Risk Managers' Forum
The importance of a risk register in risk
Creating and maintaining a risk register protects the assets of a business
By Robert E. Higgins, CIC, CRM
More and more, risk management is being recognized as an integral part of good management practices. The purpose of risk management is to proactively establish programs and processes that support business objectives while protecting the organization's assets—its employees, property, income and reputation—from loss or harm, at the lowest possible cost.
To be effective, an organization's risk management plan requires the development and maintenance of an ongoing process that enables the identification, analysis, evaluation, and treatment of risks that may impact the organization. This knowledge further enables the prioritization of actions to reduce these risks to an acceptable level. What results from this risk management process is a substantial amount of risk management information that needs to be managed in such a way that it can be found and applied quickly and efficiently.
One method that organizations can use to manage their risk management information is to make use of what is called a risk register, also known as a risk log. The risk register serves as a central repository for the organization's risk information and allows for the information that results from the risk management process to be suitably sorted, standardized, and merged for relevance to the appropriate level of management. Its key function is to provide management, the board, and key stakeholders with significant information on the main risks faced by the organization. The risk register also gives the organization's risk management stakeholders a clear view of the current status of each risk, at any point in time.
A risk register as part of the risk management plan will help management to:
• Understand the nature of the risks the organization faces.
• Become aware of the extent of those risks.
• Identify both the level of risk that the organization's management is willing to accept and the level of risk that the organization itself is willing to accept.
• Recognize its ability to control and reduce risk.
• Report the risk status at any point in time.
• Have in place risk event "early warning" factors and upward reporting thresholds.
The risk register will help the organization record the following risk management information:
• Type of risk, who raised it and how it could affect the organization.
• Likelihood of the risk occurring and its potential impact to the organization.
• Risk priority, based on its effect on the organization.
• Actions taken to prevent the risk from happening.
• Risk mitigation/reduction actions taken in case the risk does occur.
How to develop a risk register
The information in the risk register can be presented in a number of different ways, including database, spreadsheet, or a simple, paragraph-style document. One thing to note here, however: The spreadsheet-table layout is probably the best way to display the information contained in your risk register because a paragraph-style document will run the risk of people failing to fully read the document and possibly skipping over important information.
It is important to record when the risk item was identified and added to the register, when the entry was last updated, and for some items, when they were closed. However, closed items should be maintained for historical analysis purposes, perhaps being transferred to a separate "closed risks" register table.
Access to the risk register should also be controlled to maintain its integrity and confidentiality. Some items recorded in the register may be of a sensitive nature and thus not suitable for wide publication. These confidential items can be"'flagged" by adding extra fields to the risk register. The integrity of all item entries is also important, so you need a limited access policy for the register that defines who should be able to update the register's information and who can read it.
Finally, it should be noted that to be effective and timely as part of the risk management plan, the risk register should be treated as a "living and breathing" document and should evolve over time with potential risks removed and new ones added as the organization's risk profile and external risk environment change.
While there is no standard list of components that should be included in the risk register, the following is a list of some of the most widely used components.
Date: As the risk register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.
Risk number: A unique identifying number for the risk.
Risk description:A brief description of the risk, its causes and its impact.
Existing controls: A brief description of the controls that are currently in place for the risk.
Consequence: The consequence (severity or impact) rating for the risk, using scales (e.g., 1-5, with 5 being most severe).
Likelihood: The likelihood (probability) rating for the risk, using scales (e.g., 1-5, with 5 being most likely).
Overall risk score: Determined by multiplying likelihood (probability) times consequence (impact) for a scale ranging from 1 to 25.
Risk ranking: A priority list which is determined by the relative ranking of the risks by their overall risk score.
Risk response: The action which is to be taken if the risk occurs.
Trigger: Something which indicates that a risk is about to occur or has already occurred.
Risk owner: The person whom the project manager assigns to watch for triggers, and manage the risk response if the risk occurs.
Some examples of the types of information included in a risk register—the type of event and the scoring and, in these cases, the mitigation techniques used to stop the event from occurring—follow. (If such an event actually occurred, the appropriate information would be added to the register by including the date of the event, assigning a number to the event, and including actions taken to handle the risk and its ultimate status, i.e. open or closed, as well as including the name of the risk owner.)
Let's assume the potential risk event is a vehicle accident. Since the company involved in putting together the risk register owns a vehicle fleet, it is determined that the chance of an accident is likely, resulting in a score of 4. The consequences of such an occurrence, however, are judged to be only moderate, since most accidents normally result in relatively small losses, resulting in a score of 3. The risk level rating therefore is 12 (4X3). The register also would note that the company is conducting fleet safety training as a method for reducing the risk.
In another example, let's assume the potential risk event is a fire occurring at one of the company's facilities, resulting in heavy property damage. Here, the likelihood is lower than the previous example, but still possible, resulting in a score of 3. However, the loss could be much more severe, resulting in a rating of 4. The risk level rating is 12 (3X4). The mitigation techniques undertaken by the company are the installation of sprinkler systems in all facilities; as well as training employees to identify and reduce fire hazards.
In a final example, let's say the potential risk is windshield damage. Past experience indicates that this is an event that is almost certain to occur, resulting in a score of 5. However, the consequences of such an event are insignificant, resulting in a score of 1. The risk level rating therefore is 5 (5X1). The decision is made to retain these losses and handle them through routine maintenance practices.
Robert E. Higgins, CIC, CRM, CPCU, ARM, ARMP, CRIS, is an area executive vice president in the risk management services department of Gallagher SKS, and has over 30 years' experience in insurance and risk management. He can be reached at (513) 977-3188 or by e-mail at firstname.lastname@example.org. For more information on the Certified Risk Managers (CRM) program, go to www.TheNationalAlliance.com.