Can a Risk Register Focused on Information Security Be Readable by Senior Management?

Luigi Sbriz
Author: Luigi Sbriz, CISM, CRISC, CDPSE, ISO/IEC 27001 LA, ITIL V4, NIST CSF, UNI 11697:2017 DPO
Date Published: 4 January 2022
相关: Security Adjustments to Strengthen the Bond Between Risk Registers and Information

The idea of a risk register used in a practical and effective way is an expectation of ISACA’s Certified in Risk and Information Systems Control® (CRISC®) certification. "In a practical way" means that it can be managed directly by the owner of the risk. However, seeing a senior manager interact directly with the risk register instead of using an executive summary does not happen often. This is because it can be difficult to quickly understand the high level of detail and relate it to a level of aggregation comparable with the organization’s objectives. At the same time, it would not be valuable to remove the detail that is shown in the risk register.

However, the risk register can be organized so that it is neat and simple to read. Moreover, it is helpful to create the opportunity to aggregate the information whenever possible, diligently eliminating any redundancy or similarity. Reducing the number of entries for homogeneous categories is the first step. Hooking the categories to high-level reports is the second.

Giving senior management the ability to navigate the data starting from high-level views, then going down to the maximum detail while still preserving the consistency of the information, is more effective than any key risk indicator (KRI). In this way, senior management can determine for themselves whether there is a need to act, which makes communication more effective.

The sequence of steps to connect aggregated facts with detail elements has already been discussed in my previous articles on maturity assessment, how to prepare a risk executive summary and how to structure a risk analysis. Here, instead, the emphasis is on the information to be used in assessments, including information that could be of concern to senior management such as computer security and privacy.

For the risk register, detail and business perspective must be ensured at each level. In this way, the risk assessors feel the organization’s presence, and it decreases the feeling of generic, low-quality work. The selection of which elements to include in the drop-down determines its importance and the attention it will receive. A list labeled low, medium or high is less interesting than the use of the labels baseline, significant and challenging. The use of terms closely linked to the context strengthens the ability to make targeted reflections.

Often the most appropriate terms are overlooked by thinking that generic terms are preferable to operating staff, but it is important to remember that these people are the experts.

These parameters are examples of what should be focused on to improve senior management’s understanding of the risk protection scenario.
