We have successfully avoided implementing a Risk Register for several years, but our most recent auditor convinced us it was a path to follow.
The examples I've been looking at range from default smoke and mirrors -
"We're good, it's all good, and if it wasn't, we'd execute one of plans 01 thru 23!" ...
... to tables alleging to be actively managed to-do lists regarding all known risks, and names persons responsible for action items managing said risks and their due dates ...
Working with an organization that ineffectively addresses action items and their owners, the latter has its appeal.
But I can see that having its own failure mode, since we're already less than devout about such matters.
Your opinions, counsel, and any general scoffing would be welcomed.