Manage risks, risk statements, and risk frameworks

The risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk statements into manageable categories, while risk statements group the individual risks. The risk register is the central repository for all potential risks that could occur at any time, anywhere in the organization.

Assess risks and develop risk statements

Assessing risk means identifying and analyzing the threats and vulnerabilities that could adversely affect your organization’s business objectives. Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. By identifying your risks and the impact and likelihood of those risks occurring, your organization can prioritize control testing and remediation activities. It also helps you understand the true business impact when a control fails.

A good risk statement should answer:
  • What could happen?
  • How could it happen?
  • Why do we care?