Building your risk model

Duration: Ongoing

Materials: Your risk register, organisational context, frameworks

The exercise

Move from register to model: a repeatable process for identifying, assessing, and managing risks continuously.

Step 1: Document your process (30 minutes)

Write down how you did this:

  1. Risk identification: How do you find new risks? (Workshops, audits, incidents, threat intel, regulatory changes)

  2. Risk assessment: How do you evaluate them? (Your likelihood/impact criteria)

  3. Risk treatment: How do you decide what to do? (Your appetite, prioritisation approach)

  4. Risk monitoring: How do you track progress? (Review schedule, reporting)

  5. Risk communication: Who needs to know what? (Board reports, operational updates)

This becomes your risk management process.

Step 2: Map to frameworks (optional, 20 minutes)

If you’re working towards ISO 27001, NIS2, or other standards, map your process:

  • ISO 27001 risk assessment: Your process becomes clause 6.1 (risk assessment) and 6.2 (risk treatment)

  • NIS2 compliance: Your critical asset analysis supports Article 21 (risk analysis requirement)

  • Internal audit: Your register provides evidence for control selection

  • Board reporting: Your risk summary informs governance oversight

Step 3: Establish triggers for updates (15 minutes)

Don’t wait for scheduled reviews. Update your risk register when:

  • New systems or services go live

  • Security incidents occur

  • Audit findings emerge

  • Regulatory requirements change

  • Major organisational changes happen

  • Suppliers change or fail

  • Threat landscape shifts

Document these triggers.

Step 4: Build feedback loops (15 minutes)

Connect risk management to operations:

  • Incidents → Risk register: Every incident should trigger risk review

  • Risk register → Controls: Treatment plans drive control implementation

  • Control testing → Risk register: Testing results update risk assessments

  • Risk register → Board: Regular reporting keeps leadership informed

Step 5: Start measuring (optional)

Over time, track:

  • Number of risks by level

  • Treatment progress (% complete)

  • Residual risk after treatment

  • Time to treat risks

  • Risk trend (increasing/decreasing)

These metrics show whether your risk posture is improving.

Output

  • Documented risk management process

  • Framework mappings (if needed)

  • Defined update triggers

  • Established feedback loops

  • Measurement approach

Next steps

Immediate:

  1. Share your risk register with stakeholders

  2. Get board or executive approval for treatment plans

  3. Begin implementing priority treatments

  4. Schedule first round of reviews

Near term (1-3 months):

  1. Test your process: Does it work in practice?

  2. Refine based on feedback

  3. Train people on their roles

  4. Establish reporting rhythms

Long term (6-12 months):

  1. Integrate with ISMS or compliance programmes

  2. Automate where beneficial

  3. Mature from reactive to proactive

  4. Build predictive capabilities

Common pitfalls

“Too heavyweight” → Keep the process as simple as possible while remaining effective

“Process for process’s sake” → Focus on outcomes: are risks actually being managed?

“No continuous improvement” → Learn from what works and what does not, then iterate

“Disconnected from strategy” → Risk management should inform business decisions