Risk Reporting and Documentation

admin, 2023-12-04 14:07:09


Risk reporting is a key task to perform at the conclusion of a risk analysis. Risk reporting involves the production of a risk report and a presentation of that report to the interested/relevant parties. For many organizations, risk reporting is an internal concern only, whereas other organizations may have regulations that mandate third-party or public reporting of their risk findings. A risk report should be accurate, timely, comprehensive of the entire organization, clear and precise to support decision making, and updated on a regular basis.



A risk register or risk log is a document that inventories all the identified risks to an organization or system or within an individual project. A risk register is used to record and track the activities of risk management, including the following:


 ■ Identifying risks
 ■ Evaluating the severity of and prioritizing those risks
 ■ Prescribing responses to reduce or eliminate the risks
 ■ Tracking the progress of risk mitigation


A risk register can serve as a project management document to track completion of risk response activities as well as a historical record of risk management over time. The contents of a risk register could be shared with others to facilitate a more realistic evaluation of real-world threats and risks through the amalgamation of risk management activities by other organizations.


A risk matrix or risk heat map is a form of risk assessment that is performed on a basic graph or chart. It is sometimes labeled as a qualitative risk assessment. The simplest form of a risk matrix is a 3×3 grid comparing probability and damage potential. This was covered in Chapter 1.
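
As an added illustration (not part of the original text), the sketch below models a risk register whose entries are placed on a 3×3 probability/damage matrix, then prioritized and tracked. The field names, the sample risks, and the rule that turns a grid cell into a low/medium/high rating are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")  # the three bands on each axis of a 3x3 matrix

@dataclass
class Risk:
    risk_id: str
    description: str
    probability: str       # one of LEVELS
    damage: str            # damage potential, one of LEVELS
    response: str          # prescribed response
    status: str = "open"   # open, in_progress or closed

    def __post_init__(self):
        for level in (self.probability, self.damage):
            if level not in LEVELS:
                raise ValueError(f"{self.risk_id}: unknown level {level!r}")

    def cell(self):
        """0-based (probability, damage) position in the grid."""
        return LEVELS.index(self.probability), LEVELS.index(self.damage)

    def rating(self):
        # Assumed rule: low only if both axes are low, high if the indices sum to 3+.
        p, d = self.cell()
        return LEVELS[(p + d + 1) // 2]

def prioritize(register):
    """Highest rating first; ties broken by damage, then probability."""
    key = lambda r: (LEVELS.index(r.rating()), r.cell()[1], r.cell()[0])
    return sorted(register, key=key, reverse=True)

def heat_map(register):
    """Counts of unresolved risks per cell; rows run from high to low probability."""
    counts = Counter(r.cell() for r in register if r.status != "closed")
    return [[counts[(p, d)] for d in range(3)] for p in (2, 1, 0)]

def progress(register):
    """Fraction of registered risks whose response has been completed."""
    return sum(r.status == "closed" for r in register) / len(register) if register else 0.0

# Constructed sample entries, not taken from any real register.
REGISTER = [
    Risk("R-1", "Unpatched VPN gateway", "high", "high", "Patch, restrict access", "in_progress"),
    Risk("R-2", "Stolen laptop", "medium", "low", "Full-disk encryption", "closed"),
    Risk("R-3", "Untested backup restore", "low", "high", "Quarterly restore test"),
    Risk("R-4", "Phishing of finance staff", "high", "medium", "MFA and training"),
]
```

Closed risks stay in the register as the historical record but drop out of the heat map, so the grid shows only what still needs a response.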


Originally published on the WeChat official account 网络安全等保测评: Risk Reporting and Documentation

Published by admin on 2023-12-04 14:07:09. When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their hard work): Risk Reporting and Documentation http://cn-sec.com/archives/2265109.html
