
2.9 Documenting the Risk Assessment



  • A risk assessment report provides details about the current state of the risk environment and also points out gaps, if any, from the desired state of IT risk. It also indicates whether the gaps are within acceptable levels and provides recommendations for addressing them.

  • The risk assessment report should capture both the process and the result of the risk assessment.

  • Risks and gaps should be documented in a manner that is understandable by management, and the report should also indicate the level of each risk. This helps management prioritize the risk response.

  • Following are the contents of a risk assessment report:

      • Objective and scope of the risk assessment

      • Risk assessment process and criteria

      • Assumptions, if any, used during the assessment

      • Risk categorization process

      • Identification of risks, threats and vulnerabilities along with control weaknesses

      • Recommendations to address the risk

      • Summary for management

  • The risk assessment process should be consistent so that results are comparable with previous results.

  • Major risks which are already being addressed should also be made part of the report, for accurate reporting to senior management.

  • To the extent possible, the report should not contain technical terminology that is specific to IT or that may be misinterpreted by management.


Addressing Bypassed Risk 


  • It must be noted that some IT-related risks may not be applicable to the organization, and hence such risks are not evaluated. In such cases, it is advisable to document the risks which were intentionally bypassed along with the reasons for bypassing them.

  • However, risk practitioners should re-evaluate each bypassed risk and ensure that it is still being assessed accurately against the current risk landscape.


Updating the Risk Register


  • A risk register is primarily maintained and updated with the following objectives:

      • Documentation of all identified risks along with corrective plans

      • Availability of a complete risk-related database

      • Improved decision making related to risk, which helps to drive the risk response plan

  • For each risk, the following information should be captured in the risk register:

      • risk scenario and description

      • risk owner

      • impact

      • probability

      • inherent risk score

      • details of controls implemented

      • mitigation plan

      • residual risk score

  • Risk registers should be updated as and when there is a change in an organization's risk scenario.

  • The very first step upon identification of a new risk is to update the risk register. Maintenance of the risk register starts from the risk identification phase.

Key aspects from CRISC exam perspective (CRISC question and possible answer)

Q: Which document helps the most in decision making related to risk?
A: Documented Risk Register

Q: What is the prime objective of review of documentation before risk assessment?
A: To understand the business processes

Q: What are the objectives for maintenance of the risk register?
A:
  • Documentation of all identified risks along with corrective plans
  • Availability of complete risk related database
  • Improves decision making related to risk and helps to drive risk response plan.

Q: Which document helps to identify the changes in an organization's risk profile?
A: Review of Risk Register

Q: Which document contains the status of risk mitigation and risk ownership?
A: Risk Register

Q: Design of an effective key risk indicator (KRI) is best assisted by
A: Documented end to end operational process flow

Q: What information is captured for each risk in a risk register?
A: Various risk scenarios with their date, description, impact, probability, risk score, risk ranking, mitigation action and owner

Q: Maintenance of risk registers starts from which phase of risk management?
A: Risk identification phase

Q: Risk scenario is based on
A: Potential threats

