Hey, I would like to better understand Risks and Issues please.
My understanding is that the former is a potential future loss event and the latter is a weakness/vulnerability/control gap etc. that usually comes out of audits/assessments.
If that’s correct, I have some additional questions:
- Do you maintain separate registers for them?
- Is it fair to say that most issues have (or can have) a corresponding risk entry in the risk register? e.g., the lack of/inadequate DLP controls can have an entry in the issue register and also in the risk register (as a data leakage risk scenario).
- If the above statement and example are true, why can't we just capture issues (control gaps/findings) as risks in the risk register (instead of as issues in a separate register)? Is it because we don't want the risk register to become really big with lots of entries? Or are there other reasons too?
Many thanks in advance.
Risk is about the probability of something happening in the future that could have detrimental effects (e.g., data breach, natural disasters, fires, etc.). On the other hand, an issue is something that is already present; it has already happened. In the context here, an issue is most closely related to an incident.
Generally speaking, risks become issues. Though as you mentioned, a current issue could lead to a threat or a vulnerability in the future and therefore could have the potential for leading to a new risk; i.e., an incident/issue could cause or increase a vulnerability, which in turn can increase the likelihood or impact of a threat, and ultimately a risk.
Assessments or audits identify non-conformities or deficiencies in a system or program, which could cause issues. These are vulnerabilities that increase the likelihood of a risk and, if not mitigated, could turn into issues. Assessments and audits can't identify issues/incidents, because issues have already occurred.
To use your example, DLP controls mitigate the risk of accidental/negligent/malicious loss of data, or its unauthorized transfer out of the network. Here, the vulnerability is controlling the data that can be lost or transferred without authorization. The threat is internal network users that can accidentally/negligently/maliciously transmit the data. The lack of DLP controls will certainly increase the vulnerability and the likelihood of a loss or unauthorized transfer (the risk will increase accordingly). However, lack of DLP controls is NOT an issue/incident; the issue in this scenario is if an actual loss or unauthorized transfer happens.
Typically, risks are tracked in a risk register as a medium for "things that could happen". In the register, risks can be re-evaluated and re-prioritized as needed, and they can also be removed from the register if the circumstances call for it. Issues are typically tracked in an "issue log" (ticketing systems like Jira automatically do this) as a medium for "things that have already happened and need attention now". Issues will always remain on the log as an event that has occurred. When an incident occurs, it is recorded in the issue log, and it is common to also note the incident on the associated risk on the risk register. Another reason that risks and issues are typically kept separate is because treatment of risks usually involves preventative measures, whereas remediation of issues is typically incident response.