Building your risk model
Duration: ongoing
Materials: your risk register, organisational context, any applicable frameworks
From register to model
A risk register records what the organisation currently knows about its exposure. A risk model describes the process by which that knowledge is acquired, maintained, and acted upon. The model makes risk management a continuous practice rather than a periodic documentation exercise.
The SEM framing is central here. The risk register is a model of the organisation’s exposure at a point in time. It encodes assumptions about likelihood, about the adversary landscape, about what the critical assets are and what threatens them. Those assumptions are accurate when they are made and drift thereafter. A risk model without explicit mechanisms for detecting and correcting model drift is a risk model that becomes less accurate over time without anyone noticing.
Documenting the process
Write down how the organisation does each of the following.
Risk identification: how do new risks get discovered? Workshop cycles, audit findings, incident analysis, threat intelligence, regulatory changes, reports from staff. If the only mechanism is periodic workshops, risks that emerge between workshops will not be captured until the next cycle.
Risk assessment: how does the organisation evaluate identified risks? The likelihood and impact criteria from the assessment exercise, adapted and documented so that assessments are consistent across time and across different groups.
Risk treatment: how are treatment decisions made? Who has the authority to accept, mitigate, transfer, or avoid? What criteria govern prioritisation? What happens when a treatment cannot be implemented within the available capacity?
Risk monitoring: how does the organisation track whether treatments are being implemented and whether the risk picture is changing? Review schedules, ownership assignments, triggers for unscheduled updates.
Risk communication: who needs to know what, and when? Operational teams need different information than the board. The register format useful for tracking treatment progress is different from the summary useful for governance reporting.
Mapping to frameworks (optional)
If the organisation is working toward ISO 27001, NIS2, or another standard, the process documented above maps directly to the standard’s requirements. The risk assessment exercise becomes the evidence for clause 6.1. The treatment plan becomes the implementation roadmap for Annex A controls. The register provides the audit evidence.
This mapping is useful for compliance purposes but ideally does not drive the design of the risk management process. A process designed primarily to satisfy a framework will produce documentation that satisfies the framework. A process designed to actually reduce risk may satisfy the framework as a byproduct.
Keeping the model current
The model needs explicit triggers for updates, not just a scheduled review calendar. Updates are worth making when new systems or services go live, when incidents occur that change the likelihood or impact assessment of a known risk or reveal a risk that was not in the register, when audit findings emerge, when regulatory requirements change, when major organisational changes affect the asset landscape, when suppliers change or fail, and when the threat intelligence picture shifts substantially.
Without these triggers, the model will be reviewed at the scheduled date regardless of whether it is still accurate. The scheduled review is useful for completeness; it is not a substitute for currency.
Feedback loops
Connect the risk model to operations so that information flows in both directions. Incidents can trigger risk register updates: what did this incident reveal about likelihood or impact that was not reflected in the current assessment? Treatment implementation can update residual risk ratings: once a control is in place, does the risk level change, and by how much? Control testing results can feed back into the assessment: the control was assumed to reduce likelihood to low, and the test suggests it reduces it to medium at best.
These feedback loops are what make the model a living representation of the organisation’s actual exposure rather than a snapshot of a past workshop.
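As an added illustration of the feedback loops described above (example code written for this page, not part of the original material), the sketch below keeps a minimal register in which control-test or incident evidence overrides the treatment plan's assumed residual likelihood and flags the risk for an unscheduled review. The three-level scale, the product scoring and the field names are assumptions, not anything the page prescribes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ["low", "medium", "high"]  # constructed ordinal scale for likelihood and impact


def score(likelihood: str, impact: str) -> int:
    """Rating as the product of the two ordinal positions (1..9 on this constructed scale)."""
    return (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)


@dataclass
class Risk:
    risk_id: str
    impact: str
    inherent_likelihood: str
    assumed_residual_likelihood: str                 # what the treatment plan assumed
    observed_residual_likelihood: Optional[str] = None  # latest evidence from tests or incidents
    log: List[str] = field(default_factory=list)

    def residual_likelihood(self) -> str:
        # Evidence, once recorded, takes precedence over the treatment plan's assumption
        return self.observed_residual_likelihood or self.assumed_residual_likelihood

    def residual_score(self) -> int:
        return score(self.residual_likelihood(), self.impact)


def record_evidence(risk: Risk, source: str, observed: str) -> bool:
    """Feed a control-test result or incident finding back into the register.

    Returns True when the evidence worsens the residual rating, meaning an
    unscheduled review is warranted rather than waiting for the review calendar.
    """
    before = risk.residual_score()
    risk.observed_residual_likelihood = observed
    after = risk.residual_score()
    risk.log.append(
        f"{source}: assumed {risk.assumed_residual_likelihood!r}, observed {observed!r}"
    )
    return after > before


def drifted(register: List[Risk]) -> List[str]:
    """Risks whose evidence no longer matches the treatment plan's assumption (model drift)."""
    return [
        r.risk_id
        for r in register
        if r.observed_residual_likelihood is not None
        and r.observed_residual_likelihood != r.assumed_residual_likelihood
    ]
```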