Fields you'll probably need to capture, but not all will be populated for all risks, given some result from human agency and some for natural causes
Unique Id - unique id for the risk
Data Identified - when was the risk first identified
Threat Source - the source of a threat may be different from the specific actor involved e.g. organised crime
Threat Actor - the actor who causes a threat may be different from the source e.g. malware author hired to target particular firm by organised crime
Threat Description - a description of what the threat is e.g. theft of mobile assets
Inherent Likelihood - description of probability
Inherent Impact Description - stakes that what of impacts
Inherent Impact - states the aggregate cost if the risk is realised
Generic treatment option - avoid, transfer/share, reduce or accept
Current controls - the controls that are currently in place that affect likelihood or impact. Also record the type of control i.e. deter, prevent, detect, response, recovery
Cost of current controls - capture the costs associated with operating the controls
Current Likelihood - in recognition that there will be controls in place
Current Impact - in recognition that there will be controls in place
Target Likelihood - this will relate to if the current level is still above risk appetite
Target Impact - in recognition that there will be controls in place
Treatment plan - actions required to get to target level
Risk Owner - who if the organisation at senior level owns the risk.
Risk Manager - who is implementing the current treatment plan
You may also want to consider how the risks can be structured to avoid duplicates/overlaps.
-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
