The good, the bad and the ugly
Risk registers are the knowledge-banks of risk management. They are a critical tool for managing risk, but are all too often used for purposes for which they were never intended.
COMMON MISUSE OF A RISK REGISTER:
1. Presenting your risk register as your Risk Report.
The lack of traction (or ‘anti-traction’) that a risk register can induce when presented as The Risk Report is remarkable. Your decision makers need to quickly understand both the status of risks and what decisions are required of them. No amount of colour coding or sorting of risks within your risk register will allow this to happen fast enough. A spreadsheet or database without a simple front-page dashboard or reporting capability is difficult to digest rapidly (and often difficult to print).
2. Projecting your risk register onto a screen as you update it during a workshop.
Very few people find staring at a spreadsheet projected on a wall stimulating. It is also embarrassing for the person whose role it is to type with everyone watching. Risk workshops should ideally be more interactive, making use of other risk tools. A simple risk bow-tie is a great method for collecting most of the information you require for a risk which can then be recorded in your risk register. You can also use a dedicated scribe to record all risk information in your risk register as you progress through a risk workshop.
3. Filling in your risks column by column, delaying the instigation of actions which may help to manage your risks.
Many risks can appear complex, especially when they are first identified. Their full consequences might be difficult to quantify, and their true causes challenging to ascertain. The danger here is to spend all of your time and resources attempting to describe the risks, rather than working on them in an iterative manner, gradually building up your understanding of their causes, consequences and potential controls. Sometimes it is best to put basic controls in place which can not only collect more data regarding the risk itself, but might also help to manage it.
WHAT SHOULD A RISK REGISTER INCLUDE?
If designed correctly, and used for their true purpose, risk registers form a cornerstone of any risk management process. A basic risk register should ideally include at least five main sections:
a) The name of the risk with a brief description, including causes and consequences should that risk occur.
b) A form of unique identifier code through which you can identify each risk and its owner. This also helps when you need to amalgamate different risk registers.
c) A list of the controls in place (or that should be in place) to manage the risk, together with their owner(s).
d) A ranking system to allow you to prioritise your risks. A risk ranking matrix or heat map is commonly used for this purpose, utilising both the likelihood and consequence of a risk should it occur.
e) Action management, or a link through to your action management system. Having collected all of this information on your risks – what are you going to do about them?
You might also include information on who is going to provide assurance on which aspects of each risk; what monitors are used to track the status of key risks and controls; your target rating for each risk; which risks have changed in rating most significantly… The key is to tailor your risk register to your needs, aligning it with your business processes and keeping it proportionate to what you require.
A risk register records all of your risk and control knowledge, together with your appetite to manage risks and the status of your controls. It needs to be tailored to your organisation and updated regularly to keep it relevant and useful. Linking your risk register to your action management system helps to ensure that actions are carried out. The constant communication and discussion of the status of risks and controls, as recorded in your risk register, should underpin the management of risks in your organisation.
WANT TO HEAR MORE?
A standard risk register course: 'How to develop an effective risk register' is delivered by Satarla on behalf of the Institute of Risk Management on a regular basis. Alternatively, we love to integrate this training into bespoke courses for in-house clients.