identified risks along with corrective plans

      • Availability of a complete risk-related database

      • Improved decision making related to risk, which helps to drive the risk response plan

  • For each risk, the following information should be captured in the risk register:

      • risk scenario and description

      • risk owner

      • impact

      • probability

      • inherent risk score

      • details of controls implemented

      • mitigation plan

      • residual risk score

  • The risk register should be updated as and when there is a change in the organization's risk scenario.

  • The very first step in the identification of a new risk is to update the risk register. Maintenance of the risk register starts from the risk identification phase.
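The register fields listed above, as a small worked example (added here, not code from the original post). It assumes a scoring convention the page does not state: impact and probability on a 1-5 scale, score = impact x probability, residual values being those remaining after the implemented controls, and a numeric "acceptable level" against which gaps are flagged.

```python
"""Minimal risk register following the field list above (added example).
Assumptions not stated on the page: 1-5 scales, score = impact x probability,
residual impact/probability = values remaining after implemented controls."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RiskEntry:
    scenario: str                      # risk scenario and description
    owner: str                         # risk owner
    impact: int                        # 1 (low) .. 5 (high)
    probability: int                   # 1 (rare) .. 5 (almost certain)
    controls: List[str] = field(default_factory=list)  # controls implemented
    mitigation_plan: str = ""
    residual_impact: Optional[int] = None        # None = unchanged by controls
    residual_probability: Optional[int] = None

    def inherent_score(self) -> int:
        return self.impact * self.probability

    def residual_score(self) -> int:
        imp = self.impact if self.residual_impact is None else self.residual_impact
        prob = self.probability if self.residual_probability is None else self.residual_probability
        return imp * prob


def prioritize(register: List[RiskEntry], acceptable: int) -> List[Tuple[str, int, bool]]:
    """Rank entries by residual score (highest first) and flag those whose residual
    risk still exceeds the acceptable level, i.e. the gap between the current and
    the desired risk state that the assessment report must point out."""
    ranked = sorted(register, key=lambda r: r.residual_score(), reverse=True)
    return [(r.scenario, r.residual_score(), r.residual_score() > acceptable) for r in ranked]


# Constructed sample register with hypothetical scenarios.
SAMPLE_REGISTER = [
    RiskEntry("Unpatched internet-facing server", "IT Ops", 5, 4,
              controls=["monthly patch cycle"], mitigation_plan="move to weekly patching",
              residual_probability=2),
    RiskEntry("Loss of laptop with customer data", "HR", 4, 3,
              controls=["full-disk encryption"], residual_impact=1),
    RiskEntry("Key supplier outage", "Procurement", 3, 3),
]

if __name__ == "__main__":
    for scenario, score, gap in prioritize(SAMPLE_REGISTER, acceptable=6):
        print(f"{score:>3}  {'GAP' if gap else 'ok '}  {scenario}")
```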

Key aspects from CRISC exam perspective


CRISC Question: Which document helps the most in decision making related to risk?
Possible Answer: Documented Risk Register

CRISC Question: What is the prime objective of review of documentation before risk assessment?
Possible Answer: To understand the business processes

CRISC Question: What are the objectives for maintenance of the risk register?
Possible Answer:

  • Documentation of all identified risks along with corrective plans

  • Availability of a complete risk-related database

  • Improves decision making related to risk and helps to drive the risk response plan

CRISC Question: Which document helps to identify the changes in an organization's risk profile?
Possible Answer: Review of Risk Register

CRISC Question: Which document contains the status of risk mitigation and risk ownership?
Possible Answer: Risk Register

CRISC Question: Design of an effective key risk indicator (KRI) is best assisted by
Possible Answer: Documented end-to-end operational process flow

CRISC Question: What information is captured for each risk in a risk register?
Possible Answer: Various risk scenarios with their date, description, impact, probability, risk score, risk ranking, mitigation action and owner

CRISC Question: Maintenance of risk registers starts from which phase of risk management?
Possible Answer: Risk identification phase

CRISC Question: Risk scenario is based on
Possible Answer: Potential threats

