Risk Ownership in Tech: The Most Overlooked Governance Problem.

GRC, Risk management

The risk was documented. It had a score. It had a description. It even had recommended controls. But no one owned it. Weeks passed. Then months. The risk didn’t disappear. It just became invisible. This is one of the most overlooked governance problems in tech companies: unclear risk ownership.

The Illusion of “Someone Is Handling It”

In many tech environments, risks are identified quickly. Security tools generate alerts. Engineers log vulnerabilities. Compliance teams update risk registers. Everything looks organised. But when you ask one simple question, “Who owns this risk?”, the room goes quiet. Sometimes the answer is:

That is not ownership. That is diffusion of responsibility.

Control Owner vs Risk Owner

This is where confusion begins. A control owner manages a safeguard. For example:

But a risk owner is different. A risk owner is accountable for the business impact if the risk materialises. That person:

In many tech companies, this distinction is blurred. Controls exist. Ownership does not.

Why This Happens in Tech Companies

Tech organisations move fast. New features. New integrations. New markets. In this environment:

When risk ownership is unclear:

And default risk acceptance is rarely strategic.

Risk Ownership Is a Leadership Function

Here is the uncomfortable truth: risk ownership is not a technical role. It is a business role. If a customer data breach would impact revenue, reputation, and regulatory standing, the risk owner should sit at a level that understands those consequences. Security teams identify and assess. But business leaders decide. When risk ownership stays inside security alone, governance becomes unbalanced.

What Clear Risk Ownership Changes

When ownership is clearly assigned:

The risk register stops being a static document. It becomes a decision-making tool. That shift changes everything.

The Hidden Cost of No Ownership

Unowned risks create:

But the biggest cost is strategic blindness. If leadership does not explicitly accept or reject risks, the organisation drifts. Drift is dangerous in tech.

How Governance Fixes This

Good GRC does not just track risks. It clarifies:

Governance is not about adding layers. It is about removing ownership gaps.

Why This Matters Now

As tech companies scale, complexity increases. Without strong ownership structures:

Risk ownership is not a spreadsheet column. It is an operating model. And without it, even the best risk scoring system cannot drive strategy. Clear ownership turns risk from a warning into a decision. And governance begins where accountability becomes explicit.

February 24, 2026 / 0 Comments

Automating ISO 27001 Risk Scoring in Python: From Risk Register to Ranked Strategy.

GRC, Risk management

Spreadsheets are powerful. But they are also fragile. When I first worked on an ISO 27001-aligned risk register, it looked structured and complete. Assets were listed. Threats were documented. Likelihood and impact were scored. Controls were mapped to Annex A. Everything seemed organised. But something important was missing: consistency. That’s when I decided to automate the scoring model using Python. Not to replace governance, but to strengthen it.

The Problem With Manual Risk Scoring

Risk registers often rely on manual scoring:

Even with good intentions, this introduces:

Governance works best when it is defensible and repeatable. Automation helps achieve that.

The Model: How the Risk Scoring Worked

The goal was simple: take a structured ISO 27001 risk register and build a consistent, automated scoring engine. The Python-based model:

Instead of manually scanning rows, the model produced a prioritised risk list instantly. What changed was not just speed; it was clarity.

Why Impact Was Calculated Using the Worst-Case CIA Value

In ISO 27001 risk assessments, impact is often linked to Confidentiality, Integrity, and Availability. Rather than averaging these values, I calculated impact using the maximum CIA score. Why? Because a severe impact in any one dimension can materially affect the business. For example:

Using the maximum value aligns better with real-world risk severity. This small design decision makes the model more conservative and more realistic.

From Risk Score to Risk Category

After calculating RiskScore, the model categorised risks:

This step matters. Leadership rarely responds to raw numbers. They respond to thresholds and priorities. By defining consistent scoring bands, the model ensures:

Automation removes ambiguity from categorisation.

What the Ranked Output Revealed

Once automated and sorted, patterns became clearer. Assets such as:

scored among the highest risks. These are common enterprise risk drivers. The automation did not create new risks. It revealed them clearly. That clarity supports strategic decisions:

February 19, 2026 / 0 Comments

From Spreadsheet to Strategy: How Risk Assessments Support Business Decisions

GRC, Risk management

Amara stared at the spreadsheet longer than she expected. Rows of risks. Columns for likelihood, impact, controls, ownership. Numbers that looked simple at first glance. But the more she worked through it, the more she realised something important: this wasn’t just documentation. It was a map of how a business could fail. And more importantly, how it could decide what to protect first.

A Risk Assessment Is Not a Compliance Exercise

Many people see risk assessments as:

But when done properly, a risk assessment forces one hard question: what could hurt this business the most, and are we prepared? That question shifts everything. Because risk is not technical first. It is business first. A vulnerability only becomes a risk when it threatens:

That’s where strategy begins.

When Numbers Turn Into Priorities

In the spreadsheet, each risk had:

On paper, it looked structured and calm. In reality, those numbers determine:

This is where risk assessment becomes strategic. Because leadership does not act on fear. They act on prioritisation. A well-built risk assessment translates technical concerns into business language.

The Power of Risk Ownership

One column stood out to Amara more than the others: Risk Owner. This is where risk stops being abstract. When ownership is clear:

Without ownership, risks sit in spreadsheets. With ownership, they enter conversations. And conversations drive strategy.

Risk Appetite: The Silent Decision-Maker

Another realisation came while scoring risks. Not all high risks are treated the same. Some are mitigated immediately. Some are monitored. Some are accepted. Why? Because every business has a risk appetite. A startup might accept more risk to move faster. A regulated company may tolerate far less. Risk assessment is not about eliminating all risk. It is about making conscious trade-offs. That’s strategy.

Controls Are Investments

Each risk in the spreadsheet required a decision:

Controls cost time and money. So every mitigation choice is an investment decision. When risk assessments are done well, they help leadership answer:

This is how GRC supports business objectives.

Why This Matters in Tech Companies

Tech companies move fast. New features. New integrations. New markets. Without structured risk visibility, growth creates blind spots. A risk assessment:

It allows companies to scale without guessing. That’s not bureaucracy. That’s operational intelligence.

From Spreadsheet to Strategy

At first glance, a risk assessment looks like rows and formulas. But underneath, it represents:

The spreadsheet is only the container. The real value is the thinking behind it. Risk assessments are not about filling templates. They are about helping organisations decide clearly and confidently what matters most. And that is where governance becomes strategy.

February 18, 2026 / 0 Comments

© 2025 TechTakeoff. All rights reserved.