How do you track all the risk issue "to-dos" in your organization? Every project seems to have a long tail of issues to be resolved even after a project moves to production status. I always try to draw a parallel to something we use every day to help illustrate the concept. For better or worse, the example that seems closest to me is the home "honey-do" list.
Oh, the infamous honey-do list, the subject of many life stories. If you are like my wife and me, it has been both the blessing and bane of our long marriage. Regardless of what you may think about the "Honey-Do List" that exists in almost every household, it effectively serves a purpose. It's there to remind us what priority tasks need to be addressed in the future to keep the house in good order.
It's also there to track the completion of the items on the list. In my house, the to-do side of the list seems to grow more quickly than the "done" side. In full disclosure, while my wife efficiently clears her tasks, I may be one of the world's greatest procrastinators when dealing with the list. But, for discussion's sake, and moving the focus toward the risk register, I'd like to separate this discussion into three functions: adding to the list, tracking, and completion.
At work, the primary focus is the delivery of products and services to our members while keeping their information secure. As we deliver these projects, there are always trade-offs. They are mainly those issues and details to be addressed later in the project, or in the next release. While an item may conflict with current security protocols or procedures, if it is a low-risk issue or has other controls that lower the security risk, it may be acceptable in the short term. In these cases, we need to document the risk, get it approved by management, and assign a completion date.
Adding new tasks: At home, we discuss the big items going on the list. Usually, the heart of the discussion is around the priority. The same thing needs to happen at work. When adding an item to the Risk Registry, we must start by collecting all pertinent information on a request form. At a minimum, you must document the date, name of the requestor, system affected, description of the risk, and the controls that will reduce the risk until the final fix is implemented. Have the form signed by the requestor and submitted to the coordinator who controls the risk registry.
Approval by Management: There are many reasons why management approval is critical. A discussion about the overall business impact of an issue, or how much a delay may cost, is a management and budget issue typically owned by a department manager. When implementing the Risk Registry process, the program owner should set up regular meetings with the business sponsor, Info Security, Enterprise Risk, and the CIO to add, change, and delete requests. This meeting will ensure that everyone gets a chance to weigh in on the issue and on an acceptable due date.
Completion and After-Action Report: There is an old risk management adage which summarizes any risk program in three steps:
1. Don't do anything wrong today
2. Don't do anything wrong tomorrow; and
If life were only that simple, I would have gotten much more sleep over the past few years. The truth is that the only way we get better is to learn from our experiences and mistakes. When we close out an item on the risk register, it is just as important to know why it happened as what we did to correct the risk. Finding the root cause can be enlightening. It may have been an error in scheduling, a technology problem, an unclear security standard, or countless other factors. Take the time to document the results and, if significant, train others on the issue to avoid recurrence.
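The three functions described above (the request form with its minimum fields, management approval with an agreed due date, and close-out with a documented root cause) as an added example: a minimal risk register in Python. This is illustrative code written for this post, not the author's or any product's tool; the field names, the four approving roles and the error messages are assumptions based on the text.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Minimum request-form fields and approving roles, as described in the post (assumed names).
REQUIRED = ("date", "requestor", "system", "description", "controls")
APPROVERS = frozenset({"business sponsor", "info security", "enterprise risk", "cio"})

@dataclass
class RiskItem:
    date: date                    # date the request was raised
    requestor: str
    system: str                   # system affected
    description: str              # description of the risk
    controls: str                 # interim controls until the final fix lands
    approvals: Set[str] = field(default_factory=set)
    due: Optional[date] = None    # completion date agreed in the approval meeting
    closed: Optional[date] = None
    root_cause: Optional[str] = None
    def is_approved(self) -> bool:
        return APPROVERS <= self.approvals and self.due is not None

class RiskRegister:
    def __init__(self) -> None:
        self.items: List[RiskItem] = []

    def add(self, **form) -> RiskItem:
        """Accept a request form only if every minimum field is filled in."""
        missing = [f for f in REQUIRED if not form.get(f)]
        if missing:
            raise ValueError(f"request form incomplete: {missing}")
        item = RiskItem(**form)
        self.items.append(item)
        return item

    def approve(self, item: RiskItem, role: str, due: date) -> None:
        """Record one approver's sign-off and the due date agreed in that meeting."""
        if role not in APPROVERS:
            raise ValueError(f"{role!r} is not an approving role")
        item.approvals.add(role)
        item.due = due

    def overdue(self, today: date) -> List[RiskItem]:
        """Accepted risks whose agreed completion date has passed without closure."""
        return [i for i in self.items if i.is_approved() and i.closed is None and i.due < today]

    def close(self, item: RiskItem, today: date, root_cause: str) -> None:
        """Closing needs management approval and a documented root cause (the after-action step)."""
        if not item.is_approved() or not root_cause.strip():
            raise ValueError("item needs management approval and a documented root cause")
        item.closed, item.root_cause = today, root_cause
```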
At home, I try hard to keep the honey-do list to a minimum. It is less stressful and makes life with my significant other much more pleasant. We agree on what goes on the list, decide on the needs, and when complete, we look to make sure it will not break again next week. Don't make your initial foray into the world of risk tracking overly complicated. Start with a simple concept like the honey-do list and gradually build it into a valuable risk management tool.
Learn more about Gene Fredriksen and all of our experts on our author page.