Monitor the risks — maintain a risk register

Very few risks remain static — a risk that is currently within the business owner and organisation’s risk tolerance may not stay that way.

Maintaining a risk register allows business owners in an organisation to monitor the:

• risks to information systems
• controls in place for each risk.

Review the risks

Having a routine for reviewing risks is essential to making sure risk ratings have not changed.

By regularly reviewing the risks to your organisation’s information systems, you’ll be able to see if factors have changed that affect each:

• risk happening — the likelihood or impact, or both
• control — for example, its suitability or cost.

Next step — use the results

Your organisation’s risk management process should allow you to act on the results from monitoring and reviewing risks.

If there are any changes to risk ratings and controls, seek out the right stakeholders for:

• selecting suitable controls
• making sure final risk ratings are within the business owner and organisation’s risk tolerance.

You can use the relevant parts of the risk assessment process to help, such as:

• analysing the risks to an information system
• evaluating the risks to an information system.