The risk library contains all risk frameworks and risk statements. Risk frameworks are
used to group risk statements into manageable categories, while risk statements group the
individual risks. The risk register is the central repository for all potential risks that could
occur at any time, anywhere in the organization.
Assess risks and develop risk statements
Assessing risk means identifying and analyzing the threats and vulnerabilities that could
adversely affect your organization’s business objectives. Risk is a function of the
likelihood that a given threat will exploit a particular vulnerability, and of the
resulting impact of that adverse event on the organization. By identifying your risks and
the likelihood and impact of each, your organization can prioritize control testing and
remediation activities. It also helps you understand the true business impact when a
control fails.
A good risk statement should answer:
- What could happen?
- How could it happen?
- Why do we care?