You have your risk management framework in place, but what is the next step? First, well done for getting this far; a lot of hard work goes into a good framework. Now you have to put it into practice.
As part of the risk management plan you will need a log of all the potential risks that might affect your business. A risk register, also known as a risk log, is an important part of a company’s risk planning and helps to fulfil many regulatory requirements. Here is some guidance on what a risk register is and how to develop one.
Risk registers are also useful when embarking on a project and will follow similar principles to an organizational risk log.
Choose a format that works for you
A risk register is a document listing all the potential risks identified as part of the risk management process. There are a number of free online templates to choose from, but the register can equally be a database, a spreadsheet table or a plain text document, as long as everyone knows where the current copy lives.
What’s in a risk register?
There is no definitive list of what should be included in a risk register, but there are some key areas to think about. A risk register, or log, is a working document and should continue to evolve as new risks arise, old ones become obsolete or you simply have more information to record. Each time the register is amended, the change should be dated and given a version number so that everyone is working from the current copy.
- Risk category – this could be financial, reputational etc.
- Risk description
- Probability of occurrence – how likely is this scenario? Rating it on a simple scale (for example 1 to 5) makes risks comparable
- Impact of risk – how each risk would affect the company, which could include financial and security outcomes, rated on the same kind of scale
- Triggers – identifying the events that could lead to a risk occurring helps with prevention and gives you something concrete to monitor
- Solution for prevention – processes or fail-safes put in place to stop the risk happening
- Action if risk occurs – this could include the line of reporting, process review, damage limitation etc.
You should also rank risks in order of severity so you know how to prioritize them. This is usually done with a scoring system that rates impact and probability of occurrence and combines the two, typically by multiplying them. Be aware that a plain product under-weights rare but catastrophic events, so check that a risk with a catastrophic impact is not buried in the ranking by its low probability. It is also important to assign a risk owner for accountability, and to give each risk a unique code so it can be identified unambiguously in reports and reviews.
Identifying all potential risks is no easy task. Many risks will be highlighted through the risk management framework and planning process. (Read our article on developing an enterprise risk management framework.) Others will need input from teams around the company, including management. In practice the head of finance should know about financial risks and the head of marketing should have a view of reputational risks, so get people involved.
An example of a risk could be a cyber attack on the company’s IT network. The probability of a successful, damaging attack might be rated quite low (attempts on internet-facing systems are routine, so rate the probability of one succeeding, not of one being tried), but the impact could be catastrophic, with customer data, financial data or patented technology stolen. Therefore you might rank this risk as high priority despite the low probability. Your prevention measures could include investing in appropriate security infrastructure, employing dedicated IT or security staff, and ensuring that all software updates are applied promptly. Your action if the risk occurs should say who is informed and who leads the response, so that nobody is working it out for the first time during an incident.
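The scoring, ranking and ownership points above, and the cyber attack example, can be made concrete in a small model of a register. The following is an added example written for this article, not a template from the original page or from any particular risk management product. The five-point likelihood and impact labels, the priority bands, and the rule that any catastrophic-impact risk is forced to "high" priority are assumptions chosen for illustration; the three sample risks are constructed data.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Five-point ordinal scales. The labels and bands are assumptions made for this
# example; use whatever scale your own framework defines.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Risk:
    """One row of the register: the fields listed in the article plus owner and ID."""
    risk_id: str
    category: str
    description: str
    likelihood: str
    impact: str
    owner: str
    triggers: list[str] = field(default_factory=list)
    prevention: list[str] = field(default_factory=list)
    response: list[str] = field(default_factory=list)

    def score(self) -> int:
        # Classic likelihood x impact product on the two 1-5 scales (maximum 25).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def priority(self) -> str:
        # A plain product under-weights rare-but-catastrophic events (2 x 5 = 10),
        # so anything with catastrophic impact is forced to "high" regardless of score.
        if IMPACT[self.impact] == IMPACT["catastrophic"] or self.score() >= 15:
            return "high"
        if self.score() >= 8:
            return "medium"
        return "low"


class RiskRegister:
    """Keyed by unique risk ID; every amendment bumps the version and records the date."""

    def __init__(self) -> None:
        self._risks: dict[str, Risk] = {}
        self.version = 0
        self.last_amended: date | None = None

    def add(self, risk: Risk, amended_on: date | None = None) -> None:
        # Reject the three data-quality problems that make a register useless later:
        # duplicate IDs, risks nobody owns, and ratings that are not on the agreed scale.
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk ID {risk.risk_id}")
        if not risk.owner.strip():
            raise ValueError(f"{risk.risk_id} has no accountable owner")
        if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
            raise ValueError(f"{risk.risk_id} uses an undefined likelihood or impact label")
        self._risks[risk.risk_id] = risk
        self.version += 1
        self.last_amended = amended_on or date.today()

    def get(self, risk_id: str) -> Risk:
        return self._risks[risk_id]

    def ranked(self) -> list[Risk]:
        # Highest priority band first, then highest score, then ID for a stable order.
        return sorted(
            self._risks.values(),
            key=lambda r: (PRIORITY_ORDER[r.priority()], -r.score(), r.risk_id),
        )


def build_sample_register() -> RiskRegister:
    """Constructed sample data for illustration only."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "financial", "Largest customer defaults on payment",
                 "possible", "major", "Head of Finance",
                 triggers=["customer misses two consecutive invoices"],
                 prevention=["credit checks", "staged payment terms"],
                 response=["escalate to CFO", "engage debt recovery"]),
            amended_on=date(2024, 1, 8))
    reg.add(Risk("R-002", "reputational", "Negative press coverage of a product recall",
                 "unlikely", "moderate", "Head of Marketing",
                 triggers=["product defect reports rising"],
                 prevention=["QA sign-off before release"],
                 response=["issue prepared holding statement"]),
            amended_on=date(2024, 1, 8))
    reg.add(Risk("R-003", "security", "Cyber attack on the IT network steals customer data or patented technology",
                 "unlikely", "catastrophic", "Head of IT",
                 triggers=["phishing campaign against staff", "unpatched internet-facing system"],
                 prevention=["timely patching", "MFA on all remote access", "dedicated security staff"],
                 response=["invoke incident response plan", "notify regulator and affected customers"]),
            amended_on=date(2024, 2, 1))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    print(f"Register v{register.version}, last amended {register.last_amended}")
    for r in register.ranked():
        print(f"{r.risk_id} [{r.priority():6}] score={r.score():2} owner={r.owner}: {r.description}")
```

Running it lists R-003 first even though its raw score (10) is below R-001's (12), which is exactly the "low probability, catastrophic impact" case from the example above: the override keeps it from sinking down the list. The `add` checks are where a real register most often goes wrong in practice, so they are worth keeping even in a spreadsheet as validation rules.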
Don't Become Complacent
After many years in risk management I have seen some companies compile risk registers and then never refer back to them or use them as part of their risk management planning. Risk management is about mitigating risks and their impact on the business. It is so important not to become complacent about risks that could have catastrophic effects on your business.