What is a Risk Register?

  • Post last modified: 10 August 2023
  • Post category: Business Ethics

A risk register is a document or tool used in project management that provides a comprehensive overview of all the potential risks that could impact a project. It is a key element of risk management planning, and is used to identify, assess, prioritize, and manage risks throughout the project lifecycle.

Organisations maintain their risk management information in a document known as a risk register or risk log. A risk register helps classify, standardise and consolidate this information for use by management.

Its primary function is to inform senior management, board members and key stakeholders about the main risks faced by the organisation. The risk register also gives the organisation’s risk management stakeholders a clear picture of the current status of each risk factor at any point in time.

The people involved in managing the risk registers are called risk registrars. With the help of risk registers, senior management can:

  • Understand the nature of the risks faced by the organisation
  • Become aware of the severity of risks
  • Identify the degree of risk that the organisation is ready to take
  • Identify risk control and mitigation measures
  • Report the risk status whenever needed

A risk register will enable risk registrars to record the following risk management information:

  • Nature, type and effects of risk on the organisation
  • Probability of occurrence of the risk
  • Risk priority, on the basis of its effect on the organisation
  • Actions taken to control or mitigate the risk
  • Risk reduction measures to be taken if the risk occurs

The information in a risk register can be stored in various ways, including a database, a spreadsheet or a simple paragraph-style document. In most organisations, however, the risk registrar develops and maintains a spreadsheet table layout so that the information is easy to find and clearly displayed.

A paragraph-style document is generally avoided because it is difficult to locate important information in it.

It is essential for risk registrars to record when each risk was identified and when it was entered in the register. They should update each risk entry regularly and keep a historical record of entries and analyses. They must also restrict access to the risk register to preserve its integrity and confidentiality: the register may hold sensitive data that must not be disclosed, and such confidential items can be ‘flagged’ by adding rows and columns to the register for that purpose. Risk registrars need to develop and update the register so that new risks can be added as the organisation’s profile and the external risk environment change.

Components of Risk Register

Some of the common components of a risk register are as follows:

  • Date: It is essential to record the date on which risks are identified or updated. Optional dates can also be present, such as target and completion dates.

  • Risk number: This is a unique identification number for the risk.

  • Risk description: This is a brief description of the risk, its causes and impact.

  • Existing controls: This is a brief description of the controls currently in effect for the risk.

  • Consequence: This indicates the consequence, that is, the severity or impact rating for the risk, with the help of scales; for example, 1 to 5, with 5 being most severe and 1 being least.

  • Likelihood: This indicates the likelihood or probability rating for the risk with the help of scales, for example, 1 to 5, with 5 being most likely and 1 being least.

  • Overall risk score: This is calculated by multiplying likelihood (probability) by consequence (impact), giving a score on a scale from 1 to 25.

  • Risk ranking: This is a priority list that is estimated by the relative ranking of the risks by their overall risk score.

  • Risk response: It indicates the action that needs to be taken if the risk occurs.

  • Trigger: Factors that indicate a risk is about to occur or has already occurred.

  • Risk owner: The person to whom the project manager assigns responsibility for recording any triggers and managing the risk response if the risk occurs.

Let us now study some examples of events in which risk information is recorded in risk registers by risk registrars:

Suppose there is an organisation that maintains a risk register for the accidents related to its vehicle fleet. It is estimated that the chance of an accident is likely, resulting in a score of 4. However, the consequences of such an occurrence are evaluated to be only moderate, as most accidents normally result in relatively small losses, resulting in a score of 3. The risk level rating is calculated to be 4 × 3 = 12.

The risk register can also provide information on fleet safety training as a measure for risk reduction.

In another example, let us assume that the potential risk event is a fire at one of the organisation’s facilities, leading to massive property loss. In this case, the likelihood is lower than in the previous example but still possible, leading to a score of 3. However, the loss could be much more severe, leading to a rating of 4. Thus, the risk level rating is 3 × 4 = 12. The risk mitigation measures taken by the organisation are the installation of sprinkler systems in all facilities, training employees to identify and minimise fire hazards, etc.

In the final example, let us assume that the potential risk is windshield damage. This is an event that is almost certain to occur, leading to a score of 5. However, the consequences of such an event are insignificant, leading to a score of 1. Thus, the risk level rating is 5 × 1 = 5. Such losses are managed through regular maintenance practices.
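A minimal implementation of the register described above, added here as an example and not taken from the article: it validates the 1 to 5 scales, computes the overall score as likelihood times consequence, ranks the entries, and keeps flagged confidential rows out of a general report. The three worked examples are used as constructed sample data, and ordering tied scores by consequence is an assumption of this example, not something the article states.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

SCALE = range(1, 6)  # the article's 1 to 5 likelihood and consequence scales


@dataclass
class RiskEntry:
    number: int
    description: str
    likelihood: int
    consequence: int
    existing_controls: str = ""
    response: str = ""
    trigger: str = ""
    owner: str = ""
    identified: date = field(default_factory=date.today)
    confidential: bool = False  # 'flagged' row, restricted to cleared readers

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot push a score past 25
        for name in ("likelihood", "consequence"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be between 1 and 5")

    @property
    def score(self) -> int:
        # Overall risk score = likelihood x consequence, range 1 to 25
        return self.likelihood * self.consequence


def rank(register: list[RiskEntry]) -> list[RiskEntry]:
    # Highest overall score first; equal scores ordered by consequence
    # (the tie-break is an assumption; the article ranks by score only)
    return sorted(register, key=lambda r: (r.score, r.consequence), reverse=True)


def report(register: list[RiskEntry], cleared: bool = False) -> list[tuple[int, str, int]]:
    # Rows for a status report; confidential rows appear only for cleared readers
    return [(r.number, r.description, r.score)
            for r in rank(register) if cleared or not r.confidential]


def example_register() -> list[RiskEntry]:
    # Constructed sample data: the three worked examples from the article
    return [
        RiskEntry(1, "Vehicle fleet accident", 4, 3, response="Fleet safety training"),
        RiskEntry(2, "Fire at a facility", 3, 4, response="Sprinklers; fire training", confidential=True),
        RiskEntry(3, "Windshield damage", 5, 1, response="Regular maintenance"),
    ]
```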

Financial Risk Management

Financial risk management can be defined as a process that focuses on increasing the financial value of a business. This is done with the help of financial instruments, such as loans, bonds or negotiable instruments. The financial value of a business has an impact on its market and credit risks.

Organisations are expected to prepare guidelines on their financial risk appetite. Financial risk management includes the practices and procedures organisations follow to take on risk and gain financially from it. It is the responsibility of senior management to present a written statement of the risks they are willing to accept and to follow it. Moreover, they should track the risks and provide an analysis of them for further use.

However, it should be understood that the employees working on financial risk management are not governed by the people who set financial risk policy. This avoids any conflict of interest between the financial risk department and senior management. Likewise, the duties of the financial risk department should not be delegated to those who make financial investment decisions, again to avoid a conflict of interest.

Operational Risk Management

Operational Risk Management (ORM) can be explained as a continual cyclic process that includes the following:

  • Risk assessment
  • Risk decision making
  • Implementation of risk controls

According to the US Department of Defense, there are four principles of ORM:

  • Accept risk when benefits outweigh the costs.
  • Accept no unnecessary risk.
  • Anticipate and manage risk by planning.
  • Make risk decisions at the right level.

There are three levels of ORM, explained below:

  • In-depth: This method of risk management is used before project implementation starts, when the organisation has enough time to plan and organise.

  • Deliberate: This method is used at periodic intervals during the implementation phase of a project or process. It may include on-the-job training, performance reviews or quality assurance.

  • Time critical: These are exercises used when a project is in its execution or completion phase. They are marked by making optimal use of the available resources to ensure the success of the project.

Human Resource Risk Management

Human resources are important to risk management in an organisation and play two roles. These roles are:

Human Resources as a Source of Risk

Human resources are considered one of the many sources of risk, in circumstances such as a shortage of workers, inefficient or ineffective work, refusal to take on any additional responsibility, and key employees leaving after being trained for a particular project.

Risk Handling Ability of Human Resources

Human resources are also of key importance in handling risk, because people possess problem-solving skills and find innovative ways to meet challenging tasks for the betterment of the organisation.

Previously, risk specialists gave very little importance to human resources, either as a source of risk or as an asset for the organisation. However, there has been a paradigm shift, and a lot of importance is now given to risk management in human resources.

Risk management in human resources has four implications, given below:

  • Since risk management decisions are taken by people, it is important to harmonise human resource tools with risk management. This can be done only by placing the right people in the right positions and by providing them with training, motivation and rewards.

  • While making risk management decisions, it is important to keep in mind human resource crises, such as divorce, accidental death, etc. These can disrupt even the best risk management decisions; therefore, a backup or contingency plan should be properly planned and executed.

  • Management teams are not created for an indefinite time period; thus, management succession becomes a cause of risk. Legal and financial considerations affect management succession and, thereby, affect risk management.

  • Risk management should be considered a major factor for evaluating the performance of human resources.

Strategic Risk Management

According to Mark Frigo and Richard Anderson, Strategic Risk Management is a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organisation’s ability to achieve its strategy and strategic objectives, with the ultimate goal of creating and protecting shareholder and stakeholder value. It is a primary component and necessary foundation of Enterprise Risk Management (ERM).

Strategic Risk Management (SRM) is based on the following six principles:

  • It can be defined as a process focused on evaluating and managing internal and external procedures and risks that could delay the achievement of strategic objectives.

  • The main objective of SRM is to build and protect shareholder value.

  • The organisation’s ERM forms the primary foundation for SRM.

  • As a part of ERM, strategic management is influenced by the board of directors and management.

  • SRM provides a strategic view regarding the impact of risks and the organisation’s capability for achieving the pre-defined objectives.

  • It is a continuous, iterative process that supports strategy setting, strategy execution and strategic management.

Information Technology and Security Risk

According to the American National Information Assurance Training and Education Center, risk management in the Information Technology (IT) field can be defined as:

  • The total process of identifying, controlling and minimising the impact of uncertain events. The objective of the risk management programme is to reduce risk. The process facilitates the management of security risks by each level of management throughout the system life cycle. The approval process consists of three elements: risk analysis, certification and approval.

  • An element of managerial science concerned with the identification, measurement, control and minimisation of uncertain events. An effective risk management programme encompasses the following four phases:

    • Risk assessment
    • Management decision
    • Control implementation
    • Effectiveness review

  • The total process of identifying, measuring and minimising uncertain events affecting Information System resources. It includes risk analysis, cost benefit analysis, safeguard selection, security test and evaluation, safeguard implementation and systems review.

Government Policy

According to Kurt F. Reding and Paul J. Sobel, Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organisation meets its objectives.

Governance is the combination of processes that are established and executed by the board of directors. The type of governance an organisation has is reflected in the organisation’s structure. The way the management of the organisation manages and tries to achieve the pre-determined goals is an indication of the kind of governance that exists in the organisation.

Risk management involves predicting and managing risks that could become an obstacle to an organisation achieving its objectives. An organisation’s success depends upon compliance with the company’s policies and procedures, laws and regulations. In short, strong and efficient governance is considered the key to a successful organisation.

Article Source
  • Hampton, J. J. (2015). Fundamentals of enterprise risk management: How top companies assess risk, manage exposure, and seize opportunity. 2nd ed. New York: Amacom.

  • Olson, L. D. and Wu, D. D. (2008). Enterprise risk management. 1st ed. Singapore: World Scientific Publishing Company Pvt. Ltd.
