Risk Register

Design principles

Before you can start configuring and using this risk register, you need to know about a few design principles.

Bow-tie

This tool uses the bow-tie method to define risks. The idea of this method is that one or more causes lead to an unwanted event, which in turn has one or more harmful effects. To register a risk in this tool, you need to specify the event, at least one cause and at least one effect.

Causes can be mitigated by means of preventive measures. Detective measures make sure that an event does not go unnoticed. Use repressive measures to make sure the effects of an event don't cripple your organisation.

Controls vs measures

In cybersecurity, people often talk about controls and measures. This tool also uses both terms. A measure is a concrete action to improve security. A control is an objective defined at a higher level than a measure. A control is what's defined in a standard like ISO 27002 and contains one or more measures.

Because a standard like ISO 27002 must be able to be applied in all sorts of organisations, the measures of the controls in ISO 27002 are described in a general manner. However, when you determine mitigating measures during a risk analysis, you want to describe those measures in a more detailed manner. Both can still be seen as measures.
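The two principles above describe a data model: a risk is an event with causes and effects, each side of the bow-tie carries its own kind of measure, and a control groups measures at a higher level. The following is an added illustration of that model and is not the tool's own code; the class names, the rule that preventive measures attach to causes, detective measures to the event and repressive measures to effects, the gap report, and the sample ransomware risk and control are all constructed assumptions for this example.

```python
"""Minimal bow-tie risk model (added example, not the risk register's own code).

Assumed for illustration: class and field names, the attachment rule
(preventive -> cause, detective -> event, repressive -> effect), and the
sample risk and control built at the bottom.
"""
from dataclasses import dataclass, field
from enum import Enum


class MeasureType(Enum):
    PREVENTIVE = "preventive"   # reduces the likelihood that a cause occurs
    DETECTIVE = "detective"     # makes sure the event does not go unnoticed
    REPRESSIVE = "repressive"   # limits the harm done by an effect


@dataclass(frozen=True)
class Measure:
    """A concrete action (the 'measure' side of the control/measure split)."""
    name: str
    kind: MeasureType


@dataclass
class Control:
    """A higher-level objective, e.g. a control from a standard, grouping measures."""
    reference: str              # placeholder reference, constructed for the example
    objective: str
    measures: list = field(default_factory=list)


@dataclass
class Cause:
    description: str
    measures: list = field(default_factory=list)   # preventive measures only


@dataclass
class Effect:
    description: str
    measures: list = field(default_factory=list)   # repressive measures only


@dataclass
class Risk:
    event: str
    causes: list
    effects: list
    detective: list = field(default_factory=list)  # measures on the event itself

    def __post_init__(self):
        # Registration rule from the page: an event, at least one cause, at least one effect.
        if not self.event.strip():
            raise ValueError("a risk needs an event")
        if not self.causes:
            raise ValueError("a risk needs at least one cause")
        if not self.effects:
            raise ValueError("a risk needs at least one effect")
        # Assumed attachment rule: each bow-tie element accepts one measure type.
        for c in self.causes:
            if any(m.kind is not MeasureType.PREVENTIVE for m in c.measures):
                raise ValueError(f"cause '{c.description}' may only carry preventive measures")
        for e in self.effects:
            if any(m.kind is not MeasureType.REPRESSIVE for m in e.measures):
                raise ValueError(f"effect '{e.description}' may only carry repressive measures")
        if any(m.kind is not MeasureType.DETECTIVE for m in self.detective):
            raise ValueError("the event may only carry detective measures")

    def all_measures(self):
        for c in self.causes:
            yield from c.measures
        yield from self.detective
        for e in self.effects:
            yield from e.measures

    def gaps(self) -> dict:
        """Which parts of the bow-tie have no measure at all; useful input for a risk dialogue."""
        return {
            "unmitigated_causes": [c.description for c in self.causes if not c.measures],
            "undetected_event": not self.detective,
            "unrepressed_effects": [e.description for e in self.effects if not e.measures],
        }


def control_coverage(risk: Risk, control: Control) -> list:
    """Names of the control's (general) measures that this risk's (detailed) measures implement."""
    present = {m.name for m in risk.all_measures()}
    return [m.name for m in control.measures if m.name in present]


def build_sample_risk() -> Risk:
    # Constructed sample data, not from the page.
    return Risk(
        event="Ransomware encrypts the file server",
        causes=[
            Cause("Phishing mail opened by employee",
                  [Measure("Awareness training", MeasureType.PREVENTIVE)]),
            Cause("Unpatched VPN gateway"),          # deliberately left without a measure
        ],
        effects=[Effect("Production stops",
                        [Measure("Tested offline backups", MeasureType.REPRESSIVE)])],
        detective=[Measure("EDR alert on mass file encryption", MeasureType.DETECTIVE)],
    )


def build_sample_control() -> Control:
    # Constructed sample control; the reference is a placeholder, not a real standard clause.
    return Control("CTRL-PLACEHOLDER", "Protect against malware", [
        Measure("Awareness training", MeasureType.PREVENTIVE),
        Measure("EDR alert on mass file encryption", MeasureType.DETECTIVE),
        Measure("Network segmentation", MeasureType.PREVENTIVE),
    ])


if __name__ == "__main__":
    risk = build_sample_risk()
    print(risk.gaps())
    print(control_coverage(risk, build_sample_control()))
```

Running the module prints the gap report for the sample risk (one cause without a preventive measure) and the two measures of the sample control that the risk already implements; attaching a measure of the wrong type to a cause or effect raises a `ValueError` at construction time.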

Risk dialogue

Many risk registers or GRC tools have a dashboard with several graphs and options to generate reports. This tool doesn't. The reason is that proper risk management isn't about graphs and reports. It's about having meaningful discussions about the risks that an organisation faces. Yes, this tool has an export option, and many tools exist to create reports and graphs from such exports. Don't waste your time on that. A discussion with managers and the board about the risks that are relevant at that level, and about the maturity of the risk management process within the organisation, is much more useful and effective than presenting them with graphs and numbers.
