Risk Register and Treatment Plan
The Risk Register and Treatment Plan is a powerful Tool in ISMS.online which allows you to record and manage your risks, indicating their impact and likelihood, how you propose to treat them and any details of that treatment. The standalone ISO 27001 policy & controls area comes with an inbuilt Risk Register and Treatment plan. Risk Registers can also be created as standalone tools or integrated into other initiatives, for example, to manage the risks relating to a specific project.
Instructions on Creating a new Risk Register & Treatment plan
Creating a Risk Register & Treatment Plan
To create a Risk Register and Treatment Plan within an Initiative, open the desired Initiative and click on the Tools tab as shown below:
Then, click New tool usage and select Risk Register and Treatment Plan from the drop-down menu. You can then choose to associate a tool with the entire project or to a particular Phase, Deliverable or Activity. Once you are happy with the options, click Create new usage.
Give it a relevant name and click Save.
Creating a New Risk
When creating a new Risk there are a number of details you can add in:
- Risk status – State whether the risk you are plotting is currently Open or Closed.
- Description – Give a description of what the risk actually is.
- Potential Impact – Describe the potential impact on your organisation or team should this risk not be mitigated (e.g. preventable ilegal activities occurring which cause damage/harm to the public).
- Origin – Where the risk arises from.
- Type of risk – You can select Threat or Opportunity; if the risks you are plotting do not fall in either category you can contact the ISMS.online Support Team to arrange customisation of your dropdown list.
- Current likelihood/Impact – Select the likelihood and impact of the risk at the time of adding it to the register (these range from very low to very high)
- Owner – Select the team member responsible for monitoring the risk.
- Dates: Review/Reminder – Select when you would like this risk to be reviewed, and when you would like a reminder notification to be sent out.
- Summary of action – Select the option that represents your action from the drop-down list (combination of actions, terminate, tolerate, transfer, treat).
There are also three advanced details you can fill:
- Value at risk – If possible at this stage, ascertain the financial cost of this risk if it becomes an issue.
- Objective – Useful for linking risks back to objectives in external plans.
- Obj ID –
Management of a Risk Register & Treatment Plan
Once you’ve populated your plan with risks, you’ll see each risk plotted with a letter of the alphabet, if you click a letter, you’ll open all risk details next the map, and the treatment plan below it.
You can also view all of your risks in the table below, use the toggle buttons to swap between open and closed risks.
The functionality within a risk item is familiar from other areas of ISMS.online, you can: add notes, set tasks, upload documents, and start discussions.
The treatment notes also come with the extra function of clearly stating how you feel about a risk (i.e. happy, neutral, unhappy). This will plot a RAG icon next to that risk on the risk register.
As you use these tools to manage your risks and change their impact and likelihood, you’ll see details of these changes plotted on the History graph. This allows you to visualise the treatment of a risk over time compared to the acceptable likelihood and impact.
It’s easy to add risks from scratch or drawing down from our risk bank. These are generic risks that we have created ready for you to quickly add into your risk maps. You can easily adapt these risks to meet your specific needs once you have added them. Treatment examples are proposed for each risk that you can also adopt, adapt or add to in the risk treatment area.
To view the risk bank simply click ‘View Risk Bank’ in the top right, as shown in the image below. Then, when you have seen a risk you want to add to your map, simply click ‘Add risk’, also shown below.
With the Risk Register and Treatment Plan as part of the initiative, all the members of that initiative will have access to the Plan. Therefore, if you want more people to be able to view the Risk Register, simply add them to the initiative.
Should you wish to change the name of your Risk Register and Treatment Plan, you can do so by clicking Settings (next to Team in the top right-hand corner), making changes in the text box shown below and clicking save.