The Risk Register
What is a Risk Register?
Every company must manage its risks, and the best place to record those risks is the risk register. Risk identification is an integral part of the overall risk management process: after the risks have been identified, they must be assessed and then properly treated, and every identified risk in the company must be recorded. The purpose of maintaining a risk register is to keep a record of all identified risks, including their descriptions and their impact on the company, which makes the register a central tool of risk management.
What does the Risk Register Include?
There are various templates and types of risk registers, but all of them should capture as much information about each risk as possible. At a minimum, the risk register must include:
- the list of assets subject to the risk
- the type of risk and the risk owner
- the level of each identified risk
- the risk treatment decision (reduce, accept, avoid, share)
- the risk treatment plan
- the controls used for risk treatment and their link to the identified risks
- the status of the risk treatment
The input for the list of assets subject to risk is the asset inventory, including information assets. The list is populated during asset identification in the risk assessment process; not every asset in the inventory will necessarily be considered in the risk assessment.
The typical types of risk are strategic, operational, reputational, security, credit, market, liquidity and so on, depending on the type and mission of the organization.
The risk treatment process contains the following options:
- Reducing the risk
- Accepting the risk
- Avoiding the risk
- Sharing the risk
Decisions on risk treatment are made at different levels of management, depending on the level of risk and on the company's risk management policy. When deciding on a treatment, management must develop a plan of appropriate actions and the implementation of controls. Implemented controls must be recorded in the risk register and their effectiveness evaluated at planned intervals; maturity scales or effectiveness scales can be used to assess them. The status of the risk treatment shows the level of residual risk that remains after the necessary controls have been implemented.
Additional Risk Register Items
Of course, a company's risk register is not limited to the information mentioned above. It can additionally include:
- The date of identification – date when the risk was identified
- Risk description – a description of the vulnerabilities and the threats that can occur
- Overall risk score – the overall degree of the risk
- Target risk level – the level of risk that is considered acceptable
- Target risk level date – the date when the target risk level will be achieved
- Mitigating actions – a description of actions that will be taken to reduce the likelihood or impact of a risk should it occur
- Action owner – the individual responsible for carrying out a mitigating action
- Action cost – the cost of the actions, compared with the cost that would be incurred if the risk occurred
- Action status – complete, in progress, ongoing, not yet due, overdue
- Action target completion date – the date by which mitigating actions will be completed
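The two field lists above, together with the treatment status and residual-risk idea from the previous section, can be turned into a small working register. The following Python is an added example, not a template from the article: the 1..5 likelihood and impact scale, the "likelihood x impact" overall score, the residual-risk model (the strongest linked control lowers likelihood by its effectiveness score) and the sample rows are all assumptions made for illustration. What it adds to the prose is the consistency checks a planned-interval review would run over every row: a "reduce" decision with no linked control, an accepted risk whose residual score is still above its target level, and an action whose target date has passed without being completed.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """The four risk treatment options named in the article."""
    REDUCE = "reduce"
    ACCEPT = "accept"
    AVOID = "avoid"
    SHARE = "share"


# Action statuses exactly as listed in the article's "Action status" field.
ACTION_STATUSES = {"complete", "in progress", "ongoing", "not yet due", "overdue"}


@dataclass
class Control:
    """A control linked to a risk; effectiveness uses an assumed 0..5 scale."""
    name: str
    effectiveness: int


@dataclass
class Risk:
    """One row of the register; field names follow the article's two field lists."""
    risk_id: str
    asset: str
    risk_type: str
    risk_owner: str
    description: str
    identified_on: date
    likelihood: int                 # assumed 1..5 scale
    impact: int                     # assumed 1..5 scale
    treatment: Treatment
    controls: List[Control] = field(default_factory=list)
    target_level: int = 4           # acceptable overall score (assumed threshold)
    target_date: Optional[date] = None
    action_owner: str = ""
    action_cost: float = 0.0
    action_status: str = "not yet due"

    def overall_score(self) -> int:
        """Overall risk score = likelihood x impact (assumed scoring model)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Residual risk after controls: the strongest linked control lowers
        likelihood by its effectiveness, floored at 1 (assumed model)."""
        best = max((c.effectiveness for c in self.controls), default=0)
        return max(1, self.likelihood - best) * self.impact

    def problems(self, today: date) -> List[str]:
        """Consistency checks a register review would apply to this row."""
        found = []
        if self.action_status not in ACTION_STATUSES:
            found.append("unknown action status")
        if self.treatment is Treatment.REDUCE and not self.controls:
            found.append("treatment is 'reduce' but no control is linked")
        if self.treatment is Treatment.ACCEPT and self.residual_score() > self.target_level:
            found.append("accepted risk exceeds target level")
        if self.target_date and today > self.target_date and self.action_status != "complete":
            found.append("target date passed, action not complete")
        return found


class RiskRegister:
    """A register keyed by risk id; one instance per company or per department."""

    def __init__(self) -> None:
        self.rows: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.rows:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.rows[risk.risk_id] = risk

    def review(self, today: date) -> Dict[str, List[str]]:
        """Planned-interval review: every row with at least one problem."""
        report = {rid: r.problems(today) for rid, r in self.rows.items()}
        return {rid: probs for rid, probs in report.items() if probs}

    def above_target(self) -> List[str]:
        """Risks whose residual score is still above the acceptable level."""
        return sorted(rid for rid, r in self.rows.items()
                      if r.residual_score() > r.target_level)


def build_sample_register() -> RiskRegister:
    """Constructed sample rows for illustration only, not real data."""
    reg = RiskRegister()
    reg.add(Risk("R-1", "customer database", "security", "CISO",
                 "injection flaw in web application exposes records", date(2024, 1, 10),
                 likelihood=4, impact=5, treatment=Treatment.REDUCE,
                 controls=[Control("input validation", 2), Control("web application firewall", 3)],
                 target_level=6, target_date=date(2024, 3, 31),
                 action_owner="AppSec lead", action_cost=12000, action_status="in progress"))
    reg.add(Risk("R-2", "office printers", "operational", "IT manager",
                 "printer outage delays paperwork", date(2024, 1, 12),
                 likelihood=2, impact=1, treatment=Treatment.ACCEPT, target_level=4))
    reg.add(Risk("R-3", "payment gateway", "security", "CISO",
                 "card data exposure", date(2024, 2, 1), likelihood=3, impact=5,
                 treatment=Treatment.REDUCE, target_level=5,
                 target_date=date(2024, 6, 30), action_status="not yet due"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for rid, probs in register.review(date(2024, 4, 15)).items():
        print(rid, "->", "; ".join(probs))
    print("still above target:", register.above_target())
```

Running the module with the review date fixed to 2024-04-15 flags R-1 (its action target date has passed while the action is still in progress) and R-3 (a "reduce" decision with no control linked yet), and lists R-3 as the only risk whose residual score is still above its target level; R-1's two controls bring its residual score down to 5, within its target of 6. Passing the review date in as a parameter rather than reading the clock keeps the report reproducible, which is what you want when the register is reviewed at planned intervals and the results are kept as evidence.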
The risk register must be monitored at planned intervals and always remain under the control of the company's top management. Companies can keep one risk register for all processes or departments, or separate registers for each process or department, to pay closer attention to the risks while monitoring their status.