Monitor and review risks to information systems

By regularly checking on the risks to information systems, you’ll see if their risk ratings have changed or if their controls are no longer effective.

Monitor the risks — maintain a risk register

Very few risks remain static — a risk that is currently within the business owner and organisation’s risk tolerance may not stay that way.

Maintaining a risk register allows business owners in an organisation to monitor the:

  • risks to information systems
  • controls in place for each risk.

Review the risks

Having a routine for reviewing risks is essential to confirming whether risk ratings have changed.

By regularly reviewing the risks to your organisation’s information systems, you’ll be able to see if factors have changed that affect each:

  • risk happening — the likelihood or impact, or both
  • control — for example, its suitability or cost.

Next step — use the results

Your organisation’s risk management process should allow you to act on the results from monitoring and reviewing risks.

If there are any changes to risk ratings and controls, seek out the right stakeholders for:

  • selecting suitable controls
  • making sure final risk ratings are within the business owner and organisation’s risk tolerance.

You can use the relevant parts of the risk assessment process to help, such as:
