Hey, I would like to better understand Risks and Issues please.
My understanding is that the former is a potential future loss event and the latter is a weakness/vulnerability/control gap, etc., that usually comes out of audits/assessments.
If that’s correct, I have some additional questions:
- Do you maintain separate registers for them?
- Is it fair to say that most issues have (or can have) a corresponding risk entry in the risk register? e.g. the lack of/inadequate DLP controls can have an entry in the issue register and also in the risk register (as a data leakage risk scenario).
- If the above statement and example are true, why can’t we just capture issues (control gaps/findings) as risks in the risk register (instead of as issues in a separate register)? Is it because we don’t want the risk register to become really big with lots of entries? Or because of other reasons too?
Many thanks in advance.